Working with 1 prefix.

configure.ac

@@ -55,7 +55,7 @@ AC_ARG_ENABLE(debug,
    CFLAGS+=" -DNDEBUG -O3 -march=native")
 
 
-AC_DEFINE([ERROR],  [17], [log inverse of the error probability, default: 17.])
+AC_DEFINE([FAILURE],  [9], [log inverse of the failure probability, default: 17.])
 AC_DEFINE([FB_BASE], [10], [log of precomputed base for group operation, default: 8.])
 AC_DEFINE([SS_BASE], [1], [log of secret shares representation, default: 1.])
 

src/Makefile.am

@@ -1,7 +1,7 @@
 BENCHMARKS = rms_bench ddlog_bench exp_bench mul_bench
 
 bin_PROGRAMS = $(BENCHMARKS) sanity_check
-check_PROGRAMS = group_test
+check_PROGRAMS = group_test ddlog_test
 
 DDLOG = ddlog.c ddlog.h
 ELGAMAL = elgamal.c elgamal.h
@@ -14,6 +14,9 @@ TESTS = $(check_PROGRAMS)
 
 group_test_SOURCES = group_test.c \
 	$(GROUP) $(ENTROPY)
+ddlog_test_SOURCES = ddlog_test.c \
+	$(GROUP) $(ENTROPY) $(DDLOG)
+
 rms_bench_SOURCES = rms_bench.c \
 	$(DDLOG) $(ELGAMAL) $(ENTROPY) $(GROUP) $(FBASE) $(HSS) $(TIMEIT)
 ddlog_bench_SOURCES = ddlog_bench.c \

src/ddlog.c

@@ -1,3 +1,4 @@
+#include <stdbool.h>
 #include <stdint.h>
 #include <limits.h>
 #include <strings.h>
@@ -12,9 +13,12 @@ uint32_t lookup[256];
 uint32_t offset[256];
 
 static const uint64_t topmask = ~(ULLONG_MAX >> halfstrip_size);
-static const uint64_t topbigmask = ~(ULLONG_MAX >> strip_size);
+//static const uint64_t topbigmask = ~(ULLONG_MAX >> strip_size);
 static const uint64_t bottommask = (0x01  << halfstrip_size) -1;
 
+static const uint64_t failuremask = ~(ULLONG_MAX >> FAILURE);
+#define distinguished_limb 0x8000000000000000
+#define clz(x) __builtin_clzll(x)
 
 static inline
 void add_1(uint64_t *b, const size_t start, const size_t len, uint64_t a)
@@ -30,6 +34,9 @@ void add_1(uint64_t *b, const size_t start, const size_t len, uint64_t a)
    */
 }
 
+
+#define zdistinguished(x) (((x)[head] & topbigmask)) == 0
+
 uint32_t __attribute__((optimize("unroll-loops"))) convert(uint64_t * nn)
 {
   uint32_t steps;
@@ -37,40 +44,38 @@ uint32_t __attribute__((optimize("unroll-loops"))) convert(uint64_t * nn)
 #define next_head  ((head + 23) % 24)
 #define tail       ((head + 1)  % 24)
 #define next_tail  ((head + 2)  % 24)
-
-#define distinguished(x) (((x)[head] & topbigmask)) == 0
+#define x (nn[head])
+#define y (nn[next_head])
 
   /** Check the most significant block */
-  const uint64_t x = nn[head];
-  for (uint32_t w2 = halfstrip_size; w2 < 64-halfstrip_size; w2 += halfstrip_size) {
+  for (uint32_t w2 = clz(x) + halfstrip_size - (clz(x) % halfstrip_size);
+       w2 < 64 - halfstrip_size;
+       w2 += halfstrip_size) {
     if (!(x & (topmask >> w2))) {
       const size_t previous = (x >> (64 - halfstrip_size - w2 + halfstrip_size)) & bottommask;
-      const uint32_t next =   (x >> (64 - halfstrip_size - w2 - halfstrip_size)) & bottommask;
-      if (next <= lookup[previous]) return w2 - offset[previous];
+      const uint32_t next   = (x >> (64 - halfstrip_size - w2 - halfstrip_size)) & bottommask;
+      if (next <= lookup[previous]) return w2 - offset[previous] - 1;
     }
   }
 
