In [2]:
# Performs fast addition to evaluating [k]P by multiplying P by 2 each time and
# adding that result if the binary representation of k has a 1 in that spot
def fast_addition(E, P, k):
    out = E([0, 1, 0])
    if k == 0:
        return out
    r = int(log(k, 2))
    if k % 2 == 1:
        out += P
    for i in range(1, r + 1):
        P = P + P
        if int((k >> i) & 1) == 1:
            out += P
    return(out)

In [3]:
# This method is pretty slow so I end up opting for the faster prebuilt order() method
def find_elliptic_curve_order(p, a, b):
    order = 1
    for i in range(0, p):
        order += 1 + Jacobi(mod(i^3 + a*i + b, p), p)
    return order

In [4]:
# Finds the order of a point in an elliptic curve given the curve
# Relies on the theorem that g is a generator of the additive group G with identity element i iff 
# for every k factor of order(G), [order(G)/k] g != i. If it ever fails, the order of the point
# divides that l and thus we can recursively repeat that process.
def find_point_order(E, P, c_order):
    O = E([0, 1, 0])
    factors = [int(c_order/int(i[0])) for i in factor(c_order)]
    for l in factors:
        if fast_addition(E, P, l) == O:
            return find_point_order(E, P, l)
    return c_order

In [5]:
# Finds ind_P(Q) using the baby-step-giant-step algorithm
def ind(p, a, b, P, Q, verbose):
    # Curve Validation
    if not is_prime(p):
        if verbose: print("Error: " + str(p) + " is not prime...")
        return "Composite Characteristic Error"
    if (4*a^3 + 27*b^2 == 0):
        if verbose: print("Error: The discriminant is 0...")
        return "Zero Discriminant Error"
    if (mod(P[1]^2-P[0]^3-a*P[0]-b, p) != 0):
        if verbose: print("Error: P not on the curve...")
        return "Nonelement Error"
    # Generate the curve
    E = EllipticCurve(GF(p), [a, b])
    P = E([P[0], P[1], 1])
    # Checking if P is a generator
    E_order = E.order()
    P_order = find_point_order(E, P, E_order)
    if P_order != E_order:
        if verbose: print(str(P) + " is not a generator element...")
        return "Nongenerator Element Error"
    # Checking if Q is on the curve
    if (mod(Q[1]^2-Q[0]^3-a*Q[0]-b, p) != 0):
        if verbose: print("Error: Q not on the curve...")
        return "Nonelement Error"
    Q = E([Q[0], Q[1], 1])
    # Generating Baby List
    baby_l = []
    m = ceil(sqrt(P_order))
    if verbose: print("m = " + str(m))
    P_m = fast_addition(E, P, m)
    P_inv = E([P[0], -P[1], 1])
    sol_pair = [0, 0]
    for j in range(0, m):
        baby_l.append((j, Q + fast_addition(E, P_inv, j)))
    # Computing the left-hand-side until a match is found
    for i in range(0, m):
        U = fast_addition(E, P_m, i)
        for baby in baby_l:
            if U == baby[1]:
                if verbose: print("Found a match at i = " + str(i) + " and j = " + str(baby[0]) + ", where the left and right hand sides are equal to "  + str(U))
                sol_pair = [i, baby[0]]
                break
    x = sol_pair[0]*m + sol_pair[1]
    if verbose: print("Therefore, ind_P(Q) = im + j = " + str(x))
    if verbose:
        Q_computed = fast_addition(E, P, x)
        print(str(Q) + " = [" + str(x) +"] " + str(P) + " = " + str(Q_computed) + ". " + str(Q == Q_computed))
    return x # The index of Q sub P

In [6]:
# TESTING:

In [7]:
# Given Tests:
# Curve 1
p1 = 6917
a1 = 0
b1 = 6521
P1 = (210, 1338)
Q1 = (3329, 6379)
index1 = ind(p1, a1, b1, P1, Q1, True)
print("ind_P1(Q1) = " + str(index1))

# Curve 2
p2 = 6047
a2 = 0
b2 = 5986
P2 = (804, 2425)
Q2 = (4791, 105)
index2 = ind(p2, a2, b2, P2, Q2, True)
print("ind_P2(Q2) = " + str(index2))

