1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <stdint.h>
4
#include <math.h>
5
#include "gmp.h"
6
#include "galrep.h"
7

8

9
/*
10
    Copyright 2009 Andrew V. Sutherland
11

12
    This file is part of galrep.
13

14
    galrep is free software: you can redistribute it and/or modify
15
    it under the terms of the GNU General Public License as published by
16
    the Free Software Foundation, either version 2 of the License, or
17
    (at your option) any later version.
18

19
    galrep is distributed in the hope that it will be useful,
20
    but WITHOUT ANY WARRANTY; without even the implied warranty of
21
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
22
    GNU General Public License for more details.
23

24
    You should have received a copy of the GNU General Public License
25
    along with smalljac.  If not, see <http://www.gnu.org/licenses/>.
26
*/
27

28
// NB: The int datatype is assumed to hold at least 32-bits
29

30
#define MASK_BITS			32
31
typedef uint32_t bitmask_t;
32

33
static int elltab[GALREP_ELL_COUNT] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59 };
34
static int ellitab[GALREP_MAX_ELL+1];		// ellitab[ell] = i iff elltab[i] = ell, set to -1 ow.  initialized by galrep_load_gl2data
35

36
/*
37
	General utility stuff for barebones modular arithmetic and bitmask manipulation.
38
	Note that we assume throughout that the modulus p is small enough so that 4*p^2 fits in an unsigned int
39
	We include this utility code here just to make things self contained.
40
*/
41
static inline void swab16 (uint16_t *x) { *x = ((*x&(uint16_t)0x00ffU) << 8) | ((*x&(uint16_t)0xff00U) >> 8); }
42
static inline void swab32 (uint32_t *x) { *x = ((*x&(uint32_t)0x000000ffU) << 24) | ((*x&(uint32_t)0x0000ff00U) << 8) | ((*x&(uint32_t)0x00ff0000U) >> 8) | ((*x&(uint32_t)0xff000000U) >> 24); }
43

44
double log2 (double x);
45

46
// the modular aritmetic below is about twice as fast as the % operator on an AMD Athlon 64 (YMMV)
47
static unsigned int ui_mod_i (unsigned int x, unsigned int m, double mi)
48
	{ register unsigned int t, z;  t = mi * x - 0.5;  z = x-t*m;  if ( z >= m ) z-= m; return z; }
49
static unsigned int ui_mod (unsigned int x, unsigned int m) { return ui_mod_i (x, m, 1.0/m); }
50
static int i_mod(int x, int m) { register int t;  if ( x >= 0 ) return ui_mod(x,m);  t = - (int)ui_mod((unsigned int)(-x),m);  return (t<0?t+m:t); }
51
int gcdext (int a, int b, int *x, int *y);
52
int legendre (int a, int b);
53
static int inverse_mod_p (int a, int p) { int y;  if ( gcdext(p, a, 0, &y) != 1 ) return 0; else return (y >= 0 ? y : y+p ); }
54
static int residue_mod_p (int a, int p) { return ( legendre (a, p) < 0 ? 0 : 1 ); }
55

56
static inline void bitset (bitmask_t *mask, int i) { mask[i/MASK_BITS] |= (1UL<<(i&(MASK_BITS-1))); }
57
static inline void bitclr (bitmask_t *mask, int i) { mask[i/MASK_BITS] &= ~(1UL<<(i&(MASK_BITS-1))); }
58
static inline int bittest (bitmask_t *mask, int i) { return ( (mask[i/MASK_BITS]>>(i&(MASK_BITS-1))) & 1UL ); }
59
static inline void maskand (bitmask_t *mask, bitmask_t *mask1, bitmask_t *mask2, int words) { register int i; for ( i = 0 ; i < words ; i++ ) mask[i] = mask1[i] & mask2[i]; }
60
static inline void maskor (bitmask_t *mask, bitmask_t *mask1, bitmask_t *mask2, int words) { register int i; for ( i = 0 ; i < words ; i++ ) mask[i] = mask1[i] | mask2[i]; }
61
static inline int maskclear (bitmask_t *mask, int words) { register int i; for ( i = 0 ; i < words ; i++ ) mask[i] = 0; }
62
static inline int masksetall (bitmask_t *mask, int words) { register int i; for ( i = 0 ; i < words ; i++ ) mask[i] = ~((bitmask_t)0UL); }
63
static inline int masknull (bitmask_t *mask, int words) { register int i; for ( i = 0 ; i < words ; i++ ) if ( mask[i] ) return 0; return 1; }
64
static inline int maskequal (bitmask_t *mask1, bitmask_t *mask2, int words) { register int i; for ( i = 0 ; i < words ; i++ )  if ( mask1[i] != mask2[i] ) return 0; return 1; }
65
static inline void maskcopy (bitmask_t *mask1, bitmask_t *mask2, int words) { register int i; for ( i = 0 ; i < words ; i++ ) mask1[i] = mask2[i]; }
66

