In [1]:
from sage.all import (
    EllipticCurve,
    randint,
    ZZ,
    discrete_log,
    GF,
    matrix,
    block_matrix,
    set_random_seed
)
from sage.modules.free_module_integer import IntegerLattice

import quaternion as quat
import endomorphism as End
#import elliptic_curve as elc
#import parameter_generate as param 
import random as rand
import time
import compression
import sympy
#import supersingular
#import d2isogeny
#import utilities_festa
from SQIPrime import SQIPrime_Sigma
from SQIPrime import SQIPrime

In [2]:
from theta_structures.couple_point import CouplePoint
#from theta_isogenies.product_isogeny import EllipticProductIsogeny
from theta_isogenies.product_isogeny_sqrt import EllipticProductIsogenySqrt
#from utilities.strategy import optimised_strategy
from utilities.discrete_log import BiDLP_power_two
#from utilities.discrete_log import BiDLP
from utilities.fast_sqrt import sqrt_Fp4
#from montgomery_isogenies.kummer_isogeny import KummerLineIsogeny_Velu
#from montgomery_isogenies.kummer_line import KummerLine
#from montgomery_isogenies.kummer_line import KummerPoint

In [3]:
from Crypto.Hash import SHAKE256

In [4]:
def speed_up_sagemath():
    """
    First we set proof.all(False) for general speed ups which
    keeping everything correct (enough)
    
    Then, we apply a monkey patch to cache the vector_space which
    helps with the performance of polynomial computations
    """
    # Skips strong primality checks and other slow things
    proof.all(False)
    
    # Cache vector spaces to improve performance
    p = 2**127 - 1 # Arbitrary large prime
    to_patch = [GF(3), GF(3**2), GF(p), GF(p**2)]
    for x in to_patch:
        type(x).vector_space = cached_method(type(x).vector_space)



def print_info(str, banner="="):
    """
    Print information with a banner to help
    with visibility during debug printing
    """
    print(banner * 80)
    print(f"{str}".center(80))
    print(banner * 80)


In [5]:
speed_up_sagemath()

# SQIPrime specific functions

## Setup functions

In [6]:
# In Supersingular

#Compute GF(p**4), its restriction GF(p**2) such that GF(p**2)=F_p[x]/(x**2+1) but without necessary root 1. 
def calcFields(p):
    assert p % 4 == 3
    R = PolynomialRing(GF(p), name="x")
    x = R.gens()[0]
    Fp2 = GF(p**2, modulus=x**2+1, name="i")
    z = Fp2.random_element()
    while z.is_square():
        z = Fp2.random_element()
    t = ZZ(z + z**p)
    n = ZZ(z**(p+1))
    print(t,n)
    R = PolynomialRing(ZZ, name="x")
    x = R.gens()[0]
    Fp4 = GF(p**4, modulus=x**4 - t*x**2 + n, name="z")
    Fp2 = Fp4.subfield(2)
    i = Fp2(-1).sqrt(all = True)[0]
    return Fp4, Fp2, i


#Compute a random point in E(Fp**4)[l**e].
def point_ord_4(E, l, e):
    #assert is_prime(l)
    p = E.base_ring().characteristic()
    assert (p**2 - 1) % l**e == 0
    
    P = (p**2 - 1)//(l**e)*E.random_point()
    while (l**(e-1)*P).is_zero():
        P = (p**2 - 1)//(l**e)*E.random_point()
    assert (l**e*P).is_zero()
    if P[1][0] >= (p**2 - 1)//2 or (P[1][0] == 0 and P[1][1] >= (p**2 - 1)//2):   # even if the seed of random_point is fixed, the sign of point is random.
        P = -P
    return P

#Compute a basis of E(Fp**4)[l**e].
def basis_4(E, l, e):
    P = point_ord_4(E, l, e)
    Q = point_ord_4(E, l, e)
    if l == 2:
        while (l**(e-1))*(P-Q) == E(0):
            Q = point_ord_4(E, l, e)
    else:
        while (l**(e-1)*P).weil_pairing(l**(e-1)*Q, l) == 1:
            Q = point_ord_4(E, l, e)
    return P, Q





def sample_ran_element(E, Fp4, Fp2, zeta, twist):
    w = Fp2.random_element()
    w = Fp4([w[0],0,w[1],0])
    A = E.a_invariants()[1]
    yw = w**3 + A*w**2+w 
    t = sqrt_Fp4(yw, zeta)
    if twist:
        while t[1] == 0:
            w = Fp2.random_element()
            w = Fp4([w[0],0,w[1],0])
            yw = w**3 + A*w**2+w 
            t = sqrt_Fp4(yw, zeta)
        return E([w,t])
    else:
        while t[1] != 0:
            w = Fp2.random_element()
            w = Fp4([w[0],0,w[1],0])
            yw = w**3 + A*w**2+w 
            t = sqrt_Fp4(yw, zeta)
        return E([w,t])



def Basis_comput(E,Fp4, Fp2, zeta, twist,l, e):
    P = sample_ran_element(E, Fp4, Fp2, zeta, twist)
    Q = sample_ran_element(E, Fp4, Fp2, zeta, twist)
    if twist:
        P = ((p-1)/(l**e))*P        
        Q = ((p-1)/(l**e))*Q
    else:
        P = ((p+1)/(l**e))*P        
        Q = ((p+1)/(l**e))*Q
    if l == 2:
        A = (l**(e-1))*P
        while A == E(0):
            P = sample_ran_element(E, Fp4, Fp2, zeta, twist)
            P = ((p+1)/(l**e))*P
            A = (l**(e-1))*P
        B = (l**(e-1))*Q
        while B == E(0) or A == B:
            Q = sample_ran_element(E, Fp4, Fp2, zeta, twist)
            Q = ((p+1)/(l**e))*Q
            B = (l**(e-1))*Q
    else:
        while (l**(e-1)*P).weil_pairing(l**(e-1)*Q, l) == 1:
            Q = sample_ran_element(E, Fp4, Fp2, zeta, twist)
            if twist:
                Q = ((p-1)/(l**e))*Q
            else:
                Q = ((p+1)/(l**e))*Q

    return P, Q

def two_order(E,P,e):
    for i in range(e):
        if P == E(0):
            return i
        P = 2*P
    return e

In [7]:
#Add to endomorphism

def image_matrices(basis, N, zeta2, F2):
    one = [1,0,0,0]
    Ms = []
    for alpha in [one[-i:]+one[:-i] for i in range(1, 4)]:
        Ms.append(image_matrix(alpha, basis, N, zeta2, F2))
    return Ms


def image_matrix(alpha, basis, N, zeta2, F2):
    P, Q = basis
    aP, aQ = [End.action(alpha, R, zeta2, F2) for R in [P, Q]]
    return (aP,aQ)


def action_image(alpha, images_list, basis):
    retP, retQ = alpha[0]*basis[0], alpha[0]*basis[1]
    for i in range(1,4):
        retP += alpha[i]* images_list[i-1][0]        
        retQ += alpha[i]* images_list[i-1][1]
    return (retP, retQ)




In [8]:
# Small functions 

def arity(n):
    return (ZZ(int(n) & int(~(int(n - 1)))).nbits())-1


In [9]:

def FindPrecomputedBasis(E,basis, Qalgebra, Basis0, image_action, zeta, d):
    assert E == EllipticCurve(Fp4, [0, Fp4(0), 0, 1, 0])
    p = E.base_ring().characteristic()
    P,Q = basis[0],basis[1]
    Ideal_0 = Qalgebra.ideal(Basis0)
    assert d*P == E(0) and d*Q == E(0)
    c=1
    while gcd(c,d) != 1 or c * d < p:
        c = rand.randint(p>>64,p)
    c *=  d
    alpha = quat.FullRepresentInteger(c,p)
    a, b = rand.randint(1, d), rand.randint(1, d)
    R,S = E(0), E(0)
    while R == E(0):
        while( a % d == 0 or b % d == 0):
            a, b = rand.randint(1, d), rand.randint(1, d)
        vP = action_image(alpha,image_action, basis)
        R = a*vP[0] + b*vP[1]
    alpha_endo = Qalgebra(0)
    for j in range(4):
        alpha_endo += Basis0[j]*alpha[j]
    Ideal_P = Ideal_0*(alpha_endo.conjugate())+ (Ideal_0*d)
    
    inter_image = image_matrices((R,S), d, zeta, Fp4)
    n = rand.randint(p<<10, p<<32)
    while gcd(n,d) != 1:
        n = rand.randint(p<<10, p<<32)
    iota = quat.FullRepresentInteger(n,p)
    wP = action_image(iota, inter_image ,(R,S))
    S = wP[0] 
    while R.weil_pairing(S, d) == 1:
        while gcd(n,d)  != 1 or n*d<p:
            n = rand.randint(4*p, p*d)
        iota = quat.FullRepresentInteger(n,p)
        wP = action_image(iota, inter_image, vP)
        S  = wP[0] 

    return (R,S), iota, Ideal_P

## KeyGen Functions

In [10]:
def Kani_double_path(E0, p , q , e , zeta, basis, action_matrices, Quat_alg, Basis0):
    P0,Q0= basis[0],basis[1]
    
    alpha = quat.FullRepresentInteger(q*(2**e-q),p)
    vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
    alphaP = vP[0]*P0 + vP[1]*Q0
    vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
    alphaQ = vQ[0]*P0 + vQ[1]*Q0

