├── tmp ├── csidh-8192-df-m4.h ├── csidh-8192-wd1-m4.h ├── csidh-8192-wd2-m5.h ├── csidh-9216-wd1-m4.h ├── csidh-6144(Nist1)-df-m5.h ├── csidh-6144(Nist1)-wd1-m5.h ├── csidh-8192(Nist1)-wd1-m3.h ├── csidh-1792-wd2-m1.h ├── csidh-2048-wd2-m1.h ├── csidh-2048-wd1-m1.h ├── csidh-2048-df-m1.h ├── csidh-3072-wd2-m1.h ├── csidh-3072-wd1-m1.h ├── csidh-3072-df-m1.h ├── csidh-4096-wd2-m1.h ├── csidh-4096-wd1-m1.h ├── csidh-4096-df-m1.h ├── csidh-5120-wd2-m1.h ├── csidh-1024-wd2-m2.h ├── csidh-5120-wd1-m1.h └── csidh-5120-df-m1.h ├── .gitignore ├── include ├── rng.h ├── ijk.h ├── sdacs.h ├── poly.h ├── ijk │ ├── p512.h │ ├── p1024.h │ ├── p1792.h │ └── p2048.h ├── styles.h ├── primes.h ├── csidh.h ├── strategy │ ├── csidh-1792-wd2.h │ ├── csidh-2048-wd2.h │ ├── csidh-3072-wd2.h │ ├── csidh-4096-wd2.h │ ├── csidh-4096-wd1.h │ ├── csidh-4096-df.h │ ├── csidh-5120-wd2.h │ └── csidh-1024-wd2.h ├── fp.h ├── sdacs │ └── p512.h └── mont.h ├── src ├── rng.c ├── fp │ ├── uint512.s │ ├── uint1024.s │ ├── uint1792.s │ ├── uint2048.s │ ├── uint3072.s │ ├── uint4096.s │ ├── uint5120.s │ ├── uint6144.s │ ├── uint8192.s │ └── uint9216.s ├── csidh.c ├── kps.c └── mont.c ├── results ├── build_all_dat.sh └── parse_results.py ├── test ├── gae-wd1.c ├── gae-wd2.c ├── gae-df.c ├── fp-test.c ├── mont-test.c └── isog-test.c ├── get-data-experiments ├── main └── csidh.c ├── quantum-cost-estimation └── README.md ├── prime-search.py └── README.md /tmp/csidh-8192-df-m4.h: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tmp/csidh-8192-wd1-m4.h: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tmp/csidh-8192-wd2-m5.h: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /tmp/csidh-9216-wd1-m4.h: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.test 2 | *.main 3 | *.bench 4 | *.valgrind 5 | obj/* 6 | -------------------------------------------------------------------------------- /include/rng.h: -------------------------------------------------------------------------------- 1 | #ifndef RNG_H 2 | #define RNG_H 3 | 4 | #include 5 | 6 | void randombytes(void *x, size_t l); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /tmp/csidh-6144(Nist1)-df-m5.h: -------------------------------------------------------------------------------- 1 | Traceback (most recent call last): 2 | File "header.py", line 4, in 3 | from csidh.header import * 4 | File "/home/francisco/JCS/python-code/csidh/header.py", line 41, in 5 | exec("from tmp.%s import m" % vectorbound) 6 | File "", line 1, in 7 | ModuleNotFoundError: No module named 'tmp.csidh_p6144_df_m5' 8 | -------------------------------------------------------------------------------- /tmp/csidh-6144(Nist1)-wd1-m5.h: -------------------------------------------------------------------------------- 1 | Traceback (most recent call last): 2 | File "header.py", line 4, in 3 | from csidh.header import * 4 | File "/home/francisco/JCS/python-code/csidh/header.py", line 41, in 5 | exec("from tmp.%s import m" % vectorbound) 6 | File "", line 1, in 7 | ModuleNotFoundError: No module named 'tmp.csidh_p6144_wd1_m5' 8 | -------------------------------------------------------------------------------- /tmp/csidh-8192(Nist1)-wd1-m3.h: -------------------------------------------------------------------------------- 1 | Traceback (most recent call last): 2 | File "header.py", line 4, in 3 | from csidh.header import * 4 | File "/home/francisco/JCS/python-code/csidh/header.py", line 41, in 5 | exec("from tmp.%s import m" % vectorbound) 6 | File "", line 1, in 7 | ModuleNotFoundError: No module named 'tmp.csidh_p8192_wd1_m3' 8 | -------------------------------------------------------------------------------- /src/rng.c: -------------------------------------------------------------------------------- 1 | 2 | #include "rng.h" 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | void randombytes(void *x, size_t l) 9 | { 10 | static int fd = -1; 11 | ssize_t n; 12 | if (fd < 0 && 0 > (fd = open("/dev/urandom", O_RDONLY))) 13 | exit(1); 14 | for (size_t i = 0; i < l; i += n) 15 | if (0 >= (n = read(fd, (char *) x + i, l - i))) 16 | exit(2); 17 | } 18 | 19 | -------------------------------------------------------------------------------- /include/ijk.h: -------------------------------------------------------------------------------- 1 | #ifndef _IJK_H_ 2 | #define _IJK_H_ 3 | 4 | #if defined P512 5 | #include "ijk/p512.h" 6 | 7 | #elif defined P1024 8 | #include "ijk/p1024.h" 9 | 10 | #elif defined P1792 11 | #include "ijk/p1792.h" 12 | 13 | #elif defined P2048 14 | #include "ijk/p2048.h" 15 | 16 | #elif defined P3072 17 | #include "ijk/p3072.h" 18 | 19 | #elif defined P4096 20 | #include "ijk/p4096.h" 21 | 22 | #elif defined P5120 23 | #include "ijk/p5120.h" 24 | 25 | #elif defined P6144 26 | #include "ijk/p6144.h" 27 | 28 | #elif defined P8192 29 | #include "ijk/p8192.h" 30 | 31 | #elif defined P9216 32 | #include "ijk/p9216.h" 33 | 34 | #endif 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /include/sdacs.h: -------------------------------------------------------------------------------- 1 | #ifndef _SDACS_H_ 2 | #define _SDACS_H_ 3 | 4 | #if defined P512 5 | #include "sdacs/p512.h" 6 | 7 | #elif defined P1024 8 | #include "sdacs/p1024.h" 9 | 10 | #elif defined P1792 11 | #include "sdacs/p1792.h" 12 | 13 | #elif defined P2048 14 | #include "sdacs/p2048.h" 15 | 16 | #elif defined P3072 17 | #include "sdacs/p3072.h" 18 | 19 | #elif defined P4096 20 | #include "sdacs/p4096.h" 21 | 22 | #elif defined P5120 23 | #include "sdacs/p5120.h" 24 | 25 | #elif defined P6144 26 | #include "sdacs/p6144.h" 27 | 28 | #elif defined P8192 29 | #include "sdacs/p8192.h" 30 | 31 | #elif defined P9216 32 | #include "sdacs/p9216.h" 33 | 34 | #endif 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /results/build_all_dat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | python3 parse_results.py 1024 > ../../manuscript/figures/boxplot-csidh-1024.dat 3 | python3 parse_results.py 1792 > ../../manuscript/figures/boxplot-csidh-1792.dat 4 | python3 parse_results.py 2048 > ../../manuscript/figures/boxplot-csidh-2048.dat 5 | python3 parse_results.py 3072 > ../../manuscript/figures/boxplot-csidh-3072.dat 6 | python3 parse_results.py 4096 > ../../manuscript/figures/boxplot-csidh-4096.dat 7 | python3 parse_results.py 5120 > ../../manuscript/figures/boxplot-csidh-5120.dat 8 | python3 parse_results.py 6144 > ../../manuscript/figures/boxplot-csidh-6144.dat 9 | python3 parse_results.py 8192 > ../../manuscript/figures/boxplot-csidh-8192.dat 10 | python3 parse_results.py 9216 > ../../manuscript/figures/boxplot-csidh-9216.dat 11 | 12 | 13 | -------------------------------------------------------------------------------- /src/fp/uint512.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | 10 | 11 | .section .text 12 | 13 | .global uintbig_add 14 | uintbig_add: 15 | mov rax, [rsi + 0] 16 | add rax, [rdx + 0] 17 | mov [rdi + 0], rax 18 | .set k, 1 19 | .rept 7 20 | mov rax, [rsi + 8*k] 21 | adc rax, [rdx + 8*k] 22 | mov [rdi + 8*k], rax 23 | .set k, k+1 24 | .endr 25 | setc al 26 | movzx rax, al 27 | ret 28 | 29 | .global uintbig_sub 30 | uintbig_sub: 31 | mov rax, [rsi + 0] 32 | sub rax, [rdx + 0] 33 | mov [rdi + 0], rax 34 | .set k, 1 35 | .rept 7 36 | mov rax, [rsi + 8*k] 37 | sbb rax, [rdx + 8*k] 38 | mov [rdi + 8*k], rax 39 | .set k, k+1 40 | .endr 41 | setc al 42 | movzx rax, al 43 | ret 44 | 45 | -------------------------------------------------------------------------------- /src/fp/uint1024.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .section .text 12 | 13 | .global uintbig_add 14 | uintbig_add: 15 | mov rax, [rsi + 0] 16 | add rax, [rdx + 0] 17 | mov [rdi + 0], rax 18 | .set k, 1 19 | .rept 15 20 | mov rax, [rsi + 8*k] 21 | adc rax, [rdx + 8*k] 22 | mov [rdi + 8*k], rax 23 | .set k, k+1 24 | .endr 25 | setc al 26 | movzx rax, al 27 | ret 28 | 29 | .global uintbig_sub 30 | uintbig_sub: 31 | mov rax, [rsi + 0] 32 | sub rax, [rdx + 0] 33 | mov [rdi + 0], rax 34 | .set k, 1 35 | .rept 15 36 | mov rax, [rsi + 8*k] 37 | sbb rax, [rdx + 8*k] 38 | mov [rdi + 8*k], rax 39 | .set k, k+1 40 | .endr 41 | setc al 42 | movzx rax, al 43 | ret 44 | -------------------------------------------------------------------------------- /results/parse_results.py: -------------------------------------------------------------------------------- 1 | import sys 2 | bits=sys.argv[1] 3 | 4 | print("# All wd2 wd1 df") 5 | for m in range(1,6): 6 | print(m-1,end=" ") 7 | for style in ["wd2", "wd1", "df"]: 8 | try: 9 | f = open("csidh-"+str(bits)+"-"+style+"-m"+str(m)+".results") 10 | for i in range(0, 1024): 11 | f.readline() 12 | average = f.readline().split("\x1b")[-2].split("m")[-1] 13 | f.readline() 14 | Q1 = f.readline().split("\x1b")[-2].split("m")[-1] 15 | median = f.readline().split("\x1b")[-2].split("m")[-1] 16 | Q3 = f.readline().split("\x1b")[-2].split("m")[-1] 17 | f.readline() 18 | Min = f.readline().split("\x1b")[-2].split("m")[-1] 19 | Max = f.readline().split("\x1b")[-2].split("m")[-1] 20 | print(Min, Q1, median, Q3, Max,end=" ") 21 | except: 22 | print("0 0 0 0 0",end=" ") 23 | print("") 24 | -------------------------------------------------------------------------------- /src/csidh.c: -------------------------------------------------------------------------------- 1 | #define _C_CODE_ 2 | #include "csidh.h" 3 | 4 | // Public Montogmery curve affine coefficient generation 5 | void pkgen(pub pk, priv const sk) 6 | { 7 | gae(pk, sk, fp_0); // Public base Montgomery curve affine coefficient is always(?) ser as zero: [sk] * E_0 8 | } 9 | 10 | // Public (Montgomery curve affine coefficient) and private (integer vector) keys generation 11 | void keygen(pub pk, priv sk) 12 | { 13 | skgen(sk); // random private integer vector 14 | pkgen(pk, sk); // Public Montgomery curve affine coefficient: [sk] * E_0 15 | } 16 | 17 | // Secret sharing derivation (Montgomery curve affine coefficient) 18 | bool derive(pub ss, pub const pk, priv const sk) 19 | { 20 | if (!validate(pk)) return 0; // validating the input Montgomery curve affine coefficiente (it must be supersingular!) 21 | //printf("Public key validation (running-time): %luM + %luS + %lua\n", fpmul, fpsqr, fpadd); 22 | gae(ss, sk, pk); // Secrect sharing Montgomery curve affine coefficient: [sk] * pk 23 | return 1; 24 | } 25 | -------------------------------------------------------------------------------- /src/fp/uint1792.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .section .text 15 | 16 | .global uintbig_add 17 | uintbig_add: 18 | mov rax, [rsi + 0] 19 | add rax, [rdx + 0] 20 | mov [rdi + 0], rax 21 | .set k, 1 22 | .rept 27 23 | mov rax, [rsi + 8*k] 24 | adc rax, [rdx + 8*k] 25 | mov [rdi + 8*k], rax 26 | .set k, k+1 27 | .endr 28 | setc al 29 | movzx rax, al 30 | ret 31 | 32 | .global uintbig_sub 33 | uintbig_sub: 34 | mov rax, [rsi + 0] 35 | sub rax, [rdx + 0] 36 | mov [rdi + 0], rax 37 | .set k, 1 38 | .rept 27 39 | mov rax, [rsi + 8*k] 40 | sbb rax, [rdx + 8*k] 41 | mov [rdi + 8*k], rax 42 | .set k, k+1 43 | .endr 44 | setc al 45 | movzx rax, al 46 | ret 47 | -------------------------------------------------------------------------------- /src/fp/uint2048.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .section .text 16 | 17 | .global uintbig_add 18 | uintbig_add: 19 | mov rax, [rsi + 0] 20 | add rax, [rdx + 0] 21 | mov [rdi + 0], rax 22 | .set k, 1 23 | .rept 31 24 | mov rax, [rsi + 8*k] 25 | adc rax, [rdx + 8*k] 26 | mov [rdi + 8*k], rax 27 | .set k, k+1 28 | .endr 29 | setc al 30 | movzx rax, al 31 | ret 32 | 33 | .global uintbig_sub 34 | uintbig_sub: 35 | mov rax, [rsi + 0] 36 | sub rax, [rdx + 0] 37 | mov [rdi + 0], rax 38 | .set k, 1 39 | .rept 31 40 | mov rax, [rsi + 8*k] 41 | sbb rax, [rdx + 8*k] 42 | mov [rdi + 8*k], rax 43 | .set k, k+1 44 | .endr 45 | setc al 46 | movzx rax, al 47 | ret 48 | -------------------------------------------------------------------------------- /src/fp/uint3072.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .section .text 20 | 21 | .global uintbig_add 22 | uintbig_add: 23 | mov rax, [rsi + 0] 24 | add rax, [rdx + 0] 25 | mov [rdi + 0], rax 26 | .set k, 1 27 | .rept 47 28 | mov rax, [rsi + 8*k] 29 | adc rax, [rdx + 8*k] 30 | mov [rdi + 8*k], rax 31 | .set k, k+1 32 | .endr 33 | setc al 34 | movzx rax, al 35 | ret 36 | 37 | .global uintbig_sub 38 | uintbig_sub: 39 | mov rax, [rsi + 0] 40 | sub rax, [rdx + 0] 41 | mov [rdi + 0], rax 42 | .set k, 1 43 | .rept 47 44 | mov rax, [rsi + 8*k] 45 | sbb rax, [rdx + 8*k] 46 | mov [rdi + 8*k], rax 47 | .set k, k+1 48 | .endr 49 | setc al 50 | movzx rax, al 51 | ret 52 | -------------------------------------------------------------------------------- /src/fp/uint4096.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .quad 0, 0, 0, 0 20 | .quad 0, 0, 0, 0 21 | .quad 0, 0, 0, 0 22 | .quad 0, 0, 0, 0 23 | .section .text 24 | 25 | .global uintbig_add 26 | uintbig_add: 27 | mov rax, [rsi + 0] 28 | add rax, [rdx + 0] 29 | mov [rdi + 0], rax 30 | .set k, 1 31 | .rept 63 32 | mov rax, [rsi + 8*k] 33 | adc rax, [rdx + 8*k] 34 | mov [rdi + 8*k], rax 35 | .set k, k+1 36 | .endr 37 | setc al 38 | movzx rax, al 39 | ret 40 | 41 | .global uintbig_sub 42 | uintbig_sub: 43 | mov rax, [rsi + 0] 44 | sub rax, [rdx + 0] 45 | mov [rdi + 0], rax 46 | .set k, 1 47 | .rept 63 48 | mov rax, [rsi + 8*k] 49 | sbb rax, [rdx + 8*k] 50 | mov [rdi + 8*k], rax 51 | .set k, k+1 52 | .endr 53 | setc al 54 | movzx rax, al 55 | ret 56 | -------------------------------------------------------------------------------- /src/fp/uint5120.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .quad 0, 0, 0, 0 20 | .quad 0, 0, 0, 0 21 | .quad 0, 0, 0, 0 22 | .quad 0, 0, 0, 0 23 | .quad 0, 0, 0, 0 24 | .quad 0, 0, 0, 0 25 | .quad 0, 0, 0, 0 26 | .quad 0, 0, 0, 0 27 | .section .text 28 | 29 | .global uintbig_add 30 | uintbig_add: 31 | mov rax, [rsi + 0] 32 | add rax, [rdx + 0] 33 | mov [rdi + 0], rax 34 | .set k, 1 35 | .rept 79 36 | mov rax, [rsi + 8*k] 37 | adc rax, [rdx + 8*k] 38 | mov [rdi + 8*k], rax 39 | .set k, k+1 40 | .endr 41 | setc al 42 | movzx rax, al 43 | ret 44 | 45 | .global uintbig_sub 46 | uintbig_sub: 47 | mov rax, [rsi + 0] 48 | sub rax, [rdx + 0] 49 | mov [rdi + 0], rax 50 | .set k, 1 51 | .rept 79 52 | mov rax, [rsi + 8*k] 53 | sbb rax, [rdx + 8*k] 54 | mov [rdi + 8*k], rax 55 | .set k, k+1 56 | .endr 57 | setc al 58 | movzx rax, al 59 | ret 60 | -------------------------------------------------------------------------------- /src/fp/uint6144.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .quad 0, 0, 0, 0 20 | .quad 0, 0, 0, 0 21 | .quad 0, 0, 0, 0 22 | .quad 0, 0, 0, 0 23 | .quad 0, 0, 0, 0 24 | .quad 0, 0, 0, 0 25 | .quad 0, 0, 0, 0 26 | .quad 0, 0, 0, 0 27 | .quad 0, 0, 0, 0 28 | .quad 0, 0, 0, 0 29 | .quad 0, 0, 0, 0 30 | .quad 0, 0, 0, 0 31 | .section .text 32 | 33 | .global uintbig_add 34 | uintbig_add: 35 | mov rax, [rsi + 0] 36 | add rax, [rdx + 0] 37 | mov [rdi + 0], rax 38 | .set k, 1 39 | .rept 95 40 | mov rax, [rsi + 8*k] 41 | adc rax, [rdx + 8*k] 42 | mov [rdi + 8*k], rax 43 | .set k, k+1 44 | .endr 45 | setc al 46 | movzx rax, al 47 | ret 48 | 49 | .global uintbig_sub 50 | uintbig_sub: 51 | mov rax, [rsi + 0] 52 | sub rax, [rdx + 0] 53 | mov [rdi + 0], rax 54 | .set k, 1 55 | .rept 95 56 | mov rax, [rsi + 8*k] 57 | sbb rax, [rdx + 8*k] 58 | mov [rdi + 8*k], rax 59 | .set k, k+1 60 | .endr 61 | setc al 62 | movzx rax, al 63 | ret 64 | -------------------------------------------------------------------------------- /include/poly.h: -------------------------------------------------------------------------------- 1 | #ifndef POLY_MUL_H 2 | #define POLY_MUL_H 3 | 4 | #include "fp.h" 5 | typedef fp *poly; // Polynomials are arrays of coeffs over Fq, lowest degree first 6 | 7 | void poly_mul(poly h, const poly f, const int lenf, const poly g, const int leng); 8 | void poly_mul_low(poly h, const int n, const poly f, const int lenf, const poly g, const int leng); 9 | void poly_mul_middle(poly h, const poly g, const int leng, const poly f, const int lenf); 10 | void poly_mul_selfreciprocal(poly h, const poly g, const int leng, const poly f, const int lenf); 11 | 12 | void product_tree(poly H[], int DEG[], const int root, const poly F[], const int LENF, const int n); 13 | void product_tree_selfreciprocal(poly H[], int DEG[], const int root, const poly F[], const int LENF, const int n); 14 | void clear_tree(poly H[], const int root, const int n); 15 | 16 | void product(fp c, const fp F[], const int n); 17 | void poly_print(const poly f, const int degree, char *c); 18 | 19 | 20 | void reciprocal(poly h, fp c, const poly f, const int lenf, const int n); 21 | void poly_redc(poly h, const poly g, const int leng, const poly f, const int lenf,const poly f_inv, const fp c); 22 | void reciprocal_tree(poly R[], fp A[], const int leng, const poly H[], const int DEG[], const int root, const int n); 23 | void multieval_unscaled(fp REM[], const poly g, const int leng, const poly R[], const fp A[], const poly H[], const int DEG[], const int root, const int n); 24 | void multieval_scaled(fp REM[], const poly G, const poly H[], const int DEG[], const int root, const int n); 25 | 26 | #endif /* POLY_MUL_H */ 27 | -------------------------------------------------------------------------------- /src/fp/uint8192.