In [97]:
from sage.all import (
    EllipticCurve,
    randint,
    ZZ,
    discrete_log,
    GF,
    matrix,
    block_matrix,
    set_random_seed
)
from sage.modules.free_module_integer import IntegerLattice

import quaternion as quat
import endomorphism as End
import elliptic_curve as elc
import parameter_generate as param
import d2isogeny
import supersingular
import compression
import richelot_isogenies as richelot
import utilities_festa as utilities
import random as rand
from utilities.strategy import optimised_strategy


In [12]:
#SQIPrime Stuff to compute

In [29]:
#Compute GF(p^4), its restriction GF(p^2) such that GF(p^2)=F_p[x]/(x^2+1) with root i. 
def calcFields(p):
    assert p % 4 == 3
    R = PolynomialRing(GF(p), name="x")
    x = R.gens()[0]
    Fp2 = GF(p**2, modulus=x**2+1, name="i")
    z = Fp2.random_element()
    while z.is_square():
        z = Fp2.random_element()
    t = ZZ(z + z**p)
    n = ZZ(z**(p+1))
    R = PolynomialRing(ZZ, name="x")
    x = R.gens()[0]
    Fp4 = GF(p**4, modulus=x**4 - t*x**2 + n, name="z")
    Fp2 = Fp4.subfield(2)
    i = Fp2(-1).sqrt()
    return Fp4, Fp2, i

#Compute a random point in E(Fp^4)[l^e].
def point_ord_4(E, l, e):
    assert is_prime(l)
    p = E.base_ring().characteristic()
    assert (p^2 - 1) % l**e == 0
    P = (p^2 - 1)//(l**e)*E.random_point()
    while (l**(e-1)*P).is_zero():
        P = (p^2 - 1)//(l**e)*E.random_point()
    assert (l**e*P).is_zero()
    if P[1][0] >= (p^2 - 1)//2 or (P[1][0] == 0 and P[1][1] >= (p^2 - 1)//2):   # even if the seed of random_point is fixed, the sign of point is random.
        P = -P
    return P
    
def basis_4(E, l, e):
    P = point_ord_4(E, l, e)
    Q = point_ord_4(E, l, e)
    while (l**(e-1)*P).weil_pairing(l**(e-1)*Q, l) == 1:
        Q = point_ord_4(E, l, e)
    return P, Q



In [30]:
def image_matrices(basis, N, zeta2, F2):
    one = [1,0,0,0]
    Ms = []
    for alpha in [one[-i:]+one[:-i] for i in range(1, 4)]:
        Ms.append(image_matrix(alpha, basis, N, zeta2, F2))
    return Ms
    
def image_matrix(alpha, basis, N, zeta2, F2):
    P, Q = basis
    aP, aQ = [End.action(alpha, R, zeta2, F2) for R in [P, Q]]
    return (aP,aQ)

def action_image(alpha, images_list, basis):
    retP, retQ = alpha[0]*basis[0], alpha[0]*basis[1]
    for i in range(1,4):
        retP += alpha[i]* images_list[i-1][0]        
        retQ += alpha[i]* images_list[i-1][1]
    return (retP, retQ)



In [46]:
image_action_2 =  image_matrices(Basis_2, q, zeta, Fp4)
alpha=[0,0,0,2]
print(action_image(alpha, image_action_2, Basis_2)[0])
vP = End.action_by_matrices(alpha, [1, 0], action_matrices_2)
vP[0]*Basis_2[0] + vP[1]*Basis_2[1]


(4417796384799466535270653410996022843738211028631409493418472968760704010008484643314*z^2 + 5276011983880659506065805611948706365878823140207941827132466406210734709086921580063 : 4669241696968583596307076539261848755297664586548523538863719218345398261288319806708*z^2 + 3517365244553552965873890133882044847163405663203162395942292893994048411847501056683 : 1)


(4417796384799466535270653410996022843738211028631409493418472968760704010008484643314*z^2 + 5276011983880659506065805611948706365878823140207941827132466406210734709086921580063 : 4669241696968583596307076539261848755297664586548523538863719218345398261288319806708*z^2 + 3517365244553552965873890133882044847163405663203162395942292893994048411847501056683 : 1)

In [42]:
def FindPrecomputedBasis(E,basis, Qalgebra, Basis0, image_action, zeta, d):
    assert E == EllipticCurve(Fp4, [0, Fp4(0), 0, 1, 0])
    p = E.base_ring().characteristic()
    P,Q = basis[0],basis[1]
    Ideal_0 = Qalgebra.ideal(Basis0)
    assert d*P == E(0) and d*Q == E(0)
    c=1
    while gcd(c,d) != 1 or c * d < p:
        c = rand.randint(p>>64,p)
    c *=  d
    alpha = quat.FullRepresentInteger(c,p)
    a, b = rand.randint(1, d), rand.randint(1, d)
    R,S = E(0), E(0)
    while R == E(0):
        while( a % d == 0 or b % d == 0):
            a, b = rand.randint(1, d), rand.randint(1, d)
        vP = action_image(alpha,image_action, basis)
        R = a*vP[0] + b*vP[1]
    alpha_endo = Qalgebra(0)
    for j in range(4):
        alpha_endo += Basis0[j]*alpha[j]
    Ideal_P = Ideal_0*conjugate(alpha_endo)+ (Ideal_0*d)
    
    inter_image = image_matrices((R,S), d, zeta, Fp4)
    n = rand.randint(p<<10, p<<32)
    while gcd(n,d) != 1:
        n = rand.randint(16*p, 128*p)
    iota = quat.FullRepresentInteger(n,p)
    wP = action_image(iota, inter_image ,(R,S))
    S = wP[0] 
    while R.weil_pairing(S, d) == 1:
        while gcd(n,d)  != 1 or n*d<p:
            n = rand.randint(4*p, p*d)
        iota = quat.FullRepresentInteger(n,p)
        wP = action_image(iota, inter_image, vP)
        S  = wP[0] 

    return (R,S), iota, Ideal_P

In [43]:
(R,S), iota, Ideal_P = FindPrecomputedBasis(E0, Basis_q, Q, O0_basis,image_action_q, zeta, q)
image_RS = image_matrices((R,S), q, zeta, Fp4)
Im = action_image(iota, image_RS, (R,S))
assert Im[0]==S

