In [47]:
from sage.all import *
from sage.groups.generic import discrete_log_rho
import time
import random

# --------------------------------------------
# 2. Hardened + fast curve generator
# --------------------------------------------
def generate_curve(bits=32, min_prime_ratio=0.9, verbose=True):
    """
    Generate a secure curve E / F_p with:
      • pseudo‑Mersenne prime p (fast reduction)
      • prime |E|  (cofactor = 1)     – or, if not possible quickly,
      • cofactor ≤ 4 and prime subgroup ≥ min_prime_ratio * p
      • twist also has a ≥ 128‑bit prime factor (twist security)

    Returns (E, p, N)  where N = |E|.
    """
    # --- choose a pseudo‑Mersenne prime p = 2^k - c  (tiny c) ---
    while True:
        k = bits
        c = randint(1, 2**16)          # small random c
        p = 2**k - c
        p = next_prime(p)              # ensure primality
        if p.nbits() == bits:          # stay in range
            break

    if verbose: print(f"Prime p (pseudo‑Mersenne): {p}")

    # --- hunt for a good (a, b) ---
    tries = 0
    while True:
        tries += 1
        a = randint(0, p - 1)
        b = randint(0, p - 1)

        E = EllipticCurve(GF(p), [a, b])
        N = E.order()                  # one SEA run

        # security checks
        if N.is_prime():
            cofactor = 1
        else:
            fac = factor(N)
            largest_prime = max(pf for pf, _e in fac)
            cofactor       = N // largest_prime

            if (largest_prime < min_prime_ratio * p) or (cofactor > 4):
                continue  # subgroup too small or cofactor too big

        break  # passed all filters

    if verbose:
        print(f"Found curve after {tries} tries:")
        print(f"  y² = x³ + {a}x + {b}  over 𝔽_{p}")
        print(f"  |E|      = {N}")
        print(f"  Cofactor = {cofactor}")

    return E, p, N


# -------------------------
# 3. Fast generator finder
# -------------------------
def find_generator(E):
    """
    Returns a point G of prime order n on E together with n.

    Strategy:
    1. Compute |E| once, factor it once.
    2. Pick the *largest* prime divisor ℓ of |E| (very likely > 50 % of |E|).
    3. Let h = |E| / ℓ be the cofactor.
    4. For random P, set G = h·P.  Then G has order either 1 or ℓ.
       Repeat until G ≠ O.
    """
    N = E.order()                # one SEA run
    fac = factor(N)              # one integer factorisation
    ell = max(p for p, _e in fac)  # choose largest prime factor
    h   = N // ell               # cofactor

    while True:
        P = E.random_point()
        G = h * P
        if not G.is_zero():      # success: G now has order ell
            break

    n = ell
    print(f"Curve order  |E| : {N}")
    print(f"Cofactor h     : {h}")
    print(f"Prime order n  : {n}")
    print(f"Generator G    : {G}")
    return G, n

# -------------------------
# 4. Key generation
# -------------------------
def generate_keypair(G, n):
    d = randint(1, n - 1)
    Q = d * G
    print(f"Private key d: {d}")
    print(f"Public key Q: {Q}")
    return d, Q

# -------------------------
# 5. Solve ECDLP using Pollard’s Rho
# -------------------------
def solve_ecdlp(Q, G, n):
    print("\nSolving ECDLP with Pollard’s Rho...")
    t0 = time.time()
    d_hat = discrete_log_rho(Q, G, ord=n, operation='+')
    elapsed = time.time() - t0
    print(f"Recovered d: {d_hat}")
    print(f"Time elapsed: {elapsed:.4f} s")
    return d_hat, elapsed

# -------------------------
# 6. Full demo (if needed)
# -------------------------
def run_demo(bits=16):
    print("=== ECC Demo ===")
    E, a, b = generate_curve(bits)
    G, n = find_generator(E)
    d, Q = generate_keypair(G, n)
    d_hat, t = solve_ecdlp(Q, G, n)
    print(f"\nSuccess: {d == d_hat}")

In [None]:
run_demo(10)

=== ECC Demo ===
Prime p (pseudo‑Mersenne): 733


Exception ignored in: <bound method IPythonKernel._clean_thread_parent_frames of <sage.repl.ipython_kernel.kernel.SageKernel object at 0x7f781c539cd0>>
Traceback (most recent call last):
  File "/home/francisco-cardenoso/miniforge3/envs/sage/lib/python3.11/site-packages/ipykernel/ipkernel.py", line 775, in _clean_thread_parent_frames
    def _clean_thread_parent_frames(

  File "signals.pyx", line 355, in cysignals.signals.python_check_interrupt
KeyboardInterrupt: 