    P1 = ( - q)*P0
    Q1 = ( - q)*Q0
    P2 = alphaP
    Q2 = alphaQ

    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    #Phi = EllipticProductIsogeny(kernel, n, optimised_strategy(n), zeta)
    Phi = EllipticProductIsogenySqrt(kernel, e, None, zeta)

    print(Phi.codomain())
        
    Ideal_0 = Quat_alg.ideal(Basis0)
    alpha_endo = make_endo(Quat_alg, O0_basis, alpha)
    I_tau=(Ideal_0*(alpha_endo)) + (Ideal_0)*(q)
    I_rho=(Ideal_0*conjugate(alpha_endo)) + (Ideal_0)*(2**e-q)

    return Phi, I_tau, I_rho


def Extended_Kani_double_path(E0, p , q , e , basis, action_matrices, Quat_alg, Basis0):
    P0,Q0= basis[0],basis[1]
    P0_, Q0_ = 2**(e-q.nbits())*basis[0],2**(e-q.nbits())*basis[1]
    
    alpha = quat.FullRepresentInteger(q*(2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q)),p)
    vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
    alphaP = vP[0]*P0 + vP[1]*Q0
    vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
    alphaQ = vQ[0]*P0 + vQ[1]*Q0

    P1 = (2**e-q*(2**q.nbits() - q))*P0
    Q1 = (2**e-q*(2**q.nbits() - q))*Q0
    P2 = alphaP
    Q2 = alphaQ

    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    #Phi = EllipticProductIsogeny(kernel, n, optimised_strategy(n), zeta)
    Phi1 = EllipticProductIsogenySqrt(kernel, e)

    P2_, Q2_ = eval_basis_unsmooth(E0, E0, Phi1, q*(2**q.nbits() - q), (P0_,Q0_), 2**q.nbits(), position=True)

    P1_ = (2**q.nbits() - q)*P0_
    Q1_ = (2**q.nbits() - q)*Q0_

    Pa, Qa = CouplePoint(P1_,P2_), CouplePoint(Q1_, Q2_)
    kernel = (Pa, Qa)
    #Phi = EllipticProductIsogeny(kernel, n, optimised_strategy(n), zeta)
    Phi2 = EllipticProductIsogenySqrt(kernel, q.nbits())
    
    Ideal_0 = Quat_alg.ideal(Basis0)
    alpha_endo = make_endo(Quat_alg, O0_basis, alpha)
    I_tau=(Ideal_0*(alpha_endo)) + (Ideal_0)*(q)
    I_rho=(Ideal_0*conjugate(alpha_endo)) + (Ideal_0)*((2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q)))

    return Phi1, Phi2, I_tau, I_rho


def sample_random_matrix(F):
    d = F.characteristic()
    Mn=[]
    for i in range(4):
        Mn.append(F(rand.randint(1, d)))
    M = Matrix([[Mn[0],Mn[1]],[Mn[2],Mn[3]]])
    assert M.determinant()%d != 0
    return M

In [11]:
#Kani_double_path(E0, p , q , e , zeta, Basis_2, action_matrices_2, Quat_alg, O0_basis)

In [12]:
def eval_basis_unsmooth(E0, E1, Phi, N, Basis, b_order, position=True):
    """
    Compute the image of a basis "basis" 
    """
    P = Basis[0]    
    Q = Basis[1]
    PQ = P+Q
    Good_order = True
    if position:
        X = Phi(CouplePoint(P, E1(0)))
        Y = Phi(CouplePoint(Q, E1(0)))
        XY = Phi(CouplePoint(PQ, E1(0)))
        if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
            Y[0] = -Y[0]
        Pd, Qd = X[0], Y[0]
        if not Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N:
            Good_order = False
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
        assert Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N
    if not position:
        X = Phi(CouplePoint(E0(0),P))
        Y = Phi(CouplePoint(E0(0),Q))
        XY = Phi(CouplePoint(E0(0),PQ))
        if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
            Y[0] = -Y[0]
        Pd, Qd = X[0], Y[0]
        if not Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N:
            Good_order = False
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
        assert Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N

    return Pd,Qd

In [13]:
def eval_basis_unsmooth_SpecialDomain_old(E0, P1 ,Q1 , P2, Q2, N, Basis, basis_order ,zeta, position):    
    Rs  = []
    Res = []
    for i in range(len(Basis)):
        P = Basis[i][0]    
        Q = Basis[i][1]
        PQ = P+Q
        if position[i]:
            Rs.append((P , E0(0)))
            Rs.append((Q , E0(0)))
            Rs.append((PQ , E0(0))) 
        else:
            Rs.append((E0(0) , P))
            Rs.append((E0(0) , Q))
            Rs.append((E0(0) , PQ)) 
            
    Xs = d2isogeny.D2IsogenyImage(E0, E0, P1, Q1, P2, Q2, e, Rs, None, zeta)
    for i in range(0,int(len(Xs)/3)):
         X = Xs[3*i]
         Y = Xs[3*i+1]
         XY = Xs[3*i+2]
         if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
             Y[0] = -Y[0]
         Pd, Qd = X[0], Y[0]
         if not Pd.weil_pairing(Qd, basis_order[i]) == Basis[i][0].weil_pairing(Basis[i][1], basis_order[i])**N[i]:
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
            assert Pd.weil_pairing(Qd, basis_order[i]) == Basis[i][0].weil_pairing(Basis[i][1], basis_order[i])**N[i]
         Res.append((Pd,Qd))
    return Res


In [14]:
#Dim 2

def eval_basis_unsmooth(E0, E1, Phi, N, Basis, b_order, position=True):
    """
    Compute the image of a basis "basis" 
    """
    P = Basis[0]    
    Q = Basis[1]
    PQ = P+Q
    Good_order = True
    if position:
        X = Phi(CouplePoint(P, E1(0)))
        Y = Phi(CouplePoint(Q, E1(0)))
        XY = Phi(CouplePoint(PQ, E1(0)))
        if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
            Y[0] = -Y[0]
        Pd, Qd = X[0], Y[0]
        if not Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N:
            Good_order = False
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
        assert Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N
    if not position:
        X = Phi(CouplePoint(E0(0),P))
        Y = Phi(CouplePoint(E0(0),Q))
        XY = Phi(CouplePoint(E0(0),PQ))
        if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
            Y[0] = -Y[0]
        Pd, Qd = X[0], Y[0]
        if not Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N:
            Good_order = False
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
        assert Pd.weil_pairing(Qd, b_order) == P.weil_pairing(Q, b_order)**N

    return Pd,Qd


def compute_endo(E0, p , q , e , basis, action_matrices):
    P0,Q0= basis[0],basis[1]

    #Sample the Endomorphisms
    alpha = quat.FullRepresentInteger(q*(2**e-q),p)
    vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
    vP = (vP[0] % 2**e, vP[1] % 2**e)
    alphaP = vP[0]*P0 + vP[1]*Q0
    vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
    vQ = (vQ[0] % 2**e, vQ[1] % 2**e)

    alphaQ = vQ[0]*P0 + vQ[1]*Q0

    #Sample the Endomorphisms
    P1 = (2**e - q)*P0
    Q1 = (2**e - q)*Q0
    P2 = alphaP
    Q2 = alphaQ

    return P1, Q1, P2,Q2, alpha  



def Special_isogeny_1(E0, P1, Q1, P2, Q2, e, Rs):
    P1, P2 = P1 - P2, P1 + P2
    Q1, Q2 = Q1 - Q2, Q1 + Q2
    e = e-1
    for i in range(len(Rs)):
        Rs[i] = (Rs[i][0]-Rs[i][1],Rs[i][0] + Rs[i][1])
    return P1, Q1, P2, Q2, e, Rs
        
def iota_auto(R,E0, zeta):
    return E0([-R[0], zeta*R[1], R[2]])

def Special_isogeny_2(E0, P1, Q1, P2, Q2, e, zeta,  Rs):
        P1, P2 = (P1 + iota_auto(P2, E0, zeta)), (iota_auto(P1, E0, zeta) + P2)
        Q1, Q2 = (Q1 + iota_auto(Q2, E0, zeta)), (iota_auto(Q1, E0, zeta) + Q2)
        e = e-1
        for i in range(len(Rs)):
            Rs[i] = (Rs[i][0] + iota_auto(Rs[i][1], E0, zeta), iota_auto(Rs[i][0],E0 ,zeta) + Rs[i][1])
        return P1, Q1, P2, Q2, e, Rs



def eval_basis_unsmooth_SpecialDomain(E0, P1 ,Q1 , P2, Q2, e, N, Basis, basis_order ,zeta, position):    
    Rs  = []
    Res = []
    E1 = E0
    E2 = E0
    for i in range(len(Basis)):
        P = Basis[i][0]    
        Q = Basis[i][1]
        PQ = P+Q
        if position[i]:
            Rs.append((P , E0(0)))
            Rs.append((Q , E0(0)))
            Rs.append((PQ , E0(0))) 
        else:
            Rs.append((E0(0) , P))
            Rs.append((E0(0) , Q))
            Rs.append((E0(0) , PQ)) 