67
/*
68
	ecdata routines go here - functions to load/unload/lookup precomputed group structure data
69
	for every elliptic curve over Fp for various small p > 3.
70
*/
71

72
/*
73
	Elliptic curve data for small primes in [4,32768] (the exact number depends on the file loaded).
74
	The jdata table includes for each j-invariant over F_p:
75
		1) the absolute value of the trace (stored in the high 11 bits)
76
		2) bit 0 indicating the sign of the trace for the twist of the form y^2=x^3+Ax+B for which A/B is a quadratic residue
77
		3) bits 1,2,3,4 indicating whether either twist has full 2,3,5,7-torsion mod p.
78
		    If bit 1 is set, both twists have 2-torsion, and for odd ell the twist for which p+1-t = 0 mod ell is the one with ell-torsion
79
	For ell from 11 to 59, if p is 1 mod ell then a p-terminated list of increasing j-invariants with full ell-torsion is stored.
80
	
81
	When p=1 mod 3, the data for j-invariant 0 should be ignored, since there are 6 twists, not 2, and we don't distinguish them (we could, but we don't)
82
	Similarly, when p=1 mod 4, the data for j-invariant 1728 should be ignored, since there are 4 twists, not 2.
83
	
84
	Note that we *could* distinguish the twists for 0 and 1728, we just don't *need* to, we will just ignore primes where this occurs.
85
	In the worst case, when we have a curve j-invariant 0 or 1728 over Q, we only use half the primes, but otherwise we use almost all of them.
86
*/
87

88
#define TORP			13
89
#define ECDATA_ID		12345
90

91
static struct ectab_entry_struct {
92
	uint16_t p;					// a prime p in the range [4,32768]
93
	uint16_t ptor;					// mask in which the nth bit is set iff p is 1 mod the (n+5)th prime (n=0 for 11, n=12 for 59)
94
	uint16_t *jdata;				// see details above
95
	uint16_t *torlist[TORP];			// torlist[i] points to a zero-terminated list of j-invariants with ell-torsion, where ell is the (n+5)th prime (n=0 for ell=11)
96
} *ecdata;
97
static int ecdatacnt;
98

99

100
void galrep_ecdata_unload (void)
101
{
102
	int i;
103
	
104
	if ( ecdata ) {
105
		for ( i = 0 ; i < ecdatacnt ; i++ ) if ( ecdata[i].jdata ) { free (ecdata[i].jdata); ecdata[i].jdata = 0; }
106
		free (ecdata);
107
	}
108
	ecdata = 0;  ecdatacnt = 0;
109
}
110

111
int galrep_ecdata_load (char *filename)
112
{
113
	FILE *fp;
114
	struct ectab_entry_struct *tabspace, *tabnext;
115
	char *s, *buf;
116
	uint16_t x16 , pcnt, *ps, *pe;
117
	int i, j, swab_flag, bytes;
118
	
119
	if ( ecdata ) galrep_ecdata_unload();
120
	if ( ! filename || ! filename[0] ) filename = (char*)GALREP_ECDATA_FILENAME;
121
	fp = fopen (filename, "rb");
122
	if ( ! fp ) return GALREP_FILE_NOT_FOUND;
123
	if ( fread(&x16,2,1,fp) != 1 ) goto read_error;
124
	if ( x16 != ECDATA_ID ) { swab_flag = 1;  swab16(&x16); if ( x16 != ECDATA_ID ) { fclose(fp); return GALREP_BAD_ECDATA; } } else { swab_flag = 0; }
125
	if ( fread(&x16,2,1,fp) != 1 ) goto read_error;  if ( swab_flag ) swab16(&x16);
126
	ecdatacnt = x16;  bytes = ecdatacnt * sizeof(*ecdata);
127
	ecdata = (struct ectab_entry_struct *) malloc(bytes);
128
	if ( ! ecdata ) { fclose(fp); galrep_ecdata_unload();  return GALREP_MALLOC_FAILED; }
129
	for ( i = 0 ; i < ecdatacnt ; i++ ) {
130
		if ( fread(&x16,2,1,fp) != 1 ) goto read_error;  if ( swab_flag ) swab16(&x16);  ecdata[i].p = x16;
131
		if ( fread(&x16,2,1,fp) != 1 ) goto read_error;  if ( swab_flag ) swab16(&x16);  ecdata[i].ptor = x16;
132
		if ( fread(&x16,2,1,fp) != 1 ) goto read_error;  if ( swab_flag ) swab16(&x16);  pcnt = x16;
133
		if ( pcnt < ecdata[i].p ) { fclose(fp); printf ("bad pcnt=%d for prime %d in ECDATA file %s\n", pcnt, ecdata[i].p, filename); galrep_ecdata_unload();  return GALREP_BAD_ECDATA; }
134
		ecdata[i].jdata = (uint16_t *) malloc(2*pcnt);
135
		pe = ecdata[i].jdata + pcnt;
136
		if ( ! ecdata[i].jdata ) { fclose (fp); galrep_ecdata_unload(); return GALREP_MALLOC_FAILED; }
137
		if ( fread(ecdata[i].jdata,2,pcnt,fp) != pcnt ) goto read_error;
138
		if ( swab_flag ) for ( ps = ecdata[i].jdata ; ps < pe ; ps++ ) swab16(ps);
139
		ps = ecdata[i].jdata + ecdata[i].p;
140
		for ( j = 0 ; j < TORP ; j++ ) {
141
			if ( ecdata[i].ptor & (((uint16_t)1)<<j) ) {
142
				ecdata[i].torlist[j] = ps;
143
				for ( ; ps < pe && *ps<ecdata[i].p ; ps++ );			// be careful not to read past the end of the buffer if it isn't properly terminated
144
				if ( ps++==pe ) { fclose(fp); printf ("invalid record format for prime %d in ECDATA file %s\n", ecdata[i].p, filename); galrep_ecdata_unload(); return GALREP_BAD_ECDATA; }
145
			} else {
146
				ecdata[i].torlist[j] = 0;
147
			}
148
		}
149
		if ( ps != pe ) { fclose(fp); printf ("invalid record format for prime %d in ECDATA file %s\n", ecdata[i].p, filename); galrep_ecdata_unload(); return GALREP_BAD_ECDATA; }
150
	}
151
	fclose(fp);
152
	/* printf("Loaded elliptic curve group data for %d primes up to %d from file %s\n", ecdatacnt, ecdata[ecdatacnt-1].p, filename);*/
153
	return 0;
154
	