-  for (steps = 64; !distinguished(nn); steps += 64) {
-    const uint64_t x = nn[head];
-    const uint64_t y = nn[next_head];
-
+  for (steps = 64; true; steps += 64) {
     if (!(x & bottommask)) {
       const size_t previous = (x >> halfstrip_size) & bottommask;
-      const uint32_t next = y >> (64 - halfstrip_size);
-      if (next <= lookup[previous]) return steps - halfstrip_size - offset[previous];
+      const uint32_t next   =  y >> (64 - halfstrip_size);
+      if (next <= lookup[previous]) return steps - halfstrip_size - offset[previous] - 1;
     }
 
     if (!(y & topmask)) {
-      const size_t previous = x & bottommask;
-      const uint32_t next = (y >> (64 - 2*halfstrip_size)) & bottommask;
-      if (next <= lookup[previous]) return steps - offset[previous];
+      const size_t previous =  x & bottommask;
+      const uint32_t next   = (y >> (64 - 2*halfstrip_size)) & bottommask;
+      if (next <= lookup[previous]) return steps - offset[previous] - 1;
     }
 
     for (uint32_t w2 = halfstrip_size; w2 < 64-halfstrip_size; w2 += halfstrip_size) {
       if (!(y & (topmask >> w2))) {
         const size_t previous = (y >> (64 - halfstrip_size - w2 + halfstrip_size)) & bottommask;
-        const uint32_t next =   (y >> (64 - halfstrip_size - w2 - halfstrip_size)) & bottommask;
-        if (next <= lookup[previous]) return steps + w2 - offset[previous];
+        const uint32_t next   = (y >> (64 - halfstrip_size - w2 - halfstrip_size)) & bottommask;
+        if (next <= lookup[previous]) return steps + w2 - offset[previous] - 1;
       }
     }
 
@@ -83,27 +88,23 @@ uint32_t __attribute__((optimize("unroll-loops"))) convert(uint64_t * nn)
     head = next_head;
     nn[tail] = al;
     add_1(nn, next_tail, 24, ah);
-
   }
-  return steps;
 }
 
+bool distinguished(mpz_t n)
+{
+  return (n->_mp_d[23] & failuremask) == distinguished_limb;
+}
 
 uint32_t naif_convert(mpz_t n)
 {
-  uint32_t i;
-  mpz_t t;
-  mpz_init_set_ui(t, 1);
-  mpz_mul_2exp(t, t, 1536-strip_size);
-
+  uint32_t steps;
 
-  for (i = 0; mpz_cmp(n, t) > -1; i++) {
-    mpz_mul_ui(n, n, 2);
-    mpz_mod(n, n, p);
+  for (steps = 0; !distinguished(n); steps++) {
+    mpz_mul_ui_modp(n, n, 2);
   }
 
-  mpz_clear(t);
-  return i;
+  return steps;
 }
 
 
@@ -111,7 +112,7 @@ void dlog_precompute()
 {
   for (size_t i = 0; i <= bottommask; i++) {
     uint32_t j = ffs(i) ? ffs(i) - 1 : halfstrip_size;
-    lookup[i] = bottommask >> (halfstrip_size-j);
+    lookup[i] = bottommask >> (halfstrip_size - j);
     offset[i] = j;
   }
 }

src/ddlog.h

@@ -1,10 +1,12 @@
 #pragma once
 
 #include "config.h"
+#include <stdbool.h>
 #include <stdint.h>
+
 #include <gmp.h>
 