    #Check bad cases in E0xE0
    while e >=0 :
        
        T1 = 2**(e-1)*P1
        T2 = 2**(e-1)*P2
        S1 = 2**(e-1)*Q1
        S2 = 2**(e-1)*Q2

        if (T1.is_zero() or T2.is_zero() or S1.is_zero() or S2.is_zero()):
            #print("Special Case n1",t)

            
            if T1.is_zero():
                T1, S1 = S1, T1
                T2, S2 = S2, T2
            assert not T1.is_zero()
            if not S1.is_zero():
                assert S1 == T1
                S2 -= T2
            assert T2.is_zero() or T2 == S2
            phi1 = E1.isogeny(T1)
            phi2 = E2.isogeny(S2)
            e = e-1
            P1, Q1 = phi1(P1), phi1(Q1)
            P2, Q2 = phi2(P2), phi2(Q2)
            E1 = P1.curve()
            E2 = P2.curve()
            for i in range(len(Rs)):
                Rs[i] = (phi1(Rs[i][0]),phi2(Rs[i][1]))
        else:
            if P1.curve() == P2.curve() == E0:
                if S1[0] == 0:
                    T1, S1 = S1, T1
                    T2, S2 = S2, T2
                elif not T1[0] == 0:
                    T1 += S1
                    T2 += S2
                assert T1[0] == 0
                
                if T2[0] == 0:
                    if S1 == S2:
                        #print("Special Case n1",t)
                        P1, Q1, P2, Q2, e, Rs = Special_isogeny_1(E0, P1, Q1, P2, Q2, e, Rs)
                            
            
                    else:
                        #print("Special Case n2",t)
                        P1, Q1, P2, Q2, e, Rs = Special_isogeny_2(E0, P1, Q1, P2, Q2, e, zeta,  Rs)
                            
                else:
                    #print("OUT",t)
                    break
            else:
                    #print("OUT",t)
                    break

    
    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    Phi = EllipticProductIsogenySqrt(kernel, e, None, zeta)
    Xs = [Phi(CouplePoint(R[0],R[1])) for R in Rs]
    
    for i in range(0,int(len(Xs)/3)):
         X = Xs[3*i]
         Y = Xs[3*i+1]
         XY = Xs[3*i+2]
         if not (X[0] + Y[0] == XY[0] or X[0] + Y[0] == -XY[0]):
             Y[0] = -Y[0]
         Pd, Qd = X[0], Y[0]
         if not Pd.weil_pairing(Qd, basis_order[i]) == Basis[i][0].weil_pairing(Basis[i][1], basis_order[i])**N[i]:
            if not (X[1] + Y[1] == XY[1] or X[1] + Y[1] == -XY[1]):
                Y[1] = -Y[1]
            Pd, Qd = X[1], Y[1]
            assert Pd.weil_pairing(Qd, basis_order[i]) == Basis[i][0].weil_pairing(Basis[i][1], basis_order[i])**N[i]
         Res.append((Pd,Qd))
    return Res


In [15]:
#t0 = time.perf_counter_ns()
#t=5
#for ti in range(t):
#    P1, Q1, P2,Q2, alpha  = compute_endo(E0, p , q , e , Basis_2, action_matrices_2)
#    Res = eval_basis_unsmooth_SpecialDomain(E0, P1 ,Q1 , P2, Q2,e, [q,q], [Basis_2,Basis_q], [2**e, q] ,zeta, [True,True])
#t1 = time.perf_counter_ns()

#print("SQIPrime Response algorithm took on average ",float(t1-t0)/10**6/t, "ms." )


## Compress Class

In [16]:

def integer_to_bytes(n, byte_len=None):
    """
    Represent an integer n as bytes in big-endian
    """
    n = int(n)
    if byte_len is None:
        byte_len = (n.bit_length() + 7) // 8
    return n.to_bytes(byte_len, 'big')

def bytes_to_integer(b):
    """
    Represent bytes as an integer in big-endian
    """
    return ZZ(int.from_bytes(b, 'big'))

def compress_curve(E,p_byte_len ):
    A = E.a_invariants()[1]
    return integer_to_bytes(A[0], p_byte_len)+ integer_to_bytes(A[2], p_byte_len)

def decompress_curve(Fp4,R,p_byte_len):
    a_bytes = R[:p_byte_len]
    b_bytes = R[p_byte_len:]
    a_int = bytes_to_integer(a_bytes)
    b_int = bytes_to_integer(b_bytes)
    A = Fp4([a_int,0, b_int,0])
    return EllipticCurve(Fp4, [0, A, 0, 1, 0])


def compress_points(E, Ps, p_byte_len):
    A = E.a_invariants()[1]
    Rs=[]
    for P in Ps:
        w = P.x()
        bool = sqrt_Fp4(w**3+A*w**2+w, zeta) == P.y()        
        Rs.append((integer_to_bytes(w[0], p_byte_len)+ integer_to_bytes(w[2], p_byte_len), bool))
    return R.tuple()

def decompress_points(E, Fp4,Rs,p_byte_len):
    A = E.a_invariants()[1]
    Ps=[]
    for R in Rs:
        a_bytes = R[0][:p_byte_len]
        b_bytes = R[0][p_byte_len:]
        a_int = bytes_to_integer(a_bytes)
        b_int = bytes_to_integer(b_bytes)
        X = Fp4([a_int,0, b_int,0])
        Y= sqrt_Fp4(X**3+A*X**2+X, zeta)
        if not R[1]:
            Y = -Y
        Ps.append(E([X,Y]))
    return Ps 

def Hash(Byte_length, m):
    shake = SHAKE256.new(m)
    return shake.read(Byte_length)


## Signature functions

In [17]:
#Stolen from realease 10.4.
# Add to ideal class

def chi(a, I):
    r"""
    From section 3.2 in Antonin's thesis.
    Calculates the equivalent ideal of I, of norm(a)
    Based on the surjection from I \ {0} to the set of equivalent ideals of I
    Obtained by a → I * (a_bar / n(I))
    """
    return I * (a.conjugate() / I.norm())


def make_endo(Quat_alg, Basis0, alpha):
    assert len(alpha) == 4
    alpha_endo = Quat_alg(0)
    for j in range(4):
        alpha_endo += Basis0[j]*alpha[j]
    return alpha_endo


def component_endo(gamma):
    return [gamma[0]-gamma[3], gamma[1]-gamma[2],2*gamma[2],2*gamma[3]]


def endo_reduction(gamma, q):
    return [gamma[i]%q for i in range(len(gamma))]


# Setup

In [18]:
p117 = 2**247 * 79 - 1
q117 = 168118140144706967996895604212334429
e117 = 247
window117 = [14]


p130 = 2**273 * 19**2 - 1
q130= 1733124013302036320718171822563477047667
e130 = 273
window130 = [15]

p186 = 2**397 * 3**2 * 7**2 * 11**2 -1
q186 = 139608035310883914672048824597166248641399835557000865381
e186 = 397
window186 = [17]

p240 = 2**499 * 3**2 * 7**2 -1 
q240 = 2464280664223269984651655821505754297856674907148353228398431687157640139
e240 = 499
window240 = [24]


In [23]:
sqiprime117 = SQIPrime(p130, q130, e130, window130)

In [26]:
pk, sk = sqiprime117.KeyGen()


In [27]:
for i in range(10):
    mes = integer_to_bytes(i)
    pk, sk = sqiprime117.KeyGen()
    sign = sqiprime117.Sign(sk, pk, mes)
    print(sqiprime117.Verif(pk, mes, sign))

True
True
True
True
True
True
True
True
True
True


In [28]:
chall = rand.randint(0,q117)
sign = sqiprime117.Response(sk, pk, sec, com, chall)
sign

NameError: name 'com' is not defined

In [29]:
#Fix the prime field
p = p117
q= q117
e = e117
window = window240


Fp4, Fp2, zeta = calcFields(p)
Fq = GF(q) 
Z2e = Integers(2**e)

#Fp4.base_ring()


#Compute the Standard basis
E0 = EllipticCurve(Fp4, [0, 0, 0, 1, 0]) #Curves are in the Montgomery model
#Basis_2 = basis_4(E0,2,e)
Basis_2= Basis_comput(E0, Fp4, Fp2, zeta, False,2, e)
#Basis_q = basis_4(E0,q,1)
Basis_q = Basis_comput(E0, Fp4, Fp2, zeta, True,q, 1)
action_matrices_2 = End.action_matrices(Basis_2, 2**e, zeta, Fp4)
image_action_q =  image_matrices(Basis_q, q, zeta, Fp4)
#image_action_2 =  image_matrices(Basis_2, q, zeta, Fp4)