155
read_error:
156
	fclose(fp);  galrep_ecdata_unload();
157
	return GALREP_FILE_READ_ERROR;
158
}
159

160
int galrep_ecdata_maxp (void) { return ( !ecdatacnt ? 0 : ecdata[ecdatacnt-1].p ); }
161

162
/*
163
	Given an elliptic curve E in the form y^2=x^3+Ax+B over F_p , returns the trace and optionally a bitmask
164
	identifying full ell-torsion subgroups (the ith bit is set iff for the (i+1)st prime ell either E or its twist has full ell-torsion over F_p).
165
	The prime p is specified by its index in ecdata, which is pi(p)-3 (i.e. pi=0 corresponds to 5).
166

167
	On input, the bitmask tormask should have the bits set for which torsion information is desired.
168
	Bits above 17 (corresponding to 59) will be ignored.
169
*/
170
int ecdata_lookup (int *trace, uint32_t *tormask, int A, int B, int pi)
171
{
172
	uint16_t *jp;
173
	uint32_t mask;
174
	register int i,j,k,t1,t2,jinv,p;									// we assume an int is at least 32 bits
175

176
	if ( ! ecdata || pi >= ecdatacnt ) return GALREP_ECDATA_UNAVAILABLE;
177
	p = ecdata[pi].p;
178

179
	if ( ! B ) {													// handle j-invariant 1728 separately
180
		if ( ! A ) return GALREP_SINGULAR_CURVE;					// this can happen when reducing mod p
181
		if ( !(p&2) ) return GALREP_ECDATA_UNAVAILABLE;			// ignore requests for j-invariant 1728 when p is 1 mod 4, we don't distinguish quartic twists
182
		*trace = 0;											// trace is always zero when p = 3 mod 4
183
		*tormask &= ( residue_mod_p (A,p) ? 0 : 1 );					// we can't have full odd-torsion, and we get full 2-torsion iff A is a non-residue (for p = 3 mod 4)
184
		return 0;
185
	}
186
	if ( ! A && (p%3)==1 ) return GALREP_ECDATA_UNAVAILABLE;		// ignore requests for j-invariant 0 when p is 1 mod 3, we don't distinguish sextic twists
187
	