In [None]:
#Ideal Computation
#To check tomorrow as we do not have the same values in each cases

In [45]:
Ideal_P.norm()

1733124013302036320718171822563477047667

In [51]:
Q = QuaternionAlgebra(-1, -p)
O0_basis = (Q((1,0,0,0)),Q((0,1,0,0)),Q((0,1/2,1/2,0)),Q((1/2,0,0,1/2)))

Ideal_0 = Q.ideal(O0_basis)
assert Ideal_0.right_order() == Ideal_0.left_order()
assert Ideal_0.is_integral()
Ideal_0.right_order()

Order of Quaternion Algebra (-1, -5478933360105376520327544909088205666389913038264237243530502186841753491867814592511) with base ring Rational Field with basis (1/2 + 1/2*k, 1/2*i + 1/2*j, j, k)

In [59]:
alpha_endo = Q(0)
for i in range(4):
    alpha_endo += O0_basis[i]*alpha[i]
alpha_endo

-11776973863690823715571178087351796816015213074695057332559763 - 42677738730087437964177968661217985594809368870172381091899883*i + 3202173214672078119*j + 2288969200457936412*k

In [65]:
I = Ideal_0*conjugate(alpha_endo)+ (Ideal_0*q)
I.right_order()

Order of Quaternion Algebra (-1, -5478933360105376520327544909088205666389913038264237243530502186841753491867814592511) with base ring Rational Field with basis (1/2 + 1733124013302036320718171822563477047667/2*k, 1/3466248026604072641436343645126954095334*i + 2721560234974109659751734093928868056177/3466248026604072641436343645126954095334*j + 2942051337433669563303991637113627630550071529479572878398678482603760500643296/1733124013302036320718171822563477047667*k, j + 1003047726320503976094624032642653498434*k, 1733124013302036320718171822563477047667*k)

In [67]:
q

1733124013302036320718171822563477047667

In [None]:
#SQIPrime SETUP:

In [3]:
#Fix the prime field
p = 2 ^ 273 * 19 ^ 2 -1
q= 1733124013302036320718171822563477047667
Fp4, Fp2, zeta = param.calcFields(p)
#Fp4.base_ring()

#Compute the Standard basis
E0 = EllipticCurve(Fp4, [0, Fp4(0), 0, 1, 0]) #Curves are in the Montgomery model
Basis_2 = basis_4(E0,2,273)
Basis_q = basis_4(E0,q,1)
action_matrices_2 = End.action_matrices(Basis_2, 2^273, zeta, Fp4)
image_action_q =  image_matrices(Basis_q, q, zeta, Fp4)
#image_action_2 =  image_matrices(Basis_2, q, zeta, Fp4)

#Compute the Precomputed Basis.
Quat_alg = QuaternionAlgebra(-1, -p)
O0_basis = (Q((1,0,0,0)),Q((0,1,0,0)),Q((0,1/2,1/2,0)),Q((1/2,0,0,1/2)))
(R,S), iota, Ideal_P = FindPrecomputedBasis(E0, Basis_q, Quat_alg, O0_basis,image_action_q, zeta, q)
image_q = image_matrices((R,S), q, zeta, Fp4)
Im = action_image(iota, image_q, (R,S))
assert Im[0]==S


NameError: name 'param' is not defined

In [None]:
#SQIPrime KeyGen

In [398]:
R,S = NonSmoothRandomIsog(273, q, basis2, action_matrices, strategy, True)

In [399]:
R.curve()

Elliptic Curve defined by y^2 = x^3 + (5264815805662272042150242956617979690985558890988056461059201972517704382646220818306*i+3380888534640681589487218976860051796789414652290119301138385217698324773251323623731)*x^2 + x over Finite Field in i of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^2

In [418]:
E0t=E0.quadratic_twist()


In [2]:
def point_ord_twist(E, l, e):
    assert is_prime(l)
    p = E.base_ring().characteristic()
    assert (p - 1) % l**e == 0
    P = (p - 1)//(l**e)*E.random_point()
    while (l**(e-1)*P).is_zero():
        P = (p - 1)//(l**e)*E.random_point()
    assert (l**e*P).is_zero()
    if P[1][0] >= (p - 1)//2 or (P[1][0] == 0 and P[1][1] >= (p - 1)//2):   # even if the seed of random_point is fixed, the sign of point is random.
        P = -P
    return P
    
def basis_twist(E, l, e):
    P = point_ord_twist(E, l, e)
    Q = point_ord_twist(E, l, e)
    while (l**(e-1)*P).weil_pairing(l**(e-1)*Q, l) == 1:
        Q = point_ord_twist(E, l, e)
    return P, Q

def point_ord_4(E, l, e):
    assert is_prime(l)
    p = E.base_ring().characteristic()
    assert (p^2 - 1) % l**e == 0
    P = (p^2 - 1)//(l**e)*E.random_point()
    while (l**(e-1)*P).is_zero():
        P = (p^2 - 1)//(l**e)*E.random_point()
    assert (l**e*P).is_zero()
    if P[1][0] >= (p^2 - 1)//2 or (P[1][0] == 0 and P[1][1] >= (p^2 - 1)//2):   # even if the seed of random_point is fixed, the sign of point is random.
        P = -P
    return P
    
def basis_4(E, l, e):
    P = point_ord_4(E, l, e)
    Q = point_ord_4(E, l, e)
    while (l**(e-1)*P).weil_pairing(l**(e-1)*Q, l) == 1:
        Q = point_ord_4(E, l, e)
    return P, Q



In [4]:
P,Q = basis2
Pq,Qq= basisq
alpha = quat.FullRepresentInteger(q*(2^273-q),p)
vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
alphaP = vP[0]*P + vP[1]*Q
vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
alphaQ = vQ[0]*P + vQ[1]*Q

X = D2IsogenyImage(E0, E0, (2**273 - q)*P, (2**273 - q)*Q, alphaP, alphaQ, 273, [(Pq, E0(0))], strategy, True)

NameError: name 'basis2' is not defined

## Response in separate part (for Debug)

In [180]:
chall = rand.randint(0,q)  


