Two new search strategies to find special-form primes p #4

Open: wants to merge 1 commit into base: master

Conversation

@tevador commented Feb 22, 2023

This PR adds two new search strategies that look for special-form primes p with faster modular arithmetic. This is important for projects that will use the curve Ep much more often than curve Eq, such as Monero.

The new strategies work by enumerating special-form primes p and then solving for T and V using Cornacchia's algorithm. If a solution exists and any of the 6 possible orders are prime, a curve cycle is guaranteed to exist.

Because special-form primes are rare, there is a new option --anyeqn that will find the smallest b such that both curves have the equation y^2 = x^3 + b.

Additional small changes are:

  1. Primes are printed in hex format, which is arguably more readable.
  2. Pool termination is handled correctly, so the script will exit if the search space is exhausted.

Crandall primes

Crandall primes have the form of 2^x-c with c small. The most famous example is the prime 2^255-19 used by Curve25519. These primes allow a fast Barrett modular reduction algorithm.

Unfortunately, this strategy does not work very well with the 2-adicity requirement, but can still be used to find cycles without it. For example:

```
sage amicable.sage --sequential --ignoretwist --anyeqn --crandall 255 1
```

The first cycle found is:

```
p   = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffad8b (bitlength 255, weight 248, 2-adicity 1)
q   = 0x800000000000000000000000000000014c6ce9c4bd00be001b8b4bcb29ef7267 (bitlength 256, weight 65, 2-adicity 1)
Ep/Fp : y^2 = x^3 + 23
Eq/Fq : y^2 = x^3 + 23
```

Montgomery-friendly primes

Primes in the form of c*2^x+1 with c small have a much more efficient Montgomery reduction algorithm. A big advantage is that these primes are naturally 2-adic.

Cycles found with this strategy always have 2-adicity of the prime p twice higher than the 2-adicity of prime q.

For example, the command:

```
sage amicable.sage --sequential --ignoretwist --anyeqn --montgomery 255 112
```

will perform an exhaustive search and find a total of 5 cycles. The first cycle found is:

```
p   = 0x5eca430000000000000000000000000000000000000000000000000000000001 (bitlength 255, weight 13, 2-adicity 232)
q   = 0x5eca43000000000000000000000000010dd00000000000000000000000000001 (bitlength 255, weight 20, 2-adicity 116)
Ep/Fp : y^2 = x^3 + 278
Eq/Fq : y^2 = x^3 + 278
```

All the changes are backwards compatible. The Pasta cycle can still be reproduced using the same command:

```
sage amicable.sage --sequential --requireisos --sortpq --ignoretwist --nearpowerof2 255 32
```

1. Crandall primes p = 2^x-c with c small.
2. Montgomery-friendly primes p = c*2^x+1 with c small.

Additional tweaks:

- Added new option: --anyeqn to search curve equations with b in [1, 999]. Without this option, the script only uses b = 5.
- Print the primes in hex format instead of binary.
- Wait on the pool termination.
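The search strategy tevador describes above (enumerate special-form primes p, solve 4p = T^2 + 3V^2 with Cornacchia's algorithm, test the six possible orders of y^2 = x^3 + b over F_p for primality, and the guarantee that a prime order yields a cycle), carried through in plain Python as an added example that is not the PR's amicable.sage code. It goes slightly beyond the description in that it covers both the Crandall and the Montgomery-friendly family in one block and includes an `is_cycle` check that confirms the guarantee in the other direction. The function names and the `(x, c_max)` parameters are this example's own choice, not the script's command-line arguments, and the fixed Miller-Rabin bases make `is_prime` deterministic only below about 3.3e24, so at 255 bits it is a probabilistic test.

```python
from math import isqrt

# Added example (not the amicable.sage code from the PR): enumerate p = 2^x - c
# (Crandall) or p = c*2^x + 1 (Montgomery-friendly), split 4p = T^2 + 3V^2 with
# Cornacchia's algorithm, and test the six j = 0 curve orders for primality.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic below 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def two_adicity(p):
    """Largest k with 2^k dividing p - 1 (the value the PR output reports)."""
    m = p - 1
    return (m & -m).bit_length() - 1

def sqrt_minus3(p):
    """sqrt(-3) mod p for p = 1 (mod 3): a primitive cube root of unity w
    satisfies w^2 + w + 1 = 0, so (2w + 1)^2 = -3 (mod p)."""
    for a in range(2, p):
        w = pow(a, (p - 1) // 3, p)
        if w != 1:
            return (2 * w + 1) % p

def cornacchia_4p(p):
    """Return (T, V) with 4p = T^2 + 3V^2, or None (modified Cornacchia, D = -3)."""
    if p % 3 != 1:            # p = 2 (mod 3): -3 is a non-residue, no split
        return None
    x0 = sqrt_minus3(p)
    if x0 % 2 == 0:           # the algorithm needs x0 = D (mod 2), i.e. odd
        x0 = p - x0
    a, b = 2 * p, x0
    bound = isqrt(4 * p)
    while b > bound:          # Euclidean steps until the remainder drops below 2*sqrt(p)
        a, b = b, a % b
    c, rem = divmod(4 * p - b * b, 3)
    if rem:
        return None
    v = isqrt(c)
    return (b, v) if v * v == c else None

def candidate_orders(p, T, V):
    """The six possible group orders p + 1 - t of y^2 = x^3 + b over F_p."""
    s, d = (T + 3 * V) // 2, (T - 3 * V) // 2   # T and V always share parity
    return sorted(p + 1 - t for t in {T, -T, s, -s, d, -d})

def is_cycle(p, q):
    """q is a j = 0 order over F_p and p is a j = 0 order over F_q: a 2-cycle exists."""
    sp, sq = cornacchia_4p(p), cornacchia_4p(q)
    return (sp is not None and sq is not None
            and q in candidate_orders(p, *sp) and p in candidate_orders(q, *sq))

def crandall_primes(x, c_max):
    """Yield (c, p) for primes p = 2^x - c with c odd and below c_max."""
    for c in range(1, c_max, 2):
        p = (1 << x) - c
        if is_prime(p):
            yield c, p

def montgomery_primes(x, c_max):
    """Yield (c, p) for primes p = c*2^x + 1 with c odd, so 2-adicity is exactly x."""
    for c in range(1, c_max, 2):
        p = (c << x) + 1
        if is_prime(p):
            yield c, p

def find_cycle(primes):
    """First (c, p, q) where some candidate order q of a j = 0 curve over F_p is prime."""
    for c, p in primes:
        sol = cornacchia_4p(p)
        if sol is None:
            continue
        for q in candidate_orders(p, *sol):
            if is_prime(q):
                return c, p, q
    return None

if __name__ == "__main__":
    for name, it in (("crandall", crandall_primes(64, 10000)),
                     ("montgomery", montgomery_primes(40, 10000))):
        found = find_cycle(it)
        if found:
            c, p, q = found
            print(f"{name}: c={c} p={hex(p)} q={hex(q)} "
                  f"2-adicity p={two_adicity(p)} q={two_adicity(q)} cycle={is_cycle(p, q)}")
```

With x = 8 the Crandall enumerator reaches p = 241 at c = 15, where 4p = 31^2 + 3 and the order 241 + 1 - 31 = 211 is prime; over F_211 the trace 2 - 31 = -29 is again one of the six, giving order 241, which is the cycle guarantee from the description. Note that Cornacchia returns only one of the three representations of 4p, but the six traces derived from any one of them are the same set, so `candidate_orders` does not depend on which one comes out.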