188
	t1 = ui_mod(A*A,p); t1 = ui_mod(4*t1*A,p);						// t1 = 4A^3
189
	t2 = ui_mod(B*B,p);
190
	t2 = ui_mod(t1+27*t2,p);									// t2 = 4A^3 + 27B^2
191
	if ( ! t2 ) return GALREP_SINGULAR_CURVE;
192
	t2 = inverse_mod_p (t2, p);
193
	t1 = ui_mod(t1*t2, p);
194
	jinv = ui_mod(1728*t1,p);									// j = 1728 * 4A^3 / (4A^3+27B^2)
195
	t1 = ecdata[pi].jdata[jinv];									// lookup data for E/Fp in the database via its j-invariant
196
	*trace = t1 >> 5;											// get the absolute value of the trace
197
	if ( t1&0x10 ) *trace = - (*trace);								// check sign bit
198
	if ( A ) {
199
		if ( ! residue_mod_p (ui_mod(A*B,p),p)  ) *trace = -(*trace);		// adjust trace for the twist we have.  Note that B/A is a residue iff A*B is.
200
	} else {
201
		if ( ! residue_mod_p (B,p) ) *trace = -(*trace);				// when A is 0, we can just use B to distinguish twists (and there are only 2 because p=2 mod 3)
202
	}
203
	mask = (t1 & 0xf);											// get 2,3,5,7-torsion info
204
	*tormask &= (0xfffffff0|mask);									// set 2,3,5,7-torsion info
205
	mask = ecdata[pi].ptor;										// find out what other torsion info is possible for this p (i.e. ell for which p=1 mod ell)
206
	mask = *tormask & (mask << 4);								// restrict to ell's the caller actually cares about
207
	if ( ! mask ) { *tormask &= (0xf|mask); return 0;	}				// if nothing to do, return
208
	for ( i = 0 ; i < TORP ; i++ ) {									// for each ell from 11 to 59
209
		if ( mask&(((uint32_t)1)<<(i+4)) ) {						// if we are interested in this ell
210
			for ( jp = ecdata[pi].torlist[i] ; *jp < p && *jp != jinv ; jp++ );// do a linear search of the list of j-invariants with ell-torsion
211
			if ( *jp != jinv ) mask &= ~((uint32_t)1<<(i+4));			// if our j-invariant wasn't found, clear the corresponding bit
212
		}
213
	}
214
	*tormask &= (0xf|mask);
215
	return 0;
216
}
217

218
#define MAX_MASK_SIZE		(GALREP_MAX_CCS/32+((GALREP_MAX_CCS&0x1f)?1:0))	// largest possible mask size
219

220
struct cc_struct {
221
	int tag;									// legacy identifier, now deprecated
222
	int dups;									// number of distinct conjugacy classes with the same signature -- we only store data for one of these
223
	int order;								// subgroup size for this conjugacy class
224
	int pcnt;									// minimum number of primes we need to test to obtain a correct result with prob > 1-1/2^MAX_ERRBND (heuristically)
225
	uint32_t flags;								// bitmask identitying certain properties of the conjugacy class, see GALREP_CC_FLAG_xxx definitions in galrep.h
226
	int gencnt;								// number of generators for representative subgroup
227
	uint32_t gens[GALREP_MAX_GENERATORS];		// each generating matrix A is encoded as A[1][1]<<24 + A[1][0]<<16 + A[0][1]<<8 + A[0][0]
228
	bitmask_t upmask[MAX_MASK_SIZE];			// bit i is set for each class whose signature contains the signature of the current class
229
	uint16_t *counts;							// points to an array of counts -- the ith element counts non-trivial elements with i=(det-1)*ell+tr
230
};
231

232
static struct {
233
	int ell;									// currently the ith entry in this table always has ell equal to the (i+1)st prime (i.e. entry 0 has ell=2)
234
	int msize;								// size of subgroup masks for this ell, in words
235
	int cccnt;								// number of conjugacy classes in GL(2,Z/ellZ) that span determinants  with distinct signatures
236
	bitmask_t fullmask[MAX_MASK_SIZE];			// points to mask with a bit set for every proper subgroup of GL(2,Z/ellZ)
237
	bitmask_t *masks;							// array of ell*(ell-1) subgroup masks, ith entry corresponds to i=(det-1)*ell+tr
238
	struct cc_struct *ccs;						// points to and array of cc_count cc_structs
239
} gl2data[GALREP_ELL_COUNT];
240
static int gl2datacnt;							// number of entries currently loaded
241

242

243
#define GL2DATA_ID	123456789
244

245

246
void galrep_gl2data_unload (void)
247
{
248
	int i, j;
249
	
250
	for ( i = 0 ; i < gl2datacnt ; i++ ) {
251
		if ( gl2data[i].masks ) { free (gl2data[i].masks); gl2data[i].masks = 0; }
252
		if ( gl2data[i].ccs ) {
253
			for ( j = 0 ; j < gl2data[i].cccnt ; j++ ) if ( gl2data[i].ccs[j].counts ) free (gl2data[i].ccs[j].counts);
254
			gl2data[i].ccs = 0;
255
		}
256
	}
257
	gl2datacnt = 0;
258
}
259

260

261
int galrep_gl2data_load (char *filename)
262
{
263
	FILE *fp;
264
	uint8_t x8;
265
	uint16_t x16;
266
	uint32_t x32;
267
	int i, j, k, ell, msize, swab;
268
	