In [181]:
E_A,(R,S) = public_key 
Phi_A, I_tau, I_rho, Mask_matrix = secret_key
E_1, BasisE1_2 = commit
I_psi, disc_log_image, deg_1 = secret_commit
ker_chall = R + chall*S 
ker_dual_chall = -chall*R + S 


In [182]:
#Compute the corresponding ideal
matrixbc = Mask_matrix.transpose() * Matrix([[Fq(1)],[Fq(chall)]])
print(matrixbc)
Ideal_0 = Quat_alg.ideal(O0_basis)
C = Quat_alg(matrixbc[0][0])+Quat_alg(matrixbc[1][0])*iota_end


I_varphi = pushforward(C*Ideal_P*(C**(-1)), C*I_rho)

assert I_varphi.norm() == q

I_rhoI_varphi =multiply_ideals(I_rho,I_varphi)


#print(I_rhoI_varphi)
#I_varphi2 = pushforward(Ideal_P,I_rho)
#assert I_varphi2 == I_varphi
#assert I_varphi.left_order() == I_rho.right_order()

# Compute the answer ideal
J = multiply_ideals(I_rhoI_varphi.conjugate(), I_psi)
I_sigma, Minkowski_reduced_basis = small_equivalent_ideal(J)
i=1
while I_sigma.norm() % 2 == 0 and i < 4:
    I_sigma = chi(Minkowski_reduced_basis[i],J)
    i +=1
while I_sigma.norm() %2 == 0 or I_sigma.norm()*q > 2**e:
    det = generate_small_norm_quat_random(Minkowski_reduced_basis, coeff_bound, search_bound)
    I_sigma = chi(det, J)
d = I_sigma.norm()

#Compute kappa 
I_rhoI_varphiI_sigma = multiply_ideals(I_rhoI_varphi, I_sigma)



[                                      1]
[745178752435255190734328154363895032692]


In [183]:
J

Fractional ideal (1/2 + 977047035384166648680216013417459081373065066188637044903663998863811765268526836912445710816918727997481703213533580887514879902941933278397307245806037363571785*j + 1087193747098868587440996593926404707008528054995903489617101831306094034877480781898509828526141951512975432089329904035212724615343806654382739524515153747158647/2*k, 1/2*i + 280791314149106915789120574920914495652584265458960620523500808862293397492173839126069417403611154970759660596942094639150557332513606517694043770678789454489997/2*j + 917866891629452059747857966487071621791609271302482989706562945731887548067179251852705524874113089823439076606016223305028746355760857385607980635630451405564740*k, 1448590395556976809662396023521649769641031538413282731965546614747974004981579032356878647411934990598618910782534540261415445136995166778031571800192773655802275*j, 1448590395556976809662396023521649769641031538413282731965546614747974004981579032356878647411934990598618910782534540261415445136

In [189]:
# Compute images of kappa using EvalTorsion.

#Compute corresponding endomorphism
auto = left_isomorphism(I_rhoI_varphiI_sigma,I_psi)
Gamma = multiply_ideals(I_psi, I_rhoI_varphiI_sigma.conjugate(), auto)
gamma = left_isomorphism(Quat_alg.ideal(O0_basis),Gamma)
gamma = Quat_alg([0,1,0,0])*gamma

assert gamma.reduced_norm() % q == 0

gamma_list = component_endo(gamma)

#Compute different points
X1 = deg_1*(disc_log_image[0][0] * Basis_2[0] + disc_log_image[0][1] * Basis_2[1])
Y1 = deg_1*(disc_log_image[1][0] * Basis_2[0] + disc_log_image[1][1] * Basis_2[1])

assert X1.weil_pairing(Y1, 2**e) == BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e)**(deg_1)

#if X1.weil_pairing(Y1, 2**e) == BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e)**(-deg_1):
#    X1, Y1 = Y1, X1
    
vP = End.action_by_matrices(gamma_list, [1, 0], action_matrices_2)
X2 = vP[0]*X1 + vP[1]*Y1
vQ = End.action_by_matrices(gamma_list, [0, 1], action_matrices_2)
Y2 = vQ[0]*X1  + vQ[1]*Y1

X3, Y3 = eval_basis_unsmooth(E0, E0, Phi_A, 2**e - q, (X2,Y2), 2**e, False)

assert X3.curve() == Y3.curve() == E_A

lambda_ = Z2e(q*deg_1)**(-1)

X4, Y4 =  lambda_*X3, lambda_*Y3

assert(X4.weil_pairing(Y4, 2**e) == (BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e))**(d*q))

In [190]:
auto = left_isomorphism(I_rhoI_varphiI_sigma,I_psi)
Gamma = multiply_ideals(I_psi, I_rhoI_varphiI_sigma.conjugate(), auto)
gamma = left_isomorphism(Quat_alg.ideal(O0_basis),Gamma)
gamma = Quat_alg([0,1,0,0])*gamma
gamma_list = component_endo(gamma)

gamma_list2 = component_endo(gamma.conjugate())


In [191]:
X,Y = action_image(gamma_list2, image_action_q, Basis_q)
(Mask_matrix[0,0]*X + chall*Mask_matrix[0,1]*Y)+(Mask_matrix[1,0]*X + chall*Mask_matrix[1,1]*Y)

(0 : 1 : 0)

In [192]:
Quat_alg([0,1,0,0])

i

In [193]:
# Construct auxiliary endomorphism.
sigma = quat.FullRepresentInteger(d*(2**e-(q*d)),p)
vP = End.action_by_matrices(sigma, [1, 0], action_matrices_2)
sigmaP = vP[0]*Basis_2[0] + vP[1]*Basis_2[1]
vQ = End.action_by_matrices(sigma, [0, 1], action_matrices_2)
sigmaQ = vQ[0]*Basis_2[0] + vQ[1]*Basis_2[1]

P2,Q2 = eval_basis_unsmooth(E0,E0, Phi_A, q, (sigmaP,sigmaQ), 2**e, True)
P1 = (-d*q)*Basis_2[0]
Q1 = (-d*q)*Basis_2[1]

assert(P2.weil_pairing(Q2, 2**e)==  Basis_2[0].weil_pairing(Basis_2[1], 2**e) **(-((q*d)**2)))
Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
kernel = (Pa, Qa)
Phi_delta = EllipticProductIsogenySqrt(kernel, e, None, zeta)