#Compute the Precomputed Basis.
Quat_alg = QuaternionAlgebra(-1, -p)
O0_basis = (Quat_alg((1,0,0,0)),Quat_alg((0,1,0,0)),Quat_alg((0,1/2,1/2,0)),Quat_alg((1/2,0,0,1/2)))
Basis_q, iota, Ideal_P = FindPrecomputedBasis(E0, Basis_q, Quat_alg, O0_basis,image_action_q, zeta, q)
image_action_q = image_matrices(Basis_q, q, zeta, Fp4)
iota_end = make_endo(Quat_alg, O0_basis, iota)
Im = action_image(iota, image_action_q, Basis_q)
assert Im[0]==Basis_q[1]
assert q*Basis_q[0] == E0(0) and q*Basis_q[0] == E0(0)

6623435729119185267495434064884374241620787410226872084033732000468691521806 14620776862072490894821862540230162076835195432858449448788883103770789978951


In [30]:
zeta

6023983689016758459914690608845200820280357037530714683709027749309696345454*z2 + 7099662976916286461216467599364661388991736078842655812810482861058753692407

# Key Generation

In [31]:
def SQIprime_KeyGen():
    P1, Q1, P2,Q2, alpha = compute_endo(E0, p , q*(2**q.nbits()-q) , e , Basis_2, action_matrices_2)
    P0_, Q0_ = 2**(e-q.nbits())*Basis_2[0],2**(e-q.nbits())*Basis_2[1]

    Ideal_0 = Quat_alg.ideal(O0_basis)
    alpha_endo = make_endo(Quat_alg, O0_basis, alpha)
    #I_tau=(Ideal_0*(alpha_endo) + q) + (Ideal_0)*(q)
    I_rho=Ideal_0*(conjugate(alpha_endo))+ (Ideal_0)*((2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q)))

    #assert I_tau.norm() == q
    #assert I_rho.norm() == (2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q))
    size1= q*(2**q.nbits() - q)
    size2 = 2**e-q*(2**q.nbits()-q)

    Res = eval_basis_unsmooth_SpecialDomain(E0, P1,Q1,P2,Q2, e, 
                                                [size1, size2,size2], 
                                                [(P0_,Q0_), Basis_q,Basis_2], [2**q.nbits(), q, 2**e],zeta, [True,False, False]
                                               )
    
    #Res = eval_basis_unsmooth_SpecialDomain(E0, P1,Q1,P2,Q2, e, [q*(2**q.nbits() - q), 2**e-q*(2**q.nbits()-q),2**e-q*(2**q.nbits()-q)], [(P0_,Q0_), Basis_q,Basis_2], [2**q.nbits(), q, 2**e],zeta, [True,False, False])
    rho1_BasisEA_q = Res[1]
    rho1_BasisEA_2 = Res[2]
    P2_, Q2_ = Res[0][0],Res[0][1]
    
    P1_ = (-q)*P0_
    Q1_ = (-q)*Q0_
    

    
    Pa, Qa = CouplePoint(P1_,P2_), CouplePoint(Q1_, Q2_)
    kernel = (Pa, Qa)
    Phi_A2 = EllipticProductIsogenySqrt(kernel, q.nbits(), None, zeta)
    
    E_A1 = Phi_A2.domain()[1]
    
    Mask_matrix = random_matrix(Fq,2,2) 
    
    tau_BasisEA_2 = eval_basis_unsmooth(E0, E_A1, Phi_A2, q, Basis_2, 2**e, True)
    E_A = tau_BasisEA_2[0].curve()

    
    assert rho1_BasisEA_q[0].curve() == E_A1

    rho_BasisEA_q = eval_basis_unsmooth(E0, E_A1, Phi_A2, 2**q.nbits()-q, rho1_BasisEA_q,q, False)
    rho_BasisEA_2 = eval_basis_unsmooth(E0, E_A1, Phi_A2, 2**q.nbits()-q, rho1_BasisEA_2,2**e, False)

    assert rho_BasisEA_q[0].curve() == E_A

    R,S = (Mask_matrix[0][0]*rho_BasisEA_q[0]+Mask_matrix[0][1]*rho_BasisEA_q[1]), (Mask_matrix[1][0]*rho_BasisEA_q[0]+Mask_matrix[1][1]*rho_BasisEA_q[1])
    
    public_key = (E_A,(R,S))

    secret_key = (I_rho, tau_BasisEA_2,rho_BasisEA_2, Mask_matrix)
    return public_key, secret_key

In [32]:
public_key, secret_key = SQIprime_KeyGen()

In [33]:
public_key, secret_key

((Elliptic Curve defined by y^2 = x^3 + (859368811792807935634853386021217061531493293746701782376639632438983468046*z^2+16240083479585854227083319701628386003305506783783079700010603252312245204062)*x^2 + x over Finite Field in z of size 17866357519039022340746304327512392032047517165206258904525681907470971174911^4,
  ((14049355717113885930694603594557144533006863301059906822893168120171283923407*z^2 + 13613005778098013631855675854451921364639615962579727740686287828546358720521 : 8180346814878648470547551269244546352085834683018719945223749067274497086781*z^3 + 10573386398846576524632174344722426888778638296246669626154433347582136039923*z : 1),
   (17447419678193691056165350530978502580811114092870756954670517006384730468419*z^2 + 14194226593618970315401877747539502461959199840394858097277180544456996808113 : 9301644604796669538780855213043524428647795751698002935375451363820542585868*z^3 + 9864215302214651156188220864137279307120311246679182690119018651433810174301*z : 1))),
 (
  

# Signature

## Commit

In [34]:
def SQIprime_Commit():    
    deg_1 = 1

    while not sympy.isprime(deg_1:=rand.randint(0,2**int(e/2))):
        pass
    P1, Q1, P2,Q2, alpha = compute_endo(E0, p , deg_1 , e , Basis_2 , action_matrices_2)

    Ideal_0 = Quat_alg.ideal(O0_basis)
    alpha_endo = make_endo(Quat_alg, O0_basis, alpha)
    I_psi=(Ideal_0*(alpha_endo)) + (Ideal_0)*(deg_1)
    
    Image_BasisE1_2 =  eval_basis_unsmooth_SpecialDomain(E0, P1 ,Q1 , P2, Q2,e, [deg_1], [Basis_2], [2**e],zeta, [True])[0]  
    E_1 = Image_BasisE1_2[0].curve()

    
    #BasisE1_2 = Basis_comput(E_1,Fp4, Fp2, zeta, False ,2, e)

    # Compute discrete log for the dual of phi_1. 
    #disc_log_=[]
    #disc_log_image.append(BiDLP_power_two(BasisE1_2[0],Image_BasisE1_2[0],Image_BasisE1_2[1], e, window))
    #disc_log_image.append(BiDLP_power_two(BasisE1_2[1],Image_BasisE1_2[0],Image_BasisE1_2[1], e, window))

    commit = E_1
    secret_commit = I_psi, Image_BasisE1_2, deg_1
    return commit, secret_commit

In [35]:
commit, secret_commit = SQIprime_Commit()

In [36]:
secret_commit

(Fractional ideal (1/2 + 2425954220003115489303536411330504574*j + 3461996357910935671574797246550341327/2*k, 1/2*i + 2394458311658805432154659561472002139/2*j + 2425954220003115489303536411330504574*k, 2928227334784870551864728404011171733*j, 2928227334784870551864728404011171733*k),
 ((5769948661868193270757640535051512065457490753666965398872778109186155649256*z^2 + 381510637640920582866265590468611757976679119243665905630353898972477913119 : 11946310089202276532970978435972521685393601679559637713934777725793764362304*z^2 + 15608422266003881041180967884132884488600280933722290145579486437436342690761 : 1),
  (7406385341526153926532050991794948358618673700150831328398908377492851476230*z^2 + 8176981675494771877535963808670518904881467729791163845252545583858193839900 : 12898583834142101253138471623871116826808884820131113087032755613510740060686*z^2 + 6115020187732682450029910029049397989053250150995189407256081878747673361429 : 1)),
 2928227334784870551864728404011171733)

In [37]:
commit

Elliptic Curve defined by y^2 = x^3 + (5682612750618915792901960273746460788409625678251382438047103888180229451617*z^2+3829967814827306641907015030286098919805373880340938658037840962266952877730)*x^2 + x over Finite Field in z of size 17866357519039022340746304327512392032047517165206258904525681907470971174911^4

## Challenge

In [38]:
#Challenge
chall = rand.randint(0,q)  


## Response

In [39]:
def SQIprime_Response(secret_key, public_key, secret_commit, commit, chall):
    #Loading
    E_A,(R,S) = public_key 
    I_rho, tau_BasisEA_2,rho_BasisEA_2, Mask_matrix = secret_key
    E_1 = commit
    I_psi, Image_BasisE1_2, deg_1 = secret_commit
    ker_chall = R + chall*S 

    deg_rho = (2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q))
    