269
	// intialize inverse elltab
270
	for ( i = 0 ; i <= GALREP_MAX_ELL ; i++ ) ellitab[i] = -1;
271
	for ( i = 0 ; i < GALREP_ELL_COUNT ; i++ ) ellitab[elltab[i]] = i;
272
	if ( ! filename || ! filename[0] ) filename = (char*) GALREP_GL2DATA_FILENAME;
273
	fp = fopen (filename, "rb");
274
	if ( ! fp ) return GALREP_FILE_NOT_FOUND;
275
	if ( (i=fread (&x32,4,1,fp)) != 1 ) { printf ("fread returned %d\n", i); goto read_error; }
276
	if ( x32 != GL2DATA_ID ) { swab  = 1; swab32(&x32); if ( x32 != GL2DATA_ID ) { fclose(fp); return GALREP_BAD_GL2DATA; } } else swab = 0;
277
	
278
	for ( i = 0 ; i < GALREP_ELL_COUNT; i++ ) {
279
		if ( fread (&x8,1,1, fp) != 1 ) break;  gl2data[i].ell = ell = x8;
280
		if ( gl2data[i].ell != elltab[i] ) { fclose(fp); return GALREP_BAD_GL2DATA; }
281
		if ( fread (&x8,1,1, fp) != 1 ) goto read_error;  gl2data[i].msize = msize = x8;
282
		if ( fread (&x16,2,1, fp) != 1 ) goto read_error;  if ( swab ) swab16(&x16);  gl2data[i].cccnt = x16;
283
		if ( gl2data[i].cccnt > GALREP_MAX_CCS || 32*gl2data[i].msize < gl2data[i].cccnt ) { fclose(fp); galrep_gl2data_unload (); return GALREP_BAD_GL2DATA; }
284
		if ( fread (gl2data[i].fullmask,4,msize,fp) != msize ) goto read_error;
285
		if ( swab ) for ( k = 0 ; k < msize ; k++ ) swab32(gl2data[i].fullmask+k);
286
		gl2data[i].masks = (bitmask_t *) malloc (ell*(ell-1)*msize*sizeof(bitmask_t));
287
		if ( ! gl2data[i].masks ) { fclose(fp); galrep_gl2data_unload (); return GALREP_MALLOC_FAILED; }
288
		if ( fread(gl2data[i].masks,4,ell*(ell-1)*msize,fp) != ell*(ell-1)*msize ) goto read_error;
289
		if ( swab ) for ( j = 0 ; j < ell*(ell-1)*msize ; j++ ) swab32(gl2data[i].masks+j);
290
		gl2data[i].ccs = (struct cc_struct *) calloc(gl2data[i].cccnt,sizeof(struct cc_struct));
291
		if ( ! gl2data[i].ccs ) { fclose(fp); galrep_gl2data_unload (); return GALREP_MALLOC_FAILED; }
292
		for ( j = 0 ; j < gl2data[i].cccnt ; j++ ) {
293
			if ( fread (&x16,2,1,fp) != 1 ) goto read_error;  if ( swab ) swab16(&x16);  	gl2data[i].ccs[j].tag = x16;
294
			if ( fread (&x8,1,1,fp) != 1 ) goto read_error;  gl2data[i].ccs[j].dups = x8;
295
			if ( fread (&x8,1,1,fp) != 1 ) goto read_error;  gl2data[i].ccs[j].gencnt = x8;
296
			if ( gl2data[i].ccs[j].gencnt > GALREP_MAX_GENERATORS ) { fclose(fp); return GALREP_BAD_GL2DATA; }
297
			if ( fread (&x32,4,1,fp) != 1 ) goto read_error;  if ( swab ) swab32(&x32);  	gl2data[i].ccs[j].order = x32;
298
			if ( fread (&x32,4,1,fp) != 1 ) goto read_error;  if ( swab ) swab32(&x32);  	gl2data[i].ccs[j].flags = x32;
299
			if ( fread (&x32,4,1,fp) != 1 ) goto read_error;  if ( swab ) swab32(&x32);  	gl2data[i].ccs[j].pcnt = x32;
300
			if ( fread (gl2data[i].ccs[j].upmask,4,msize,fp) != msize ) goto read_error;
301
			if ( swab ) for ( k = 0 ; k < msize ; k++ ) swab32(gl2data[i].ccs[j].upmask+k);
302
			if ( fread (gl2data[i].ccs[j].gens,4,gl2data[i].ccs[j].gencnt,fp) != gl2data[i].ccs[j].gencnt ) goto read_error;
303
			if ( swab ) for ( k = 0 ; k < gl2data[i].ccs[j].gencnt ; k++ ) swab32(gl2data[i].ccs[j].gens+k);
304
			gl2data[i].ccs[j].counts = (uint16_t *) malloc(ell*(ell-1)*sizeof(uint16_t));
305
			if ( ! gl2data[i].ccs[j].counts ) { fclose (fp); galrep_gl2data_unload (); return GALREP_MALLOC_FAILED; }
306
			if ( fread (gl2data[i].ccs[j].counts,2,ell*(ell-1),fp) != ell*(ell-1) ) goto read_error;
307
			if ( swab ) for ( k = 0 ; k < ell*(ell-1) ; k++ ) swab16(gl2data[i].ccs[j].counts+k);
308
		}
309
	}
310
	fclose (fp);
311
	gl2datacnt = i;
312
	/* printf("Loaded conjugacy class data for GL(2,Z/ellZ) for %d primes up to %d from file %s\n", gl2datacnt, gl2data[i-1].ell, filename);*/
313
	return 0;
314
read_error:
315
	fclose(fp);  galrep_ecdata_unload();
316
	return GALREP_FILE_READ_ERROR;
317
}
318