In [194]:
#Evaluate points
T, U = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e-q*d, (X4,Y4), 2**e, False)
V, W = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e-q*d, (ker_chall,ker_dual_chall), q, False)
E_delta = T.curve()
assert V.curve() == E_delta
assert T.weil_pairing(U, 2**e) == X4.weil_pairing(Y4,2**e)**(-q*d)
inver = int(Z2e(q*d)**(-1))
T,U = inver*T, inver*U
assert T.weil_pairing(U,2**e) == BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e)**((-1))
signature2 = E_1, BasisE1_2, E_delta, T,U,V

In [195]:
signature2

(Elliptic Curve defined by y^2 = x^3 + (1320003985884288247106730111784819426967755964105386742959697899914803192511775584144*z^2+3975349083809857667534922415878330164739106996313536237915344271018724222626618005727)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4,
 ((4338925680859150594347428678004836706029094742997267280349210972465795705331701560858*z^2 + 1135354979525087571452207032865813384163087718844273384375839434474118230165890566895 : 1578931467657040920530335992280987895909022843568541490300982224862603535436721893662*z^2 + 70493036017534123201376440807400127558982849175260993464832363575590820001945499218 : 1),
  (1784374356772282532412542109026530181092624644890485305521965623607927385147334311435*z^2 + 3319361039380011665376153010169059313645931304806873592040351007253763532631256690814 : 25549268420931103216283906304905951955893506649908358390965500269317853383674932523*z^2 + 61983451646216334

In [41]:
# Evaluate a point on E1 x E2 under the action of Phi
R1 = E1(0)
R2 = E2(476711*i + 497008, 316369*i + 137958)
R = CouplePoint(R1, R2)
print(Phi(R))
# Output:
#
# [(145212*i + 486924 : 68908*i + 135992 : 1), (427043*i + 16946 : 474919*i + 326000 : 1)]

[(145212*i + 486924 : 68908*i + 135992 : 1),(427043*i + 16946 : 474919*i + 326000 : 1)]


In [30]:
E1t = E1.quadratic_twist(2+i)
E2t= E2.quadratic_twist(2+i)
basis2 = basis_twist(E2t,22621,1)
basis2

((290032*i + 302573 : 492133*i + 143361 : 1),
 (101436*i + 235007 : 335241*i + 184484 : 1))

In [26]:
factor(497663-1)

2 * 11 * 22621

In [173]:
def Kani_double_path(E0,p,q,n, zeta, basis, action_matrices):
    P0,Q0= basis[0],basis[1]
    
    alpha = quat.FullRepresentInteger(q*(2^271-q),p)
    vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
    alphaP = vP[0]*P0 + vP[1]*Q0
    vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
    alphaQ = vQ[0]*P0 + vQ[1]*Q0

    P1 = (2**n - q)*P0
    Q1 = (2**n - q)*Q0
    P2 = alphaP
    Q2 = alphaQ

    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    Phi = EllipticProductIsogeny(kernel, n, optimised_strategy(n), zeta)
    return Phi        


In [174]:
Phi = Kani_double_path(E0, p,q,271, zeta, Basis_2, action_matrices_2)

114
114
66
66
38
38
22
22
16
16
9
9
5
5


In [91]:
Phi.get_codomain()

(Elliptic Curve defined by y^2 = x^3 + (1298344374003009488363955025577530905991487325295984195749707052209317924289709040768*z^2+1119494818426987499085383591784759453261608789476123159475992427574470299976811069711)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4,
 Elliptic Curve defined by y^2 = x^3 + (1640880021282110431510652512013724153167938572902082099706966066851466421276757600675*z^2+5196910900053377979863127750917059135551900243105380650477404866899106750804250130349)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4)

In [5]:
p = 2^273 * 19^2 -1
Fp4, Fp2, i = param.calcFields(p)
Fp4.base_ring()
q= 1733124013302036320718171822563477047667


In [21]:
Fp4.characteristic()

5478933360105376520327544909088205666389913038264237243530502186841753491867814592511

In [66]:
A1 = Fp4(0)
E1 = EllipticCurve(Fp4, [0, A1, 0, 1, 0]) # Curves are in the Montgomery model
Basis2 = basis_4(E1,2,273)
P=Basis2[0]
Q=Basis2[1]
action_matrices = End.action_matrices(Basis2, 2^273, i, Fp4)


AssertionError: 

In [82]:
alpha = quat.FullRepresentInteger(q*(2^271-q),p)
vP = End.action_by_matrices(alpha, [1, 0], action_matrices)
alphaP = vP[0]*P + vP[1]*Q
vQ = End.action_by_matrices(alpha, [0, 1], action_matrices)
alphaQ = vQ[0]*P + vQ[1]*Q
print(alphaP, alphaQ)

NameError: name 'action_matrices' is not defined

In [80]:
# We will compute an isogeny chain of length 271
n = 271

# Points for the kernel of order 2^(n+2)
P1 = (2**271 - q)*P
Q1 = (2**271 - q)*Q
P2 = alphaP
Q2 = alphaQ

# Construct the kernel into the expected type
Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
kernel = (Pa, Qa)


NameError: name 'alphaP' is not defined

In [81]:
Phi = EllipticProductIsogeny(kernel, 271, optimised_strategy(271), i)


TypeError: 'function' object is not subscriptable

In [76]:
R1 = E1.random_element()
R2 = E1.random_element()
print(R1,R2)
R = CouplePoint(R1, R2)


(3806726461714634234269617567032355635343117850944913249091021623218418577549112287711*z^3 + 5298408522495524844605880618216213358574988221142294203702019708368890319072472491111*z^2 + 3017184119141012081297751686202994411475785125270025422763030622728219773373702823075*z + 1981832029695873790861203782506749278383522275477167669451340592191911031456402712284 : 473763033863641870322597957708406301757441721850565201153980386409162991656520192366*z^3 + 2753705545620056451183302428945235971695139258808794488717620536489626439963283894581*z^2 + 2337120641155418469960056697421315979096068730893832730816901980653041507092733283517*z + 622644407833406606306382545640367118731088314611331939884221470849179833784380259788 : 1) (3276530538532118615691739974371725996705283303781915992558396774504518170095345722261*z^3 + 710788111221357820362489456956697958608126884692362714376407949178591079230519742556*z^2 + 5180402310472850960243612107484943833187932699903365940057171970819604966545070215923*z + 