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .quad 0, 0, 0, 0 20 | .quad 0, 0, 0, 0 21 | .quad 0, 0, 0, 0 22 | .quad 0, 0, 0, 0 23 | .quad 0, 0, 0, 0 24 | .quad 0, 0, 0, 0 25 | .quad 0, 0, 0, 0 26 | .quad 0, 0, 0, 0 27 | .quad 0, 0, 0, 0 28 | .quad 0, 0, 0, 0 29 | .quad 0, 0, 0, 0 30 | .quad 0, 0, 0, 0 31 | .quad 0, 0, 0, 0 32 | .quad 0, 0, 0, 0 33 | .quad 0, 0, 0, 0 34 | .quad 0, 0, 0, 0 35 | .quad 0, 0, 0, 0 36 | .quad 0, 0, 0, 0 37 | .quad 0, 0, 0, 0 38 | .quad 0, 0, 0, 0 39 | .section .text 40 | 41 | .global uintbig_add 42 | uintbig_add: 43 | mov rax, [rsi + 0] 44 | add rax, [rdx + 0] 45 | mov [rdi + 0], rax 46 | .set k, 1 47 | .rept 127 48 | mov rax, [rsi + 8*k] 49 | adc rax, [rdx + 8*k] 50 | mov [rdi + 8*k], rax 51 | .set k, k+1 52 | .endr 53 | setc al 54 | movzx rax, al 55 | ret 56 | 57 | .global uintbig_sub 58 | uintbig_sub: 59 | mov rax, [rsi + 0] 60 | sub rax, [rdx + 0] 61 | mov [rdi + 0], rax 62 | .set k, 1 63 | .rept 127 64 | mov rax, [rsi + 8*k] 65 | sbb rax, [rdx + 8*k] 66 | mov [rdi + 8*k], rax 67 | .set k, k+1 68 | .endr 69 | setc al 70 | movzx rax, al 71 | ret 72 | -------------------------------------------------------------------------------- /src/fp/uint9216.s: -------------------------------------------------------------------------------- 1 | .intel_syntax noprefix 2 | 3 | .section .rodata 4 | 5 | .global uintbig_1 6 | uintbig_1: 7 | .quad 1, 0, 0, 0 8 | .quad 0, 0, 0, 0 9 | .quad 0, 0, 0, 0 10 | .quad 0, 0, 0, 0 11 | .quad 0, 0, 0, 0 12 | .quad 0, 0, 0, 0 13 | .quad 0, 0, 0, 0 14 | .quad 0, 0, 0, 0 15 | .quad 0, 0, 0, 0 16 | .quad 0, 0, 0, 0 17 | .quad 0, 0, 0, 0 18 | .quad 0, 0, 0, 0 19 | .quad 0, 0, 0, 0 20 | .quad 0, 0, 0, 0 21 | .quad 0, 0, 0, 0 22 | .quad 0, 0, 0, 0 23 | .quad 0, 0, 0, 0 24 | .quad 0, 0, 0, 0 25 | .quad 0, 0, 0, 0 26 | .quad 0, 0, 0, 0 27 | .quad 0, 0, 0, 0 28 | .quad 0, 0, 0, 0 29 | .quad 0, 0, 0, 0 30 | .quad 0, 0, 0, 0 31 | .quad 0, 0, 0, 0 32 | .quad 0, 0, 0, 0 33 | .quad 0, 0, 0, 0 34 | .quad 0, 0, 0, 0 35 | .quad 0, 0, 0, 0 36 | .quad 0, 0, 0, 0 37 | .quad 0, 0, 0, 0 38 | .quad 0, 0, 0, 0 39 | .quad 0, 0, 0, 0 40 | .quad 0, 0, 0, 0 41 | .quad 0, 0, 0, 0 42 | .quad 0, 0, 0, 0 43 | .section .text 44 | 45 | .global uintbig_add 46 | uintbig_add: 47 | mov rax, [rsi + 0] 48 | add rax, [rdx + 0] 49 | mov [rdi + 0], rax 50 | .set k, 1 51 | .rept 143 52 | mov rax, [rsi + 8*k] 53 | adc rax, [rdx + 8*k] 54 | mov [rdi + 8*k], rax 55 | .set k, k+1 56 | .endr 57 | setc al 58 | movzx rax, al 59 | ret 60 | 61 | .global uintbig_sub 62 | uintbig_sub: 63 | mov rax, [rsi + 0] 64 | sub rax, [rdx + 0] 65 | mov [rdi + 0], rax 66 | .set k, 1 67 | .rept 143 68 | mov rax, [rsi + 8*k] 69 | sbb rax, [rdx + 8*k] 70 | mov [rdi + 8*k], rax 71 | .set k, k+1 72 | .endr 73 | setc al 74 | movzx rax, al 75 | ret 76 | -------------------------------------------------------------------------------- /test/gae-wd1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define _C_CODE_ 4 | #include "csidh.h" 5 | #include "styles.h" 6 | 7 | int main() 8 | { 9 | int i, j; 10 | priv a, b; 11 | 12 | // --------------------------------------------------------------------------------------- 13 | // Testing the accesses and modifications on the integer vectors (private keys and bounds) 14 | skgen(a); 15 | for (i = 0; i < N; i++) 16 | b[i] = a[i]; 17 | 18 | for (i = 0; i < (int)NUMBER_OF_PRIMES[0]; i++) 19 | { 20 | assert( (a[i] >= -(int8_t)M[i]) && (a[i] <= (int8_t)M[i]) ); 21 | assert( (sign(a[i]) * a[i]) >= 0); 22 | if (a[i] == 0) 23 | assert(sign(a[i]) == 0); 24 | 25 | update(i, a[i] + 1, b); 26 | for (j = 0; j < N; j++) 27 | { 28 | if (i != j) 29 | assert( b[j] == a[j] ); 30 | else 31 | assert( b[j] != a[j] ); 32 | }; 33 | update(i, a[i], b); 34 | }; 35 | 36 | // --------------------------------------------------------------------------------------- 37 | // Testing both of the strategy evaluation and the group action evaluation (gae) 38 | 39 | pub A; 40 | fp_set0(A); // We start with the Montgomery curve y^2 = x^3 + x 41 | 42 | // -------------------- 43 | for (i = 0; i < N; i++) 44 | a[i] = 0; 45 | 46 | gae(A, a, A); 47 | assert(validate(A)); 48 | assert( fp_iszero(A) ); 49 | 50 | // -------------------- 51 | for (i = 0; i < N; i++) 52 | a[i] = 1; 53 | 54 | gae(A, a, A); 55 | assert(validate(A)); 56 | gae(A, a, A); 57 | assert(validate(A)); 58 | gae(A, a, A); 59 | assert(validate(A)); 60 | assert( fp_iszero(A) ); 61 | 62 | // general test 63 | for (i = 0; i < 1024; i++) 64 | { 65 | skgen(a); 66 | 67 | printf("// Doing %d experiment:\t", i); 68 | printf("%2d%%", 100 * i / (int)1024); 69 | fflush(stdout); 70 | printf("\r\x1b[K"); 71 | 72 | // -------------------- 73 | gae(A, a, A); 74 | assert(validate(A)); 75 | }; 76 | 77 | printf("// No errors!\n"); 78 | return 0; 79 | }; 80 | -------------------------------------------------------------------------------- /test/gae-wd2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define _C_CODE_ 4 | #include "csidh.h" 5 | #include "styles.h" 6 | 7 | static void fp_print(fp const a, char *c) 8 | { 9 | int i; 10 | printf("%s := 0x", c); 11 | for(i=NUMBER_OF_WORDS-1; i > -1; i--) 12 | printf("%.16" PRIX64 "", a[i]); 13 | printf(";\n"); 14 | } 15 | int main() 16 | { 17 | int i, j; 18 | priv a, b; 19 | 20 | // --------------------------------------------------------------------------------------- 21 | // Testing the accesses and modifications on the integer vectors (private keys and bounds) 22 | skgen(a); 23 | for (i = 0; i < N; i++) 24 | b[i] = a[i]; 25 | 26 | for (i = 0; i < (int)NUMBER_OF_PRIMES[0]; i++) 27 | { 28 | assert( (a[i] >= -(int8_t)M[i]) && (a[i] <= (int8_t)M[i]) ); 29 | assert( (sign(a[i]) * a[i]) >= 0); 30 | if (a[i] == 0) 31 | assert(sign(a[i]) == 0); 32 | 33 | update(i, a[i] + 1, b); 34 | for (j = 0; j < N; j++) 35 | { 36 | if (i != j) 37 | assert( b[j] == a[j] ); 38 | else 39 | assert( b[j] != a[j] ); 40 | }; 41 | update(i, a[i], b); 42 | }; 43 | 44 | // --------------------------------------------------------------------------------------- 45 | // Testing both of the strategy evaluation and the group action evaluation (gae) 46 | 47 | pub A; 48 | fp_set0(A); // We start with the Montgomery curve y^2 = x^3 + x 49 | 50 | for (i = 0; i < 1024; i++) 51 | { 52 | skgen(a); 53 | for (j = 0; j < N; j++) 54 | b[j] = -a[j]; 55 | 56 | printf("// Doing %d experiment:\t", i); 57 | printf("%2d%%", 100 * i / (int)1024); 58 | fflush(stdout); 59 | printf("\r\x1b[K"); 60 | 61 | // -------------------- 62 | assert(fp_iszero(A)); 63 | gae(A, a, A); 64 | assert(validate(A)); 65 | // -------------------- 66 | gae(A, b, A); 67 | assert(validate(A)); 68 | if (!fp_iszero(A)) 69 | fp_print(A, "A"); 70 | assert(fp_iszero(A)); 71 | }; 72 | 73 | printf("// No errors!\n"); 74 | return 0; 75 | }; 76 | -------------------------------------------------------------------------------- /test/gae-df.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define _C_CODE_ 4 | #include "csidh.h" 5 | #include "styles.h" 6 | 7 | static void fp_print(fp const a, char *c) 8 | { 9 | int i; 10 | printf("%s := 0x", c); 11 | for(i=NUMBER_OF_WORDS-1; i > -1; i--) 12 | printf("%.16" PRIX64 "", a[i]); 13 | printf(";\n"); 14 | } 15 | 16 | int main() 17 | { 18 | int i, j; 19 | priv a, b; 20 | 21 | // --------------------------------------------------------------------------------------- 22 | // Testing the accesses and modifications on the integer vectors (private keys and bounds) 23 | skgen(a); 24 | for (i = 0; i < N; i++) 25 | b[i] = a[i]; 26 | 27 | for (i = 0; i < (int)NUMBER_OF_PRIMES[0]; i++) 28 | { 29 | assert( (a[i] >= -(int8_t)M[i]) && (a[i] <= (int8_t)M[i]) ); 30 | assert( (sign(a[i]) * a[i]) >= 0); 31 | if (a[i] == 0) 32 | assert(sign(a[i]) == 0); 33 | 34 | update(i, a[i] + 1, b); 35 | for (j = 0; j < N; j++) 36 | { 37 | if (i != j) 38 | assert( b[j] == a[j] ); 39 | else 40 | assert( b[j] != a[j] ); 41 | }; 42 | update(i, a[i], b); 43 | }; 44 | 45 | // --------------------------------------------------------------------------------------- 46 | // Testing both of the strategy evaluation and the group action evaluation (gae) 47 | 48 | pub A; 49 | fp_set0(A); // We start with the Montgomery curve y^2 = x^3 + x 50 | 51 | for (i = 0; i < 1024; i++) 52 | { 53 | skgen(a); 54 | for (j = 0; j < N; j++) 55 | b[j] = -a[j]; 56 | 57 | printf("// Doing %d experiment:\t", i); 58 | printf("%2d%%", 100 * i / (int)1024); 59 | fflush(stdout); 60 | printf("\r\x1b[K"); 61 | 62 | // -------------------- 63 | assert(fp_iszero(A)); 64 | gae(A, a, A); 65 | assert(validate(A)); 66 | // -------------------- 67 | gae(A, b, A); 68 | assert(validate(A)); 69 | if (!fp_iszero(A)) 70 | fp_print(A, "A"); 71 | assert(fp_iszero(A)); 72 | }; 73 | 74 | printf("// No errors!\n"); 75 | return 0; 76 | }; 77 | -------------------------------------------------------------------------------- /include/ijk/p512.h: -------------------------------------------------------------------------------- 1 | #ifndef _IJK_p512_H_ 2 | #define _IJK_p512_H_ 3 | 4 | #ifdef _MONT_C_CODE_ 5 | // The list of the bitlength of each SOP 6 | static uint64_t bL[] = { 7 | 2, 3, 3, 4, 4, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 8 | 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9 | 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10 10 | }; 11 | #endif 12 | 13 | #ifdef _ISOG_H_ 14 | 15 | // The list of Small Odd Primes (SOPs) is stored such that l_0 < l_1 < ... < l_{n-1} 16 | static uint64_t L[] = { 17 | 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97,101, 18 | 103,107,109,113,127,131,137,139,149,151,157,163,167,173,179,181,191,193,197,199,211,223,227,229,233, 19 | 239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359,367,373,587 20 | }; 21 | 22 | #ifndef _C_CODE_ 23 | // Sizes for the sets I, J, and K required in the new velusqrt formulae 24 | static int sizeI[] = { 25 | 0, 1, 1, 2, 3, 2, 2, 2, 3, 3, 4, 3, 5, 5, 4, 4, 5, 4, 4, 4, 4, 5, 5, 6, 6, 26 | 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 6, 8, 8, 7, 7, 7, 7, 8, 8, 8, 7, 9, 8, 8, 8, 27 | 8, 10, 10, 8, 8, 8, 8, 8, 8, 10, 9, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 11, 11, 12 28 | }; 29 | static int sizeJ[] = { 30 | 0, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 31 | 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 6, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 6, 7, 7, 7, 32 | 7, 6, 6, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 12 33 | }; 34 | static int sizeK[] = { 35 | 1, 0, 1, 1, 0, 0, 1, 3, 2, 3, 2, 2, 1, 3, 2, 5, 0, 1, 3, 4, 7, 1, 4, 0, 2, 36 | 3, 5, 6, 0, 3, 5, 8, 9, 2, 3, 6, 1, 3, 2, 5, 6, 11, 0, 2, 3, 7, 3, 1, 2, 4, 37 | 7, 0, 5, 0, 3, 6, 7, 10, 12, 1, 2, 9, 11, 12, 14, 5, 8, 13, 14, 0, 3, 7, 10, 5 38 | }; 39 | #endif 40 | 41 | #define sI_max 12 42 | #define sJ_max 12 43 | #define sK_max 294 44 | #endif 45 | 46 | #endif /* required framework for the #I, #J, and #K, which is used in new velusqrt fomurlae on CSIDH-512 */ 47 | -------------------------------------------------------------------------------- /test/fp-test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include "fp.h" 5 | 6 | int main() 7 | { 8 | int i; 9 | fp a, b, c, d; 10 | 11 | for (i = 0; i < 1024; i++) 12 | { 13 | printf("// Doing %d experiment:\t", i); 14 | printf("%2d%%", 100 * i / (int)1024); 15 | fflush(stdout); 16 | printf("\r\x1b[K"); 17 | 18 | // Random elements of fp 19 | fp_random(a); 20 | fp_random(b); 21 | fp_copy(c, a); 22 | c[0] += 1; 23 | fp_copy(d, b); 24 | d[0] -= 1; 25 | 26 | assert(fp_isequal(a,b) == 0); // different values check --> (a != b) 27 | assert(fp_isequal(c,c) == 1); // equal values check --> 1 (c == c) 28 | assert(fp_issmaller(a,a) == 0); // smaller than check --> 0 (a == a) 29 | assert(fp_issmaller(a,c) == 1); // smaller than check --> 1 (a < c) 30 | assert(fp_issmaller(b,d) == 0); // smaller than check --> 0 (b > d) 31 | 32 | uintbig_set1(a); // Now a == 1 33 | fp_set0(b); // Now b == 0 34 | 35 | assert(fp_iszero(a) == 0); 36 | assert(fp_iszero(b) == 1); 37 | 38 | // testing c - c 39 | fp_sub(d, c, c); 40 | assert(fp_iszero(d) == 1); 41 | 42 | // tetsing c * 0 43 | //fp_mul(d, c, b); 44 | assert(fp_iszero(d) == 1); 45 | 46 | // tetsing c * 1 ... recall, in Montgomery domain R mod p plays the role of the 1 47 | fp_set1(a); 48 | fp_mul(d, c, a); 49 | 50 | /* printf("\n"); 51 | for(i= 0; i<28;i++){ 52 | printf("a[%i] = %lx\t", i, a[i]); 53 | printf("a[%i] = %lx\t", i, a[i]); 54 | printf("d[%i] = %lx\t", i, d[i]); 55 | printf("%lx\n", c[i]-d[i]); 56 | } 57 | */ 58 | assert(fp_isequal(d, c) == 1); 59 | 60 | uintbig_set1(a); // Now a == 1 61 | fp_pow(d, a, c); 62 | assert(fp_isequal(d, c) == 1); 63 | 64 | fp_set0(a); // Now a == 0 65 | fp_pow(d, a, c); 66 | assert(fp_isone(d) == 1); 67 | 68 | fp_set1(a); // Now a == R mod p 69 | fp_pow(d, c, a); 70 | assert(fp_isone(d) == 1); 71 | 72 | // Testing 1/a by computing (1/a) x a 73 | fp_random(a); 74 | fp_copy(b, a); 75 | fp_inv(a); 76 | fp_mul(c, a, b); 77 | assert(fp_isone(c) == 1); 78 | 79 | fp_random(a); 80 | fp_sqr(b, a); 81 | assert( fp_issquare(b) ); 82 | 83 | }; 84 | 85 | // Notice, all the above functions test all the field arithmetic and auxiliar functions required in the polynomial arithmetic. 86 | printf("// No errors!\n"); 87 | return 0; 88 | } 89 | -------------------------------------------------------------------------------- /test/mont-test.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "mont.h" 4 | #include "sdacs.h" 5 | 6 | uint8_t test_elligator_output(proj const Tp, proj const Tm, fp const a) 7 | { 8 | fp XTp, XTm; 9 | 10 | fp_copy(XTp, Tp[1]); 11 | fp_inv(XTp); 12 | fp_copy(XTm, Tm[1]); 13 | fp_inv(XTm); 14 | 15 | fp_mul(XTp, XTp, Tp[0]); 16 | fp_mul(XTm, XTm, Tm[0]); 17 | 18 | fp tmp, aux, YTp_squared, YTm_squared; 19 | 20 | fp_sqr(tmp, XTp); 21 | fp_mul(aux, tmp, XTp); 22 | fp_mul(tmp, tmp, a); 23 | fp_add(YTp_squared, tmp, aux); 24 | fp_add(YTp_squared, YTp_squared, XTp); 25 | 26 | fp_sqr(tmp, XTm); 27 | fp_mul(aux, tmp, XTm); 28 | fp_mul(tmp, tmp, a); 29 | fp_add(YTm_squared, tmp, aux); 30 | fp_add(YTm_squared, YTm_squared, XTm); 31 | 32 | return fp_issquare(YTp_squared) & ( 1 - fp_issquare(YTm_squared)); 33 | } 34 | 35 | int main() 36 | { 37 | // ------------ 38 | 39 | int i, j; 40 | 41 | proj A; 42 | fp_set0(A[0]); 43 | fp_set1(A[1]); 44 | 45 | fp_add(A[0], A[1], A[0]); // 1 46 | fp_add(A[0], A[0], A[0]); // 2 47 | fp_add(A[0], A[1], A[0]); // 3 48 | fp_add(A[0], A[0], A[0]); // 6 49 | 50 | fp_add(A[1], A[1], A[1]); // 2C 51 | fp_add(A[0], A[0], A[1]); // A' + 2C 52 | fp_add(A[1], A[1], A[1]); // 4C 53 | 54 | // Just to ensure the projective curve coeffientes are different from zero 55 | assert( !fp_iszero(A[0]) & !fp_iszero(A[0]) ); 56 | 57 | fp a; 58 | coeff(a, (const fp*)A); 59 | 60 | proj Tp, Tm; 61 | for (j = 0; j < 1024; j++) 62 | { 63 | printf("// Doing %d experiment:\t", j); 64 | printf("%2d%%", 100 * j / (int)1024); 65 | fflush(stdout); 66 | printf("\r\x1b[K"); 67 | 68 | // CSIDH case: Tp belongs to E[\pi + 1] and Tm belongs to E[\pi - 1], and both of them are torsion-(p + 1) points 69 | assert(validate(a)); 70 | elligator(Tp, Tm, (const fp*)A); 71 | assert( test_elligator_output((const fp*)Tp, (const fp*)Tm, a) ); 72 | 73 | for (i = 0; i < (int)cofactor; i++) 74 | { 75 | xdbl(Tp, (const fp*)Tp, (const fp*)A); 76 | xdbl(Tm, (const fp*)Tm, (const fp*)A); 77 | }; 78 | 79 | for (i = 0; i < N; i++) 80 | { 81 | xmul(Tp, i, (const fp*)Tp, (const fp*)A); 82 | xmul(Tm, i, (const fp*)Tm, (const fp*)A); 83 | }; 84 | 85 | assert( isinfinity((const fp*)Tp) ); // [p + 1]Tp is the point at infinity 86 | assert( isinfinity((const fp*)Tm) ); // [p + 1]Tm is the point at infinity 87 | }; 88 | 89 | printf("// No errors!