319
int galrep_gl2data_maxl (void) { return ( !gl2datacnt ? 0 : gl2data[gl2datacnt-1].ell ); }
320

321
int galrep_gl2_cc_count (int ell)
322
{
323
	int i;
324
	
325
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
326
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
327
	return gl2data[i].cccnt;
328
}
329

330
int galrep_gl2_cc_order (int ell, int id)
331
{
332
	int i;
333
	
334
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
335
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
336
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
337
	return gl2data[i].ccs[id].order;
338
}
339

340
int galrep_gl2_cc_index (int ell, int id)
341
{
342
	int n, o;
343
	
344
	o = galrep_gl2_cc_order(ell,id);
345
	if ( o < 0 ) return o;
346
	n = ell*(ell-1)*(ell-1)*(ell+1);		// we assume ell is small enough to avoid overflow here
347
	return n/o;
348
}
349

350
int galrep_gl2_cc_tag (int ell, int id)
351
{
352
	int i;
353
	
354
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
355
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
356
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
357
	return gl2data[i].ccs[id].tag;
358
}
359

360
int galrep_gl2_cc_dups (int ell, int id)
361
{
362
	int i;
363
	
364
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
365
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
366
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
367
	return gl2data[i].ccs[id].dups;
368
}
369

370
int galrep_gl2_cc_flags (int ell, int id)
371
{
372
	int i;
373
	
374
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
375
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
376
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
377
	return gl2data[i].ccs[id].flags;
378
}
379

380
int galrep_gl2_cc_gen_count (int ell, int id)
381
{
382
	int i;
383
	
384
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
385
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
386
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
387
	return gl2data[i].ccs[id].gencnt;
388
}
389

390
int galrep_gl2_cc_gen (int ell, int id, int n)
391
{
392
	int i;
393
	
394
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
395
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
396
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
397
	if ( n < 0 || n > gl2data[i].ccs[id].gencnt ) return GALREP_BAD_CC_GEN_ID;
398
	return gl2data[i].ccs[id].gens[n];
399
}
400

401
int galrep_gl2_cc_freq (int ell, int id, int det, int tr)
402
{
403
	int i,k,cnt;
404
	
405
	if ( ell < 0 || ell > GALREP_MAX_ELL || (i=ellitab[ell]) < 0 ) return GALREP_BAD_ELL;
406
	if ( i >= gl2datacnt ) return GALREP_GL2DATA_UNAVAILABLE;
407
	if ( id < 0 || id >= gl2data[i].cccnt ) return GALREP_BAD_CC_ID;
408
	if ( det < -1 || det == 0 || det >= ell ) return GALREP_BAD_DET;
409
	if ( tr < -1 || tr >= ell ) return GALREP_BAD_TR;
410
	if ( det >= 1 && tr >= 0 ) {
411
		k = (det-1)*ell+tr;
412
		cnt = gl2data[i].ccs[id].counts[k];
413
		if ( det==1 && (tr==2 || (ell==2&&!tr)) ) cnt++;
414
	} else if ( tr >= 0 ) {
415
		if ( tr==2 || (!tr && ell==2) ) cnt = 1; else cnt = 0;
416
		for ( det = 1 ; det < ell ; det++ ) {
417
			k = (det-1)*ell+tr;
418
			cnt += gl2data[i].ccs[id].counts[k];
419
		}
420
	} else if ( det >= 0 ) {
421
		if ( det==1 ) cnt = 1; else cnt = 0;
422
		for ( tr = 0 ; tr < ell ; tr++ ) {
423
			k = (det-1)*ell+tr;
424
			cnt += gl2data[i].ccs[id].counts[k];
425
		}		
426
	} else {
427
		cnt = gl2data[i].ccs[id].order;
428
	}
429
	return cnt;
430
}
431

432
struct curve_ctx {
433
	int start_index, end_index;
434
	bitmask_t submask[GALREP_ELL_COUNT][MAX_MASK_SIZE];
435
	int pcnt[GALREP_ELL_COUNT];
436
	int done[GALREP_ELL_COUNT];
437
	int cc[GALREP_ELL_COUNT];
438
	int done_count;
439
	int errbnd;
440
};
441

442
void process_frobenius (struct curve_ctx *ctx, int p, int ap, uint32_t tormask);
443
int setup_ctx (struct curve_ctx *ctx, int minell, int maxell, int errbnd);
444