    #Compute the challenge ideal
    matrixbc = Mask_matrix.transpose() * Matrix([[Fq(1)],[Fq(chall)]])
    C = Quat_alg(matrixbc[0][0])+Quat_alg(matrixbc[1][0])*iota_end

    I_rhoI_varphi = (Ideal_P*(C**(-1))).intersection(I_rho)



    # Compute the answer ideal
    
    J = I_psi.conjugate()*I_rhoI_varphi


    norm_J = q*deg_1*(2**q.nbits()-q)*(2**e-q*(2**q.nbits()-q))
    
    #assert norm_J == J.norm()
    beta = J.minimal_element()
    d = beta.reduced_norm()/norm_J
    assert d*q < 2**e
    e2 = arity(d)
    EVEN = e2 == 0

    #Minkowski_reduced_basis = J.reduced_basis()
    #EVEN = True
    #e2=0
    
    #for beta in Minkowski_reduced_basis:
    #    d = beta.reduced_norm()/norm_J
    #    if d % 2 == 1 and d*q < 2**e:
    #        EVEN = False
    #        break
    #if EVEN:
    #    d = Minkowski_reduced_basis[0].reduced_norm()//norm_J
    #    beta = Minkowski_reduced_basis[0]
    #    e2 = arity(d)    
        
    I_sigma = chi(beta, J)

    
    I_psiI_sigma = I_psi*I_sigma 

    # Compute images of kappa using EvalTorsion.
    
    #Compute corresponding endomorphism
    #gamma2 = (I_rhoI_varphi.conjugate()*I_psiI_sigma).minimal_element()
    gamma = (I_psiI_sigma.conjugate()*I_rhoI_varphi).minimal_element()
    #print(gamma == gamma2.conjugate())

    
    
    gamma_list = component_endo(gamma)
    gamma_list = endo_reduction(gamma_list, 2**e)

    #Compute different points

    
    #vP = End.action_by_matrices(gamma_list, [(disc_log_image[0][0]), (disc_log_image[0][1])], action_matrices_2)
    #vQ = End.action_by_matrices(gamma_list, [(disc_log_image[1][0]), (disc_log_image[1][1])], action_matrices_2)

    vP = End.action_by_matrices(gamma_list, [1,0], action_matrices_2)
    vQ = End.action_by_matrices(gamma_list, [0,1], action_matrices_2)

    
    #vP = ((deg_rho*vP[0])%2**e, (deg_rho*vP[1])%2**e)
    #vQ = ((deg_rho*vQ[0])%2**e, (deg_rho*vQ[1])%2**e)

    X3 = vP[0]*Image_BasisE1_2[0] + vP[1]*Image_BasisE1_2[1]
    Y3 = vQ[0]*Image_BasisE1_2[0] + vQ[1]*Image_BasisE1_2[1]
    
    Z2e = Integers(2**e)
    lambda_ = Z2e(deg_1)**(-1)
    
    X4, Y4 =  lambda_*X3, lambda_*Y3

    #assert X4.weil_pairing(Y4, 2**e) == rho_BasisEA_2[0].weil_pairing(rho_BasisEA_2[1], 2**e)**(q*d)


        
    e_auxiliary = e - e2
    d_auxiliary = d>>e2

    
    
    #assert(X4.weil_pairing(Y4, 2**e) == (rho_BasisEA_2[0].weil_pairing(rho_BasisEA_2[1], 2**e))**(d*q))

    # Construct auxiliary endomorphism.
    sigma = quat.FullRepresentInteger(d_auxiliary*(2**e_auxiliary-(q*d_auxiliary)),p)
    vP = End.action_by_matrices(sigma, [1, 0], action_matrices_2)
    vP = ((vP[0])%2**e_auxiliary, (vP[1])%2**e_auxiliary)    
    
    vQ = End.action_by_matrices(sigma, [0, 1], action_matrices_2)
    vQ = ((vQ[0])%2**e_auxiliary, (vQ[1])%2**e_auxiliary)

    sigmaP = (2**e2*vP[0])*Basis_2[0] + (2**(e2)*vP[1])*Basis_2[1]
    sigmaQ = (2**e2*vQ[0])*Basis_2[0] + (2**e2*vQ[1])*Basis_2[1]

    
    #P2, Q2 = 2**e2*d_auxiliary*(2**e_auxiliary-(q*d_auxiliary))*tau_BasisEA_2[0], 2**e2*d_auxiliary*(2**e_auxiliary-(q*d_auxiliary))*tau_BasisEA_2[1]
    P2, Q2 = -(q*(d_auxiliary**2)*2**e2)*tau_BasisEA_2[0], -(q*(d_auxiliary**2)*2**e2)*tau_BasisEA_2[1]

    P1 = (d_auxiliary*q)*sigmaP
    Q1 = (d_auxiliary*q)*sigmaQ

    assert P2.curve() == E_A


    #assert(P2.weil_pairing(Q2, 2**e_auxiliary)==  sigmaP.weil_pairing(sigmaQ, 2**e_auxiliary) **(-((q*d_auxiliary)**2)))
    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    Phi_delta = EllipticProductIsogenySqrt(kernel, e_auxiliary, None, zeta)

    
     #Evaluate points
    Image_BasisE_delta_2 = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e_auxiliary-q*d_auxiliary,rho_BasisEA_2 , 2**e, False)
    #V, W = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e-q*d, (ker_chall,ker_dual_chall), q, False)
    V = Phi_delta(CouplePoint(E0(0), ker_chall))
    E_delta = Image_BasisE_delta_2[0].curve()

    

    BasisE_delta_2 = Basis_comput(E_delta, Fp4, Fp2, zeta, False ,2, e)
    #print(2**(e-1)*BasisE_delta_2[0],2**(e-1)*BasisE_delta_2[1])


     #Compute discrete log for the dual of phi_1. 
    disc_log_image=[]
    disc_log_image.append(BiDLP_power_two(BasisE_delta_2[0],Image_BasisE_delta_2[0],Image_BasisE_delta_2[1], e, window))
    disc_log_image.append(BiDLP_power_two(BasisE_delta_2[1],Image_BasisE_delta_2[0],Image_BasisE_delta_2[1], e, window))


    #T = (disc_log_image[0][0]*X4 +  disc_log_image[0][1]*Y4)*(2**e_auxiliary- q*d_auxiliary)
    #U = (disc_log_image[1][0]*X4 +  disc_log_image[1][1]*Y4)*(2**e_auxiliary- q*d_auxiliary)
    
    T = -(disc_log_image[0][0]*X4 +  disc_log_image[0][1]*Y4)
    U = -(disc_log_image[1][0]*X4 +  disc_log_image[1][1]*Y4)

    
    #assert T.weil_pairing(U, 2**e) == BasisE_delta_2[0].weil_pairing(BasisE_delta_2[1],2**e)**(q*d*(2**e_auxiliary-q*d_auxiliary))

    
    if V[0].curve() == E_delta:
        V = V[0]
    elif V[1].curve() == E_delta:
        V = V[1]
    else:
        print("Problem with the auxiliary isogeny")

    assert V.curve() == E_delta
    
    #assert T.weil_pairing(U, 2**e_auxiliary) == X4.weil_pairing(Y4,2**e_auxiliary)**(-q*d_auxiliary)


    
    #Z2e = Integers(2**e_auxiliary)
    #inver = int(Z2e(q*d_auxiliary)**(-1))
    #T,U = inver*T, inver*U
    

    assert T.curve() == E_1
    signature = E_1, E_delta, BasisE_delta_2, T,U,V, e2
    return signature



In [40]:
signature = [0]
while signature[-1] == 0:
    chall = randint(0,q)
    signature = SQIprime_Response(secret_key, public_key, secret_commit, commit, chall)


In [41]:
chall = randint(0,q)
signature = SQIprime_Response(secret_key, public_key, secret_commit, commit, chall)

In [42]:
def SQIprime_sign(secret_key, public_key, Message):
    
    commit, secret_commit = SQIprime_Commit()
    

## Verification

In [43]:
#Verification
def SQIprime_verify(public_key, chall, signature):
    #Load 
    E_A,(R,S) = public_key
    E_1, E_delta, BasisE_delta_2, T,U,V, e2 = signature
    ker_chall = R + chall*S 
    pos = 0
    
    e_auxiliary = e - e2
    E_1auxiliary = E_1
    
    #Check points validity
    if not (V.curve() ==E_delta or (U.curve() == T.curve() == E_1)):
        return False

    #Even Case
    if e2 !=0:
        
        T_aux = 2**e_auxiliary*T
        U_aux = 2**e_auxiliary*U

        if two_order(E_1, T_aux, e2) >= e2:
            kernel_sigma2 = T_aux
        else:
            kernel_sigma2 = U_aux

        sigma2 = E_1.isogeny(kernel_sigma2)
        E_1auxiliary = sigma2.codomain()
        T_inter, U_inter = sigma2(T), sigma2(U)