# Curve 3
p3 = 5953
a3 = 0
b3 = 4687
P3 = (841, 5852)
Q3 = (5577, 235)
index3 = ind(p3, a3, b3, P3, Q3, True)
print("ind_P3(Q3) = " + str(index3))

m = 84
Found a match at i = 63 and j = 79, where the left and right hand sides are equal to (5585 : 2576 : 1)
Therefore, ind_P(Q) = im + j = 5371
(3329 : 6379 : 1) = [5371] (210 : 1338 : 1) = (3329 : 6379 : 1). True
ind_P1(Q1) = 5371
m = 78


Found a match at i = 64 and j = 6, where the left and right hand sides are equal to (2248 : 1598 : 1)
Therefore, ind_P(Q) = im + j = 4998
(4791 : 105 : 1) = [4998] (804 : 2425 : 1) = (4791 : 105 : 1). True
ind_P2(Q2) = 4998
m = 78
Found a match at i = 60 and j = 9, where the left and right hand sides are equal to (3950 : 5872 : 1)
Therefore, ind_P(Q) = im + j = 4689
(5577 : 235 : 1) = [4689] (841 : 5852 : 1) = (5577 : 235 : 1). True
ind_P3(Q3) = 4689


In [2]:
# Modified Jacobi where Jacobi(kp, p) = 0 For any k
def Jacobi(m, n):
    m = int(m)
    n = int(n)
    if mod(m,n) == 0:
        return 0
    temp = 1
    m -= int(m/n)*n
    if n % 2 == 0:
        print(str(n) + " is not an odd integer.")
        return
    if gcd(m, n) != 1:
        print(str(m) + " is not coprime to " + str(n))
        return
    while m % 2 == 0:
        temp *= pow(-1, (pow(n, 2) - 1)/8)
        m /= 2
    if m == 1:
        return temp * 1
    return temp * pow(-1, (m - 1)*(n - 1)/4) * Jacobi(n, m)

In [9]:
# Some Additional Tests:
for k in range(20):
    condition = True # The condition checks that p = 3 mod 4, disc != 0, and P is a generator
    while condition:
        condition = False
        p = random_prime(10^5, proof = True)
        condition = mod(p,4) == 1
        a = randint(1, p - 1)
        x = randint(1, p - 1)
        y = randint(1, p - 1)
        b = mod(y^2 - x^3 - a*x, p)
        condition = condition or 4*a^3 + 27*b^2 == 0
        E = EllipticCurve(GF(p),[a,b]);
        P = E([x, y ,1])
        condition = condition or E.order() != P.order()
    # Square root algorithm for the case when p = 3 mod 4
    m = p - 1
    while (not int(m) & 1):
        m = m/2
    repeat = True
    i = 0
    express = 0
    # We have to find a value for x_Q such that y_Q exists
    while repeat:
        i = randint(0, p-1)
        express = i^3 + a*i+b
        repeat = Jacobi(express, p) != 1
    ans = power_mod(express, (m + 1)/2 , p) # y_Q = ans
    P = (x, y)
    Q = (i, ans)
    print ("p: " + str(p) + " | a: " + str(a) + " | b: " + str(b) + " | P: " + str(P) + " | Q: " + str(Q))
    index = ind(p, a, b, P, Q, True)
    print("ind_P(Q) = " + str(index))
    print("#######################")

p: 66959 | a: 13340 | b: 58080 | P: (66083, 39177) | Q: (17785, 5018)
m = 259


Found a match at i = 43 and j = 197, where the left and right hand sides are equal to (666 : 48161 : 1)


Therefore, ind_P(Q) = im + j = 11334
(17785 : 5018 : 1) = [11334] (66083 : 39177 : 1) = (17785 : 5018 : 1). True
ind_P(Q) = 11334
#######################
p: 34939 | a: 22816 | b: 25295 | P: (20400, 4779) | Q: (14366, 13346)
m = 188