445
int galrep_ec_modl_image (int ell, mpz_t A, mpz_t B, int errbnd)
446
	{ int cc, err;  err = galrep_ec_modl_images (&cc, ell, ell, A, B, errbnd);  if ( err < 0 ) return err;  return cc; }
447

448
int galrep_ec_modl_images (int *ccs, int min, int max, mpz_t A, mpz_t B, int errbnd)
449
{
450
	uint32_t tormask;
451
	int a, b, p, ap;
452
	struct curve_ctx ctx;
453
	int ell_count, err;
454
	register int i,j;
455

456
	if ( (err=setup_ctx (&ctx, min, max, errbnd)) < 0 ) return err;
457
	ell_count = ctx.end_index - ctx.start_index;
458
	for ( i = 0 ; i < ecdatacnt ; i++ ) {
459
		p = ecdata[i].p;
460
		a = (int) mpz_fdiv_ui (A, p);  b = (int) mpz_fdiv_ui (B, p);
461
		tormask = 0x1FF;
462
		if ( ecdata_lookup (&ap, &tormask, a, b, i) < 0 ) continue;		// skip primes where we get an error, e.g. primes of bad reduction
463
		process_frobenius (&ctx, p, ap, tormask);
464
		if ( ctx.done_count == ell_count ) break;
465
	}
466
	if ( i==ecdatacnt ) return GALREP_OUT_OF_PRIMES;
467
	for ( j = 0 ; j < ell_count ; j++ ) ccs[j] = ctx.cc[ctx.start_index+j];
468
	return i+1;											// return the number of primes we used, just in case someone is curious
469
}
470

471
int galrep_ec_non_surjective (int min, int max, mpz_t A, mpz_t B, int errbnd)
472
{
473
	int ccs[GALREP_ELL_COUNT];
474
	int i, j, err, retval;
475
	
476
	if ( max > GALREP_MAX_ELL ) return GALREP_BAD_ELL;
477
	err = galrep_ec_modl_images (ccs, min, max, A, B, errbnd);
478
	if ( err < 0 ) return err;
479
	retval = 0;
480
	for ( i = 0 ; elltab[i] < min ; i++ );
481
	for ( j = i ; elltab[i] <= max ; i++) if ( ccs[i-j] > 0 ) retval |= (1<<i);
482
	return retval;
483
}
484

485
int galrep_ec_modl_image_i (int ell, long A, long B, int errbnd)
486
	{ int cc, err;  err = galrep_ec_modl_images_i (&cc, ell, ell, A, B, errbnd);  if ( err < 0 ) return err;  return cc; }
487

488
int galrep_ec_modl_images_i (int *ccs, int min, int max, long A, long B, int errbnd)
489
{
490
	uint32_t tormask;
491
	int a, b, p, ap;
492
	struct curve_ctx ctx;
493
	int ell_count, err;
494
	register int i,j;
495

496
	if ( (err=setup_ctx (&ctx, min, max, errbnd)) < 0 ) return err;
497
	ell_count = ctx.end_index - ctx.start_index;
498
	for ( i = 0 ; i < ecdatacnt ; i++ ) {
499
		p = ecdata[i].p;
500
		a = i_mod (A, p);  b = i_mod (B, p);
501
		tormask = 0x1FF;
502
		if ( ecdata_lookup (&ap, &tormask, a, b, i) < 0 ) continue;		// skip primes where we get an error, e.g. primes of bad reduction
503
		process_frobenius (&ctx, p, ap, tormask);
504
		if ( ctx.done_count == ell_count ) break;
505
	}
506
	if ( i==ecdatacnt ) return GALREP_OUT_OF_PRIMES;
507
	for ( j = 0 ; j < ell_count ; j++ ) ccs[j] = ctx.cc[ctx.start_index+j];
508
	return i+1;											// return the number of primes we used, just in case someone is curious
509
}
510

511
int galrep_ec_non_surjective_i (int min, int max, long A, long B, int errbnd)
512
{
513
	int ccs[GALREP_ELL_COUNT];
514
	int i, j, err, retval;
515
	
516
	if ( max > GALREP_MAX_ELL ) return GALREP_BAD_ELL;
517
	err = galrep_ec_modl_images_i (ccs, min, max, A, B, errbnd);
518
	if ( err < 0 ) return err;
519
	retval = 0;
520
	for ( i = 0 ; elltab[i] < min ; i++ );
521
	for ( j = i ; elltab[i] <= max ; i++) if ( ccs[i-j] > 0 ) retval |= (1<<i);
522
	return retval;
523
}
524

525
int setup_ctx (struct curve_ctx *ctx, int minell, int maxell, int errbnd)
526
{
527
	int i, err;
528
	
529
	if ( maxell > GALREP_MAX_ELL ) return GALREP_BAD_ELL;
530
	if ( errbnd < 0 || errbnd > GALREP_MAX_ERRBND ) return GALREP_BAD_ERRBND;
531
	if ( ! errbnd ) errbnd = GALREP_DEFAULT_ERRBND;
532
	if ( ! ecdatacnt && (err=galrep_ecdata_load(0)) ) return err;
533
	if ( ! gl2datacnt && (err=galrep_gl2data_load(0)) ) return err;
534