        Pa, Qa = CouplePoint((2**e2)*BasisE_delta_2[0],T_inter), CouplePoint((2**e2)*BasisE_delta_2[1], U_inter)
  
    else:
        #Odd case
        Pa, Qa = CouplePoint(BasisE_delta_2[0],T), CouplePoint(BasisE_delta_2[1], U)
    
    kernel = (Pa, Qa)
    Phi_verif = EllipticProductIsogenySqrt(kernel, e_auxiliary, None, zeta)

    #Check codomain
    if Phi_verif.codomain()[0].j_invariant() == E_A.j_invariant():
        pos = 0
    elif Phi_verif.codomain()[1].j_invariant() == E_A.j_invariant():
        pos = 1
    else:
        return False

    
    #Compute point
    Inter_point = Phi_verif(CouplePoint(V,E_1auxiliary(0)))
    bool1 = (Phi_verif.codomain()[pos]).isomorphism_to(E_A)(Inter_point[pos]).x() == ((2**e_auxiliary) * (ker_chall)).x()
    bool2 = Inter_point[1-pos] == Phi_verif.codomain()[1-pos](0)

    #Counter attacks

    W = sample_ran_element(E_delta, Fp4, Fp2, zeta, True)
    W = ((p-1)//q)*W
    #W = point_ord_4(E_delta, q,1)
    Inter_point2 = Phi_verif(CouplePoint(W,E_1auxiliary(0)))
    bool3 = (Inter_point2[1-pos] != Phi_verif.codomain()[1-pos](0))
    return bool1 and bool2 and bool3

In [44]:
speed_up_sagemath()

t0 = time.perf_counter_ns()
for i in range(10):
    print(SQIprime_verify(public_key, chall, signature))
t1 = time.perf_counter_ns()

print("SQIPrime Verify algorithm took on average",float(t1-t0)/10**6/10, "ms." )


True
True
True
True
True
True
True
True
True
True
SQIPrime Verify algorithm took on average 215.1899166 ms.


In [45]:
E1 = signature[0]
P,Q = signature[2]

In [46]:
P,Q

((16704847337553689248324652724650893217375807860009646449355799834905845090983*z^2 + 16637983296940972805831058998657720118879289768334401240459148607692586411380 : 6106854017040273793141645026740347977663914792924447878434131010705370954233*z^2 + 15284347162643862177449442787478397388016189413883536072767705662096965612772 : 1),
 (11250401035287430933636041868858799680727757623739762515214029843749177208565*z^2 + 14475213007215545414116307960636477453737171437172570621438073131612868144569 : 756844354935990763104207212753589459985245953016115716792241594743223143361*z^2 + 233297886944050489976227337087448708786738553089559180476547005081416272859 : 1))

In [47]:
aa= compression.compress_curve(E1,32)
compression.decompress_curve(Fp4, aa, 32)

Elliptic Curve defined by y^2 = x^3 + (5682612750618915792901960273746460788409625678251382438047103888180229451617*z^2+3829967814827306641907015030286098919805373880340938658037840962266952877730)*x^2 + x over Finite Field in z of size 17866357519039022340746304327512392032047517165206258904525681907470971174911^4

In [48]:
bb= compression.compress_points(E1,zeta,[P,Q],32)

In [49]:
compression.decompress_points(E1,Fp4,zeta,bb,32)

[(16704847337553689248324652724650893217375807860009646449355799834905845090983*z^2 + 16637983296940972805831058998657720118879289768334401240459148607692586411380 : 15298801153988591101098525102345156113341059018580089516531911091946540677267*z^2 + 12911050114873344983140735947526649892296017310970947847886739315459105845939 : 1),
 (11250401035287430933636041868858799680727757623739762515214029843749177208565*z^2 + 14475213007215545414116307960636477453737171437172570621438073131612868144569 : 3862242320040174129235939193009232329248959375382426105816381082138300237357*z^2 + 13791404360002553238633432928463646029112013116786986884330555427147350016170 : 1)]

In [50]:
m = integer_to_bytes(123)
shake = SHAKE256.new(m)
shake.read(16)


b"\x93\x80\xd1<\xf5\\=\xae\xb5'r\x9ex\x08\xda\xdd"

In [51]:
t0 = time.perf_counter_ns()
for i in range(t):
    m = integer_to_bytes(123)
    shake = SHAKE256.new(m)
    shake.read(16)
t1 = time.perf_counter_ns()

print("SQIPrime Key Generation took on average ",float(t1-t0)/10**6/t, "ms." )


NameError: name 't' is not defined

In [61]:
sqiprime117 = SQIPrime(p117, q117, e117, window117, pp117)

# Tiny speed test

In [62]:
t = 100


In [63]:
#SQIprime_KeyGen time 
speed_up_sagemath()
t0 = time.perf_counter_ns()
for i in range(t):
    public_key_test, secret_key_test = sqiprime117.KeyGen()
t1 = time.perf_counter_ns()

print("SQIPrime Key Generation took on average ",float(t1-t0)/10**6/t, "ms." )


SQIPrime Key Generation took on average  485.06564707999996 ms.


In [64]:
speed_up_sagemath()
t0 = time.perf_counter_ns()
for i in range(t):
    secret_commit_test, commit_test = sqiprime117.Commit()
t1 = time.perf_counter_ns()

print("SQIPrime Key Commitment took on average ",float(t1-t0)/10**6/t, "ms." )


SQIPrime Key Commitment took on average  279.42495542 ms.


In [65]:
#SQIprime_Response() time 
speed_up_sagemath()

t0 = time.perf_counter_ns()
for i in range(t):
    chall_test= rand.randint(0,q)
    signature_test = sqiprime117.Response(secret_key_test, public_key_test, secret_commit_test, commit_test, chall_test)
print(signature_test[-1])
t1 = time.perf_counter_ns()

print("SQIPrime Response algorithm took on average ",float(t1-t0)/10**6/t, "ms." )

2
SQIPrime Response algorithm took on average  390.77424209 ms.


In [66]:
#SQIprime_Verify() time 
speed_up_sagemath()
t0 = time.perf_counter_ns()
for i in range(t):
    valid = sqiprime117.Verify(public_key_test, chall_test, signature_test)
    if not valid:
        print("Problem in verifying the scheme")
t1 = time.perf_counter_ns()

print("SQIPrime Verify algorithm took on average",float(t1-t0)/10**6/t, "ms." )
valid

SQIPrime Verify algorithm took on average 200.68763125 ms.


True

In [49]:
Rs =compress_basis(E0,[Basis_2[0],Basis_2[1],Basis_q[0],Basis_q[1]], 32)
Rs

NameError: name 'compress_basis' is not defined

In [50]:
def integer_to_bytes(n, byte_len=None):
    """
    Represent an integer n as bytes in big-endian
    """
    n = int(n)
    if byte_len is None:
        byte_len = (n.bit_length() + 7) // 8
    return n.to_bytes(byte_len, 'big')

def bytes_to_integer(b):
    """
    Represent bytes as an integer in big-endian
    """
    return ZZ(int.from_bytes(b, 'big'))

def compress_curve(E,p_byte_len ):
    A = E.a_invariants()[1]
    return integer_to_bytes(A[0], p_byte_len)+ integer_to_bytes(A[2], p_byte_len)

def decompress_curve(Fp4,R,p_byte_len):
    a_bytes = R[:p_byte_len]
    b_bytes = R[p_byte_len:]
    a_int = bytes_to_integer(a_bytes)
    b_int = bytes_to_integer(b_bytes)
    A = Fp4([a_int,0, b_int,0])
    return EllipticCurve(Fp4, [0, A, 0, 1, 0])


def compress_points(E, Ps, p_byte_len):
    A = E.a_invariants()[1]
    Rs=[]
    for P in Ps:
        w = P.x()
        bool = sqrt_Fp4(w**3+A*w**2+w, zeta) == P.y()        
        Rs.append((integer_to_bytes(w[0], p_byte_len)+ integer_to_bytes(w[2], p_byte_len), bool))
    return R.tuple()

def decompress_points(E, Fp4,Rs,p_byte_len):
    A = E.a_invariants()[1]
    Ps=[]
    for R in Rs:
        a_bytes = R[0][:p_byte_len]
        b_bytes = R[0][p_byte_len:]
        a_int = bytes_to_integer(a_bytes)
        b_int = bytes_to_integer(b_bytes)
        X = Fp4([a_int,0, b_int,0])
        Y= sqrt_Fp4(X**3+A*X**2+X, zeta)
        if not R[1]:
            Y = -Y
        Ps.append(E([X,Y]))
    return Ps 

In [51]:
Hash(16, integer_to_bytes(13))

b'f\xf3\xe3e\x8c\xd1\x8b\xe3\xd3\xd1\xdd\x895\xd5\xc7\xce'

In [52]:
t0 = time.perf_counter_ns()
for i in range(t):
    decompress_points(E0, Fp4,Rs,32)
t1 = time.perf_counter_ns()

print("SQIPrime Response algorithm took on average ",float(t1-t0)/10**6/t, "ms." )