\n"); 90 | return 0; 91 | } 92 | -------------------------------------------------------------------------------- /include/styles.h: -------------------------------------------------------------------------------- 1 | #ifndef _STYLE_H_ 2 | #define _STYLE_H_ 3 | 4 | // This header can use three variants for the group action evaluation (using strategies like SIDH) 5 | // wd2 : with dummy isogeny cosuntructions and two torsion points 6 | // wd1 : with dummy isogeny cosuntructions and one torsion point 7 | // df : dummy-free variant using two torsion points 8 | 9 | #if defined P512 10 | #if defined wd2 11 | #include "strategy/csidh-512-wd2.h" 12 | #elif defined wd1 13 | #include "strategy/csidh-512-wd1.h" 14 | #else 15 | #include "strategy/csidh-512-df.h" 16 | #endif 17 | 18 | #elif defined P1024 19 | #if defined wd2 20 | #include "strategy/csidh-1024-wd2.h" 21 | #elif defined wd1 22 | #include "strategy/csidh-1024-wd1.h" 23 | #else 24 | #include "strategy/csidh-1024-df.h" 25 | #endif 26 | 27 | #elif defined P1792 28 | #if defined wd2 29 | #include "strategy/csidh-1792-wd2.h" 30 | #elif defined wd1 31 | #include "strategy/csidh-1792-wd1.h" 32 | #else 33 | #include "strategy/csidh-1792-df.h" 34 | #endif 35 | 36 | #elif defined P2048 37 | #if defined wd2 38 | #include "strategy/csidh-2048-wd2.h" 39 | #elif defined wd1 40 | #include "strategy/csidh-2048-wd1.h" 41 | #else 42 | #include "strategy/csidh-2048-df.h" 43 | #endif 44 | 45 | #elif defined P3072 46 | #if defined wd2 47 | #include "strategy/csidh-3072-wd2.h" 48 | #elif defined wd1 49 | #include "strategy/csidh-3072-wd1.h" 50 | #else 51 | #include "strategy/csidh-3072-df.h" 52 | #endif 53 | 54 | #elif defined P4096 55 | #if defined wd2 56 | #include "strategy/csidh-4096-wd2.h" 57 | #elif defined wd1 58 | #include "strategy/csidh-4096-wd1.h" 59 | #else 60 | #include "strategy/csidh-4096-df.h" 61 | #endif 62 | 63 | #elif defined P5120 64 | #if defined wd2 65 | #include "strategy/csidh-5120-wd2.h" 66 | #elif defined wd1 67 | #include "strategy/csidh-5120-wd1.h" 68 | #else 69 | #include "strategy/csidh-5120-df.h" 70 | #endif 71 | 72 | #elif defined P6144 73 | #if defined wd2 74 | #include "strategy/csidh-6144-wd2.h" 75 | #elif defined wd1 76 | #include "strategy/csidh-6144-wd1.h" 77 | #else 78 | #include "strategy/csidh-6144-df.h" 79 | #endif 80 | 81 | #elif defined P8192 82 | #if defined wd2 83 | #include "strategy/csidh-8192-wd2.h" 84 | #elif defined wd1 85 | #include "strategy/csidh-8192-wd1.h" 86 | #else 87 | #include "strategy/csidh-8192-df.h" 88 | #endif 89 | 90 | #elif defined P9216 91 | #if defined wd2 92 | #include "strategy/csidh-9216-wd2.h" 93 | #elif defined wd1 94 | #include "strategy/csidh-9216-wd1.h" 95 | #else 96 | #include "strategy/csidh-9216-df.h" 97 | #endif 98 | 99 | #endif 100 | 101 | #endif 102 | 103 | -------------------------------------------------------------------------------- /include/primes.h: -------------------------------------------------------------------------------- 1 | #ifndef _PRIMES_H_ 2 | #define _PRIMES_H_ 3 | 4 | // If a new field arithmetic will be used, just add it but taking in count that it is required: 5 | // fp_add(output, input_x, input_y), 6 | // fp_sub(output, input_x, input_y), 7 | // fp_mul(output, input_x, input_y), 8 | // fp_sqr(output, input_x), 9 | // fp_inv(input), 10 | // fp_issquare(input), and 11 | // fp_random(input); 12 | // This above functions must be implemented allowing that the output variable can be one of the inputs. 13 | 14 | #if defined P512 15 | #define N 74 // number of small odd primes l_i's in the factirization of (p+1) 16 | #define NUMBER_OF_WORDS 8 // Number of 64-bit words 17 | #define suffix "p512\0" 18 | 19 | #elif defined P1024 20 | #define N 130 // number of small odd primes l_i's in the factirization of (p+1) 21 | #define NUMBER_OF_WORDS 16 // Number of 64-bit words 22 | #define suffix "p1024\0" 23 | 24 | #elif defined P1792 25 | #define N 207 // number of small odd primes l_i's in the factirization of (p+1) 26 | #define NUMBER_OF_WORDS 28 // Number of 64-bit words 27 | #define suffix "p1792\0" 28 | 29 | #elif defined P2048 30 | #define N 231 // number of small odd primes l_i's in the factirization of (p+1) 31 | #define NUMBER_OF_WORDS 32 // Number of 64-bit words 32 | #define suffix "p2048\0" 33 | 34 | #elif defined P3072 35 | #define N 326 // number of small odd primes l_i's in the factirization of (p+1) 36 | #define NUMBER_OF_WORDS 48 // Number of 64-bit words 37 | #define suffix "p3072\0" 38 | 39 | #elif defined P4096 40 | #define N 417 // number of small odd primes l_i's in the factirization of (p+1) 41 | #define NUMBER_OF_WORDS 64 // Number of 64-bit words 42 | #define suffix "p4096\0" 43 | 44 | #elif defined P5120 45 | #define N 504 // number of small odd primes l_i's in the factirization of (p+1) 46 | #define NUMBER_OF_WORDS 80 // Number of 64-bit words 47 | #define suffix "p5120\0" 48 | 49 | #elif defined P6144 50 | #define N 590 // number of small odd primes l_i's in the factirization of (p+1) 51 | #define NUMBER_OF_WORDS 96 // Number of 64-bit words 52 | #define suffix "p6144\0" 53 | 54 | #elif defined P8192 55 | #define N 757 // number of small odd primes l_i's in the factirization of (p+1) 56 | #define NUMBER_OF_WORDS 128 // Number of 64-bit words 57 | #define suffix "p8192\0" 58 | 59 | #elif defined P9216 60 | #define N 838 // number of small odd primes l_i's in the factirization of (p+1) 61 | #define NUMBER_OF_WORDS 144 // Number of 64-bit words 62 | #define suffix "p9216\0" 63 | 64 | #endif 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /get-data-experiments: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p results 4 | 5 | bits=$1 6 | framework=`ls tmp/csidh-$bits-*` 7 | 8 | inputWD2="" 9 | inputWD1="" 10 | inputDF="" 11 | 12 | outputWD2="" 13 | outputWD1="" 14 | outputDF="" 15 | 16 | for style in $framework 17 | do 18 | # OAYT-style (wd2 configuration) 19 | if [[ "$style" == *"wd2"* ]] 20 | then 21 | inputWD2="$inputWD2 $style" 22 | STYLE=${style/tmp/results} 23 | STYLE=${STYLE/.h/.results} 24 | outputWD2="$outputWD2 $STYLE" 25 | fi 26 | # MCR-style (wd1 configuration) 27 | if [[ "$style" == *"wd1"* ]] 28 | then 29 | inputWD1="$inputWD1 $style" 30 | STYLE=${style/tmp/results} 31 | STYLE=${STYLE/.h/.results} 32 | outputWD1="$outputWD1 $STYLE" 33 | fi 34 | # Dummy-free-style (dummy-free configuration) 35 | if [[ "$style" == *"df"* ]] 36 | then 37 | inputDF="$inputDF $style" 38 | STYLE=${style/tmp/results} 39 | STYLE=${STYLE/.h/.results} 40 | outputDF="$outputDF $STYLE" 41 | fi 42 | done 43 | 44 | 45 | echo "======================" 46 | echo "Processing CSIDH-$bits" 47 | echo "--------------------------------" 48 | echo "Configurations to be considered (inputs):" 49 | echo "OAYT-style: $inputWD2" 50 | echo "MCR-style: $inputWD1" 51 | echo "Dummy-free-style: $inputDF" 52 | echo "Configurations to be considered (outputs):" 53 | echo "OAYT-style: $outputWD2" 54 | echo "MCR-style: $outputWD1" 55 | echo "DUmmy-free-style: $outputDF" 56 | 57 | # ---------------------- 58 | # Converting into arrays 59 | inputWD2=($inputWD2) 60 | outputWD2=($outputWD2) 61 | 62 | inputWD1=($inputWD1) 63 | outputWD1=($outputWD1) 64 | 65 | inputDF=($inputDF) 66 | outputDF=($outputDF) 67 | 68 | # Number of different configurations per style 69 | countWD2=${#inputWD2[@]} 70 | countWD1=${#inputWD1[@]} 71 | countDF=${#inputDF[@]} 72 | 73 | echo "" 74 | for i in `seq 1 $countWD2` 75 | do 76 | echo "" 77 | echo "=================================" 78 | echo ${inputWD2[$i-1]} 79 | echo ${outputWD2[$i-1]} 80 | echo "---------------------------------" 81 | cp ${inputWD2[$i-1]} include/strategy/csidh-$bits-wd2.h 82 | make bench BITS=$bits STYLE=wd2 CC=clang -B 83 | ./csidh-$bits-wd2.bench &> ${outputWD2[$i-1]} 84 | done 85 | 86 | echo "" 87 | for i in `seq 1 $countWD1` 88 | do 89 | echo "" 90 | echo "=================================" 91 | echo ${inputWD1[$i-1]} 92 | echo ${outputWD1[$i-1]} 93 | echo "---------------------------------" 94 | cp ${inputWD1[$i-1]} include/strategy/csidh-$bits-wd1.h 95 | make bench BITS=$bits STYLE=wd1 CC=clang -B 96 | ./csidh-$bits-wd1.bench &> ${outputWD1[$i-1]} 97 | done 98 | 99 | echo "" 100 | for i in `seq 1 $countDF` 101 | do 102 | echo "" 103 | echo "=================================" 104 | echo ${inputDF[$i-1]} 105 | echo ${outputDF[$i-1]} 106 | echo "---------------------------------" 107 | cp ${inputDF[$i-1]} include/strategy/csidh-$bits-df.h 108 | make bench BITS=$bits STYLE=df CC=clang -B 109 | ./csidh-$bits-df.bench &> ${outputDF[$i-1]} 110 | done 111 | -------------------------------------------------------------------------------- /main/csidh.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define _C_CODE_ 4 | #include "csidh.h" 5 | #include "cycle.h" 6 | 7 | int main() 8 | { 9 | ticks cc0, cc1; // for measuringthe clock cycles 10 | 11 | //------------------------------------------------------ 12 | // Key generation 13 | printf("\033[0;33m// --------------\033[0m\n"); 14 | printf("\033[0;33m// Key generation\033[0m\n"); 15 | 16 | // ---------- 17 | // Alice 18 | printf("\n\033[0;35m// Alice\033[0m\n"); 19 | priv a; 20 | pub A, ss_a; 21 | cc0 = getticks(); 22 | keygen(A, a); 23 | cc1 = getticks(); 24 | sk_print(a, "sk_a"); 25 | pk_print(A, "pk_a"); 26 | printf("Running-time (millions): %2.03lfM + %2.03lfS + %2.03lfa = \033[1;35m%2.03lfM\033[0m\n", (1.0 * fpmul) / 1000000.0, (1.0 * fpsqr) / 1000000.0, (1.0 * fpadd) / 1000000.0, (1.0 * (fpmul + fpsqr)) / 1000000.0); 27 | printf("Clock cycles (millions): \033[1;35m%7.03lf\033[0m\n", ( 1.0 * (cc1 - cc0)) / 1000000.0); 28 | 29 | // ---------- 30 | // Bob 31 | printf("\n\033[0;34m// Bob\033[0m\n"); 32 | priv b; 33 | pub B, ss_b; 34 | cc0 = getticks(); 35 | keygen(B, b); 36 | cc1 = getticks(); 37 | sk_print(b, "sk_b"); 38 | pk_print(B, "pk_b"); 39 | printf("Running-time (millions): %2.03lfM + %2.03lfS + %2.03lfa = \033[1;34m%2.03lfM\033[0m\n", (1.0 * fpmul) / 1000000.0, (1.0 * fpsqr) / 1000000.0, (1.0 * fpadd) / 1000000.0, (1.0 * (fpmul + fpsqr)) / 1000000.0); 40 | printf("Clock cycles (millions): \033[1;34m%7.03lf\033[0m\n", ( 1.0 * (cc1 - cc0)) / 1000000.0); 41 | 42 | //------------------------------------------------------ 43 | // Secret sharing derivation 44 | printf("\n\033[0;33m// -------------------------\033[0m\n"); 45 | printf("\033[0;33m// Secret sharing generation\033[0m\n"); 46 | 47 | // ---------------- 48 | // Alice 49 | printf("\n\033[0;35m// Alice\033[0m\n"); 50 | cc0 = getticks(); 51 | assert(derive(ss_a, B, a)); 52 | cc1 = getticks(); 53 | pk_print(ss_a, "ss_a"); 54 | printf("Running-time (millions) [without validation]: %2.03lfM + %2.03lfS + %2.03lfa = \033[1;35m%2.03lfM\033[0m\n", 55 | (1.0 * fpmul) / 1000000.0, (1.0 * fpsqr) / 1000000.0, (1.0 * fpadd) / 1000000.0, (1.0 * (fpmul + fpsqr)) / 1000000.0); 56 | printf("Clock cycles (millions) [including validation]: \033[1;35m%7.03lf\033[0m\n", ( 1.0 * (cc1 - cc0)) / 1000000.0); 57 | 58 | // ---------------- 59 | // Bob 60 | printf("\n\033[0;34m// Bob\033[0m\n"); 61 | cc0 = getticks(); 62 | assert(derive(ss_b, A, b)); 63 | cc1 = getticks(); 64 | pk_print(ss_b, "ss_b"); 65 | printf("Running-time (millions) [without validation]: %2.03lfM + %2.03lfS + %2.03lfa = \033[1;34m%2.03lfM\033[0m\n", 66 | (1.0 * fpmul) / 1000000.0, (1.0 * fpsqr) / 1000000.0, (1.0 * fpadd) / 1000000.0, (1.0 * (fpmul + fpsqr)) / 1000000.0); 67 | printf("Clock cycles (millions) [including validation]: \033[1;34m%7.03lf\033[0m\n", ( 1.0 * (cc1 - cc0)) / 1000000.0); 68 | 69 | // ============================= 70 | // Verifying same secret sharing 71 | assert( fp_isequal(ss_a, ss_b) ); 72 | 73 | //------------------------------------------------------ 74 | printf("\n\033[0;32m// Successfully secret sharing computation!\033[0m\n"); 75 | return 0; 76 | } 77 | -------------------------------------------------------------------------------- /include/csidh.h: -------------------------------------------------------------------------------- 1 | #ifndef _CSIDH_H_ 2 | #define _CSIDH_H_ 3 | 4 | #include "isog.h" 5 | 6 | typedef int8_t priv[N]; // secret keys corresponds with integer vectors of dimension N 7 | typedef fp pub; // public keys corresponds with affine Montgomery curve coefficients 8 | 9 | void strategy_evaluation(proj B, int8_t e[], proj const *P, proj const A, uint8_t const j, int8_t m[]); // strategy evaluation 10 | void gae(fp b, int8_t const v[], fp const a); // group action evaluation 11 | 12 | void skgen(priv sk); // secret key generation 13 | void pkgen(pub pk, priv const sk); // public key generation 14 | void keygen(pub pk, priv sk); // key generation (both secret and public keys are generated) 15 | bool derive(pub ss, pub const pk, priv const sk); // secret sharing derivation 16 | 17 | void sk_print(priv const a, char *c); 18 | void pk_print(pub const a, char *c); 19 | // ---------------------------------------------------- 20 | // ---------------------------------------------------- 21 | 22 | // decision bit b has to be either 0 or 1 23 | static inline void cmov(int8_t *r, const int8_t a, uint32_t b) 24 | { 25 | uint32_t t; 26 | b = -b; // Now b is either 0 or 0xffffffff 27 | t = (*r ^ a) & b; 28 | *r ^= t; 29 | } 30 | 31 | // check if a and b are equal in constant time 32 | static inline uint32_t isequal(uint32_t a, uint32_t b) 33 | { 34 | //size_t i; 35 | uint32_t r = 0; 36 | unsigned char *ta = (unsigned char *)&a; 37 | unsigned char *tb = (unsigned char *)&b; 38 | r = (ta[0] ^ tb[0]) | (ta[1] ^ tb[1]) | (ta[2] ^ tb[2]) | (ta[3] ^ tb[3]); 39 | r = (-r); 40 | r = r >> 31; 41 | return (uint32_t)(1-r); 42 | } 43 | 44 | // get priv[pos] in constant time 45 | static inline uint32_t lookup(size_t pos, int8_t const priv[]) 46 | { 47 | int b; 48 | int8_t r = priv[0]; 49 | for(size_t i = 1; i < N; i++) 50 | { 51 | b = isequal(i, pos); 52 | cmov(&r, priv[i], b); 53 | } 54 | return r; 55 | } 56 | 57 | // constant-time comparison: 1 if x < y, 0 otherwise. 58 | static inline int32_t issmaller(int32_t x, int32_t y) 59 | { 60 | int32_t xy = x ^ y; 61 | int32_t c = x - y; 62 | c ^= xy & (c ^ x); 63 | c = c >> 31; 64 | return 1 - (uint32_t)(1 + c); 65 | } 66 | 67 | // constant-time sign computation 68 | static inline int8_t sign(int8_t const e) 69 | { 70 | int b; 71 | int8_t r = 0; 72 | 73 | // Is e a negative integer? 74 | b = issmaller(e, 0); 75 | cmov(&r, -1, b); 76 | 77 | // Is e a positive integer? 78 | b = issmaller(0, e); 79 | cmov(&r, 1, b); 80 | 81 | return r; // Now, r has the sign of e 82 | } 83 | 84 | // priv[pos] is updated in constant-time with the value in e 85 | static inline void update(size_t pos, int8_t const e, int8_t priv[]) 86 | { 87 | int b; 88 | for(size_t i = 0; i < N; i++) 89 | { 90 | b = isequal(i, pos); 91 | cmov(&priv[i], e, b); 92 | } 93 | } 94 | 95 | #endif 96 | -------------------------------------------------------------------------------- /include/ijk/p1024.h: -------------------------------------------------------------------------------- 1 | #ifndef _IJK_p1024_H_ 2 | #define _IJK_p1024_H_ 3 | 4 | #ifdef _MONT_C_CODE_ 5 | // The list of the bitlength of each SOP 6 | static uint64_t bL[] = { 7 | 2, 3, 3, 4, 4, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8 | 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9 | 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10 10 | }; 11 | #endif 12 | 13 | #ifdef _ISOG_H_ 14 | 15 | // The list of Small Odd Primes (SOPs) is stored such that l_0 < l_1 < ... < l_{n-1} 16 | static uint64_t L[] = { 17 | 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97,101,103,107,109,113,127,131,137,139,149,151,157,163,167,173,179,181,191,193,197, 18 | 199,211,223,227,229,233,239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359,367,373,379,383,389,397,401,409,419,421,431,433,439,443,449,457,461, 19 | 463,467,479,487,491,499,503,509,521,523,541,547,557,563,569,571,577,587,593,599,601,607,613,617,619,631,641,643,647,653,659,661,673,677,683,691,701,709,719,727,733,983 20 | }; 21 | 22 | #ifndef _C_CODE_ 23 | // Sizes for the sets I, J, and K required in the new velusqrt formulae 24 | static int sizeI[] = { 25 | 0, 1, 1, 2, 3, 2, 2, 2, 3, 3, 4, 3, 5, 5, 4, 4, 5, 4, 4, 4, 4, 5, 5, 6, 6, 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 6, 8, 8, 7, 7, 7, 7, 8, 8, 26 | 8, 7, 9, 8, 8, 8, 8, 10, 10, 8, 8, 8, 8, 8, 8, 10, 9, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 12, 11, 11, 11, 13, 13, 13, 12, 12, 11, 11, 14, 14, 27 | 14, 14, 13, 12, 11, 11, 11, 14, 13, 13, 13, 17, 17, 14, 14, 14, 12, 12, 12, 12, 12, 12, 12, 14, 14, 13, 13, 13, 13, 13, 13, 15, 14, 14, 14, 14, 14, 14, 14, 15, 14, 16 28 | }; 29 | static int sizeJ[] = { 30 | 0, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 6, 5, 5, 6, 6, 6, 6, 6, 6, 31 | 6, 7, 6, 7, 7, 7, 7, 6, 6, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 8, 8, 8, 9, 9, 10, 10, 8, 8, 32 | 8, 8, 9, 10, 11, 11, 11, 9, 10, 10, 10, 8, 8, 10, 10, 10, 12, 12, 12, 12, 12, 12, 12, 11, 11, 12, 12, 12, 12, 12, 12, 11, 12, 12, 12, 12, 12, 12, 12, 12, 13, 15 33 | }; 34 | static int sizeK[] = { 35 | 1, 0, 1, 1, 0, 0, 1, 3, 2, 3, 2, 2, 1, 3, 2, 5, 0, 1, 3, 4, 7, 1, 4, 0, 2, 3, 5, 6, 0, 3, 5, 8, 9, 2, 3, 6, 1, 3, 2, 5, 6, 11, 0, 2, 36 | 3, 7, 3, 1, 2, 4, 7, 0, 5, 0, 3, 6, 7, 10, 12, 1, 2, 9, 11, 12, 14, 5, 8, 13, 14, 0, 3, 7, 10, 13, 15, 2, 0, 2, 6, 1, 2, 7, 0, 3, 1, 4, 4, 6, 37 | 7, 9, 5, 3, 3, 7, 9, 2, 0, 1, 10, 1, 6, 1, 4, 5, 0, 5, 8, 11, 12, 15, 18, 