535
	ctx->done_count = 0;  ctx->errbnd = errbnd;
536
	for ( i = 0 ; i < GALREP_ELL_COUNT && elltab[i] < minell ; i++ );
537
	ctx->start_index = i;
538
	while ( i < GALREP_ELL_COUNT && elltab[i] <= maxell ) i++;
539
	ctx->end_index = i;
540
	if ( ctx->start_index == ctx->end_index )  return GALREP_BAD_ELL;
541
	for ( i = ctx->start_index ; i < ctx->end_index ; i++ ) { ctx->done[i] = ctx->pcnt[i] = 0;  maskcopy (ctx->submask[i], gl2data[i].fullmask, gl2data[i].msize); }
542
	return 0;
543
}
544

545
void process_frobenius (struct curve_ctx *ctx, int p, int ap, uint32_t tormask)
546
{
547
	register int i, j, k, ell, msize;
548

549
//	printf ("process_frobenius: p=%d, ap=%d, tor=%x (hex)\n", p, ap, tormask);
550
	for ( i = ctx->start_index ; i < ctx->end_index ; i++ ) {
551
		if  ( ctx->done[i] ) continue;
552
		ell = gl2data[i].ell;
553
		if ( p==ell ) continue;
554
		msize = gl2data[i].msize;
555
		ctx->pcnt[i]++;
556
		// Only process frobenius elements pi_p that act non-trivially mod ell, i.e. for which we do not have full ell-torsion mod p
557
		// Note that tormask doesn't distinguish the trace, so if ell is odd we also check that the group order is divisible by ell
558
		if ( ! (tormask&((uint32_t)1<<i)) || (i && ui_mod(p+1-ap,ell)) ) {
559
			j = ui_mod(p,ell);  k = i_mod(ap,ell);
560
			k = (j-1)*ell+k;
561
			maskand(ctx->submask[i],ctx->submask[i],gl2data[i].masks+k*msize,msize);
562
			if ( masknull(ctx->submask[i], msize) ) { ctx->cc[i] = 0; ctx->done[i] = 1; ctx->done_count++; continue; }
563
		}
564
		if ( ctx->pcnt[i] > ctx->errbnd && !(ctx->pcnt[i]&0x7) ) {	// only check every 8th prime to avoid a lot of fruitless checking
565
			// we do a linear search here, we could use a binary search or a hash table, but the lists are pretty short (< 200)
566
			for ( j = 0 ; j < gl2data[i].cccnt ; j++ ) if ( maskequal (ctx->submask[i],gl2data[i].ccs[j].upmask,msize) ) break;
567
			if ( j < gl2data[i].cccnt && ctx->pcnt[i]*GALREP_MAX_ERRBND >= gl2data[i].ccs[j].pcnt*ctx->errbnd ) { ctx->cc[i] = j; ctx->done[i] = 1; ctx->done_count++; continue; }
568
		}
569
	}
570
}
571

572

573
// both a and b must be nonnegative
574
int gcdext (int a, int b, int *x, int *y)
575
{
576
	register int q, r, s, t, r0, r1, s0, s1, t0, t1;
577
	
578
	if ( a < b ) return gcdext (b, a, y, x);
579
	if ( b == 0 ) {
580
		if ( x ) *x = 1;
581
		if ( y ) *y = 0;
582
		return a;
583
	}
584
	if ( x ) { s0 = 1;  s1 = 0; }
585
	if ( y ) { t1 = 1;  t0 = 0; }
586
	r0 = a;  r1 = b;
587
	while ( r1 > 0 ) {
588
		q = r0/r1;  r = r0 - q*r1;
589
		r0 = r1;  r1 = r;
590
		if ( y ) { t = t0 - q*t1;  t0 = t1;  t1 = t; }
591
		if ( x ) { s = s0 - q*s1;  s0 = s1;  s1 = s; }
592
	}
593
	if ( x ) *x = s0;
594
	if ( y ) *y = t0;
595
	return r0;
596
}
597

598
// both a and b must be nonnegative and b must be odd.  this is not verified
599
int legendre (int a, int b)
600
{
601
	register int r, k, v;
602
	
603
	k = 1;
604
	while ( a ) {
605
		for ( v = 0 ; ! (a&0x1) ; v++ ) a >>= 1;
606
		if ( v&0x1 )  if ( (b&0x7) ==3 || (b&0x7) ==5 ) k = -k;
607
		if ( (a&0x3) == 3 && (b&0x3) == 3 ) k = -k;
608
		r = a;   a = ui_mod(b,r);  b = r;
609
	}
610
	return ( b == 1 ? k : 0 );
611
}
612

613