NameError: name 'Rs' is not defined

## Precomputed setup

In [57]:
#pp117
p117 = 2**247 * 79 - 1
q117 = 168118140144706967996895604212334429
e117 = 247
window117 = [14]

t117=  1371914230417757366428392920863370364541612682108850587953449886929153531474
n117 = 10767692651943649319589436523002381625291898856497311446758414905083295076826

#Basis_E0_2
Point0 = [[11914771203870397572555265354151879208392109774443874530678186862526155601449,15318549611333786211143161343850308825997911094218171396895497268307466429140],[3608952323386837722498149193402655164370851614407642562521492705327034229269,4291592298971114016380288532491641706596429215978722754368907010530512129169]]
Point1 = [[9560622470033290547945459361858419932463346624790195203403553567121546634060,14854412416200276665548736097120849281343798401456182653425276893586706129833],[11853489859791651961198190232663337851409103396715842182978452929588334571431,5980448306270463575574187986161065936775733043204573015671456787630804457864]]

#Action_torsion2
action_2 = [
[(167891739519548982725428721111284100559112614269625404601166471140827195043, 172684642372986329571158037598140197748874263647889896749798417675396641331),  (14854389063369790965435500355391895421646244308852896697574738760720007410,  58264684772084211461233358983809469466805324530453822038399122624628136285)],
    [(83928917767786144984807220384361811140365419488837366047926280437509338596,  183150072292303833082406280797489622433454469089745773581387409400210765232), (191080188737101491486555087002074236773473512768440579032598096703180440221,  142227506523847049201854859710731758885552519311241860591639313327945992732)], 
    [(23494026642071768993645042868673601898649594213160357511498326455012562804,  125770308810849678929112667684824431994619093103886088741076418815768758948), (30917920061918270930726178814992533264594311407918279807780931003730311569, 202662397649561425193017037226419968127268344586918869128067267310442768525)]]

#Basis_E0_q
Point2 = [[7875284546222851635034633177564927624502084444991238411292604718337755348848,2646945819027089927366536082271355321769408502471268448490621351707509124471],[310144864298216408700644169053501948174892519134348421713355535379569540526,5160012028176448219956791155388053181406043963215951445842770253965819204246]]
Point3 = [[17809620210421405756385521950001261507809910849369583160915043758581624556578,7286148136277869000197174688475229389121721992848286100569909420666271607193],[8028238343556656246273612929450444358237242758909415528760419772545692408308,11790496902205414285834194692386444422621588826158845600052038018870461886652]]

#Ideal_P
Ideal = [(1/2 ,0, 134588137729279977940316288959545771, 97976921001638429982032817794701359/2), (0,1/2 , 238259359287775506011758390629967499/2, 134588137729279977940316288959545771), (0,0,168118140144706967996895604212334429,0),(0,0,0,168118140144706967996895604212334429)]

#Endomorphism
iota_basis = [123990604717324746307375563406954350088266,-1752162310992879163778168201332598893413326, 84100, 39548]

pp117=[]
pp117.append((t117,n117))
pp117.append((Point0,Point1))
pp117.append(action_2)
pp117.append((Point2,Point3))
pp117.append(Ideal)
pp117.append(iota_basis)


sqiprime117 = SQIPrime_Sigma(p117, q117, e117, window117, pp117)

In [60]:
for i in range(10):
    pk, sk = sqiprime117.KeyGen()
    sec, com = sqiprime117.Commit()
    chall = rand.randint(0,q117)
    sign = sqiprime117.Response(sk, pk, sec, com, chall)
    print(sqiprime117.Verify(pk, chall, sign))

True
True
True
True
True
True
True
True
True
True


In [100]:
#pp130
p130 = 2**273 * 19**2 - 1
q130= 1733124013302036320718171822563477047667
e130 = 273
window130 = [15]

t130=  2452632244215042236587883946340535900819817719306044826870828674667325358101294920360
n130 = 1466422228515388428908794422275031248599320990200925784434723046827791394899855676341


#Basis_E0_2
Point0 = [[802152706306822036512498493434265277729136169622940091922069964806932891999220145465,4141571747014391967399392552621026990096785372238311134054304525730030157120290498389],[160919961096821923258275839074589638874247540427673660851082438404401309413144475591,2814833417098866078608045110773612628453314584393440188811507004801627400401175980841]]
Point1 = [[3445262485486090416635557876197969216001380723018473825051551388354494818148155540065,1254781742894293759806774165208815066138774443188846048389292655192056355454958747595],[3698848314430207862120569604215439125728581496530913974787894032025190971532031088694,2486295705475538445347642585600134508195288001122570350432897918136182776376279066234]]


#Action_torsion2
action_2 = [
[(6345546499363383989866979296587784150161985876274168974347386061873347757755942974, 11759067393472414561371417842241846175802333894391629120575709441610780578478462523),  (5956951030222615074950047488723873823719153400233012479590872335584509118285349953,  8831554221150124376691316850470957307981817553820671035432398389211841970409748418)],
    [(4544993222018183966914259898503087271092830121867952073355525841347178059956350098,  15017670907177058841429134906100092587723474205551868940267264622279250458223051787), (8643193266014004860677120270231382403672877679112454145091836235571430296298262452,  10632107498495324399644036248555654187050973308226887936424258609738011668209341294)], 
    [(10990890860882218874702507578044445983395778488539897613061059076785956515676189145,  3357458945646960854429308991353564098617169406570033295793684104149113877228421380), (838228309056684062716688684364845218553646491211526329756198409673569832938957690, 4186209859631289491855788569014295474748024941554942396718725374299233212489502248)]]


#Basis_E0_q
Point2 = [[5092837171656275598195162307948633901112407150266955280917770443586800797563693263017,2203400066677010344057425997509323279580293517029639175293723249290931314642053632093],[3261845425850137852703262466766329926312314733314495395667714683540774691021422721689,3329219230165726745693462074219591037397452027388183623795655270705767481828932347963]]
Point3 = [[3484336597275161053270404255483124559637485502175099461867617734033391878550107958254,2156282431041995234807058305641714697986531024567538162380762167681392660834533456974],[4906201536034154568209666678165297706019121517090264956812761278775761895094955786276,4121818620214872289771234441495181321836295747090193858583848941989082725313463787089]]



#Ideal_P
Ideal = [(1/2 ,0, 1270110998062854321922106407256694151154, 1021326697982651975375944303619775216499/2), (0,1/2 , 2444921328621420666060399341507178878835/2, 1270110998062854321922106407256694151154), (0,0,1733124013302036320718171822563477047667,0),(0,0,0,1733124013302036320718171822563477047667)]


#Endomorphism
iota_basis = [-15737842864611160730910969411859942105794517334,-48552838654278724036186135725847980940716017681, 102894, 42461]


pp130=[]
pp130.append((t130,n130))
pp130.append((Point0,Point1))
pp130.append(action_2)
pp130.append((Point2,Point3))
pp130.append(Ideal)
pp130.append(iota_basis)



sqiprime130 = SQIPrime_Sigma(p130, q130, e130, window130, pp130)

In [101]:
for i in range(10):
    pk, sk = sqiprime130.KeyGen()
    com, sec = sqiprime130.Commit()
    chall = rand.randint(0,q130)
    sign = sqiprime130.Response(sk, pk, sec, com, chall)
    print(sqiprime130.Verify(pk, chall, sign))

True
True
True
True
True
True
True
True
True
True


In [102]:
#p186

p186 = 2**397 * 3**2 * 7**2 * 11**2 -1
q186 = 139608035310883914672048824597166248641399835557000865381
e186 = 397
window186 = [17]

t186=  2744129672068600833150548486852094618674761105783364207348105633690519129814523702143292827942270614125642391886528205064712
n186 = 16123821995401168995027757975359372930579609244068829574357770106285877712826076501574496175750809376751279413008073126996305



#Basis_E0_2
Point0 = [[12374456778935531011632826138365041751805961928686577683910741026009432084872724340975984339009347018516837344515662193726972,10131607246038867814230465582983224200218482134110546815276178148735943434071891122747269930429254077602380298141419944915062],
          [9157253117553815428914747787760701483062377882265273329576091137417503249165449577067856076812697892398227966818124781218056,9142703822960682291689886043748770569918299962248198551015952921563421403912373632643458819979668609089064567653423472109878]
         ]
Point1 = [[3489630129332496383864177027964766404791350188822479721556517621017090511522644765100838322100532846323751588748654525839457,13651499103953814021154629969183821071165793674154308190778954700558842213711783086519676659421418567611757175537580316594522],
          [4831772612198250594567504092057927754029265144336049529619122971731078855374370584763669811114617844143340567894087690337747,7896291086475571069354444029412583528827821078029550148270736869680524026748324350085730758267976078350227155827406223638082]
         ]