0, 1, 3, 8, 9, 11, 14, 17, 0, 0, 2, 5, 9, 14, 18, 23, 3, 2, 11 38 | }; 39 | #endif 40 | 41 | #define sI_max 17 42 | #define sJ_max 15 43 | #define sK_max 492 44 | #endif 45 | 46 | #endif /* required framework for the #I, #J, and #K, which is used in new velusqrt fomurlae on CSIDH-1024 */ 47 | -------------------------------------------------------------------------------- /tmp/csidh-1792-wd2-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184, 17 | 183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161, 18 | 160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 26, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 17, 8, 7, 6, 5, 4, 3, 2, 1, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-1792 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-1792-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184, 17 | 183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161, 18 | 160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 26, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 17, 8, 7, 6, 5, 4, 3, 2, 1, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-1792 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-2048-wd2-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200, 17 | 199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169, 18 | 168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 5, 4, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-2048 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-2048-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200, 17 | 199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169, 18 | 168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 5, 4, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-2048 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/fp.h: -------------------------------------------------------------------------------- 1 | #ifndef _FP_H_ 2 | #define _FP_H_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include 11 | 12 | #define __STDC_FORMAT_MACROS 13 | #include 14 | 15 | #include "rng.h" // Random Number Generator 16 | #include "primes.h" // Framework: N, prime label, and number of 64-bit words required for representing a field element 17 | 18 | // (64 x NUMBER_OF_WORDS)-bits integer number in Montgomery domain 19 | typedef uint64_t fp[NUMBER_OF_WORDS]; 20 | 21 | // ------------------------------------- 22 | // big unsigned add and sub implementation 23 | extern const fp uintbig_1; 24 | 25 | bool uintbig_bit(fp const x, uint64_t k); 26 | bool uintbig_add(fp x, fp const y, fp const z); /* returns carry */ 27 | bool uintbig_sub(fp x, fp const y, fp const z); /* returns borrow */ 28 | 29 | // ------------------------------------- 30 | extern const fp p; // field characteristic 31 | extern const fp fp_1; // 1 in the Montgomery domain 32 | extern const fp fp_0; // 0 in the Montgomery domain 33 | extern const fp p_minus_1_halves; // (p - 1)/2 used for find a random fp element 2 <= u <= (p-1)/2 34 | extern const fp p_minus_3_quarters; // (p - 3)/4 used in fp2_issquare() 35 | 36 | extern uint64_t fpadd; // counter of fp-additions 37 | extern uint64_t fpsqr; // counter of fp-squarings 38 | extern uint64_t fpmul; // counter of fp-multiplications 39 | 40 | static inline void init_counters(void) 41 | { 42 | fpadd = 0; 43 | fpsqr = 0; 44 | fpmul = 0; 45 | } 46 | 47 | // All operations are perfomed in the Montgomery domain 48 | void fp_enc(fp a, fp const b); // from fp into Montgomery domain 49 | void fp_dec(fp a, fp const b); // from Montgomery domain into fp 50 | void fp_cswap(fp a, fp b, uint8_t c); 51 | 52 | void fp_add(fp c, const fp a, const fp b); // a + a 53 | void fp_sub(fp c, const fp a, const fp b); // a - b 54 | void fp_mul(fp c, const fp a, const fp b); // a * b 55 | void fp_sqr(fp b, const fp a); // a ^ 2 56 | void fp_pow(fp b, const fp e, const fp a); // a ^ e 57 | void fp_inv(fp a); // 1 / a 58 | 59 | uint8_t fp_issquare(fp const a); // Legendre symbol 60 | void fp_copy(fp b, const fp a); // copy of elements in fp 61 | void fp_random(fp a); // this function should be modified in order to have a better random function: e.g., shake256. 62 | 63 | // set to zero 64 | static inline void fp_set0(fp a) 65 | { 66 | fp_copy(a, fp_0); 67 | } 68 | 69 | // set to one 70 | static inline void uintbig_set1(fp a) 71 | { 72 | fp_copy(a, uintbig_1); 73 | } 74 | 75 | // set to one in mongotmery domnain 76 | static inline void fp_set1(fp a) 77 | { 78 | fp_copy(a, fp_1); 79 | } 80 | 81 | // constant-time check of a < b 82 | static inline uint64_t fp_issmaller(fp const a, fp const b) 83 | { 84 | int i; 85 | int64_t r = 0, ab, c; 86 | 87 | for (i = 0; i < NUMBER_OF_WORDS; i++) 88 | { 89 | 90 | ab = a[i] ^ b[i]; 91 | c = a[i] - b[i]; 92 | c ^= ab & (c ^ a[i]); 93 | c = (c >> 63); 94 | r |= c; 95 | }; 96 | 97 | return 1 - (uint64_t)(r + 1); 98 | } 99 | 100 | // constant-time check of a == b 101 | static inline uint64_t fp_isequal(fp const a, fp const b) 102 | { 103 | int i; 104 | uint64_t r = 0, t; 105 | 106 | for (i = 0; i < NUMBER_OF_WORDS; i++) 107 | { 108 | t = 0; 109 | unsigned char *ta = (unsigned char *)&a[i]; 110 | unsigned char *tb = (unsigned char *)&b[i]; 111 | t = (ta[0] ^ tb[0]) | (ta[1] ^ tb[1]) | (ta[2] ^ tb[2]) | (ta[3] ^ tb[3]) | (ta[4] ^ tb[4]) | (ta[5] ^ tb[5]) | (ta[6] ^ tb[6]) | (ta[7] ^ tb[7]); 112 | 113 | t = (-t); 114 | t = t >> 63; 115 | r |= t; 116 | }; 117 | 118 | return (uint64_t)(1 - r); 119 | } 120 | 121 | // constant-time check of a == 0 122 | static inline int fp_iszero(fp const a) 123 | { 124 | int i; 125 | uint64_t c = 0; 126 | for (i=NUMBER_OF_WORDS-1; i >= 0; i--) 127 | c |= a[i]; 128 | return (c == 0); 129 | } 130 | 131 | // constant-time check of a == R mod p (one in Montogmery domain) 132 | static inline uint64_t fp_isone(fp const a) 133 | { 134 | return fp_isequal(a, fp_1); 135 | } 136 | 137 | #endif /* fp */ 138 | -------------------------------------------------------------------------------- /include/sdacs/p512.h: -------------------------------------------------------------------------------- 1 | #ifndef _SDACS_p512_H_ 2 | #define _SDACS_p512_H_ 3 | 4 | #define cofactor 2 // Exponent of 2 in the factorization of (p + 1) 5 | 6 | #ifdef _MONT_C_CODE_ 7 | #define UPPER_BOUND 276 // Bits of 4 * sqrt( [p + 1] / [2^e] ) 8 | 9 | // Recall, the list of Small Odd Primes (SOPs) is stored such that l_0 < l_1 < ... < l_{n-1} 10 | 11 | // The list of Shortest Differential Addition Chains (SDACs) corresponding with each l_i 12 | static int LENGTHS[] = { 13 | 0, 1, 2, 3, 3, 4, 4, 5, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 8, 7, 8, 8, 14 | 8, 8, 8, 9, 9, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 9, 10, 10, 10, 10, 9, 15 | 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 10, 11, 11, 11, 11, 11, 11, 12 16 | }; 17 | 18 | static char SDAC0[1]; 19 | static char SDAC1[] = "0"; 20 | static char SDAC2[] = "10"; 21 | static char SDAC3[] = "100"; 22 | static char SDAC4[] = "000"; 23 | static char SDAC5[] = "1010"; 24 | static char SDAC6[] = "0100"; 25 | static char SDAC7[] = "11000"; 26 | static char SDAC8[] = "10000"; 27 | static char SDAC9[] = "01000"; 28 | static char SDAC10[] = "110000"; 29 | static char SDAC11[] = "101010"; 30 | static char SDAC12[] = "100010"; 31 | static char SDAC13[] = "100000"; 32 | static char SDAC14[] = "1101010"; 33 | static char SDAC15[] = "1011000"; 34 | static char SDAC16[] = "1010001"; 35 | static char SDAC17[] = "1001000"; 36 | static char SDAC18[] = "1010000"; 37 | static char SDAC19[] = "0010100"; 38 | static char SDAC20[] = "0010000"; 39 | static char SDAC21[] = "11010010"; 40 | static char SDAC22[] = "0000000"; 41 | static char SDAC23[] = "11000000"; 42 | static char SDAC24[] = "10100100"; 43 | static char SDAC25[] = "00110000"; 44 | static char SDAC26[] = "01100000"; 45 | static char SDAC27[] = "10000100"; 46 | static char SDAC28[] = "111010000"; 47 | static char SDAC29[] = "110100001"; 48 | static char SDAC30[] = "01000000"; 49 | static char SDAC31[] = "110101000"; 50 | static char SDAC32[] = "110000100"; 51 | static char SDAC33[] = "110100000"; 52 | static char SDAC34[] = "010110100"; 53 | static char SDAC35[] = "110000000"; 54 | static char SDAC36[] = "100101000"; 55 | static char SDAC37[] = "100001010"; 56 | static char SDAC38[] = "011000000"; 57 | static char SDAC39[] = "100010000"; 58 | static char SDAC40[] = "100000010"; 59 | static char SDAC41[] = "010001000"; 60 | static char SDAC42[] = "010000010"; 61 | static char SDAC43[] = "1100010001"; 62 | static char SDAC44[] = "100000000"; 63 | static char SDAC45[] = "1100010100"; 64 | static char SDAC46[] = "1011000100"; 65 | static char SDAC47[] = "1100001000"; 66 | static char SDAC48[] = "1100010000"; 67 | static char SDAC49[] = "000000000"; 68 | static char SDAC50[] = "1010101010"; 69 | static char SDAC51[] = "1101000000"; 70 | static char SDAC52[] = "1000101010"; 71 | static char SDAC53[] = "1010000001"; 72 | static char SDAC54[] = "1001010000"; 73 | static char SDAC55[] = "1000101000"; 74 | static char SDAC56[] = "1010001000"; 75 | static char SDAC57[] = "1010100000"; 76 | static char SDAC58[] = "0101001000"; 77 | static char SDAC59[] = "1001000000"; 78 | static char SDAC60[] = "1000000010"; 79 | static char SDAC61[] = "0100001000"; 80 | static char SDAC62[] = "0010100000"; 81 | static char SDAC63[] = "0001010000"; 82 | static char SDAC64[] = "0101000000"; 83 | static char SDAC65[] = "11010101000"; 84 | static char SDAC66[] = "0000100000"; 85 | static char SDAC67[] = "10101101000"; 86 | static char SDAC68[] = "10110101000"; 87 | static char SDAC69[] = "10110010000"; 88 | static char SDAC70[] = "11001000000"; 89 | static char SDAC71[] = "10110000010"; 90 | static char SDAC72[] = "10101001010"; 91 | static char SDAC73[] = "101100010000"; 92 | 93 | static char *SDACs[N] = { 94 | SDAC0, SDAC1, SDAC2, SDAC3, SDAC4, SDAC5, SDAC6, SDAC7, SDAC8, SDAC9, SDAC10, SDAC11, SDAC12, SDAC13, SDAC14, SDAC15, SDAC16, SDAC17, SDAC18, SDAC19, SDAC20, SDAC21, SDAC22, SDAC23, SDAC24, 95 | SDAC25, SDAC26, SDAC27, SDAC28, SDAC29, SDAC30, SDAC31, SDAC32, SDAC33, SDAC34, SDAC35, SDAC36, SDAC37, SDAC38, SDAC39, SDAC40, SDAC41, SDAC42, SDAC43, SDAC44, SDAC45, SDAC46, SDAC47, SDAC48, SDAC49, 96 | SDAC50, SDAC51, SDAC52, SDAC53, SDAC54, SDAC55, SDAC56, SDAC57, SDAC58, SDAC59, SDAC60, SDAC61, SDAC62, SDAC63, SDAC64, SDAC65, SDAC66, SDAC67, SDAC68, SDAC69, SDAC70, SDAC71, SDAC72, SDAC73 97 | }; 98 | #endif 99 | 100 | #endif /* required framework for the SDACs, which is used in CSIDH-512 */ 101 | -------------------------------------------------------------------------------- /tmp/csidh-2048-wd1-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 230,229,228,227, 17 | 226,225,224,223, 18 | 222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 154, 40, 14, 6, 3, 2, 1, 1, 2, 1, 4, 1, 3, 2, 1, 10, 3, 2, 1, 7, 2, 1, 5, 1, 4, 3, 2, 1, 30, 7, 2, 1, 6, 5, 4, 3, 2, 1, 23, 6, 5, 4, 3, 2, 1, 18, 4, 3, 2, 1, 14, 3, 2, 1, 11, 2, 1, 9, 1, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 5, 4, 3, 2, 1, 22 | 18, 4, 3, 2, 1, 15, 2, 1, 13, 1, 11, 1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,107, 15, 2, 1, 13, 1, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 93, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 81, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 70, 10, 9, 8, 7, 6, 5, 4, 23 | 3, 2, 1, 60, 9, 8, 7, 6, 5, 4, 3, 2, 1, 51, 8, 7, 6, 5, 4, 3, 2, 1, 43, 7, 6, 5, 4, 3, 2, 1, 36, 6, 5, 4, 3, 2, 1, 30, 5, 4, 3, 2, 1, 25, 4, 3, 2, 1, 22, 2, 1, 20, 1, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 60 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-2048 using MCR-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-2048-df-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 230,229,228,227, 17 | 226,225,224,223, 18 | 222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 149, 42, 16, 6, 4, 3, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 10, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 30, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 21, 8, 7, 6, 5, 4, 3, 2, 1, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 22 | 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,103, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 84, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 68, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 23 | 5, 4, 3, 2, 1, 54, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 42, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 60 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-2048 using dummy-free-style */ 64 | -------------------------------------------------------------------------------- /quantum-cost-estimation/README.md: -------------------------------------------------------------------------------- 1 | # Large-prime Kuberberg Sieve Cost Estimator # 2 | 3 | This code estimates the costs to find a hidden shift of an imaginary quadratic order, i.e., to break CSIDH and related schemes, under a range of depth limits. 4 | 5 | To run: 6 | 7 | `python3 c-sieve-estimator.py` 8 | 9 | This will first validate the number of oracle calls and collimations against Peikert's results, then produce severl csv files. Files ending in "\_dw.csv" optimize for depth * width; others optimize for the total number of logical gates. Suffixes of 0, 1, 2, and 3 refer to the targeted NIST levels, and account for potentitally different hardware limits (currently all are 2^80). "\_unlimited" means no hardware limit. 10 | 11 | In either case, the outputs are (all in log base 2 unless specified otherwise): 12 | 13 | - Prime: The bit-length of the prime field (so the class group has a size with half of this bitlength) 14 | - MaxDepth: The maximum depth allowed for this instance 15 | - Gates/DW-cost: The total cost in logical gates, or units of logical depth * width (including a 2^10 overhead for error correction) 16 | - Depth: The total circuit depth 17 | - Width: Total number of logical qubits 18 | - Oracle calls: Total number of oracle calls (evaluation of the isogeny action in superposition) 19 | - Sieve depth: The height of the tree of collimations, not expressed in log base 2 20 | - Collimations: Total number of collimations 21 | - Vector length: The length of phase vectors input into each collimation. This is also the number of phases that must be stored in classical memory. Note that this means each phase vector requires this many qubits (i.e., "25" means 25 qubits needed, but this stores a superposition of 2^25 phases, which must all be stored in classical memory). 22 | - Arity: The arity of the tree of collimations, meaning the number of phase vectors that are collimated simultaneously. 23 | 24 | The remainder of the columns are extra data including the type of memory access circuit used, how much collimation parallelization was needed, and the strategy to compute the permutation. 25 | 26 | ## Script details ## 27 | `Estimate_and_write` organizes the estimate: For all primes in a range, it calls `CSIDH_depth_costs` to return a list of estimates at different depths. `CSIDH_depth_costs` iterates over all possible vector lengths L and arities r, checks the cost, and saves the lowest cost. For each value, it calls `CSIDH_break_cost`, which computes the number of full sieve runs needed until the remaining bits can be solved with a brute-force search, then computes the cost of each run with `depth_limited_cost`. `depth_limited_cost` computes the cost of a sieve under a depth limit, arranging how to parallelize collimations and oracle calls. 28 | 29 | The main data structure is `QuantumCost`, which stores the gates, depth, width, and ancilla of a quantum operation. These can be combined in serial or parallel. 30 | 31 | To find collimation costs, the script fills two global dictionaries, `lookup_costs` and `unlookup_costs`, which give the optimal look-up costs subject to depth constraints. Once these are filled, it will reference them until it is finished estimates for a particular prime size. 32 | 33 | ## Magic Constants ## 34 | 35 | The script has several parameters, set as constants at the beginning of the script. 36 | 37 | - COST_METRIC: Do we count all gates equally (set COST_METRIC = ALL_GATES), or only count T gates (set COST_METRIC = T_GATES)? 38 | - COST_MODEL: Do we optimize for G-cost or DW-cost? 39 | - QUANTUM_OVERHEAD: When computing DW cost from a `QuantumCost` object, it adds this overhead to represent error correction. 40 | - Gate constants: These are the costs for fundamental gates, such as Toffoli, Swap, or CNOT. Mainly these are helpful when switching between costing only T gates or all gates. 41 | - SPATIAL_CONSTANT and SPATIAL_EXPONENT: For access to n bits of memory, it adds a depth of (SPATIAL_CONSTANT * n)^SPATIAL_EXPONENT, to represent latency. 