In [77]:
pR = Phi(R, False)

In [80]:
pR[0][0]

1299942197876484127806379949850289144053340515556936313058907724990375033820792739973*z^3 + 1630715268269691476461070388887895902794949229226582064678385510855082245728985826250*z^2 + 627340278844875935871704974789694305457262070542208562552470414566210622332741656477*z + 4128499289387128728300160735820080810277697794156028275894387417317105385401783202570

In [10]:
Phi.get_codomain()

(Elliptic Curve defined by y^2 = x^3 + (3507620228121402869662975466949301445112779805353034324824971962397494564439613159579*z^2+2250885721927554515536490698352862144597876122751415366058670998249872228500223049995)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4,
 Elliptic Curve defined by y^2 = x^3 + (5299125203262756052531511806394295362696767637538289245621857693344474713606224920430*z^2+2675015951448856443891871555327708612398445489780170242266943012180784432858170491813)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4)

In [96]:
Fp4(2934022918931637204230961800318379470446117529284437550121110975616765342322762830938*zeta + 1968939872507130549154094223962484332278895650423413275561453812519053984051779968891).sqrt()

2898350185561546846343749076501202959712216849878867543999153539168503346700272044901*z^3 + 4625614561824061242402115279669670466680463771254783148454856814115812375282529968489*z

In [101]:
I=(O0*conjugate(alpha_endo)) + (O0)*(q)
J=(O0*(alpha_endo)) + (O0)*(2**273-q)
print(I.left_order(),"\n", I.right_order())
print("\n\n")
print(J.left_order(),"\n", J.right_order())
J.norm() == 2**273-q
#J.left_order()
I*J.right_order()

The history saving thread hit an unexpected error (OperationalError('attempt to write a readonly database')).History will not be written to the database.


NameError: name 'O0' is not defined

In [102]:
I0 = Quat_alg.ideal(O0_basis)
alpha = [-94057375826662661995299354549754677588432706075336129095567, 185332559562373761474906978898434774484779843965512633032411, 4352888709408981831, 473724351991622496]
alpha_endo = Quat_alg(0)
for j in range(4):
    alpha_endo += O0_basis[j]*alpha[j]
alpha_endo

-94057375826662661995299354549754677588432469213160133284319 + 370665119124747522949813957796869548969564040819734675046653/2*i + 4352888709408981831/2*j + 236862175995811248*k

In [104]:
def RandomEquivalentIdeal(I, e, q, Minkowski_reduced_basis):
    # TODO: what's a good initial small search?
    coeff_bound = min((floor(logp / 10)), 7)
    # TODO: what's a good search bound?
    search_bound = max(coeff_bound**4, 4096)
    nI = ZZ(I.norm())
    Minkowski_reduced_basis = reduced_basis(I)
    alpha = generate_small_norm_quat_random(Minkowski_reduced_basis, coeff_bound, search_bound)
    N = ZZ(alpha.reduced_norm())// nI
    while N % 2 == 0 or  N*q > 2**e:
        alpha =  
        N = ZZ(alpha.reduced_norm())// nI
    J = chi(alpha, I)
    return J, N, alpha
    
    

SyntaxError: invalid syntax (3772761559.py, line 11)

In [107]:
from utilities.fast_sqrt import sqrt_Fp2

In [145]:
x=Fp2([0,-1])
y=sqrt_Fp2(x)
y*2

5478933360105376520327544909088205666389909727997371836641129615133572395626653548543*z2 + 3310266865406889372571708181096241161043968

In [146]:
p

5478933360105376520327544909088205666389913038264237243530502186841753491867814592511

In [None]:
def sqrt_Fp4(x, canonical=False):
    """
    Fast computation of square-roots in SageMath using that p = 3 mod 4
    """
    F = x.parent()
    x0, x1, x2, x3 = x.list()
    z = F.gen()

    
    
    if x1 == x3 == 0:
        lx0 = Fp2([x0,x2]).is_square()
        if lx0:
            y0 = sqrt_Fp2([x0,x2])
            root = F(y)
            if canonical:
                return canonical_root(root)
            return root

        else:
            y1 = sqrt_Fp(-x0)
            root = F([0, y1])
            if canonical:
                return canonical_root(root)
            return root

    delta = x0**2 + x1**2
    sqrt_delta = sqrt_Fp(delta)

    y02 = (x0 + sqrt_delta) / 2
    if not y02.is_square():
        y02 -= sqrt_delta

    y0 = sqrt_Fp(y02)
    y1 = x1 / (y0 + y0)
    root = F([y0, y1])

    if canonical:
        return canonical_root(root)
    return root


In [149]:
x=Fp2([0,1])

In [150]:
Fp4(x)

5478933360105376520327544909088205666389913038264237243530502186841753491867814592510*z^2

In [155]:
Fp2.gen()

z2

In [154]:
zeta

2942753535763096284326002166907520023690185806098102310836236699963060970838893431129*z2 + 2781270039533818001324577455954119058949320635922086962039992048232205077009663462848

In [4]:
Q.maximal_order()

NameError: name 'Q' is not defined

In [5]:
Q = QuaternionAlgebra(-1, -p)
O0_basis = (Q((1,0,0,0)),Q((0,1,0,0)),Q((0,1/2,1/2,0)),Q((1/2,0,0,1/2)))


In [8]:
I0 =Q.ideal(O0_basis)
a = I0.random_element()
I1 = I0*a
reduced_basis(I1)

NameError: name 'reduced_basis' is not defined

# Legacy Code

## Key Generation

In [314]:
#SQIPrime KeyGen:
def SQIprime_KeyGen():
    Phi_A, I_tau, I_rho = Kani_double_path(E0,p,q, e, zeta, Basis_2, action_matrices_2, Quat_alg, O0_basis) 
    #E_A = Phi_A.get_codomain()[0]
    Mask_matrix = Matrix([[1,0],[0,1]])  #sample_random_matrix(Fq) 
    tau_BasisEA_2 = eval_basis_unsmooth(E0,E0, Phi_A, q, Basis_2, 2**e, True)
    E_A = tau_BasisEA_2[0].curve()
    rho_BasisEA_q = eval_basis_unsmooth(E0,E0, Phi_A, 2**e-q, Basis_q,q, False)
    assert rho_BasisEA_q[0].curve() == E_A
    R,S = (Mask_matrix[0][0]*rho_BasisEA_q[0]+Mask_matrix[0][1]*rho_BasisEA_q[1]), (Mask_matrix[1][0]*rho_BasisEA_q[0]+Mask_matrix[1][1]*rho_BasisEA_q[1])
    public_key = (E_A,(R,S))
    secret_key = (Phi_A, I_tau, I_rho, Mask_matrix)
    return public_key, secret_key

