In [1]:
import sympy as sp

In [2]:
def points_on_elliptic_curve(p, a, b):
    # Initialize the set of points on the curve
    points = set()
    # Loop through all possible x values to find possible points on the curve
    for x in range(p):
        # Calculate the right side of the elliptic curve equation
        rhs = (x**3 + a*x + b) % p
        # Check for y values that satisfy the equation y^2 = x^3 + ax + b
        for y in range(p):
            if pow(y, 2, p) == rhs:
                points.add((x, y))
    
    # Include the point at infinity
    points.add('infinity')
    
    return points

def hasse_theorem(p, number_of_points):
    # The Hasse theorem provides a bound for the number of points on the curve
    lower_bound = p + 1 - 2*sp.sqrt(p)
    upper_bound = p + 1 + 2*sp.sqrt(p)
    return lower_bound <= number_of_points <= upper_bound

In [3]:
def format_output(points, number_of_points, is_valid, p):
    # Initialize formatted output string
    formatted_output = "Points:\n"
    # Sort the points excluding 'infinity' for display
    sorted_points = sorted([point for point in points if point != 'infinity'])
    # Add each point to the formatted output
    for point in sorted_points:
        formatted_output += f"- {point}\n"
    # Add the point at infinity with its symbolic representation 'I'
    formatted_output += "- I\n\n"
    # Add the number of points
    formatted_output += f"#E(F_p) = {number_of_points}\n"
    # Calculate Hasse interval
    lower_bound = p + 1 - 2*sp.sqrt(p)
    upper_bound = p + 1 + 2*sp.sqrt(p)
    # Add the Hasse interval to the formatted output
    formatted_output += f"Hasse Interval = [{lower_bound.evalf()}, {upper_bound.evalf()}]\n"
    # Add validity of the Hasse theorem to the formatted output
    formatted_output += f"Hasse = {is_valid}\n"

    return formatted_output

In [4]:
# Example usage of the functions
p = 167  # a prime number
a = -3   # coefficient a in the curve equation
b = 64  # coefficient b in the curve equation

# Calculate points on the elliptic curve
points = points_on_elliptic_curve(p, a, b)

# Calculate the number of points
number_of_points = len(points)

# Verify the number of points using the Hasse theorem
is_valid = hasse_theorem(p, number_of_points)

In [5]:
# Use the previously computed points, number of points, and validity to format the output
output = format_output(points, number_of_points, is_valid, p)
print(output)

Points:
- (0, 8)
- (0, 159)
- (1, 79)
- (1, 88)
- (2, 20)
- (2, 147)
- (4, 28)
- (4, 139)
- (5, 72)
- (5, 95)
- (9, 76)
- (9, 91)
- (10, 52)
- (10, 115)
- (14, 42)
- (14, 125)
- (15, 80)
- (15, 87)
- (19, 55)
- (19, 112)
- (21, 54)
- (21, 113)
- (24, 17)
- (24, 150)
- (26, 19)
- (26, 148)
- (27, 36)
- (27, 131)
- (30, 33)
- (30, 134)
- (31, 6)
- (31, 161)
- (32, 2)
- (32, 165)
- (34, 45)
- (34, 122)
- (36, 55)
- (36, 112)
- (40, 22)
- (40, 145)
- (41, 15)
- (41, 152)
- (53, 73)
- (53, 94)
- (56, 50)
- (56, 117)
- (57, 65)
- (57, 102)
- (61, 57)
- (61, 110)
- (62, 8)
- (62, 159)
- (66, 17)
- (66, 150)
- (69, 82)
- (69, 85)
- (70, 62)
- (70, 105)
- (71, 81)
- (71, 86)
- (72, 39)
- (72, 128)
- (77, 17)
- (77, 150)
- (79, 7)
- (79, 160)
- (83, 63)
- (83, 104)
- (84, 0)
- (85, 83)
- (85, 84)
- (86, 60)
- (86, 107)
- (90, 29)
- (90, 138)
- (91, 5)
- (91, 162)
- (92, 16)
- (92, 151)
- (94, 83)
- (94, 84)
- (98, 77)
- (98, 90)
- (99, 56)
- (99, 111)
- (101, 29)
- (101, 138)
- (104, 47)
- (104,

In [6]:
def elliptic_add(p1, p2, a, b, p):
    # Handle the identity element cases (point at infinity)
    if p1 == "infinity":
        return p2
    if p2 == "infinity":
        return p1
    if p1 == p2:
        # Use the doubling formula
        if p1[1] == 0:  # The tangent is vertical, so the result is the point at infinity
            return "infinity"
        else:
            lam = (3 * p1[0]**2 + a) * sp.mod_inverse(2 * p1[1], p) % p
    else:
        # Use the addition formula
        if p1[0] == p2[0]:
            return "infinity"
        else:
            lam = (p2[1] - p1[1]) * sp.mod_inverse(p2[0] - p1[0], p) % p

    x3 = (lam**2 - p1[0] - p2[0]) % p
    y3 = (lam * (p1[0] - x3) - p1[1]) % p
    return (x3, y3)

def elliptic_mult(k, p1, a, b, p):
    r = "infinity"
    while k > 0:
        if k & 1:
            r = elliptic_add(r, p1, a, b, p)
        p1 = elliptic_add(p1, p1, a, b, p)
        k >>= 1
    return r