42 | - MAX_CLASSICAL_MEMORY: The total amount of classical hardware (bits or processors, weighted equally) available. This also gives the maximum quantum memory, given by the quantum overhead. 43 | 44 | Other constants 45 | - LOG_ADD_THRESHOLD: All arithmetic is done with numbers expressed as log base 2. The `log_add` function computes `lg(2^x+2^y)` for x and y, but if `|x - y| >= LOG_ADD_THRESHOLD` then it simply returns the larger number. Lower values mean the estimator runs faster, but with slightly reduced accuracy 46 | - TOLERANCE: The tolerance when comparing costs; if the difference between two costs is within `TOLERANCE`, it regards them as equal. 47 | 48 | ## Modifications ## 49 | To test other prime sizes, change `p_range` at line 787. 50 | 51 | The function `get_oracle_cost` returns the cost of the oracle. Currently it returns a a cost of 1 gate, but could be modified to return a real cost. -------------------------------------------------------------------------------- /tmp/csidh-3072-wd2-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263, 17 | 262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200, 18 | 199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 3, 2, 1, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-3072 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/ijk/p1792.h: -------------------------------------------------------------------------------- 1 | #ifndef _IJK_p1792_H_ 2 | #define _IJK_p1792_H_ 3 | 4 | #ifdef _MONT_C_CODE_ 5 | // The list of the bitlength of each SOP 6 | static uint64_t bL[] = { 7 | 2, 3, 3, 4, 4, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 8 | 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 9 | 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11 10 | }; 11 | #endif 12 | 13 | #ifdef _ISOG_H_ 14 | 15 | // The list of Small Odd Primes (SOPs) is stored such that l_0 < l_1 < ... < l_{n-1} 16 | static uint64_t L[] = { 17 | 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97,101,103,107,109,113,127,131,137,139,151,157,163,167,173,179,181,191,193,197,199,211,223,227,229,233,239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359, 18 | 367,373,379,383,389,397,401,409,419,421,431,433,439,443,449,457,461,463,467,479,487,491,499,503,509,521,523,541,547,557,563,569,571,577,587,593,599,601,607,613,617,619,631,641,643,647,653,659,661,673,677,683,691,701,709,719,727,733,739,743,751,757,761,769,773,787,797,809,811,821, 19 | 823,827,829,839,853,857,859,863,877,881,883,887,907,911,919,929,937,941,947,953,967,971,977,983,991,997,1009,1013,1019,1021,1031,1033,1039,1049,1051,1061,1063,1069,1087,1091,1093,1097,1103,1109,1117,1123,1129,1151,1153,1163,1171,1181,1187,1193,1201,1213,1217,1223,1229,1231,1237,1249,1259,1277,1279,1283,1289 20 | }; 21 | 22 | #ifndef _C_CODE_ 23 | // Sizes for the sets I, J, and K required in the new velusqrt formulae 24 | static int sizeI[] = { 25 | 0, 1, 1, 2, 3, 2, 2, 2, 3, 3, 4, 3, 5, 5, 4, 4, 5, 4, 4, 4, 4, 5, 5, 6, 6, 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 8, 8, 7, 7, 7, 7, 8, 8, 8, 7, 9, 8, 8, 8, 8, 10, 10, 8, 8, 8, 8, 8, 8, 10, 9, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 26 | 11, 11, 11, 11, 12, 11, 11, 11, 13, 13, 13, 12, 12, 11, 11, 14, 14, 14, 14, 13, 12, 11, 11, 11, 14, 13, 13, 13, 17, 17, 14, 14, 14, 12, 12, 12, 12, 12, 12, 12, 14, 14, 13, 13, 13, 13, 13, 13, 15, 14, 14, 14, 14, 14, 14, 14, 15, 14, 14, 14, 14, 14, 14, 16, 16, 14, 14, 14, 14, 17, 27 | 17, 17, 17, 16, 15, 15, 15, 15, 18, 18, 18, 17, 15, 15, 19, 19, 18, 18, 18, 17, 16, 16, 16, 16, 19, 19, 18, 18, 18, 17, 16, 16, 16, 16, 16, 16, 16, 19, 18, 17, 17, 17, 17, 17, 17, 17, 17, 19, 18, 18, 18, 18, 18, 18, 20, 20, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20 28 | }; 29 | static int sizeJ[] = { 30 | 0, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 6, 7, 7, 7, 7, 6, 6, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 31 | 8, 8, 8, 8, 8, 9, 9, 9, 8, 8, 8, 9, 9, 10, 10, 8, 8, 8, 8, 9, 10, 11, 11, 11, 9, 10, 10, 10, 8, 8, 10, 10, 10, 12, 12, 12, 12, 12, 12, 12, 11, 11, 12, 12, 12, 12, 12, 12, 11, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 12, 12, 14, 14, 14, 14, 12, 32 | 12, 12, 12, 13, 14, 14, 14, 14, 12, 12, 12, 13, 15, 15, 12, 12, 13, 13, 13, 14, 15, 15, 15, 15, 13, 13, 14, 14, 14, 15, 16, 16, 16, 16, 16, 16, 16, 14, 15, 16, 16, 16, 16, 16, 16, 16, 16, 15, 16, 16, 16, 16, 16, 16, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16 33 | }; 34 | static int sizeK[] = { 35 | 1, 0, 1, 1, 0, 0, 1, 3, 2, 3, 2, 2, 1, 3, 2, 5, 0, 1, 3, 4, 7, 1, 4, 0, 2, 3, 5, 6, 0, 3, 5, 8, 9, 3, 6, 1, 3, 2, 5, 6, 11, 0, 2, 3, 7, 3, 1, 2, 4, 7, 0, 5, 0, 3, 6, 7, 10, 12, 1, 2, 9, 11, 12, 14, 5, 8, 13, 14, 0, 3, 36 | 7, 10, 13, 15, 2, 0, 2, 6, 1, 2, 7, 0, 3, 1, 4, 4, 6, 7, 9, 5, 3, 3, 7, 9, 2, 0, 1, 10, 1, 6, 1, 4, 5, 0, 5, 8, 11, 12, 15, 18, 0, 1, 3, 8, 9, 11, 14, 17, 0, 0, 2, 5, 9, 14, 18, 23, 3, 2, 5, 7, 11, 14, 16, 0, 2, 1, 6, 12, 13, 2, 37 | 3, 5, 6, 3, 6, 8, 9, 11, 6, 8, 9, 1, 3, 5, 3, 8, 0, 2, 5, 0, 3, 5, 8, 11, 1, 4, 0, 2, 5, 0, 3, 4, 7, 12, 13, 18, 19, 2, 3, 1, 2, 4, 7, 10, 14, 17, 20, 5, 0, 5, 9, 14, 17, 20, 0, 6, 0, 3, 6, 7, 10, 16, 21, 30, 31, 1, 4 38 | }; 39 | #endif 40 | 41 | #define sI_max 20 42 | #define sJ_max 16 43 | #define sK_max 645 44 | #endif 45 | 46 | #endif /* required framework for the #I, #J, and #K, which is used in new velusqrt fomurlae on CSIDH-1792 */ 47 | -------------------------------------------------------------------------------- /include/strategy/csidh-3072-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263, 17 | 262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200, 18 | 199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 3, 2, 1, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-3072 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /prime-search.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import json 3 | import random 4 | from functools import reduce 5 | from progress.bar import Bar 6 | 7 | bitlength = lambda x: len(bin(x)[2:]) # number of bits 8 | 9 | # -------------------------------------------------------------------------------------------------------------------------------- 10 | # Checking if p is composite 11 | 12 | def _try_composite(a, d, n, s): 13 | if pow(a, d, n) == 1: 14 | return False 15 | for i in range(s): 16 | if pow(a, 2**i * d, n) == n-1: 17 | return False 18 | return True # n is definitely composite 19 | 20 | def is_prime(n): 21 | """ 22 | Miller-Rabin primality test. 23 | 24 | A return value of False means n is certainly not prime. A return value of 25 | True means n is very likely a prime. 26 | """ 27 | if n!=int(n): 28 | return False 29 | n=int(n) 30 | #Miller-Rabin test for prime 31 | if n==0 or n==1 or n==4 or n==6 or n==8 or n==9: 32 | return False 33 | 34 | if n==2 or n==3 or n==5 or n==7: 35 | return True 36 | s = 0 37 | d = n-1 38 | while d%2==0: 39 | d>>=1 40 | s+=1 41 | assert(2**s * d == n-1) 42 | 43 | def trial_composite(a): 44 | if pow(a, d, n) == 1: 45 | return False 46 | for i in range(s): 47 | if pow(a, 2**i * d, n) == n-1: 48 | return False 49 | return True 50 | 51 | for i in range(128): #number of trials 52 | a = random.randrange(2, n) 53 | if trial_composite(a): 54 | return False 55 | 56 | return True 57 | 58 | # n SOP will be required, and the corresponding prime number must has b bits 59 | if( (len(sys.argv) != 2) ): 60 | print(" ,-~~-.___.") 61 | print(" / | ' \\ SYNTAX ERROR ..., ") 62 | print("( ) 0 Expected syntax:\tpython3 b" %sys.argv[0]) 63 | print(" \_/-, ,----' \t\t n ") 64 | print(" ==== // \t\t ~~~~~~~~~") 65 | print(" / \-'~; /~~~(O) \t\t | | ") 66 | print(" / __/~| / | \twhere\tp = 2^{MOD x k} x | | l_j - 1 is a b-bit prime number for some positive integer k") 67 | print("=( _____| (_________| \t\t j=1") 68 | exit(-1) 69 | 70 | b = int(sys.argv[1]) - 1# Bitlength of p 71 | 72 | # ------------------------------------------------------ 73 | # List of small odd primes that makes p to fit in b-bits 74 | L = [] 75 | l = 3 76 | L.append(l) 77 | while bitlength(4 * reduce(lambda x,y : (x*y), L) - 1) < b: 78 | l += 1; 79 | while not is_prime(l): 80 | l += 1 81 | L.append(l) 82 | # ------------------------------------------------------ 83 | T = list(L) 84 | k = len(T) 85 | 86 | print("Number of l_i\'s in the factorization of (p+1):\t%d" % (k-1)) 87 | print("Bitlength of the desired prime number p:\t%d " % (b+1)) 88 | 89 | bar = Bar('Looking for a %d-bit CSIDH prime;' % b, max=k) 90 | # ---------------------------- 91 | for i in range(k - 1, -1, -1): 92 | 93 | L = list(T[:i]) + list(T[(i+1):]) 94 | l = L[-1] 95 | 96 | n = len(L) # Number of small odd primes (sop) 97 | assert(n == (k-1)) 98 | # ============================== 99 | # Main loop for the prime search 100 | bar.next() 101 | while True: 102 | # ---------------------------------- 103 | # Now, we take the next prime number 104 | l += 1; 105 | while not is_prime(l): 106 | l += 1 107 | 108 | # --------------------------- 109 | # Looking for the CSIDH-prime 110 | for j in range(n - 1, -1, -1): 111 | 112 | tmp = list(L[:j]) + list(L[(j+1):]) + list([l]) 113 | assert(len(tmp) == n) 114 | p = 4 * reduce(lambda x,y : (x*y), tmp) - 1 115 | 116 | if bitlength(p) > b: 117 | break 118 | 119 | if (bitlength(p) <= b) and ((b - 1) <= bitlength(p)): 120 | if is_prime(p): 121 | break 122 | 123 | # ------------------- 124 | if bitlength(p) > b: 125 | break 126 | # --------------------------------------------------- 127 | if (bitlength(p) <= b) and ((b - 1) <= bitlength(p)): 128 | if is_prime(p): 129 | break 130 | # --------------------------------------------------- 131 | if (bitlength(p) <= b) and ((b - 1) <= bitlength(p)): 132 | if is_prime(p): 133 | break 134 | 135 | # ---------------------------- 136 | bar.finish() 137 | 138 | print("Reached prime p:\t0x%s" % format(p,"0%dX" % (b/16))) 139 | print("Reached bitlength:\t%s" % bitlength(p)) 140 | 141 | L = list(tmp) 142 | # Storing the "shape" of p 143 | line_string = ' '.join([str(2)] + [ str(l) for l in L ]) + '\n' 144 | f = open("./tmp/p" + str(b+1), "w") 145 | f.write(line_string) 146 | f.close() 147 | exit(1) 148 | -------------------------------------------------------------------------------- /tmp/csidh-3072-wd1-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290, 17 | 289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254, 18 | 253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 154, 40, 14, 6, 3, 2, 1, 1, 2, 1, 3, 2, 1, 2, 1, 10, 3, 2, 1, 7, 2, 1, 5, 1, 4, 3, 2, 1, 30, 7, 2, 1, 6, 5, 4, 3, 2, 1, 23, 6, 5, 4, 3, 2, 1, 18, 4, 3, 2, 1, 14, 3, 2, 1, 11, 2, 1, 9, 1, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 5, 4, 3, 2, 1, 22 | 18, 4, 3, 2, 1, 15, 2, 1, 13, 1, 11, 1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,107, 15, 2, 1, 13, 1, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 93, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 81, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 70, 10, 9, 8, 7, 6, 5, 4, 23 | 3, 2, 1, 60, 9, 8, 7, 6, 5, 4, 3, 2, 1, 51, 8, 7, 6, 5, 4, 3, 2, 1, 43, 7, 6, 5, 4, 3, 2, 1, 36, 6, 5, 4, 3, 2, 1, 30, 5, 4, 3, 2, 1, 25, 4, 3, 2, 1, 22, 2, 1, 20, 1, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 60 | 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-3072 using MCR-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-3072-df-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290, 17 | 289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254, 18 | 253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 149, 41, 16, 6, 4, 4, 3, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 10, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 30, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 21, 8, 7, 6, 5, 4, 3, 2, 1, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 22 | 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,103, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 84, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 68, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 23 | 5, 4, 3, 2, 1, 54, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 42, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 60 | 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-3072 using dummy-free-style */ 64 | -------------------------------------------------------------------------------- /include/ijk/p2048.h: -------------------------------------------------------------------------------- 1 | #ifndef _IJK_p2048_H_ 2 | #define _IJK_p2048_H_ 3 | 4 | #ifdef _MONT_C_CODE_ 5 | // The list of the bitlength of each SOP 6 | static uint64_t bL[] = { 7 | 2, 3, 4, 4, 5, 5, 5, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 8 | 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 9 | 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 12 10 | }; 11 | #endif 12 | 13 | #ifdef _ISOG_H_ 14 | 15 | // The list of Small Odd Primes (SOPs) is stored such that l_0 < l_1 < ... < l_{n-1} 16 | static uint64_t L[] = { 17 | 3, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97,101,103,107,109,113,127,131,137,139,149,151,157,163,167,173,179,181,191,193,197,199,211,223,227,229,233,239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359,367,373,379,383,389,397,401,409, 18 | 419,421,431,433,439,443,449,457,461,463,467,479,487,491,499,503,509,521,523,541,547,557,563,569,571,577,587,593,599,601,607,613,617,619,631,641,643,647,653,659,661,673,677,683,691,701,709,719,727,733,739,743,751,757,761,769,773,787,797,809,811,821,823,827,829,839,853,857,859,863,877,881,883,887,907,911,919,929, 19 | 937,941,947,953,967,971,977,983,991,997,1009,1013,1019,1021,1031,1033,1039,1049,1051,1061,1063,1069,1087,1091,1093,1097,1103,1109,1117,1123,1129,1151,1153,1163,1171,1181,1187,1193,1201,1213,1217,1223,1229,1231,1237,1249,1259,1277,1279,1283,1289,1291,1297,1301,1303,1307,1319,1321,1327,1361,1367,1373,1381,1399,1409,1423,1427,1429,1433,1439,1447,1451,1453,1459,3413 20 | }; 21 | 22 | #ifndef _C_CODE_ 23 | // Sizes for the sets I, J, and K required in the new velusqrt formulae 24 | static int sizeI[] = { 25 | 0, 1, 2, 3, 2, 2, 2, 3, 3, 4, 3, 5, 5, 4, 4, 5, 4, 4, 4, 4, 5, 5, 6, 6, 6, 6, 6, 7, 6, 6, 6, 6, 6, 6, 6, 8, 8, 7, 7, 7, 7, 8, 8, 8, 7, 9, 8, 8, 8, 8, 10, 10, 8, 8, 8, 8, 8, 8, 10, 9, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 12, 11, 11, 11, 26 | 13, 13, 13, 12, 12, 11, 11, 14, 14, 14, 14, 13, 12, 11, 11, 11, 14, 13, 13, 13, 17, 17, 14, 14, 14, 12, 12, 12, 12, 12, 12, 12, 14, 14, 13, 13, 13, 13, 13, 13, 15, 14, 14, 14, 14, 14, 14, 14, 15, 14, 14, 14, 14, 14, 14, 16, 16, 14, 14, 14, 14, 17, 17, 17, 17, 16, 15, 15, 15, 15, 18, 18, 18, 17, 15, 15, 19, 19, 27 | 18, 18, 18, 17, 16, 16, 16, 16, 19, 19, 18, 18, 18, 17, 16, 16, 16, 16, 16, 16, 16, 19, 18, 17, 17, 17, 17, 17, 17, 17, 17, 19, 18, 18, 18, 18, 18, 18, 20, 20, 19, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 21, 21, 21, 21, 21, 22, 22, 22, 21, 21, 21, 21, 21, 21, 21, 30 28 | }; 29 | static int sizeJ[] = { 30 | 0, 1, 1, 1, 2, 2, 2, 2, 2, 2, 3, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 6, 5, 5, 6, 6, 6, 6, 6, 6, 6, 7, 6, 7, 7, 7, 7, 6, 6, 8, 8, 8, 8, 8, 8, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 31 | 8, 8, 8, 9, 9, 10, 10, 8, 8, 8, 8, 9, 10, 11, 11, 11, 9, 10, 10, 10, 8, 8, 10, 10, 10, 12, 12, 12, 12, 12, 12, 12, 11, 11, 12, 12, 12, 12, 12, 12, 11, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 12, 12, 14, 14, 14, 14, 12, 12, 12, 12, 13, 14, 14, 14, 14, 12, 12, 12, 13, 15, 15, 12, 12, 32 | 13, 13, 13, 14, 15, 15, 15, 15, 13, 13, 14, 14, 14, 15, 16, 16, 16, 16, 16, 16, 16, 14, 15, 16, 16, 16, 16, 16, 16, 16, 16, 15, 16, 16, 16, 16, 16, 16, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 28 33 | }; 34 | static int sizeK[] = { 35 | 1, 1, 1, 0, 0, 1, 3, 2, 3, 2, 2, 1, 3, 2, 5, 0, 1, 3, 4, 7, 1, 4, 0, 2, 3, 5, 6, 0, 3, 5, 8, 9, 2, 3, 6, 1, 3, 2, 5, 6, 11, 0, 2, 3, 7, 3, 1, 2, 4, 7, 0, 5, 0, 3, 6, 7, 10, 12, 1, 2, 9, 11, 12, 14, 5, 8, 13, 14, 0, 3, 7, 10, 13, 15, 2, 0, 2, 6, 36 | 1, 2, 7, 0, 3, 1, 4, 4, 6, 7, 9, 5, 3, 3, 7, 9, 2, 0, 1, 10, 1, 6, 1, 4, 5, 0, 5, 8, 11, 12, 15, 18, 0, 1, 3, 8, 9, 11, 14, 17, 0, 0, 2, 5, 9, 14, 18, 23, 3, 2, 5, 7, 11, 14, 16, 0, 2, 1, 6, 12, 13, 2, 3, 5, 6, 3, 6, 8, 9, 11, 6, 8, 9, 1, 3, 5, 3, 8, 37 | 0, 2, 5, 0, 3, 5, 8, 11, 1, 4, 0, 2, 5, 0, 3, 4, 7, 12, 13, 18, 19, 2, 3, 1, 2, 4, 7, 10, 14, 17, 20, 5, 0, 5, 9, 14, 17, 20, 0, 6, 0, 3, 6, 7, 10, 16, 21, 30, 31, 1, 4, 5, 8, 10, 11, 13, 19, 20, 23, 8, 11, 14, 18, 27, 0, 7, 9, 0, 2, 5, 9, 11, 12, 15, 26 38 | }; 39 | #endif 40 | 41 | #define sI_max 30 42 | #define sJ_max 28 43 | #define sK_max 1707 44 | #endif 45 | 46 | #endif /* required framework for the #I, #J, and #K, which is used in new velusqrt fomurlae on CSIDH-2048 */ 47 | -------------------------------------------------------------------------------- /test/isog-test.