#Action_torsion2
action_2 = [
[(221925552353006929861667165251862025144698480142449305051394347996836351731447476070546985900405067252098818758396317837, 124968776902560274135035441737455335604252639184226096956743246458181331555203230454203678189710185563129057693488743142),  
     (125297543066899278291618439643836410561223088964896573014140786581052501333895027116876182867461883207587045254269815657,  100855682407856643845322731248514459146514743961203634052438071570744601020657673258158683259612161677389077738197118835)],
    [(179150928959218402697994893921203754165135614105307615583292089343041703007500467330119827631729093817684692957949557287,  73004966415862423318789508138005681943335868472344526663476410544343819208443249153114497366782802042418707916708189619),
     (318116913173136131062996273363132669360130018558639058317788839247811217802380022772212108344781753671073139086144270389,  143630305801645171008995002579172730126077609998345323520540330224539249744604681998585841528288135111803203538643879385)], 
    [(164022144283397575804316401343134323337525180385121455997016624297433600470841468416794485058249947176198186314457149722,  223823406554778523197459567024356403989302303558645724029863959469754870397549376900655024270851898416077930670196790925),
     (298901659936378960654283599725405610603692169046628285249220937294271747143911030945023186465645316829272836140934654414, 158759090477465997902673495157242160953688043718531483106815795270147352281263680911911184101767281753289710182136286951)]
]


#Basis_E0_q
Point2 = [[12626799199846563667776043949549694459706988971799699444748079754195441736773342731797989718077641731366930365771002269114851,349953787233997958571505037289913557292469677393697142730793281255704322115735536312286412108535055475364060611902226943974],
          [3792390310537822306419727855998334540493543118623466581910562737771204056256513182600342621720825919214457805495442922050032,2349561182545344434209559057398706633101704274324098564512046396886318394930324595354822259413026793911993325552776680995873]
         ]
Point3 = [[4181523486436905133780824125519525980977065858367179189129686212181906694462592686739969856217245013201739725547722714631257,15652075884676866079350002691714119474718145429807329628393033489746668251114313270487135481535123427055376972532350843408715],
          [7623050598684746773152734558246343797909160555801404632389753023959788613431740271179874256751057804397873481164930405112697,3909461355485915366147272498763126674206369080864473373490781761221591732125762555587343723419351190882920898973955875861634]
         ]

#Ideal_P
Ideal = [(1/2 ,0, 111799832340486495188652959361954072660736754479629009215, 167676443915047513738544729125503367173629875830414775937/2), (0,1/2 , 111539626706720315605552920068829130109169795283586954825/2, 111799832340486495188652959361954072660736754479629009215), (0,0,139608035310883914672048824597166248641399835557000865381,0),(0,0,0,139608035310883914672048824597166248641399835557000865381)]


#Endomorphism
iota_basis = [5137738814354726358519137967052469370166658802774112542819620169408,-1404325963927972810848704903964066574422822437158539892681486788050, 45735, 16432]



pp186=[]
pp186.append((t186,n186))
pp186.append((Point0,Point1))
pp186.append(action_2)
pp186.append((Point2,Point3))
pp186.append(Ideal)
pp186.append(iota_basis)



sqiprime186 = SQIPrime_Sigma(p186, q186, e186, window186, pp186)



In [103]:
for i in range(10):
    pk, sk = sqiprime186.KeyGen()
    com, sec = sqiprime186.Commit()
    chall = rand.randint(0,q186)
    sign = sqiprime186.Response(sk, pk, sec, com, chall)
    print(sqiprime186.Verify(pk, chall, sign))

True
True
True
True
True
True
True
True
True
True


In [104]:
#p240

p240 = 2**499 * 3**2 * 7**2 -1 
q240 = 2464280664223269984651655821505754297856674907148353228398431687157640139
e240 = 499
window240 = [24]

t240=  693045578339544409110074003857008189720262219616499531844335537477418358427772651851153706554322855073017460523828748286806756991158728971392407295828081
n240 = 695161388861380828564646472914593619400953431720886999671267196566212600028596555716999418781881700605690401546451051996140616236229809473121678253708726



#Basis_E0_2
Point0 = [[108593063177871754454764607153771817572350568981166223349906037110916217514875586594552694287834706190197247136977232409326081843014100109860802483061800,318110838794343255561528645418321648204976385023328619651702070604735045217179276340547096911545650128316185640275416668444903278430979258887146970001885],
          [548036899958241949100165784708137716279983198213551116073050423393270760386479721072996215331986058855110818547280687652176291936749159296767271515978662,90109889716597863839501144148123711186682113416584179763900253368792504341444513891811874198153722626456384209180877213770963743174198552216842479826801]
         ]

Point1 = [[587833157677285445947531411789884181282163285818480613150980627148598557676973186737463109232668489969609066029344786286760344605419191577735496325972672,59315284737431754563311937556595031724420874591745153175389763031135175061076129140490695535054993414228702804260787659962548689578569108324714927605504],
          [261548432820264206569455293762983232549378355165243292490300172354760912190655721291747018726778993009601927783236563123738080397280283732928780848130444,98961817381834456804107581235753897219035211318979127848888031262703798410181100450060301487386057721427584184112529999822164458853595458993648493623265]
         ]


#Action_torsion2
action_2 = [
[(1185438652679329363798905643071588529308118610891355761474882381664722684600584585024980648768149737323826483991890811904844671268294006912788547411835, 1515365512149626155001653239920114377557637482480484738663042546977728990432591089393412039304685355995199918459818024778123387601815634183133068902453),  
     (1006938291574953565930916707758846245895431983726128684914416913594793759271133839042593422099302934869019655886401431223680030436170878808124683360270,  451256651268741571207689205342211046800202412130176633266763302383344213601752692416654397394802341251616858071889223599763957004648689613875716382853)],
    [(1494294252938158083985256638181854108323911062681735387622492963786763679121630916557907146082554556835780699800214767418230296909584176177183583149510,  1193272525556541262252973945519525015208683502962143256906438517664975592990774606797905810913626742763321843859933609402919152569803504570078782002308),
     (1198342991471254390865435663529056400983696271521859210271461485898581134624115707846297710952728532860824722652444795224779479434086771925367193466071,  142401051009912851021338210231945467784409960339797007119152720261303219080706360883727900080397521739662642263565268086378331363358520349480680645178)], 
    [(1614540060606358679049655728156131402368168356852126161068522191338964999587149846854703106203942582642354973959797510111115323050721893977196517243046,  1297295508923253839388184819341945195353503328742292569657571688217459385508644482920963438185064812332772874577863903944522128819542941883272309976430),
     (1114945406221895898046528530583634906308604514937157105221876413013256049917172906348881874178552935186889847938916871039534377714537475435496917304455, 22155243341712255956939120257668173740152666169406233673123492709101898615187430586931939959009495933088368103982525393493305222220802549467746551643)]
]


#Basis_E0_q
Point2 = [[371795474263631819880757041112411967378779282783200199630031784406042463509778665618652332986862927594816859687169205737359016453645256134477094066218994,439546761124321113448759345471543122212862568489000265080841177328621042567087862872785558894136976843343201749521163899857864917645690938414081735137288],
          [404246900092213605071672945317079655641088937217713629452647209930835727782527349766928371431994263095027596807626790010993042170506643458087132761309499,571698442772935794735176774569498820834188421710313287986277579115228566256735876413030174080655179356350500196984865187247691728524112064934297763268078]
         ]
Point3 = [[561457643600366077226171470133665718287798056280960105049159139347837115460542324972514198912348621274850363483951519608334123455170947116608155893259029,212059581749296361483954487555792015251522364312381247837332554603088157170016696109704852731423167406122897523217495305469223175738728478557482912044687],
          [461323228589262610015476987974415020864641745967324542004076070540099163539620739964784575449743091999983885077457075136329739333031476556536953786156792,99962042974332995331099644543309015150700947494536248197672096970114873752175023034315893953854902918436336376631914235885632178256996545411763202770094]
         ]

#Ideal_P
Ideal = [(1/2 ,0, 441165414043718980989607351008276078212256461350516168856057648618394950, 4075542332359996968878645500906438518040477656673130656716135122502354615/2), (0,1/2 , 853018996086543000424666142105070077672872157623575800080728251812925663/2, 441165414043718980989607351008276078212256461350516168856057648618394950), (0,0,2464280664223269984651655821505754297856674907148353228398431687157640139,0),(0,0,0,2464280664223269984651655821505754297856674907148353228398431687157640139)]


#Endomorphism
iota_basis = [-550385343674398044454077299908570666942499249273213761135728748903647941279709063,141926718208843806621959812621528332860397977982800225835362045587328179255313196, 98620, 42771]



pp240=[]
pp240.append((t240,n240))
pp240.append((Point0,Point1))
pp240.append(action_2)
pp240.append((Point2,Point3))
pp240.append(Ideal)
pp240.append(iota_basis)



sqiprime240 = SQIPrime_Sigma(p240, q240, e240, window240, pp240)



In [105]:
for i in range(10):
    pk, sk = sqiprime240.KeyGen()
    com, sec = sqiprime240.Commit()
    chall = rand.randint(0,q240)
    sign = sqiprime240.Response(sk, pk, sec, com, chall)
    print(sqiprime240.Verify(pk, chall, sign))

True
True
True
True
True
True
True
True
True
True