In [315]:
public_key, secret_key = SQIprime_KeyGen()

ZeroDivisionError: 

In [None]:
secret_key[3]

In [177]:
public_key[0].j_invariant()

4274888328491923547373681883413660568112458147883287351175827875012828805471238142403*z^2 + 3551792438821654697644216446971653199798024936717085777550621335643931368838392371447

In [178]:
public_key

(Elliptic Curve defined by y^2 = x^3 + (4293755985199886650634805551460338680673992474479732949818988994436983676703877336472*z^2+1887763822976347246146679230830028110274052937726075577717113594052950203862745262603)*x^2 + x over Finite Field in z of size 5478933360105376520327544909088205666389913038264237243530502186841753491867814592511^4,
 ((5405796427949134498685185576445106551056045175354250256758864013376867170580675425761*z^2 + 2631827568257976038727470543512244496859919561572912356563483011584397777714544312750 : 2913583530324939136702640594084395568612970104615780506475192290940790911447686436585*z^3 + 4586231901645191559834270894842962515322156098416282566910457567890958567709323123388*z : 1),
  (233805661308317251603916372697855036853706524259843326396215270598975891238974014077*z^2 + 756778486162658379799701599683312125786026396121459073000867862865058883094628334645 : 2863892270324816807093304060922037492451472413564282297015968429386135359658154030708*z^3 + 6341835056990

## Signature

## Commit

In [489]:
#Commit
def SQIprime_Commit():    
    deg_1 = 1
    while not sympy.isprime(deg_1:=rand.randint(0,2**int(e/2))):
        pass
    Phi_1, I_psi, _ = Kani_double_path(E0, p , deg_1 , e, zeta, Basis_2, action_matrices_2, Quat_alg, O0_basis)
    assert deg_1 == I_psi.norm()
    Image_BasisE1_2 = eval_basis_unsmooth(E0, E0, Phi_1, deg_1, Basis_2, 2**e, True)
    E_1 = Image_BasisE1_2[0].curve()
    BasisE1_2 = basis_4(E_1, 2, e)
    disc_log_image=[]
    disc_log_image.append(BiDLP(BasisE1_2[0],Image_BasisE1_2[0],Image_BasisE1_2[1], 2**e))
    disc_log_image.append(BiDLP(BasisE1_2[1],Image_BasisE1_2[0],Image_BasisE1_2[1], 2**e))
    commit = E_1, BasisE1_2
    secret_commit = I_psi, disc_log_image, deg_1
    return commit, secret_commit

In [490]:
commit, secret_commit = SQIprime_Commit()

(Elliptic Curve defined by y^2 = x^3 + (6007254832126461042667391260941258129263631443782219414928176946763915430313*z^2+12578772999095571090947736908284911113330594444690938299524883946288436198834)*x^2 + x over Finite Field in z of size 17866357519039022340746304327512392032047517165206258904525681907470971174911^4, Elliptic Curve defined by y^2 = x^3 + (2755032211613202873916062554072456293631636878333556747655665700818350519766*z^2+10584302918702273187708840484638416652579119552596439715008157693159771770258)*x^2 + x over Finite Field in z of size 17866357519039022340746304327512392032047517165206258904525681907470971174911^4)


In [None]:
commit

## Challenge

In [181]:
#Challenge
chall = rand.randint(0,q)  


## Response

In [545]:
def SQIprime_Response(secret_key, public_key, secret_commit, commit, chall):
    #Loading
    E_A,(R,S) = public_key 
    Phi_A, I_tau, I_rho, Mask_matrix = secret_key
    E_1, BasisE1_2 = commit
    I_psi, disc_log_image, deg_1 = secret_commit
    ker_chall = R + chall*S 
    ker_dual_chall = -chall*R + S 

    #Compute the corresponding ideal
    matrixbc = Mask_matrix.transpose() * Matrix([[Fq(1)],[Fq(chall)]])
    Ideal_0 = Quat_alg.ideal(O0_basis)
    C = Quat_alg(matrixbc[0][0])+Quat_alg(matrixbc[1][0])*iota_end
    
    #It works, don't ask my why
    I_varphi = pushforward(C*Ideal_P*(C**(-1)), C*I_rho)
    
    assert I_varphi.norm() == q
    
        #TO DO: Compute without intermediary pushforward
    I_rhoI_varphi =multiply_ideals(I_rho,I_varphi)
    
    
    #print(I_rhoI_varphi)
    #I_varphi2 = pushforward(Ideal_P,I_rho)
    #assert I_varphi2 == I_varphi
    #assert I_varphi.left_order() == I_rho.right_order()
    
    # Compute the answer ideal
    J = multiply_ideals(I_rhoI_varphi.conjugate(), I_psi)
    I_sigma, Minkowski_reduced_basis = small_equivalent_ideal(J)
    i=1
    while I_sigma.norm() % 2 == 0 and i < 4:
        I_sigma = chi(Minkowski_reduced_basis[i],J)
        i +=1
    while I_sigma.norm() %2 == 0 or I_sigma.norm()*q > 2**e:
        det = generate_small_norm_quat_random(Minkowski_reduced_basis, coeff_bound, search_bound)
        I_sigma = chi(det, J)
    d = I_sigma.norm()
    
    #Compute kappa 
    I_rhoI_varphiI_sigma = multiply_ideals(I_rhoI_varphi, I_sigma) 
    # Compute images of kappa using EvalTorsion.
    