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define _C_CODE_ 4 | #include "isog.h" 5 | #include "sdacs.h" 6 | 7 | uint8_t test_elligator_output(proj const Tp, proj const Tm, fp const a) 8 | { 9 | fp XTp, XTm; 10 | 11 | fp_copy(XTp, Tp[1]); 12 | fp_inv(XTp); 13 | fp_copy(XTm, Tm[1]); 14 | fp_inv(XTm); 15 | 16 | fp_mul(XTp, XTp, Tp[0]); 17 | fp_mul(XTm, XTm, Tm[0]); 18 | 19 | fp tmp, aux, YTp_squared, YTm_squared; 20 | 21 | fp_sqr(tmp, XTp); 22 | fp_mul(aux, tmp, XTp); 23 | fp_mul(tmp, tmp, a); 24 | fp_add(YTp_squared, tmp, aux); 25 | fp_add(YTp_squared, YTp_squared, XTp); 26 | 27 | fp_sqr(tmp, XTm); 28 | fp_mul(aux, tmp, XTm); 29 | fp_mul(tmp, tmp, a); 30 | fp_add(YTm_squared, tmp, aux); 31 | fp_add(YTm_squared, YTm_squared, XTm); 32 | 33 | return fp_issquare(YTp_squared) & ( 1 - fp_issquare(YTm_squared)); 34 | } 35 | 36 | int main() 37 | { 38 | // ------------ 39 | 40 | int i, j; 41 | 42 | fp a; 43 | proj A, B, T, Tp, Tm, P[N]; 44 | fp_set0(A[0]); 45 | fp_set1(A[1]); 46 | 47 | fp_add(A[0], A[1], A[0]); // 1 48 | fp_add(A[0], A[0], A[0]); // 2 49 | fp_add(A[0], A[1], A[0]); // 3 50 | fp_add(A[0], A[0], A[0]); // 6 51 | 52 | fp_add(A[1], A[1], A[1]); // 2C 53 | fp_add(A[0], A[0], A[1]); // A' + 2C 54 | fp_add(A[1], A[1], A[1]); // 4C 55 | 56 | // Just to ensure the projective curve coeffientes are different from zero 57 | assert( !fp_iszero(A[0]) & !fp_iszero(A[0]) ); 58 | 59 | uint8_t boolp, boolm; 60 | do 61 | { 62 | elligator(Tp, Tm, (const fp*)A); 63 | for (j = 0; j < (int)cofactor; j++) 64 | { 65 | xdbl(Tp, (const fp*)Tp, (const fp*)A); 66 | xdbl(Tm, (const fp*)Tm, (const fp*)A); 67 | }; 68 | 69 | // Checking if Tp is an order (p+1)/(2^e) 70 | proj_copy(P[0], (const fp*)Tp); 71 | cofactor_multiples(P, (const fp*)A, 0, N); 72 | boolp = 1; 73 | for (j = 0; j < N; j++) 74 | boolp &= (1 - isinfinity((const fp*)P[j])); 75 | 76 | // Checking if Tm is an order (p+1)/(2^e) 77 | proj_copy(P[0], (const fp*)Tm); 78 | cofactor_multiples(P, (const fp*)A, 0, N); 79 | boolm = 1; 80 | for (j = 0; j < N; j++) 81 | boolm &= (1 - isinfinity((const fp*)P[j])); 82 | 83 | } while ( (1 - boolp) | (1 - boolm) ); 84 | 85 | setmemory(); 86 | // -------------------------------------------------------------- 87 | uint64_t sadd, smul, ssqr; 88 | for (i = 0; i < N; i++) 89 | { 90 | printf("// Processing the %d-th prime:\t", i + 1); 91 | printf("%2d%%", 100 * i / (int)N); 92 | fflush(stdout); 93 | printf("\r\x1b[K"); 94 | 95 | proj_copy(T, (const fp*)Tm); 96 | for (j = (i+1); j < N; j++) 97 | xmul(T, j, (const fp*)T, (const fp*)A); 98 | 99 | assert( !isinfinity((const fp*)T) ); 100 | 101 | init_counters(); // set to zero the field operation counters 102 | sadd = 0; 103 | smul = 0; 104 | ssqr = 0; 105 | kps(i, (const fp*)T, (const fp*)A); 106 | sadd += fpadd; 107 | smul += fpmul; 108 | ssqr += fpsqr; 109 | if (L[i] > gap) 110 | printf("[\033[0;31m%5ld\033[0m] (#I: %3d, #J: %3d, #K: %3d) ", L[i], sI, sJ, sK); 111 | else 112 | printf("[\033[0;31m%5ld\033[0m] --------------------------- ", L[i]); 113 | printf("\033[0;33mkps:\033[0m %7luM + %7luS + %7lua\033[0;33m;\033[0m ", fpmul, fpsqr, fpadd); 114 | 115 | init_counters(); // set to zero the field operation counters 116 | xisog(B, i, (const fp*)A); 117 | sadd += fpadd; 118 | smul += fpmul; 119 | ssqr += fpsqr; 120 | printf("\033[0;35mxisog:\033[0m %7luM + %7luS + %7lua\033[0;35m;\033[0m ", fpmul, fpsqr, fpadd); 121 | 122 | init_counters(); // set to zero the field operation counters 123 | xeval(Tm, i, (const fp*)Tm, (const fp*)A); 124 | sadd += fpadd; 125 | smul += fpmul; 126 | ssqr += fpsqr; 127 | printf("\033[0;34mxeval:\033[0m %7luM + %7luS + %7lua\033[0;34m;\033[0m ", fpmul, fpsqr, fpadd); 128 | 129 | printf("\033[0;32mcost:\033[0m %7luM\033[0;32m;\033[0m ", smul + ssqr); 130 | printf("\033[0;36mratio:\033[0m %2.03f\033[0;36m;\033[0m\n", ((float)smul + (float)ssqr) / (2.0 + (float)L[i]) ); 131 | init_counters(); // set to zero the field operation counters 132 | xeval(Tp, i, (const fp*)Tp, (const fp*)A); 133 | proj_copy(A, (const fp*)B); 134 | 135 | coeff(a, (const fp*)A); 136 | assert(validate(a)); 137 | 138 | if (L[i] > gap) 139 | { 140 | if (!scaled) 141 | clear_tree(rtree_hI, 0, sI); 142 | clear_tree(ptree_hI, 0, sI); 143 | } 144 | }; 145 | 146 | assert( fp_iszero(a) ); 147 | 148 | for (i = 0; i < N; i++) 149 | { 150 | printf("// Doing more tests, %d-th experiment:\t", i); 151 | printf("%2d%%", 100 * i / (int)N); 152 | fflush(stdout); 153 | printf("\r\x1b[K"); 154 | 155 | proj_copy(T, (const fp*)Tp); 156 | for (j = (i+1); j < N; j++) 157 | xmul(T, j, (const fp*)T, (const fp*)A); 158 | 159 | assert( !isinfinity((const fp*)T) ); 160 | kps(i, (const fp*)T, (const fp*)A); 161 | xisog(B, i, (const fp*)A); 162 | xeval(Tp, i, (const fp*)Tp, (const fp*)A); 163 | proj_copy(A, (const fp*)B); 164 | 165 | coeff(a, (const fp*)A); 166 | assert(validate(a)); 167 | 168 | if (L[i] > gap) 169 | { 170 | if (!scaled) 171 | clear_tree(rtree_hI, 0, sI); 172 | clear_tree(ptree_hI, 0, sI); 173 | }; 174 | }; 175 | 176 | fp_dec(a, a); 177 | fp six; 178 | fp_set0(six); 179 | six[0] = 0x6; 180 | assert( fp_isequal(six, a) ); 181 | 182 | freememory(); 183 | printf("// No errors!\n"); 184 | return 0; 185 | } 186 | -------------------------------------------------------------------------------- /include/mont.h: -------------------------------------------------------------------------------- 1 | #ifndef _MONT_H_ 2 | #define _MONT_H_ 3 | 4 | #include "fp.h" 5 | //#include "sdacs.h" 6 | 7 | typedef fp proj[2]; // projective x-coordinate point (X:Z) or projective Montogmery curve coefficient (A':C) 8 | 9 | //char *SDACs[N]; // Shortest Differential Additions Chains (SDAC's) 10 | //int LENGTHS[N]; // Size of each shortest Differential Additions Chains (SDAC's) 11 | //uint64_t L[N]; // "2^e" and the Small Odd Primes (SOPs) in the factorization of (p + 1) 12 | //uint64_t bL[N]; // Bitlength of each element in L \ {2^e} 13 | //uint64_t cofactor; // Power of 2 in the factorization of (p + 1) 14 | //uint64_t UPPER_BOUND; // For traditional CSIDH primes this value is approximately equals to log2(4 sqrt(p)) 15 | 16 | void coeff(fp B, proj const A); // From projective curve coefficients into affine representation 17 | void xadd(proj R, const proj P, proj const Q, proj const PQ); // Differential point addition 18 | void xdbl(proj Q, const proj P, proj const A); // Differential point doubling 19 | void xmul(proj Q, uint64_t const i, proj const P, proj const A); // Differential point multiplication by l_i 20 | 21 | // Next functions corresponds to B-SIDH 22 | void xdbladd(proj R, proj S, proj const P, proj const Q, proj const PQ, proj const A); // For computing x([2]P) and x(P + Q) 23 | void ladder3pt(proj R, fp const m, proj const P, proj const Q, proj const PQ, proj const A); // For computing x(P + [m]Q) 24 | // Validation for B-SIDH must be implemented (similar validation than SIDH and SIKE cases) 25 | 26 | // Next functions corresponds to CSIDH 27 | void elligator(proj Tp, proj Tm, proj const A); // Random points in E[\pi - 1] and E[\pi + 1] 28 | void cofactor_multiples(proj P[], proj const A, size_t lower, size_t upper); // For computing [(p + 1) / l_i]P, i:=0, ..., (N - 1) 29 | bool validate(fp const a); // This function check if A is supersingular 30 | 31 | // For computing the bitlength of positive integer 32 | static inline uint64_t bitlength(uint64_t n) 33 | { 34 | uint64_t count = 0; 35 | while (n > 0) 36 | { 37 | count += 1; 38 | n >>= 1; 39 | } 40 | return count; 41 | } 42 | 43 | /* 44 | // Function to remove all spaces from a given string 45 | static inline int removespace(char *str) 46 | { 47 | // To keep track of non-space character count 48 | int count = 0, i; 49 | 50 | // Traverse the given string. If current character 51 | // is not space, then place it at index 'count++' 52 | for (i = 0; str[i]; i++) 53 | if (str[i] != ' ') 54 | str[count++] = str[i]; 55 | str[count] = '\0'; 56 | return count; 57 | } 58 | 59 | // Reading SOPs coded as in the Python-code of "Optimal Strategies for CSIDH" 60 | static inline void read_sops() 61 | { 62 | FILE *sops; 63 | 64 | // File name must be stored as string 65 | char prefix[13] = "./src/sop/\0", 66 | path[(int)strlen(suffix) + 13 + 1]; 67 | 68 | snprintf(path, sizeof(path), "%s%s", prefix, suffix); 69 | 70 | sops = fopen(path, "r"); // reading sdacs 71 | assert(NULL != sops); // ensuring the file exists 72 | 73 | int i = 0; 74 | assert(fscanf(sops, "%lu", &cofactor) > 0); // Exponent of 2 in the factorization of (p + 1) 75 | assert( cofactor >= 2); // Ensuring p = 3 mod 4 76 | while (fscanf(sops, "%lu", &L[i++]) != EOF); // SOPs in the factorization of (p + 1) 77 | 78 | assert(i == (N + 1)); // Ensuring N SOPs have been read them 79 | 80 | UPPER_BOUND = 0; 81 | for (i = 0; i < N; i++) 82 | { 83 | bL[i] = bitlength(L[i]); // Bitlength of each SOP 84 | UPPER_BOUND += bL[i]; 85 | }; 86 | 87 | UPPER_BOUND /= 2; // This corresponds with the bits of sqrt( [p + 1] / [2^e] ) 88 | UPPER_BOUND += 2; // Bits of 4 * sqrt( [p + 1] / [2^e] ) 89 | fclose(sops); 90 | } 91 | 92 | // Reading SDACs coded as in the Python-code of "Optimal Strategies for CSIDH" 93 | static inline void read_sdacs() 94 | { 95 | FILE *sdacs; 96 | char buffer[127] = "\0"; 97 | 98 | // File name must be stored as string 99 | char prefix[13] = "./src/sdacs/\0", 100 | path[(int)strlen(suffix) + 13 + 1]; 101 | 102 | snprintf(path, sizeof(path), "%s%s", prefix, suffix); 103 | 104 | sdacs = fopen(path, "r"); // reading sdacs 105 | assert(NULL != sdacs); // ensuring the file exists 106 | 107 | // Reading line by line 108 | int i = 0; 109 | while (EOF != fscanf(sdacs, "%[^\n]", buffer)) 110 | { 111 | fgetc(sdacs); // Removing breakline character 112 | 113 | LENGTHS[i++] = removespace(buffer); 114 | SDACs[i - 1] = calloc(1, sizeof(char) * LENGTHS[i - 1] + 1); 115 | strcpy(SDACs[i - 1], buffer); 116 | }; 117 | assert(i == N); 118 | 119 | fclose(sdacs); 120 | } 121 | */ 122 | 123 | // Constant-time swap of projective x-coordinates 124 | static inline void proj_copy(proj P, proj const Q) 125 | { 126 | fp_copy(P[0], Q[0]); 127 | fp_copy(P[1], Q[1]); 128 | } 129 | 130 | // Constant-time swap of projective x-coordinates 131 | static inline void proj_cswap(proj P, proj Q, uint8_t c) 132 | { 133 | fp_cswap(P[0], Q[0], c); 134 | fp_cswap(P[1], Q[1], c); 135 | } 136 | 137 | 138 | // Two projective x-cooridinate (XP : ZP) and (XQ : ZQ) are equal iff (XP/ZP) == (XQ/ZQ) 139 | static inline uint64_t proj_isequal(proj const P, proj const Q) 140 | { 141 | fp XPZQ, ZPXQ; 142 | fp_mul(XPZQ, P[0], Q[1]); 143 | fp_mul(ZPXQ, P[1], Q[0]); 144 | return fp_isequal(XPZQ, ZPXQ); 145 | } 146 | 147 | // The projective x-coordinate point (X : Z) at infinity is such that Z == 0 148 | static inline int isinfinity(proj const P) 149 | { 150 | return fp_iszero(P[1]); 151 | } 152 | 153 | #endif 154 | -------------------------------------------------------------------------------- /tmp/csidh-4096-wd2-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324, 17 | 323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231, 18 | 230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 91, 25, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 17, 7, 6, 5, 4, 3, 2, 1, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 22 | 1, 72, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 59 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-4096-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324, 17 | 323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231, 18 | 230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 91, 25, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 17, 7, 6, 5, 4, 3, 2, 1, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 22 | 1, 72, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 59 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The SQALE of CSIDH: Square-root velu Quantum-resistant isogeny Action with Low Exponents 2 | 3 | This repository ilustrates the practical implications of the quantum security analysis of [**The SQALE of CSIDH: Square-root velu Quantum-resistant isogeny Action with Low Exponents**](#), which are based on and detailed study of the Kuperberg's algorithm. 4 | 5 | ## Description of the C-code implementation 6 | 7 | Summarizing, the presented C-code implementation corresponds with translation of the python-code implementation of [**On new Vélu's formulae and their applications to CSIDH and B-SIDH constant-time implementations**](https://eprint.iacr.org/2020/1109), but this time focusing on constant-time implementations of CSIDH for arbitrary primes. The primes used corresponds with the family of primes `p` such that `(p+1)/4` splits into `n` different small odd primes. Additionally, we also provide a code that estimates the costs to find a hidden shift of an imaginary quadratic order, i.e., to break CSIDH and related schemes, under a range of depth limits (for more details, to check its corresponding [README.md](quantum-cost-estimation/README.md) file). 8 | 9 | The novelty of this C-code implementation relies on the large constant-time CSIDH instantiations (named them: CSIDH-1024, CSIDH-1792, CSIDH-2048, CSIDH-3072, CSIDH-4096, CSIDH-5120, CSIDH-6144, CSIDH-8192, CSIDH-9216). 10 | 11 | ### Compilation 12 | 13 | The syntax and option for the compilation can be check by running `make help`, which prints the following 14 | ```bash 15 | Remarks: 16 | # GCC compiler is choosen by default, and the variable CC is optional 17 | Syntax: 18 | make csidh-all CC=[any version of gcc / any version of clang] 19 | make csidh BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] STYLE=[wd2 / wd / df] CC=[any version of gcc / any version of clang] 20 | make bench-all CC=[any version of gcc / any version of clang] 21 | make bench BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] STYLE=[wd2 / wd / df] CC=[any version of gcc / any version of clang] 22 | Tests: 23 | make test BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] CC=[any version of gcc / any version of clang] 24 | make gae BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] STYLE=[wd2 / wd / df] CC=[any version of gcc / any version of clang] 25 | Debug: 26 | make debug BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] STYLE=[wd2 / wd / df] CC=[any version of gcc / any version of clang] 27 | make valgrind BITS=[512 / 1024 / 1792 / 2048 / 3072 / 4096 / 5120 / 6144 / 8192 / 9216] STYLE=[wd2 / wd / df] CC=[any version of gcc / any version of clang] 28 | Cleanup: 29 | make clean 30 | make deepclean 31 | ``` 32 | 33 | For example, let's assume we want to use CSIDH-`B` using `S`-style, where `B` and `S` denotes the bit-length of the prime characteristic `p` and `S` is one of `wd2` (OAYT-style), `wd1` (MCR-style), and `df` (dummy-free). 34 | ```bash 35 | # For testing prime field, polynomial and elliptic curve arithmetics, and traditional and sqrt velu formulae (isogenies) 36 | make test BITS=B 37 | # Testing the group action evaluation of CSIDH (main block) 38 | make gae BITS=B STYLE=S 39 | # CSIDH key-exchange 40 | make csidh BITS=B STYLE=S 41 | # Benchmark 42 | make bench BITS=B STYLE=S 43 | ``` 44 | 45 | Moreover, for compiling (and building) for all the provided CSIDH primes, just run 46 | ```bash 47 | # CSIDH protocol 48 | make csidh-all 49 | # Benchmark 50 | make bench-all 51 | # Both of CSIDH and Benchmark 52 | make 53 | ``` 54 | 55 | ### Examples of runs 56 | 57 | ```bash 58 | # Tests 59 | make test BITS=1024 60 | ./fp-1024.test 61 | ./poly_mul_fp1024.test 62 | ./poly_redc_fp1024.test 63 | ./mont-fp1024.test 64 | ./isog-fp1024.test 65 | # CSIDH 66 | make csidh BITS=2048 STYLE=wd2 67 | ./csidh.2048-wd2.main 68 | # Benchmark 69 | make bench BITS=4096 STYLE=df 70 | ./csidh.4096-df.bench 71 | ``` 72 | 73 | Additionally, the directory `/tmp` has all the optimal strategy used in the Group Action Evaluation of each CSIDH instantiation done in this project (our experimental benchmarking results can be found in the directory `/results`). 74 | 75 | ## Remarks 76 | 77 | This C-code implementation allows and easy integration with different primes (of any feasible bit-length). Additionally, one can use different consecutive small odd primes (instead of all the odd prime factors of `p+1`), and therefore different strategies in the Group Action Evaluation (check the files in `src/styles/`. for the required assignation). Any other instances can be integrated by using the python code of [**Adj _et al._**](https://github.com/JJChiDguez/velusqrt) (to be more precise, by using the python scripts `bounds.py`, `headers.py`, `sdacs.py`, and `ijk.py`). 78 | 79 | ## Authors 80 | 81 | 1. **Jorge Chávez-Saab** , 82 | 2. **Jesús-Javier Chi-Domínguez** , 83 | 3. **Samuel Jaques** , and 84 | 4. **Francisco Rodríguez-Henríquez** . 