# P-256 curve parameters
a = -3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
p = 2**256 - 2**224 + 2**192 + 2**96 - 1

# Points provided by the user
P = (5139147556, 84992513513819837562679639329935059290744880011754896240095105442438501460580)
Q = (957, 106068017933963908069108378434410615354534760345589368572553274269533297279953)
R = (39147563, 86800512523116406738886579531519493100624547860931014107623369720327567099304)

# Perform the operations
P_plus_Q = elliptic_add(P, Q, a, b, p)
P17 = elliptic_mult(17, P, a, b, p)
P_plus_29Q = elliptic_add(P, elliptic_mult(29, Q, a, b, p), a, b, p)
P_plus_Q_plus_R = elliptic_add(P_plus_Q, R, a, b, p)
P5 = elliptic_mult(5, P, a, b, p)
P5_plus_47Q = elliptic_add(P5, elliptic_mult(47, Q, a, b, p), a, b, p)
P5_plus_47Q_plus_131R = elliptic_add(P5_plus_47Q, elliptic_mult(131, R, a, b, p), a, b, p)

In [7]:
print('          P + Q =', P_plus_Q)
print('            17P =', P17)
print('        P + 29Q =', P_plus_29Q)
print('      P + Q + R =', P_plus_Q_plus_R)
print('5P + 47Q + 131R =', P5_plus_47Q_plus_131R)

          P + Q = (70080563902474660685014643574954286003305136526954517743428749117055603385364, 102817281760810435925299871406466683251351115534973220072977695964583963694190)
            17P = (6767482609142533773727106561141486021988565046507560472655419434998143805142, 111849450923862212349083160889673641820507651447758924512379621060157659132486)
        P + 29Q = (85770230561767378375651721422453530671836821484546392654290517587029149330503, 109289525563572793074808101103724966387806510899333588476506211211325308580228)
      P + Q + R = (10078325695723211088410985734864258926108196424648752194418952354939491493398, 83162779257944430915141041076225903572090104654488309266745131800763293112040)
5P + 47Q + 131R = (60003140733697602815862847258574814281333745187497680713195857338569721153623, 113621516247140099510908544142253158409830215142911456940902986653313431422677)


Teniendo en cuenta lo anterior, has una funcion que haga esto "Dado un valor α y un mensaje m codificado a un punto M∈P256 calcular y mostrar los valores:

    (Pk,sk) resultantes de la generación de llaves de ElGamal sobre P256 utilizando el α dado.

    (V,C) resultantes del cifrado con ElGamal sobre P256.

    Nota: Se debe mostrar (β,V,C)=E(Pk,M)

    El punto M resultante del descifrado con ElGamal sobre P256 utilizando los valores (V,C) del inciso anterior.
", estos son los inputs esperados "alpha = 8043
M = (681515878241, 42867525214630099613645669273136473583026733865738235463867590073359574198973)", "M_ec = ECPoint(a, b, FP(M[0], p), FP(M[1], p))
egec = ElGamalEC(q, G)
Pk, sk = egec.keygen(alpha)", "(V, C) = egec.encrypt(Pk, M_ec)" y "M_dec = egec.decrypt(sk, V, C)
assert M_ec == M_dec". Estas son funciones ElGamal que tienes que tener en cuenta "def Gen(q, g):
    if not isprime(q):
        raise ValueError("q debe ser un número primo.")
    alpha = randint(2, q - 1)
    u = pow(g, alpha, q)
    pk = u
    sk = alpha
    return pk, sk", "def Enc(pk, m, q, g):
    if not isinstance(m, str):
        raise TypeError("El mensaje debe ser una cadena de texto.")

    # Determinar el tamaño de cada submensaje
    k = len(m) // 4
    if len(m) % 4 != 0:  # Ajustar si no es un múltiplo exacto de 4
        k += 1

    # Dividir el mensaje en submensajes
    submensajes = [m[i * 4: (i + 1) * 4] for i in range(k)]

    resultados = []
    for submensaje in submensajes:
        # Convertir submensaje a un número entero
        submensaje_int = int.from_bytes(submensaje.encode(), 'big')
        if not (1 < submensaje_int < q):
            raise ValueError(f"El valor entero del submensaje '{submensaje}' ({submensaje_int}) debe estar en el rango de 1 a q-1.")
        
        beta = randint(2, q - 1)
        v = pow(g, beta, q)
        c = (submensaje_int * pow(pk, beta, q)) % q
        resultados.append((beta, v, c))

    return resultados" y "def Dec(sk, ciphers, q):
    message_parts = []

    for v, c in ciphers:
        w = pow(mod_inverse(v, q), sk, q)
        m_int = (c * w) % q
        try:
            # Calculamos el número de bytes a partir del valor máximo esperado en el cifrado
            num_bytes = max(1, (m_int.bit_length() + 7) // 8)
            m_bytes = m_int.to_bytes(num_bytes, byteorder='big')
            m_part = m_bytes.decode('utf-8', errors='ignore')  # Ignorar caracteres no decodificables
            message_parts.append(m_part)
        except (ValueError, UnicodeDecodeError, OverflowError) as e:
            message_parts.append(f"<cannot decode {m_int}: {str(e)}>")

    return ''.join(message_parts)"