    #Compute corresponding endomorphism
    auto = left_isomorphism(I_rhoI_varphiI_sigma,I_psi)
    Gamma = multiply_ideals(I_psi, I_rhoI_varphiI_sigma.conjugate(), auto)
    gamma = left_isomorphism(Quat_alg.ideal(O0_basis),Gamma)
    
    gamma_list2 = component_endo(gamma.conjugate())
    X,Y = action_image(gamma_list2, image_action_q, Basis_q)
    if (Mask_matrix[0,0]*X + chall*Mask_matrix[0,1]*Y)+(Mask_matrix[1,0]*X + chall*Mask_matrix[1,1]*Y) != E0(0):
        gamma= Quat_alg([0,1,0,0])*gamma
        gamma_list2 = component_endo(gamma.conjugate())
        X,Y = action_image(gamma_list2, image_action_q, Basis_q)
        assert (Mask_matrix[0,0]*X + chall*Mask_matrix[0,1]*Y)+(Mask_matrix[1,0]*X + chall*Mask_matrix[1,1]*Y) == E0(0)
    
    assert gamma.reduced_norm() == deg_1*d*q*(2**e-q)
    
    gamma_list = component_endo(gamma)

    #Compute different points
    
    vP = End.action_by_matrices(gamma_list, [deg_1*disc_log_image[0][0], deg_1*disc_log_image[0][1]], action_matrices_2)
    X2= vP[0]*Basis_2[0]+vP[1]*Basis_2[1]
    vQ = End.action_by_matrices(gamma_list, [deg_1*disc_log_image[1][0], deg_1*disc_log_image[1][1]], action_matrices_2)
    Y2 = vQ[0]*Basis_2[0]+vQ[1]*Basis_2[1]
    
    assert X2.weil_pairing(Y2, 2**e) == BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e)**(deg_1*deg_1*d*q*(2**e-q))
        
    X3, Y3 = eval_basis_unsmooth(E0,E0, Phi_A, 2**e - q, (X2,Y2), 2**e, False)

    assert(X3.weil_pairing(Y3, 2**e) == (X2.weil_pairing(Y2, 2**e))**(2**e -q))

    lambda_ = Z2e(- q*deg_1)**(-1)
    X4, Y4 =  lambda_*X3, lambda_*Y3

    assert(X4.weil_pairing(Y4, 2**e) == (BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e))**(d*q))

    # Construct auxiliary endomorphism.
    sigma = quat.FullRepresentInteger(d*(2**e-(q*d)),p)
    vP = End.action_by_matrices(sigma, [1, 0], action_matrices_2)
    sigmaP = vP[0]*Basis_2[0] + vP[1]*Basis_2[1]
    vQ = End.action_by_matrices(sigma, [0, 1], action_matrices_2)
    sigmaQ = vQ[0]*Basis_2[0] + vQ[1]*Basis_2[1]
    
    P2,Q2 = eval_basis_unsmooth(E0, E0, Phi_A, q, (sigmaP,sigmaQ), 2**e, True)
    P1 = (-d*q)*Basis_2[0]
    Q1 = (-d*q)*Basis_2[1]
    assert P2.curve() == E_A
    
    assert(P2.weil_pairing(Q2, 2**e)==  Basis_2[0].weil_pairing(Basis_2[1], 2**e) **(-((q*d)**2)))
    Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
    kernel = (Pa, Qa)
    Phi_delta = EllipticProductIsogenySqrt(kernel, e, None, zeta)
    
     #Evaluate points
    T, U = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e-q*d, (X4,Y4), 2**e, False)
    V, W = eval_basis_unsmooth(E0, E_A, Phi_delta, 2**e-q*d, (ker_chall,ker_dual_chall), q, False)
    E_delta = T.curve()
    assert V.curve() == E_delta
    assert T.weil_pairing(U, 2**e) == X4.weil_pairing(Y4,2**e)**(-q*d)
    inver = int(Z2e(q*d)**(-1))
    T,U = inver*T, inver*U
    assert T.weil_pairing(U,2**e) == BasisE1_2[0].weil_pairing(BasisE1_2[1], 2**e)**((-1))
    signature = E_1, BasisE1_2, E_delta, T,U,V
    return signature


In [547]:
signature = SQIprime_Response(secret_key, public_key, secret_commit, commit, chall)

ValueError: too many values to unpack (expected 4)

In [None]:
signature

In [None]:
        if False and (T1.is_zero() or T2.is_zero() or S1.is_zero() or S2.is_zero()):
            print("Special case 3",i)
            print(T1, T2, S1, S2)
            break

            if T1.is_zero():
                T1, S1 = S1, T1
                T2, S2 = S2, T2
            assert not T1.is_zero()
            if not S1.is_zero():
                assert S1 == T1
                S2 -= T2
            assert T2.is_zero() or T2 == S2
            KT1 = K0(T1)
            KT2 = K0(S2)
            phi1 = KummerLineIsogeny_Velu(K0, KT1,2, False)
            phi2 = KummerLineIsogeny_Velu(K0, KT2,2, False)

            e = e-1
            P1 = phi1(K0(P1)).curve_point()
            P2 = phi2(K0(P2)).curve_point()
            Q1 = phi1(K0(Q1)).curve_point()
            Q2 = phi2(K0(Q2)).curve_point()
            E1 = P1.curve()
            E2 = P2.curve()
            for i in range(len(Rs)):
                Rs[i] = (phi1(K0(Rs[i][0])).curve_point(),phi2(K0(Rs[i][1])).curve_point())


In [60]:
#Setup
alpha = quat.FullRepresentInteger(q*(2**(e-2)-q),p)
vP = End.action_by_matrices(alpha, [1, 0], action_matrices_2)
vQ = End.action_by_matrices(alpha, [0, 1], action_matrices_2)
Fp22 = GF(p**2, modulus=x**2+1, name="i")
E0_F2 = EllipticCurve(Fp22, [0, Fp22(0), 0, 1, 0])
E0_F4 = EllipticCurve(Fp4, [0, Fp4(0), 0, 1, 0])
Basis_in_Fp2 = elc.basis(E0_F2, 2,e
Basis_in_Fp4 = basis_4(E0_F4, 2,e)
Image_in_Fp2 = vP[0]*Basis_in_Fp2[0] + vP[1]*Basis_in_Fp2[1],vQ[0]*Basis_in_Fp2[0] + vQ[0]*Basis_in_Fp2[1] 
Image_in_Fp4 = vP[0]*Basis_in_Fp4[0] + vP[1]*Basis_in_Fp4[1],vQ[0]*Basis_in_Fp4[0] + vQ[0]*Basis_in_Fp4[1] 
aP2, aQ2 = CouplePoint((2**(e-2)-q)*Basis_in_Fp2[0],Image_in_Fp2[0]), CouplePoint((2**(e-2)-q)*Basis_in_Fp2[1], Image_in_Fp2[1])
kernel_Fp2 = (aP2, aQ2)
aP4, aQ4 = CouplePoint((2**(e-2)-q)*Basis_in_Fp4[0],Image_in_Fp4[0]), CouplePoint((2**(e-2)-q)*Basis_in_Fp4[1], Image_in_Fp4[1])
kernel_Fp4 = (aP4, aQ4)
Point_F2 =  CouplePoint(Image_in_Fp2[0],Image_in_Fp2[1])
Point_F4 =  CouplePoint(Image_in_Fp4[0],Image_in_Fp4[1])