85 | 86 | 87 | ## License 88 | 89 | This project is licensed under the GNU general public license - see the [LICENSE](LICENSE) file for details 90 | 91 | ## Funding 92 | 93 | This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 804476). 94 | Samuel Jaques was supported by the University of Oxford Clarendon fund. 95 | The fourth author received partial funds from the Mexican Science council CONACyT project 313572. 96 | -------------------------------------------------------------------------------- /tmp/csidh-4096-wd1-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351, 17 | 350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285, 18 | 284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 153, 40, 14, 7, 3, 2, 1, 1, 2, 1, 4, 2, 1, 3, 2, 1, 10, 3, 2, 1, 7, 2, 1, 5, 1, 4, 3, 2, 1, 30, 7, 2, 1, 6, 5, 4, 3, 2, 1, 23, 6, 5, 4, 3, 2, 1, 18, 4, 3, 2, 1, 14, 3, 2, 1, 11, 2, 1, 9, 1, 8, 7, 6, 5, 4, 3, 2, 1,124, 23, 5, 4, 3, 2, 22 | 1, 18, 4, 3, 2, 1, 15, 2, 1, 13, 1, 11, 1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,106, 15, 2, 1, 13, 1, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 92, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 80, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 69, 10, 9, 8, 7, 6, 5, 23 | 4, 3, 2, 1, 59, 9, 8, 7, 6, 5, 4, 3, 2, 1, 50, 8, 7, 6, 5, 4, 3, 2, 1, 42, 7, 6, 5, 4, 3, 2, 1, 35, 6, 5, 4, 3, 2, 1, 29, 5, 4, 3, 2, 1, 25, 3, 2, 1, 22, 2, 1, 20, 1, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using MCR-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-4096-df-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351, 17 | 350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285, 18 | 284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 148, 42, 16, 6, 4, 4, 3, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 10, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 30, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 21, 8, 7, 6, 5, 4, 3, 2, 1, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,124, 22 | 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,103, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 84, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 68, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 23 | 5, 4, 3, 2, 1, 54, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 42, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using dummy-free-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-4096-wd1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351, 17 | 350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285, 18 | 284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 153, 40, 14, 7, 3, 2, 1, 1, 2, 1, 4, 2, 1, 3, 2, 1, 10, 3, 2, 1, 7, 2, 1, 5, 1, 4, 3, 2, 1, 30, 7, 2, 1, 6, 5, 4, 3, 2, 1, 23, 6, 5, 4, 3, 2, 1, 18, 4, 3, 2, 1, 14, 3, 2, 1, 11, 2, 1, 9, 1, 8, 7, 6, 5, 4, 3, 2, 1,124, 23, 5, 4, 3, 2, 22 | 1, 18, 4, 3, 2, 1, 15, 2, 1, 13, 1, 11, 1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,106, 15, 2, 1, 13, 1, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 92, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 80, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 69, 10, 9, 8, 7, 6, 5, 23 | 4, 3, 2, 1, 59, 9, 8, 7, 6, 5, 4, 3, 2, 1, 50, 8, 7, 6, 5, 4, 3, 2, 1, 42, 7, 6, 5, 4, 3, 2, 1, 35, 6, 5, 4, 3, 2, 1, 29, 5, 4, 3, 2, 1, 25, 3, 2, 1, 22, 2, 1, 20, 1, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using MCR-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-4096-df.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351, 17 | 350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285, 18 | 284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 148, 42, 16, 6, 4, 4, 3, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 10, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 30, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 21, 8, 7, 6, 5, 4, 3, 2, 1, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,124, 22 | 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,103, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 84, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 68, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 23 | 5, 4, 3, 2, 1, 54, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 42, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-4096 using dummy-free-style */ 64 | -------------------------------------------------------------------------------- /src/kps.c: -------------------------------------------------------------------------------- 1 | #include "isog.h" 2 | 3 | // ----------------------------------------------------------- 4 | // ----------------------------------------------------------- 5 | // Traditional Kernel Point computation (KPs) 6 | 7 | void eds2mont(proj P) 8 | { 9 | fp t; 10 | fp_add(t, P[1], P[0]); 11 | fp_sub(P[1], P[1], P[0]); 12 | fp_copy(P[0], t); 13 | } 14 | 15 | 16 | // Differential doubling in Twisted Edwards model 17 | void ydbl(proj Q, proj const P, proj const A) 18 | { 19 | fp t_0, t_1, X, Z; 20 | 21 | fp_sqr(t_0, P[0]); 22 | fp_sqr(t_1, P[1]); 23 | fp_mul(Z, A[1], t_0); 24 | fp_mul(X, Z, t_1); 25 | fp_sub(t_1, t_1, t_0); 26 | fp_mul(t_0, A[0], t_1); 27 | fp_add(Z, Z, t_0); 28 | fp_mul(Z, Z, t_1); 29 | 30 | fp_sub(Q[0], X, Z); 31 | fp_add(Q[1], X, Z); 32 | } 33 | 34 | // Differential addition in Twisted Edwards model 35 | void yadd(proj R, proj const P, proj const Q, proj const PQ) 36 | { 37 | fp a, b, c, d, X, Z; 38 | 39 | fp_mul(a, P[1], Q[0]); 40 | fp_mul(b, P[0], Q[1]); 41 | fp_add(c, a, b); 42 | fp_sub(d, a, b); 43 | fp_sqr(c, c); 44 | fp_sqr(d, d); 45 | 46 | fp_add(a, PQ[1], PQ[0]); 47 | fp_sub(b, PQ[1], PQ[0]); 48 | fp_mul(X, b, c); 49 | fp_mul(Z, a, d); 50 | 51 | fp_sub(R[0], X, Z); 52 | fp_add(R[1], X, Z); 53 | } 54 | 55 | // tvelu formulae 56 | void kps_t(uint64_t const i, proj const P, proj const A) 57 | { 58 | int j; 59 | int d = ((int)L[i] - 1) / 2; 60 | 61 | // Mapping the input point x(P), which belongs to a 62 | // Montogmery curve model, into its Twisted Edwards 63 | // representation y(P) 64 | fp_sub(K[0][0], P[0], P[1]); 65 | fp_add(K[0][1], P[0], P[1]); 66 | ydbl(K[1], (const fp*)K[0], A); // y([2]P) 67 | 68 | for (j = 2; j < d; j++) 69 | yadd(K[j], (const fp*)K[j - 1], (const fp*)K[0], (const fp*)K[j - 2]); // y([j+1]P) 70 | } 71 | 72 | // ----------------------------------------------------------- 73 | // ----------------------------------------------------------- 74 | // Kernel Point computation (KPs) used in velu SQRT 75 | void kps_s(uint64_t const i, proj const P, proj const A) 76 | { 77 | // ================================================================================= 78 | assert(L[i] > gap); // Ensuring velusqrt is used for l_i > gap 79 | sI = sizeI[i]; // size of I 80 | sJ = sizeJ[i]; // size of J 81 | sK = sizeK[i]; // size of K 82 | 83 | assert(sI >= sJ); // Ensuring #I >= #J 84 | assert(sK >= 0); // Recall, it must be that #K >= 0 85 | assert(sJ > 1); // ensuring sI >= sJ > 1 86 | // ================================================================================= 87 | 88 | // Now, we can proceed by the general case 89 | 90 | int j; 91 | 92 | // -------------------------------------------------- 93 | // Computing [j]P for each j in {1, 3, ..., 2*sJ - 1} 94 | proj P2, P4; 95 | proj_copy(J[0], P); // x(P) 96 | xdbl(P2, P, A); // x([2]P) 97 | xadd(J[1], (const fp*)P2, (const fp*)J[0], (const fp*)J[0]); // x([3]P) 98 | for (j = 2; j < sJ; j++) 99 | xadd(J[j], (const fp*)J[j - 1], (const fp*)P2, (const fp*)J[j - 2]); // x([2*j + 1]P) 100 | 101 | // ---------------------------------------------------------- 102 | // Computing [i]P for i in { (2*sJ) * (2i + 1) : 0 <= i < sI} 103 | proj Q, Q2; 104 | int bhalf_floor= sJ >> 1; 105 | int bhalf_ceil = sJ - bhalf_floor; 106 | xdbl(P4, (const fp*)P2, A); // x([4]P) 107 | proj_cswap(P2, P4, sJ % 2); // x([4]P) <--- coditional swap ---> x([2]P) 108 | xadd(Q, (const fp*)J[bhalf_ceil], (const fp*)J[bhalf_floor - 1], (const fp*)P2); // Q := [2b]P 109 | proj_cswap(P2, P4, sJ % 2); // x([4]P) <--- coditional swap ---> x([2]P) 110 | 111 | // ............................................. 112 | proj_copy(I[0], (const fp*)Q); // x(Q) 113 | xdbl(Q2, (const fp*)Q, A); // x([2]Q) 114 | xadd(I[1], (const fp*)Q2, (const fp*)I[0], (const fp*)I[0]); // x([3]Q) 115 | 116 | for (j = 2; j < sI; j++) 117 | xadd(I[j], (const fp*)I[j - 1], (const fp*)Q2, (const fp*)I[j - 2]); // x([2*j + 1]Q) 118 | 119 | // ............................................. 120 | // Computing on fly the linear factors of h_I(W) 121 | for (j = 0; j < sI; j++) 122 | fp_sub(I[j][0], fp_0, I[j][0]); // just negate projective x-coordinate 123 | 124 | // ---------------------------------------------------------------- 125 | // Computing [k]P for k in { 4*sJ*sI + 1, ..., l - 6, l - 4, l - 2} 126 | // In order to avoid BRANCHES we make allways copy in K[0] and K[1] 127 | // by assuming that these entries are only used when sK >= 1 and 128 | // sK >= 2, respectively. 129 | 130 | //if (sK >= 1) 131 | proj_copy(K[0], (const fp*)P2); // x([l - 2]P) = x([2]P) 132 | //if (sK >= 2) 133 | proj_copy(K[1], (const fp*)P4); // x([l - 4]P) = x([4]P) 134 | 135 | for (j = 2; j < sK; j++) 136 | xadd(K[j], (const fp*)K[j - 1], (const fp*)P2, (const fp*)K[j - 2]); // x([l - 2*(j+1)]P) = x([2 * (j+1)]P) 137 | 138 | // ---------------------------------------------------------------- 139 | // ~~~~~~~~ ~~~~~~~~ 140 | // | | | | 141 | // Computing h_I(W) = | | (W - x([i]P)) = | | (Zi * W - Xi) / Zi where x([i]P) = Xi/Zi 142 | // i in I i in I 143 | // In order to avoid costly inverse computations in fp, we are gonna work with projective coordinates 144 | 145 | product_tree(ptree_hI, deg_ptree_hI, 0, I, 2, sI); // Product tree of hI 146 | if (!scaled) 147 | { 148 | // (unscaled) remainder tree approach 149 | reciprocal_tree(rtree_hI, rtree_A, 2*sJ + 1, ptree_hI, deg_ptree_hI, 0, sI); // Reciprocal tree of hI 150 | } 151 | else 152 | { 153 | // scaled remainder tree approach 154 | fp f_rev[sI + 1]; 155 | for (j = 0; j < (sI + 1); j++) 156 | fp_copy(f_rev[j], ptree_hI[0][sI - j]); 157 | 158 | if (sI > (2*sJ - sI + 1)) 159 | reciprocal(R0, A0, f_rev, sI + 1, sI); 160 | else 161 | reciprocal(R0, A0, f_rev, sI + 1, 2*sJ - sI + 1); 162 | }; 163 | } 164 | -------------------------------------------------------------------------------- /src/mont.c: -------------------------------------------------------------------------------- 1 | #include "mont.h" 2 | #define _MONT_C_CODE_ 3 | #include "sdacs.h" 4 | #include "ijk.h" 5 | 6 | /* All the projective curve coefficients corresponds with (A + 2C : 4C) */ 7 | 8 | // Affine Montgomery coefficient computation (A + 2C : 4C) --> A/C 9 | void coeff(fp B, proj const A) 10 | { 11 | fp t; 12 | fp_add(t, A[0], A[0]); // (2 * A24) 13 | fp_sub(t, t, A[1]); // (2 * A24) - C24 14 | 15 | fp_copy(B, A[1]); 16 | fp_inv(B); // 1 / (C24) 17 | fp_add(t, t, t); // 4*A = 2[(2 * A24) - C24] 18 | fp_mul(B, t, B); // A/C = 2[(2 * A24) - C24] / C24 19 | } 20 | 21 | // Differential point doubling 22 | void xdbl(proj Q, const proj P, proj const A) 23 | { 24 | fp t_0, t_1; 25 | fp_sub(t_0, P[0],P[1]); 26 | fp_add(t_1, P[0],P[1]); 27 | 28 | fp_sqr(t_0, t_0); 29 | fp_sqr(t_1, t_1); 30 | 31 | fp_mul(Q[1], A[1], t_0); 32 | fp_mul(Q[0], Q[1], t_1); 33 | 34 | fp_sub(t_1, t_1, t_0); 35 | fp_mul(t_0, A[0], t_1); 36 | fp_add(Q[1], Q[1], t_0); 37 | fp_mul(Q[1], Q[1], t_1); 38 | } 39 | 40 | // Differential point addition 41 | void xadd(proj R, const proj P, proj const Q, proj const PQ) 42 | { 43 | fp a, b, c, d; 44 | 45 | fp_add(a, P[0], P[1]); 46 | fp_sub(b, P[0], P[1]); 47 | fp_add(c, Q[0], Q[1]); 48 | fp_sub(d, Q[0], Q[1]); 49 | 50 | fp_mul(a, a, d); 51 | fp_mul(b, b, c); 52 | fp_add(c, a, b); 53 | fp_sub(d, a, b); 54 | 55 | fp_sqr(c, c); 56 | fp_sqr(d, d); 57 | 58 | fp_mul(R[0], PQ[1], c); 59 | fp_mul(R[1], PQ[0], d); 60 | } 61 | 62 | // Differential point multiplication by l_i, that is, x([l_i]P) 63 | void xmul(proj Q, uint64_t const i, proj const P, proj const A) 64 | { 65 | proj R0, R1, R2, T; 66 | proj_copy(R0, P); 67 | xdbl(R1, P, A); 68 | xadd(R2, (const fp*)R1, (const fp*)R0, P); 69 | 70 | int j; 71 | for (j = LENGTHS[i] - 1; j >= 0; j--) 72 | { 73 | proj_cswap(R0, R1, (uint8_t)((int)SDACs[i][j] - 48)); // cswap of points 74 | // This branch is only required for CSIDH 75 | // It would amazing to do the next branch with constant-swaps (xdbl can be easily modified in order to have the same cost than xadd) 76 | if (isinfinity((const fp*)R0)) 77 | xdbl(T, (const fp*)R2, A); 78 | else 79 | xadd(T, (const fp*)R2, (const fp*)R1, (const fp*)R0); 80 | 81 | proj_copy(R0, (const fp*)R1); 82 | proj_copy(R1, (const fp*)R2); 83 | proj_copy(R2, (const fp*)T); 84 | }; 85 | 86 | proj_copy(Q, (const fp*)R2); 87 | } 88 | 89 | // Elligator is used for sampling point on E(fp)[\pi - 1] and E(fp)[\pi + 1] 90 | void elligator(proj Tp, proj Tm, proj const A) 91 | { 92 | fp Ap, C_times_u_squared_minus_one, AC_times_u_squared_minus_one, 93 | u, u_squared, u_squared_plus_one, u_squared_minus_one, 94 | alpha, beta, tmp, aux; 95 | 96 | fp_add(Ap, A[0], A[0]); 97 | fp_sub(Ap, Ap, A[1]); 98 | fp_add(Ap, Ap, Ap); 99 | 100 | fp_random(u); 101 | fp_sqr(u_squared, u); 102 | 103 | fp_add(u_squared_plus_one, u_squared, fp_1); 104 | fp_sub(u_squared_minus_one, u_squared, fp_1); 105 | 106 | fp_mul(C_times_u_squared_minus_one, A[1], u_squared_minus_one); 107 | fp_mul(AC_times_u_squared_minus_one, Ap, C_times_u_squared_minus_one); 108 | 109 | fp_sqr(tmp, Ap); 110 | fp_mul(tmp, tmp, u_squared); 111 | fp_sqr(aux, C_times_u_squared_minus_one); 112 | fp_add(tmp, tmp, aux); 113 | fp_mul(tmp, AC_times_u_squared_minus_one, tmp); 114 | 115 | fp_set0(alpha); 116 | fp_copy(beta, u); 117 | fp_cswap(alpha, beta, fp_iszero(tmp)); 118 | fp_mul(u_squared_plus_one, alpha, u_squared_plus_one); 119 | fp_mul(alpha, alpha, C_times_u_squared_minus_one); 120 | 121 | fp_add(Tp[0], Ap, alpha); 122 | fp_mul(Tm[0], Ap, u_squared); 123 | fp_add(Tm[0], Tm[0], alpha); 124 | fp_sub(Tm[0], fp_0, Tm[0]); 125 | 126 | fp_add(tmp, tmp, u_squared_plus_one); 127 | fp_cswap(Tp[0], Tm[0], 1 - fp_issquare(tmp)); 128 | 129 | fp_copy(Tp[1], C_times_u_squared_minus_one); 130 | fp_copy(Tm[1], C_times_u_squared_minus_one); 131 | } 132 | 133 | // For computing [(p + 1) / l_i]P, i:=0, ..., (N - 1) 134 | void cofactor_multiples(proj P[], proj const A, size_t lower, size_t upper) 135 | { 136 | assert(lower < upper); 137 | if (upper - lower == 1) 138 | return ; 139 | 140 | int i; 141 | size_t mid = lower + (upper - lower + 1) / 2; 142 | 143 | proj_copy(P[mid], (const fp*)P[lower]); 144 | for (i = lower; i < (int)mid; i++) 145 | xmul(P[mid], i, (const fp*)P[mid], A); 146 | 147 | for (i = (int)mid; i < (int)upper; i++) 148 | xmul(P[lower], i, (const fp*)P[lower], A); 149 | 150 | cofactor_multiples(P, A, lower, mid); 151 | cofactor_multiples(P, A, mid, upper); 152 | } 153 | 154 | // Next functions determines is the Montgomery curve y² = x³ + ax² + x is supersingular 155 | bool validate(fp const a) 156 | { 157 | init_counters(); // set to zero the field operation counters 158 | fp x; 159 | proj A, P[N]; 160 | // A = (a : 1) 161 | fp_copy(A[0], a); 162 | fp_set1(A[1]); 163 | 164 | // Coding curve coefficients as (A' + 2C : 4C) 165 | fp_add(A[1], A[1], A[1]); // 2C 166 | fp_add(A[0], A[0], A[1]); // A' + 2C 167 | fp_add(A[1], A[1], A[1]); // 4C 168 | 169 | int i; 170 | uint64_t bits; 171 | 172 | do 173 | { 174 | bits = 0; 175 | // P = (x : 1) 176 | fp_random(x); 177 | fp_copy(P[0][0], x); 178 | fp_set1(P[0][1]); 179 | 180 | // Multiplying by 2^cofactor 181 | for (i = 0; i < (int)cofactor; i++) 182 | xdbl(P[0], (const fp*)P[0], (const fp*)A); 183 | 184 | // At this step, P[0] is expected to be a torsion-([p + 1]/[2^e]) point 185 | cofactor_multiples(P, (const fp*)A, 0, N); 186 | for (i = N - 1; i >= 0; i--) 187 | { 188 | // we only gain information if [(p+1)/l] P is non-zero 189 | if (isinfinity((const fp*)P[i]) != 1) 190 | { 191 | xmul(P[i], i, (const fp*)P[i], (const fp*)A); 192 | 193 | // P does not have order dividing p + 1? 