Mon Apr 25 13:39:23 PDT 2005

Implemented singular curve y^2 = x^3 + x^2, though it will probably
never be used. See e_param.c. Also cleaned up e_param.c code: no need
for mapbase.

"polymod" field no longer piggybacks on the "poly" field, as making
the number of coefficients in the polynomial dynamic makes less sense when
it is more or less fixed. Minor speedup obtained.

Plugged memory leak in c_param.c (in pairing_even_k)

[0.2.1]

Sun Apr 24 13:36:59 PDT 2005

c_param's now save a particular minimal polynomial and quadratic nonresidue
so F_q can be extended to F_q^d and F_q^k deterministically.

Moved part of mnt.c to c_param.c, and other parts to hilbert.c.

[0.2.0]

Sun Apr 24 03:07:26 PDT 2005

Wrote documentation. Inspired by GMP, I renamed LICENSE to COPYING and
rewrote README. The technical details are now in manual.txt. Also created
INSTALL and AUTHORS.

For the record, on my laptop:

./benchmark < a.param:
average pairing time = 0.032055

./benchmark < c201.param:
average pairing time = 0.156073

./benchmark < c159.param:
average pairing time = 0.109618

My old timings are too large because benchmark sends a lot of data to
standard output, which causes my terminal program to hog the CPU.
This time I piped the output to a file.

Sat Apr 23 21:54:16 PDT 2005

Decided to name curve types as follows:

a_param: solinas_param in the old code. y^2 = x^3 + x
c_param: cc_param in the old code. MNT curves with k=6, though the code
can easily be extended to other k
e_param: k=1 CM curves with Solinas primes.

b_param: reserved for the curve y^2 = x^3 + x. (May have to split into
subcases b1, b2 for symmetric, asymmetric pairings.)
d_param: reserved for supersingular curves with k=6.

Now param files contain an extra "type" field.

Bug fix: poly_out_str was always using base 10

Sat Apr 23 14:52:15 PDT 2005

Moved random functions to random.c. Some cleanup.
k=1 CM curves.

Fri Apr 22 15:27:22 PDT 2005

Makefile update from Hovav. Makes libraries now.

Fri Apr 22 10:52:50 PDT 2005

Bugfix: polymod_from_bytes() wasn't allocating space for the coefficients.

[0.1.5]

Thu Apr 21 22:51:24 PDT 2005

Many changes due to Hovav Shacham <hovav@cs.stanford.edu>:
    - Bugfix in curve.c: cc_add() wasn't clearing inf_flag.
    - New improved Makefile.
    - General code cleanup to get rid of most compiler warnings.
    - element_pow2, element_pow3 for faster computation of expressions
      such as g^x h^y. (Multi-exponentiation.)
    - BBS demo program optimizations: e.g. precomputations,
      multi-exponentiations.

Wed Apr 20 23:35:55 PDT 2005

Memory leak in field_init_polymod/compute_x_powers() (darray_init called twice)

[0.1.3]

Output bugs: printing various parameters of cc_param_t and solinas_param_t
to standard output instead of given stream.

[0.1.4]

Wed Apr 20 14:11:29 PDT 2005

Tate exponentiation optimization for k = 6 curves. Timings are much better.

e.g. output of benchmark.c on my laptop:
average pairing time = 0.170114

[0.1.2]

Renamed example.txt to 201.txt, created 159.txt which is more likely to
be used in a typical cryptosystem.

Wed Apr 20 02:28:37 PDT 2005

Fixed bug in poly.c causing "polymod" fields to incorrectly report element
lengths. Generalized fieldi to fieldquadratic, kept fieldi as special case
for efficiency.

Twist curve optimization for MNT curves of even embedding degree. Uses
denominator elimination now.

solinas_pairing() can handle Solinas primes of all kinds now.

[0.1.1]

Tue Apr 19 14:02:31 PDT 2005

Wrote code to help detect memory leaks. (Compile with -include leak.h and
link with leak.o to allow mem_report() to work.)

Plugged memory leaks: poly_clear, polymod_mul, poly_const_mul,
field_clear_polymod (in clear())

[0.1.0]

Tue Apr 19 01:12:55 PDT 2005

Moved code around, wrote new version of cc_miller() to do most operations
in base field. Optimized Tate exponentiation for Solinas prime case. Wrote
simple benchmark program. Fixed memory leak: field->order was not being
freed.

Mon Apr 18 15:04:10 PDT 2005

Optimized Miller's algorithm for Solinas prime case.

Sun Apr 17 02:13:11 PDT 2005

Got rid of point_extend, cc_init_extend. Instead, pass a map around.
fieldmap_t gone. Have to pass domains and ranges when needed,
but most of the time it seems only the map itself is needed.

k=2 curves work, but Solinas prime optimizations yet to be written.

[0.0.6]

Sat Apr 16 16:38:19 PDT 2005

Implementing k=2 supersingular curves with Solinas primes.

Sat Apr 16 04:10:25 PDT 2005

Cleaned up the way nonquadratic residues are computed. Only computed when
needed, and result is cached.

Fri Apr 15 12:06:03 PDT 2005

fieldi.c operational.

Fri Apr 15 01:49:01 PDT 2005

curve_init_cc_j calls curve_init_cc_ab now.

Started work on fieldi.c, which extends any input field by [i] where
i is a square root of -1. Does not check if -1 already has square roots
in the base field.

Thu Apr 14 02:17:09 PDT 2005

Fixed bug in curve_group_from_bytes(). Forgot to unset inf_flag. Also
realized that my code can't read/write the point at infinity, which is not
a problem for cryptography.

BBS group signatures implemented, except no hashing is done.

[0.0.5]

Fri Apr  8 12:08:58 PDT 2005

[0.0.4]

Fri Apr  8 03:54:27 PDT 2005

Added serialization routines for `curve_group' fields. Fixed a bug where
polymod was computing the fixed_length_in_bytes incorrectly.
(Had `poly->field' instead of `p->field'.) Thus elements of pairing->G1
and pairing->G2 can be serialized.

Thu Feb  3 14:03:34 PST 2005

[0.0.3]

Mon Jan 31 00:22:14 PST 2005

Changed random function interfaces slightly so they can have state.
Small change: now call random_set_file("/dev/urandom") to use /dev/urandom.

Thu Jan 27 00:06:37 PST 2005

Cleaned up random functions a little. Can choose to use /dev/urandom now
by calling random_set_devrandom().

Sun Jan 23 20:48:01 PST 2005

Fixed BB signatures bug: had inited a variable twice by accident, the
second time it was being placed in the wrong group.

[0.0.2]

Tue Jan 18 13:52:47 PST 2005

BB signatures coded. Just about to test them.

Sun Dec 26 02:58:54 PST 2004

Coded routines to serialize and deserialize element_t, though only for
the rings needed for the pairing, i.e. F_p and F_p^k.

Wrote testbls program, BLS signature library works, but at the moment
only the signature can be read from and written to disk.

Tue Dec 21 02:30:50 PST 2004

Working on BLS signature library.
Changed out_str functions to take base argument, like GMP.

Thu Dec  9 13:22:06 PST 2004

Got rid of pbc_init().
Wrote IBE demo, testibe.c and short signatures demo, testsig.c.

[0.0.1]

Wed Dec  8 15:21:43 PST 2004

Abstraction complete.

Wed Dec  8 03:36:10 PST 2004

Started work on abstracting pairing (the `pairing_t' data type).

Mon Dec  6 18:46:08 PST 2004

Minor fixes, cleanup. First release.

[0.0.0]

Wed Nov 24 03:20:31 PST 2004

Finally have a single program that starts with a given D and generates
a k=6 curve.

Tue Nov 23 19:08:21 PST 2004

Compute integral part of input to mpc_exp separately so that the Taylor
series converges quickly.

Tue Nov 23 01:51:51 PST 2004

Fixed bug in hilbert_poly (multiplication by (X^2 - 2 Re(j)X + |j|^2) was
wrong).

Mon Nov 22 18:49:29 PST 2004

Integrating pell equation solver with hilbert poly code.

Fri Nov 19 14:36:18 PST 2004

hilbert_poly() works, but still need code to change the precision
of the computations for higher D.

Fri Nov 19 04:21:05 PST 2004

Started work on computing Hilbert polys. Can compute j's, just need
to multiply them together and round to integers.

Is old code faster? Is it better to compute real exp, sin and cos functions
rather than one complex power series for complex exp()?

Wed Nov 17 23:11:38 PST 2004

Complex numbers. Miller's algorithm optimizations: can scale points by
any element of the base field due to final exponentiation, i.e. use
projective version of doubling and mixin.
Intend to modify original one so it works on embedding degree 1 curves.

Wed Nov 17 04:05:39 PST 2004

Finally found bug that was messing up Tate pairing.
v = v + b instead of v = v + c in miller_line()

Tue Nov  9 23:42:27 PST 2004

Bugfix: field_init_polymod assumes input polynomial is irreducible, but
poly_is_irred() calls this without caring.

Tue Nov  9 14:22:26 PST 2004

Fixed bug in random polynomial generator. Also in poly_irred test
code: it was only looking for GCD = +- 1, rather than GCD = any unit.

Mon Nov  8 01:13:39 PST 2004

Implemented Cantor-Zassenhaus algorithm for finding square roots.
(Is this the same as Legendre's method?)
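As an added illustration (not code from the PBC library): the Cantor-Zassenhaus approach to square roots in F_p, splitting x^2 - a by taking the gcd with (x + r)^((p-1)/2) - 1 for random r. The function names are mine, and p is assumed to be an odd prime.

```python
import secrets

# Elements of F_p[x] / (x^2 - a) are pairs (c0, c1) standing for c0 + c1*x.
def _mulmod(u, v, a, p):
    u0, u1 = u
    v0, v1 = v
    # x^2 reduces to a, so the x^2 term folds into the constant term
    return ((u0 * v0 + u1 * v1 * a) % p, (u0 * v1 + u1 * v0) % p)

def _powmod(base, e, a, p):
    result = (1, 0)
    while e:
        if e & 1:
            result = _mulmod(result, base, a, p)
        base = _mulmod(base, base, a, p)
        e >>= 1
    return result

def is_quadratic_residue(a, p):
    """Euler's criterion: a^((p-1)/2) == 1 exactly when a is a nonzero square."""
    return pow(a % p, (p - 1) // 2, p) == 1

def sqrt_cantor_zassenhaus(a, p, rng=secrets.randbelow):
    """Return s with s*s == a (mod p) for an odd prime p; raises if a is not a square.

    Cantor-Zassenhaus view: x^2 - a = (x - s)(x + s) over F_p. For random r,
    g = (x + r)^((p-1)/2) takes the value +-1 (or 0) at each root, so with
    probability about 1/2 the polynomial g - 1 vanishes at exactly one root
    and gcd(g - 1, x^2 - a) = x - s reveals it.
    """
    a %= p
    if a == 0:
        return 0
    if not is_quadratic_residue(a, p):
        raise ValueError("a is not a quadratic residue mod p")
    while True:
        r = rng(p)
        g0, g1 = _powmod((r, 1), (p - 1) // 2, a, p)
        # g - 1 = (g0 - 1) + g1*x. If g1 == 0 the gcd is trivial or all of
        # x^2 - a (both roots gave the same sign), so pick another r.
        if g1 == 0:
            continue
        candidate = ((1 - g0) * pow(g1, -1, p)) % p  # the root of g - 1
        if candidate * candidate % p == a:           # also a root of x^2 - a
            return candidate
```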

Thu Nov  4 14:33:06 PST 2004

Polynomial rings. (Perhaps need to rename "field" data structure to ring.)

Sun Oct 31 11:44:44 PST 2004

Very basic infrastructure. F_p implemented.