Found a match at i = 128 and j = 2, where the left and right hand sides are equal to (811 : 27532 : 1)
Therefore, ind_P(Q) = im + j = 24066
(14366 : 13346 : 1) = [24066] (20400 : 4779 : 1) = (14366 : 13346 : 1). True
ind_P(Q) = 24066
#######################
p: 61667 | a: 58935 | b: 52331 | P: (37097, 47822) | Q: (31269, 60520)
m = 248


Found a match at i = 201 and j = 153, where the left and right hand sides are equal to (50340 : 29993 : 1)
Therefore, ind_P(Q) = im + j = 50001
(31269 : 60520 : 1) = [50001] (37097 : 47822 : 1) = (31269 : 60520 : 1). True
ind_P(Q) = 50001
#######################


p: 43591 | a: 7093 | b: 35888 | P: (26574, 36992) | Q: (18188, 16903)
m = 209


Found a match at i = 15 and j = 199, where the left and right hand sides are equal to (17358 : 17613 : 1)


Therefore, ind_P(Q) = im + j = 3334
(18188 : 16903 : 1) = [3334] (26574 : 36992 : 1) = (18188 : 16903 : 1). True
ind_P(Q) = 3334
#######################
p: 22147 | a: 2774 | b: 15040 | P: (3122, 13432) | Q: (18067, 9610)
m = 149


Found a match at i = 111 and j = 84, where the left and right hand sides are equal to (4955 : 8350 : 1)
Therefore, ind_P(Q) = im + j = 16623
(18067 : 9610 : 1) = [16623] (3122 : 13432 : 1) = (18067 : 9610 : 1). True
ind_P(Q) = 16623
#######################
p: 96211 | a: 49869 | b: 9740 | P: (11787, 94641) | Q: (72284, 44475)
m = 310


Found a match at i = 26 and j = 243, where the left and right hand sides are equal to (66846 : 79289 : 1)


Therefore, ind_P(Q) = im + j = 8303
(72284 : 44475 : 1) = [8303] (11787 : 94641 : 1) = (72284 : 44475 : 1). True
ind_P(Q) = 8303
#######################
p: 59167 | a: 4696 | b: 4149 | P: (37731, 40881) | Q: (41083, 10666)
m = 244


Found a match at i = 218 and j = 146, where the left and right hand sides are equal to (28571 : 9810 : 1)
Therefore, ind_P(Q) = im + j = 53338
(41083 : 10666 : 1) = [53338] (37731 : 40881 : 1) = (41083 : 10666 : 1). True
ind_P(Q) = 53338
#######################
p: 15107 | a: 2426 | b: 13696 | P: (8698, 1168) | Q: (14411, 5625)
m = 123


Found a match at i = 121 and j = 84, where the left and right hand sides are equal to (14523 : 1004 : 1)
Therefore, ind_P(Q) = im + j = 14967
(14411 : 5625 : 1) = [14967] (8698 : 1168 : 1) = (14411 : 5625 : 1). True
ind_P(Q) = 14967
#######################
p: 563 | a: 216 | b: 496 | P: (59, 439) | Q: (488, 399)
m = 24
Found a match at i = 7 and j = 21, where the left and right hand sides are equal to (157 : 142 : 1)
Therefore, ind_P(Q) = im + j = 189
(488 : 399 : 1) = [189] (59 : 439 : 1) = (488 : 399 : 1). True
ind_P(Q) = 189
#######################
p: 72647 | a: 15797 | b: 9792 | P: (47933, 9352) | Q: (14572, 39109)
m = 270


Found a match at i = 254 and j = 168, where the left and right hand sides are equal to (27681 : 31106 : 1)
Therefore, ind_P(Q) = im + j = 68748
(14572 : 39109 : 1) = [68748] (47933 : 9352 : 1) = (14572 : 39109 : 1). True
ind_P(Q) = 68748
#######################
p: 35603 | a: 10887 | b: 10175 | P: (34298, 23898) | Q: (25953, 15711)
m = 190


Found a match at i = 167 and j = 91, where the left and right hand sides are equal to (25101 : 31097 : 1)
Therefore, ind_P(Q) = im + j = 31821
(25953 : 15711 : 1) = [31821] (34298 : 23898 : 1) = (25953 : 15711 : 1). True
ind_P(Q) = 31821
#######################
p: 77999 | a: 6251 | b: 24278 | P: (10310, 20604) | Q: (10424, 2010)
m = 280


