csidh/reference/csidh-20180427-by-castryck-et-al/supersingular.sage
2018-09-18 17:43:39 +02:00

129 rivejä
3.2 KiB
Python
Executable File

#!/usr/bin/env sage
#coding: utf8
proof.all(False)
# parameters.
ls = list(primes(3, 374)) + [587] # Elkies primes
#ls = list(primes(3, 47)) + [97] # (a smaller example)
p = 4 * prod(ls) - 1
assert is_prime(p)
print "\nElkies primes:", " ".join(map(str, ls))
max_exp = ceil((sqrt(p) ** (1/len(ls)) - 1) / 2)
assert (2 * max_exp + 1) ** len(ls) >= sqrt(p)
print "exponents are chosen in the range {}..{}.".format(-max_exp, max_exp)
base = GF(p)(0) # Montgomery coefficient of starting curve
# helper functions.
# NB: all the operations can be computed entirely over the prime field,
# but for simplicity of this implementation we will make use of curves
# defined over GF(p^2). note this slows everything down quite a bit.
Fp2.<i> = GF(p**2, modulus = x**2 + 1)
def montgomery_curve(A):
return EllipticCurve(Fp2, [0, A, 0, 1, 0])
# sage's isogeny formulas return Weierstraß curves, hence we need this...
def montgomery_coefficient(E):
Ew = E.change_ring(GF(p)).short_weierstrass_model()
_, _, _, a, b = Ew.a_invariants()
R.<z> = GF(p)[]
r = (z**3 + a*z + b).roots(multiplicities=False)[0]
s = sqrt(3 * r**2 + a)
if not is_square(s): s = -s
A = 3 * r / s
assert montgomery_curve(A).change_ring(GF(p)).is_isomorphic(Ew)
return GF(p)(A)
# actual implementation.
def private():
return [randrange(-max_exp, max_exp + 1) for _ in range(len(ls))]
def validate(A):
while True:
k = 1
P = montgomery_curve(A).lift_x(GF(p).random_element())
for l in ls:
Q = (p + 1) // l * P
if not Q: continue
if l * Q: return False
k *= l
if k > 4 * sqrt(p): return True
def action(pub, priv):
E = montgomery_curve(pub)
es = priv[:]
while any(es):
E._order = (p + 1)**2 # else sage computes this
P = E.lift_x(GF(p).random_element())
s = +1 if P.xy()[1] in GF(p) else -1
k = prod(l for l, e in zip(ls, es) if sign(e) == s)
P *= (p + 1) // k
for i, (l, e) in enumerate(zip(ls, es)):
if sign(e) != s: continue
Q = k // l * P
if not Q: continue
Q._order = l # else sage computes this
phi = E.isogeny(Q)
E, P = phi.codomain(), phi(P)
es[i] -= s
k //= l
return montgomery_coefficient(E)
# example.
print
print "testing public-key validation on random ordinary curves (should be all 0s):\n ",
for _ in range(16):
while True:
A = GF(p).random_element()
if montgomery_curve(A).is_ordinary(): break
print int(validate(A)),
print
privA = private()
print "\nAlice's private key:\n ", " ".join(map('{:2d}'.format, privA))
pubA = action(base, privA)
print "\nAlice's public key:\n ", pubA,
print " (valid: {})".format(int(validate(pubA)))
privB = private()
print "\nBob's private key:\n ", " ".join(map('{:2d}'.format, privB))
pubB = action(base, privB)
print "\nBob's public key:\n ", pubB,
print " (valid: {})".format(int(validate(pubB)))
sharedA = action(pubB, privA)
print "\nAlice's shared secret:\n ", sharedA
sharedB = action(pubA, privB)
print "\nBob's shared secret:\n ", sharedB
if sharedA == sharedB:
print "\n--> equal!\n"
else:
print "\n--> NOT EQUAL?!\n"