In [82]:
P0,Q0= Basis_2[0],Basis_2[1]

alpha = quat.FullRepresentInteger(q*(2**e-q),p)
vP = End.action_by_matrices(alpha, [1, 0], action_matrices_2)
alphaP = vP[0]*P0 + vP[1]*Q0
vQ = End.action_by_matrices(alpha, [0, 1], action_matrices_2)
alphaQ = vQ[0]*P0 + vQ[1]*Q0

P1 = (2**e - q)*P0
Q1 = (2**e - q)*Q0
P2 = alphaP
Q2 = alphaQ

Pa, Qa = CouplePoint(P1,P2), CouplePoint(Q1, Q2)
kernel = (Pa, Qa)



t0 = time.perf_counter_ns()
Phi = EllipticProductIsogenySqrt(kernel, e, None, zeta)
t1 = time.perf_counter_ns()
print("A (2^273,2^273) isogeny precomputation requires",float(t1-t0)/10**6, "ms." )
t0 = time.perf_counter_ns()
X = Phi(CouplePoint(Basis_q[0], E0(0)))
#X,Y = eval_basis_unsmooth(E0, E0, Phi, 2**e-q, Basis_2, 2**273, False)
t1 = time.perf_counter_ns()
print("An evaluation of a basis requires (2^273,2^273) isogeny computations",float(t1-t0)/10**6, "ms.")


A (2^273,2^273) isogeny precomputation requires 305.813708 ms.
An evaluation of a basis requires (2^273,2^273) isogeny computations 45.215208 ms.


In [80]:
# To do: test in Fp2

In [77]:
X = Phi(CouplePoint(Basis_q[0], E0(0)))
X

[(1871354564549173070946785336829579070245623133805142141718563653504581381482524350859*z^2 + 2272281760117994120797862004973377924668632949021723850179823675658865730202121300418 : 64242602298848229899809724023107662932595649736285913327594198912804837170872000803*z^3 + 3203508073520515069310606272557889522928888190889328023306535055225613853233753681218*z : 1),(3485335690224228483264208601606797107503850336489969924326546417269304377777124262250*z^2 + 3392569941082752989406318848491939306701023188874254166916154434447042652021311933117 : 3860079663271701766018819986192257524110404369752450493424730383291448178477550063137*z^3 + 5185082845169846548079698065507619143596410700611702007393516833402720790813964280520*z : 1)]

## differnence between Fp4 and Fp2 (2,2)-isogenies

In [165]:
#Setup
alpha = quat.FullRepresentInteger(q*(2**e-q),p)
vP = End.action_by_matrices(alpha, [1, 0], action_matrices_2)
vQ = End.action_by_matrices(alpha, [0, 1], action_matrices_2)
E0_F2 = EllipticCurve(Fp2, [0, Fp2(0), 0, 1, 0])
E0_F4 = EllipticCurve(Fp4, [0, Fp4(0), 0, 1, 0])
Basis_in_Fp2 = elc.basis(E0_F2, 2,e)
Basis_in_Fp4 = basis_4(E0_F4, 2,e)
Image_in_Fp2 = vP[0]*Basis_in_Fp2[0] + vP[1]*Basis_in_Fp2[1],vQ[0]*Basis_in_Fp2[0] + vQ[0]*Basis_in_Fp2[1] 
Image_in_Fp4 = vP[0]*Basis_in_Fp4[0] + vP[1]*Basis_in_Fp4[1],vQ[0]*Basis_in_Fp4[0] + vQ[0]*Basis_in_Fp4[1] 
aP2, aQ2 = CouplePoint((-q)*Basis_in_Fp2[0],Image_in_Fp2[0]), CouplePoint(-q*Basis_in_Fp2[1], Image_in_Fp2[1])
kernel_Fp2 = (aP2, aQ2)
aP4, aQ4 = CouplePoint((-q)*Basis_in_Fp4[0],Image_in_Fp4[0]), CouplePoint(- q*Basis_in_Fp4[1], Image_in_Fp4[1])
kernel_Fp4 = (aP4, aQ4)
Point_F2 =  CouplePoint(Image_in_Fp2[0],Image_in_Fp2[1])
Point_F4 =  CouplePoint(Image_in_Fp4[0],Image_in_Fp4[1])

AssertionError: 

In [164]:
t0 = time.perf_counter_ns()
Phi_Fp2 = EllipticProductIsogenySqrt(kernel_Fp2, e, None, None)
t1 = time.perf_counter_ns()
print("A (2^273,2^273) isogeny precomputation requires",float(t1-t0)/10**6, "ms." )
t0 = time.perf_counter_ns()
#Phi_Fp4(Point_F4)
t1 = time.perf_counter_ns()
print("An evaluation requires (2^273,2^273) isogeny computations",float(t1-t0)/10**6, "ms.")


NameError: name 'time' is not defined

In [None]:
t0 = time.perf_counter_ns()
Phi_Fp4 = EllipticProductIsogenySqrt(kernel_Fp4, e, None, zeta)
t1 = time.perf_counter_ns()
print("A (2^273,2^273) isogeny precomputation requires",float(t1-t0)/10**6, "ms." )
t0 = time.perf_counter_ns()
#Phi_Fp4(Point_F4)
t1 = time.perf_counter_ns()
print("An evaluation requires (2^273,2^273) isogeny computations",float(t1-t0)/10**6, "ms.")