-#define strip_size (ERROR - 1)
+#define strip_size (FAILURE - 1)
 #define halfstrip_size ((strip_size)/2)
 
 extern uint32_t lookup[256];
@@ -13,5 +15,6 @@ extern uint32_t offset[256];
 
 uint32_t convert(uint64_t *nn);
 uint32_t naif_convert(mpz_t n);
+bool distinguished(mpz_t n);
 
 void dlog_precompute();

src/ddlog_bench.c

@@ -15,7 +15,7 @@ int main()
   mpz_entropy_init();
 
   INIT_TIMEIT(CLOCK_PROCESS_CPUTIME_ID);
-  for (int i=0; i < (int) (1e9 / (0x01 << strip_size) * 3.5); i++) {
+  for (int i=0; i < (int) (1e6); i++) {
     mpz_t n, n0;
     mpz_inits(n, n0, NULL);
 

src/ddlog_test.c

@@ -0,0 +1,40 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <strings.h>
+
+#include "ddlog.h"
+#include "entropy.h"
+#include "group.h"
+#include "timeit.h"
+
+#ifdef NDEBUG
+#error "running test without debug?"
+#endif
+
+int main()
+{
+
+  group_init();
+  dlog_precompute();
+  mpz_entropy_init();
+
+
+  for (int i=0; i < (int) (1e3); i++) {
+    mpz_t n, n0;
+    mpz_inits(n, n0, NULL);
+
+    mpz_urandomm(n0, _rstate, p);
+    mpz_set(n, n0);
+    uint32_t expected = naif_convert(n);
+    mpz_set(n, n0);
+    uint32_t converted = convert(n->_mp_d);
+    printf("%d %d\n", converted, expected);
+    assert(converted == expected);
+    mpz_clears(n, n0, NULL);
+  }
+
+  group_clear();
+  return 0;
+
+}

src/group.h

@@ -76,4 +76,14 @@ void remp(mpz_t rop)
 void powmp_ui(mpz_t rop, const mpz_t base, uint64_t exp);
 void mul_modp(mpz_t rop, mpz_t op1, mpz_t op2);
 
-#define mpz_mul_modp(rop, op1, op2) mpz_mul(rop, op1, op2); remp(rop);
+#define mpz_mul_modp(rop, op1, op2)             \
+  do {                                          \
+    mpz_mul(rop, op1, op2);                     \
+    remp(rop);                                  \
+  } while (0)
+
+#define mpz_mul_ui_modp(rop, op1, op2)          \
+  do {                                          \
+    mpz_mul_ui(rop, op1, op2);                  \
+    remp(rop);                                  \
+  } while (0)

src/sanity_check.c

@@ -13,25 +13,31 @@ int main()
   hss_init();
 
 
-  mpz_t x, y;
+  mpz_t x, y, z;
   uint32_t xc, yc;
 
-  mpz_inits(x, y, NULL);
+  mpz_inits(x, y, z, NULL);
 
+  /* z is a uniformly random group element */
   mpz_urandomm(x, _rstate, q);
-  mpz_set_ui(y, 2);
-
-  /* y is a uniformly random group element */
-  mpz_powm(y, y, x, p);
+  mpz_set_ui(z, 2);
+  mpz_powm(z, z, x, p);
+  /* y = 2z  (mod p) */
+  mpz_mul_2exp(y, z, 1);
+  mpz_mod(y, y, p);
   /* x = 2y  (mod p) */
   mpz_mul_2exp(x, y, 1);
-  mpz_mod(x, x, p);
+  mpz_mod(x, z, p);
 
+  printf("%lx %lx\n", x->_mp_d[23], y->_mp_d[23]);
   xc = convert(x->_mp_d);
   yc = convert(y->_mp_d);
-  printf("%d %d\n", xc, yc);
+
+  printf("%d %d    %d\n", xc, yc, distinguished(z));
+
 
   hss_clear();
+  mpz_clears(x, y, z, NULL);
   return 0;
 
 }