194 | if (isinfinity((const fp*)P[i]) != 1) 195 | return false; 196 | 197 | // If bits > UPPER_BOUND, hence definitely supersingular 198 | bits += bL[i]; 199 | if (bits > UPPER_BOUND) 200 | return true; 201 | }; 202 | }; 203 | 204 | } while (1); 205 | } 206 | 207 | 208 | -------------------------------------------------------------------------------- /tmp/csidh-5120-wd2-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 503,502,501,500,499,498,497,496,495,494,493,492,491,490,489,488,487,486,485,484,483,482,481,480,479,478,477,476,475,474,473,472,471,470,469,468,467,466,465,464,463,462,461,460,459,458,457,456,455,454,453,452,451,450,449,448,447,446,445,444,443,442,441,440,439,438,437,436,435,434,433,432,431,430,429,428,427,426,425,424,423,422,421,420,419,418,417,416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382, 17 | 381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260, 18 | 259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 5, 4, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 59 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-5119 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /include/strategy/csidh-5120-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 12 | 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 13 | 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 503,502,501,500,499,498,497,496,495,494,493,492,491,490,489,488,487,486,485,484,483,482,481,480,479,478,477,476,475,474,473,472,471,470,469,468,467,466,465,464,463,462,461,460,459,458,457,456,455,454,453,452,451,450,449,448,447,446,445,444,443,442,441,440,439,438,437,436,435,434,433,432,431,430,429,428,427,426,425,424,423,422,421,420,419,418,417,416,415,414,413,412,411,410,409,408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382, 17 | 381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314,313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260, 18 | 259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221,220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147,146,145,144,143,142,141,140,139 19 | }; 20 | static uint32_t S0[] = { 21 | 90, 27, 10, 6, 5, 4, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 18, 8, 7, 6, 5, 4, 3, 2, 1, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 22 | 2, 1, 72, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 57, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 44, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 23 | 1, 33, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 139 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 59 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-5119 using OAYT-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-1024-wd2-m2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 12 | 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 13 | 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 129,128,127,126,125,124,123,122,121,120,119,118, 17 | 117,116,115,114,113,112,111,110,109,108,107,106, 18 | 105,104,103,102,101,100, 99, 98, 97, 96, 95 19 | }; 20 | static uint32_t S0[] = { 21 | 59, 20, 8, 4, 3, 2, 1, 3, 2, 1, 7, 6, 5, 4, 3, 2, 1, 13, 6, 5, 4, 3, 2, 1, 12, 11, 10, 9, 8, 7, 6, 5, 22 | 4, 3, 2, 1, 45, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 33, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 24, 8, 23 | 7, 6, 5, 4, 3, 2, 1, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | // ----------------------------------------------------------------------------------------------------------------------------------- 26 | // Strategy number 1 27 | 28 | static uint32_t L1[] = { 29 | 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 30 | 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 31 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 32 | }; 33 | static uint32_t W1[] = { 34 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104, 35 | 103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 36 | 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55 37 | }; 38 | static uint32_t S1[] = { 39 | 32, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 40 | 4, 3, 2, 1, 23, 8, 7, 6, 5, 4, 3, 2, 1, 17, 5, 4, 3, 2, 1, 41 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 42 | }; 43 | // ----------------------------------------------------------------------------------------------------------------------------------- 44 | // Strategy number 2 45 | 46 | static uint32_t L2[] = { 47 | 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 48 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 49 | 6, 5, 4, 3, 2, 1, 0 50 | }; 51 | static uint32_t W2[] = { 52 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 53 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 54 | 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27 55 | }; 56 | static uint32_t S2[] = { 57 | 14, 6, 4, 2, 1, 3, 2, 1, 5, 58 | 4, 3, 2, 1, 9, 4, 3, 2, 1, 59 | 8, 7, 6, 5, 4, 3, 2, 1 60 | }; 61 | // ----------------------------------------------------------------------------------------------------------------------------------- 62 | // Strategy number 3 63 | 64 | static uint32_t L3[] = { 65 | 26, 25, 24, 23, 22, 21, 20, 19, 18, 66 | 17, 16, 15, 14, 13, 12, 11, 10, 9, 67 | 8, 7, 6, 5, 4, 2, 1, 0 68 | }; 69 | static uint32_t W3[] = { 70 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 71 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 72 | 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 3 73 | }; 74 | static uint32_t S3[] = { 75 | 12, 7, 3, 3, 2, 1, 2, 1, 6, 76 | 5, 4, 3, 2, 1, 11, 10, 9, 8, 77 | 7, 6, 5, 4, 3, 2, 1 78 | }; 79 | 80 | 81 | // ----------------------------------------------------------------------------------------------------------------------------------- 82 | // ----------------------------------------------------------------------------------------------------------------------------------- 83 | #define NUMBER_OF_DIFFERENT_STRATEGIES 4 84 | 85 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 86 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 87 | L0, L1, L2, L3 88 | }; 89 | 90 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 91 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 92 | W0, W1, W2, W3 93 | }; 94 | 95 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 96 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 97 | S0, S1, S2, S3 98 | }; 99 | 100 | // Number of primes for each strategy 101 | static uint32_t NUMBER_OF_PRIMES[] = { 102 | 95, 55, 27, 26 103 | }; 104 | 105 | // Number of rounds per each different strategy 106 | static uint8_t ROUNDS[] = { 107 | 1, 1, 2, 1 108 | }; 109 | 110 | // Maximum number of degree-(l_i) isogeny constructions 111 | static uint8_t M[] = { 112 | 3, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 113 | 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 114 | 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 115 | }; 116 | 117 | #endif /* required framework for the strategies to be used in CSIDH-1024 using OAYT-style */ 118 | -------------------------------------------------------------------------------- /include/strategy/csidh-1024-wd2.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 12 | 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 13 | 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 129,128,127,126,125,124,123,122,121,120,119,118, 17 | 117,116,115,114,113,112,111,110,109,108,107,106, 18 | 105,104,103,102,101,100, 99, 98, 97, 96, 95 19 | }; 20 | static uint32_t S0[] = { 21 | 59, 20, 8, 4, 3, 2, 1, 3, 2, 1, 7, 6, 5, 4, 3, 2, 1, 13, 6, 5, 4, 3, 2, 1, 12, 11, 10, 9, 8, 7, 6, 5, 22 | 4, 3, 2, 1, 45, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 33, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 24, 8, 23 | 7, 6, 5, 4, 3, 2, 1, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | // ----------------------------------------------------------------------------------------------------------------------------------- 26 | // Strategy number 1 27 | 28 | static uint32_t L1[] = { 29 | 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 30 | 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 31 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 32 | }; 33 | static uint32_t W1[] = { 34 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104, 35 | 103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 36 | 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55 37 | }; 38 | static uint32_t S1[] = { 39 | 32, 10, 6, 4, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 40 | 4, 3, 2, 1, 23, 8, 7, 6, 5, 4, 3, 2, 1, 17, 5, 4, 3, 2, 1, 41 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 42 | }; 43 | // ----------------------------------------------------------------------------------------------------------------------------------- 44 | // Strategy number 2 45 | 46 | static uint32_t L2[] = { 47 | 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 48 | 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 49 | 6, 5, 4, 3, 2, 1, 0 50 | }; 51 | static uint32_t W2[] = { 52 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 53 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 54 | 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27 55 | }; 56 | static uint32_t S2[] = { 57 | 14, 6, 4, 2, 1, 3, 2, 1, 5, 58 | 4, 3, 2, 1, 9, 4, 3, 2, 1, 59 | 8, 7, 6, 5, 4, 3, 2, 1 60 | }; 61 | // ----------------------------------------------------------------------------------------------------------------------------------- 62 | // Strategy number 3 63 | 64 | static uint32_t L3[] = { 65 | 26, 25, 24, 23, 22, 21, 20, 19, 18, 66 | 17, 16, 15, 14, 13, 12, 11, 10, 9, 67 | 8, 7, 6, 5, 4, 2, 1, 0 68 | }; 69 | static uint32_t W3[] = { 70 | 129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 71 | 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 72 | 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 3 73 | }; 74 | static uint32_t S3[] = { 75 | 12, 7, 3, 3, 2, 1, 2, 1, 6, 76 | 5, 4, 3, 2, 1, 11, 10, 9, 8, 77 | 7, 6, 5, 4, 3, 2, 1 78 | }; 79 | 80 | 81 | // ----------------------------------------------------------------------------------------------------------------------------------- 82 | // ----------------------------------------------------------------------------------------------------------------------------------- 83 | #define NUMBER_OF_DIFFERENT_STRATEGIES 4 84 | 85 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 86 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 87 | L0, L1, L2, L3 88 | }; 89 | 90 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 91 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 92 | W0, W1, W2, W3 93 | }; 94 | 95 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 96 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 97 | S0, S1, S2, S3 98 | }; 99 | 100 | // Number of primes for each strategy 101 | static uint32_t NUMBER_OF_PRIMES[] = { 102 | 95, 55, 27, 26 103 | }; 104 | 105 | // Number of rounds per each different strategy 106 | static uint8_t ROUNDS[] = { 107 | 1, 1, 2, 1 108 | }; 109 | 110 | // Maximum number of degree-(l_i) isogeny constructions 111 | static uint8_t M[] = { 112 | 3, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 113 | 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 114 | 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 115 | }; 116 | 117 | #endif /* required framework for the strategies to be used in CSIDH-1024 using OAYT-style */ 118 | -------------------------------------------------------------------------------- /tmp/csidh-5120-wd1-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 503,502,501,500,499,498,497,496,495,494,493,492,491,490,489,488,487,486,485,484,483,482,481,480,479,478,477,476,475,474,473,472,471,470,469,468,467,466,465,464,463,462,461,460,459,458,457,456,455,454,453,452,451,450,449,448,447,446,445,444,443,442,441,440,439,438,437,436,435,434,433,432,431,430,429,428,427,426,425,424,423,422,421,420,419,418,417,416,415,414,413,412,411,410,409, 17 | 408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314, 18 | 313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 154, 40, 14, 6, 3, 2, 1, 1, 2, 1, 4, 1, 3, 2, 1, 10, 3, 2, 1, 7, 2, 1, 5, 1, 4, 3, 2, 1, 30, 7, 2, 1, 6, 5, 4, 3, 2, 1, 23, 6, 5, 4, 3, 2, 1, 18, 4, 3, 2, 1, 14, 3, 2, 1, 11, 2, 1, 9, 1, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 5, 4, 3, 2, 1, 22 | 18, 4, 3, 2, 1, 15, 2, 1, 13, 1, 11, 1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,107, 15, 2, 1, 13, 1, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 93, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 81, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 70, 10, 9, 8, 7, 6, 5, 4, 23 | 3, 2, 1, 60, 9, 8, 7, 6, 5, 4, 3, 2, 1, 51, 8, 7, 6, 5, 4, 3, 2, 1, 43, 7, 6, 5, 4, 3, 2, 1, 36, 6, 5, 4, 3, 2, 1, 30, 5, 4, 3, 2, 1, 25, 4, 3, 2, 1, 22, 2, 1, 20, 1, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-5119 using MCR-style */ 64 | -------------------------------------------------------------------------------- /tmp/csidh-5120-df-m1.h: -------------------------------------------------------------------------------- 1 | #ifndef _STRATEGIES_H_ 2 | #define _STRATEGIES_H_ 3 | 4 | // This script assumes the C-code implementation has the list of Small Odd Primes (SOPs) stored such that l_0 < l_1 < ... < l_{n-1} 5 | // Recall, the strategies process from small SOPs to large SOPs. 6 | 7 | // ----------------------------------------------------------------------------------------------------------------------------------- 8 | // Strategy number 0 9 | 10 | static uint32_t L0[] = { 11 | 220,219,218,217,216,215,214,213,212,211,210,209,208,207,206,205,204,203,202,201,200,199,198,197,196,195,194,193,192,191,190,189,188,187,186,185,184,183,182,181,180,179,178,177,176,175,174,173,172,171,170,169,168,167,166,165,164,163,162,161,160,159,158,157,156,155,154,153,152,151,150,149,148,147, 12 | 146,145,144,143,142,141,140,139,138,137,136,135,134,133,132,131,130,129,128,127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 99, 98, 97, 96, 95, 94, 93, 92, 91, 90, 89, 88, 87, 86, 85, 84, 83, 82, 81, 80, 79, 78, 77, 76, 75, 74, 73, 13 | 72, 71, 70, 69, 68, 67, 66, 65, 64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 14 | }; 15 | static uint32_t W0[] = { 16 | 503,502,501,500,499,498,497,496,495,494,493,492,491,490,489,488,487,486,485,484,483,482,481,480,479,478,477,476,475,474,473,472,471,470,469,468,467,466,465,464,463,462,461,460,459,458,457,456,455,454,453,452,451,450,449,448,447,446,445,444,443,442,441,440,439,438,437,436,435,434,433,432,431,430,429,428,427,426,425,424,423,422,421,420,419,418,417,416,415,414,413,412,411,410,409, 17 | 408,407,406,405,404,403,402,401,400,399,398,397,396,395,394,393,392,391,390,389,388,387,386,385,384,383,382,381,380,379,378,377,376,375,374,373,372,371,370,369,368,367,366,365,364,363,362,361,360,359,358,357,356,355,354,353,352,351,350,349,348,347,346,345,344,343,342,341,340,339,338,337,336,335,334,333,332,331,330,329,328,327,326,325,324,323,322,321,320,319,318,317,316,315,314, 18 | 313,312,311,310,309,308,307,306,305,304,303,302,301,300,299,298,297,296,295,294,293,292,291,290,289,288,287,286,285,284,283,282,281,280,279,278,277,276,275,274,273,272,271,270,269,268,267,266,265,264,263,262,261,260,259,258,257,256,255,254,253,252,251,250,249,248,247,246,245,244,243,242,241,240,239,238,237,236,235,234,233,232,231,230,229,228,227,226,225,224,223,222,221 19 | }; 20 | static uint32_t S0[] = { 21 | 149, 42, 16, 6, 4, 3, 2, 1, 3, 2, 1, 5, 4, 3, 2, 1, 10, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1, 30, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 21, 8, 7, 6, 5, 4, 3, 2, 1, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,125, 23, 22 | 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,103, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 84, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 68, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 23 | 5, 4, 3, 2, 1, 54, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 42, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 41, 40, 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 24 | }; 25 | 26 | 27 | // ----------------------------------------------------------------------------------------------------------------------------------- 28 | // ----------------------------------------------------------------------------------------------------------------------------------- 29 | #define NUMBER_OF_DIFFERENT_STRATEGIES 1 30 | 31 | // L_STRATEGY[i] determines the small odd primes l_i per each strategy 32 | static uint32_t *L_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 33 | L0 34 | }; 35 | 36 | // W_STRATEGY[i] determines L \ L_STRATEGY[i] 37 | static uint32_t *W_STRATEGY[NUMBER_OF_DIFFERENT_STRATEGIES] = { 38 | W0 39 | }; 40 | 41 | // S_STRATEGY[i] determines the optimal strategy for L_STRATEGY[i] 42 | static uint32_t *S[NUMBER_OF_DIFFERENT_STRATEGIES] = { 43 | S0 44 | }; 45 | 46 | // Number of primes for each strategy 47 | static uint32_t NUMBER_OF_PRIMES[] = { 48 | 221 49 | }; 50 | 51 | // Number of rounds per each different strategy 52 | static uint8_t ROUNDS[] = { 53 | 1 54 | }; 55 | 56 | // Maximum number of degree-(l_i) isogeny constructions 57 | static uint8_t M[] = { 58 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 59 | 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 61 | }; 62 | 63 | #endif /* required framework for the strategies to be used in CSIDH-5119 using dummy-free-style */ 64 | --------------------------------------------------------------------------------