Found a match at i = 190 and j = 26, where the left and right hand sides are equal to (43535 : 20086 : 1)
Therefore, ind_P(Q) = im + j = 53226
(10424 : 2010 : 1) = [53226] (10310 : 20604 : 1) = (10424 : 2010 : 1). True
ind_P(Q) = 53226
#######################


p: 92639 | a: 9643 | b: 68841 | P: (79202, 16529) | Q: (75405, 75118)
m = 305


Found a match at i = 60 and j = 7, where the left and right hand sides are equal to (26034 : 60158 : 1)


Therefore, ind_P(Q) = im + j = 18307
(75405 : 75118 : 1) = [18307] (79202 : 16529 : 1) = (75405 : 75118 : 1). True
ind_P(Q) = 18307
#######################
p: 42727 | a: 4447 | b: 29277 | P: (683, 2899) | Q: (6143, 27936)
m = 207


Found a match at i = 91 and j = 187, where the left and right hand sides are equal to (40594 : 40398 : 1)
Therefore, ind_P(Q) = im + j = 19024
(6143 : 27936 : 1) = [19024] (683 : 2899 : 1) = (6143 : 27936 : 1). True
ind_P(Q) = 19024
#######################


p: 62383 | a: 13709 | b: 47487 | P: (31136, 38631) | Q: (6509, 18169)
m = 251


Found a match at i = 117 and j = 28, where the left and right hand sides are equal to (47641 : 21347 : 1)


Therefore, ind_P(Q) = im + j = 29395
(6509 : 18169 : 1) = [29395] (31136 : 38631 : 1) = (6509 : 18169 : 1). True
ind_P(Q) = 29395
#######################
p: 28019 | a: 4425 | b: 21623 | P: (24197, 12897) | Q: (22942, 27851)
m = 168


Found a match at i = 97 and j = 10, where the left and right hand sides are equal to (7771 : 27849 : 1)
Therefore, ind_P(Q) = im + j = 16306
(22942 : 27851 : 1) = [16306] (24197 : 12897 : 1) = (22942 : 27851 : 1). True
ind_P(Q) = 16306
#######################
p: 27767 | a: 27492 | b: 19189 | P: (11959, 4771) | Q: (17643, 22194)
m = 167


Found a match at i = 161 and j = 47, where the left and right hand sides are equal to (6632 : 23787 : 1)
Therefore, ind_P(Q) = im + j = 26934
(17643 : 22194 : 1) = [26934] (11959 : 4771 : 1) = (17643 : 22194 : 1). True
ind_P(Q) = 26934
#######################
p: 80611 | a: 33701 | b: 70506 | P: (75418, 22796) | Q: (45590, 64805)
m = 284


Found a match at i = 72 and j = 193, where the left and right hand sides are equal to (6736 : 77694 : 1)


Therefore, ind_P(Q) = im + j = 20641
(45590 : 64805 : 1) = [20641] (75418 : 22796 : 1) = (45590 : 64805 : 1). True
ind_P(Q) = 20641
#######################
p: 54251 | a: 45709 | b: 20753 | P: (14284, 52137) | Q: (43534, 6383)
m = 233


Found a match at i = 89 and j = 133, where the left and right hand sides are equal to (50576 : 25590 : 1)


Therefore, ind_P(Q) = im + j = 20870
(43534 : 6383 : 1) = [20870] (14284 : 52137 : 1) = (43534 : 6383 : 1). True
ind_P(Q) = 20870
#######################
p: 80779 | a: 50168 | b: 17606 | P: (38397, 78031) | Q: (24095, 73355)
m = 285


Found a match at i = 15 and j = 226, where the left and right hand sides are equal to (68966 : 50769 : 1)


Therefore, ind_P(Q) = im + j = 4501
(24095 : 73355 : 1) = [4501] (38397 : 78031 : 1) = (24095 : 73355 : 1). True
ind_P(Q) = 4501
#######################


In [7]:
Jacobi(234512, 80779)

-1

In [6]:
is_prime(80779)

True