# Chapter 5 - Eliptic Curve

## Exercise 58. 
Consider the curve E1(F) from example 70 and compute the set of all curve points (x,y) ∈ E1(F).


In [49]:
F_5 = GF(5)
a, b = (F_5(1), F_5(1))
E11_F5 = EllipticCurve(F_5,[a,b])
points = E11_F5.points()
assert len(points) == 9
points

[(0 : 1 : 0), (0 : 1 : 1), (0 : 4 : 1), (2 : 1 : 1), (2 : 4 : 1), (3 : 1 : 1), (3 : 4 : 1), (4 : 2 : 1), (4 : 3 : 1)]

## Exercise 59. 
Consider the curve TJJ_13 from example 71 and compute the set of all curve points (x, y) ∈ T JJ_13.

In [50]:
F_13 = GF(13)
a, b = (F_13(8), F_13(8))
TJJ_13 = EllipticCurve(F_13,[a,b])
TJJ_points = TJJ_13.points()
assert len(TJJ_points) == 20
TJJ_points

[(0 : 1 : 0), (1 : 2 : 1), (1 : 11 : 1), (4 : 0 : 1), (5 : 2 : 1), (5 : 11 : 1), (6 : 5 : 1), (6 : 8 : 1), (7 : 2 : 1), (7 : 11 : 1), (8 : 5 : 1), (8 : 8 : 1), (9 : 4 : 1), (9 : 9 : 1), (10 : 3 : 1), (10 : 10 : 1), (11 : 6 : 1), (11 : 7 : 1), (12 : 5 : 1), (12 : 8 : 1)]

## Exercise 60. 
Look up the definition of curve BLS12-381, implement it in Sage, and compute the number of all curve points.

In [51]:
# parameters taken from https://hackmd.io/@benjaminion/bls12-381#Curve-equation-and-parameters
p_hex = "0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
Fp = GF(int(p_hex, 16))
# y^2 = x^3 + 4 (y^2 = x^3 + a x + b)
a, b = (Fp(0), Fp(4))
E = EllipticCurve(Fp,[a,b])
point_number = E.order()
print(f"BLS12_381 has to many points to display (~2^{log(point_number, 2).n(digits=1)})")

BLS12_381 has to many points to display (~2^380.)


## Exercise 61. 
Let F be a finite field, let (a,b) and (a',b') be two pairs of parameters, and let $c \in F^∗$ be an invertible field element such that $a' = a \cdot c^4$ and $b' = b \cdot c^6$ hold. Show that the function I from (5.3) maps curve points onto curve points.

**help material:**

$E_{a,b}(F) = \{(x, y) \in F x F \ | \ y^2 = x^3 + a \cdot x + b \} $

discriminant $E_{a,b}(F): 4a^3 + 27b^2 \not\equiv 0 ( \mod p )$

$E_{a',b'}(F) = \{(x, y) \in F x F \ | \ y^2 = x^3 + (a \cdot c^4) \cdot x + b \cdot c^6 \} $

discriminant $E_{a',b'}(F): 4 (a \cdot c^4)^3 + 27(b \cdot c^6)^2 \not\equiv 0 ( \mod p ) \rightarrow c^{12} \cdot (4 xa^3 + 27 b^2) \not\equiv 0 ( \mod p )$

**solution:**

applying the map $\textit{I}$ to all pair (x, y) $\in E_{a,b}(F)$ you get points (x', y') $\in E_{a',b'}(F)$ as:

$ E_{'a,'b}(\textit{I}(x, y)) = \{(x, y) \in F x F \ | \ c^3 \cdot y)^2 = (c^2 \cdot x)^3 + (a \cdot c^4) \cdot (c^2 \cdot x) + b \cdot c^6 \}  \rightarrow \{(x, y) \in F x F \ | \ c^6 \cdot y^2 = c^6 \cdot (x^3 + (a \cdot x) + b) \} \rightarrow \{(x, y) \in F x F \ | \ y^2 = x^3 + a \cdot x + b \} \rightarrow E_{a,b}(F)$

## Exercise 62.
Consider the Tiny-jubjub curve from example 71 and the elliptic curve E7,5(F13).

Show that TJJ_13 and E7,5(F13) are isomorphic. Then compute the set of all points from
E7,5(F13), construct I and map all points of TJJ_13 onto E7,5(F13).

In [52]:
# Define the elliptic curves E8,8 and E7,5 over GF(13)
E75 = EllipticCurve(F_13, [7, 5])

# Check for isomorphism
# We need to find a non-zero u such that a2 = u^4 * a1 and b2 = u^6 * b1
def isomorphic_curves(E1, E2):
    isomorphic, u_value = (False,None)
    F = E1.base_field()
    assert E1.base_field() == E2.base_field()

    a1, b1 = E1.a4(), E1.a6()
    a2, b2 = E2.a4(), E2.a6()
    for u in F:
        if u != 0 and a2 == u^4 * a1 and b2 == u^6 * b1:
            return (True, u)
    return (isomorphic, u_value)

def map_point(E1, E2, P, u):
    if P == E1(0):
        return E2(0)  # Map the point at infinity to itself
    x, y = P.xy()
    x_new = u^2 * x 
    y_new = u^3 * y
    return E2(x_new, y_new)

isomorphic, c = isomorphic_curves(TJJ_13, E75)
assert isomorphic, "The curves are not isomorphic."
print(f"value of c for the map I: {c}")

# Compute all points on E7,5(F13)
# Construct the isomorphism and map points from E8,8(F13) to E7,5(F13)
points_E75 = E75.points()
assert len(TJJ_points) == len(points_E75)
print("Points on E7,5(F13):")

difference = points_E75
for p in TJJ_points:
    mapped_point = map_point(TJJ_13, E75, p, c)
    difference = [point for point in difference if point != mapped_point]

assert len(difference) == 0
print("we have proved isomorphism as I maps to each and everysingle element of E75 once and the opposite can be done as well")

value of c for the map I: 6
Points on E7,5(F13):
we have proved isomorphism as I maps to each and everysingle element of E75 once and the opposite can be done as well


## Exercise 63. 

Consider the commutative group (TJJ_13, $\oplus$) of the Tiny-jubjub curve from example 71.
1. Compute the inverse of (10,10), $\mathcal{O}$, (4,0) and (1,2).
2. Solve the equation $x \oplus (9,4)=(5,2)$ for some $x \in TJJ_13$.


In [53]:
# ---- 1 ------
def inverse(P):
    if TJJ_13(0) == P:
        return P
    else:
        x, y = P.xy()
        return TJJ_13(x, -y)

for p in [TJJ_13(*p) for p in [(10, 10), (4, 0), (1, 2)]] + [TJJ_13(0)]:
    p_inv = inverse(p) 
    print(f"value: {p} inv: {p_inv}")

# ---- 2 ------
def chord_rule(P, Q):
    x1, y1 = P.xy()
    x2, y2 = Q.xy()

    x3 = ((y2 - y1) / (x2 - x1))^2 - x1 - x2
    y3 = ((y2 - y1) / (x2 - x1)) * (x1 -x3) - y1
    return TJJ_13(x3, y3)

P, Q = TJJ_13(9,4), TJJ_13(5, 2)

P_inv = inverse(P)
sol = chord_rule(Q, P_inv)
assert chord_rule(sol, P) == Q

value: (10 : 10 : 1) inv: (10 : 3 : 1)
value: (4 : 0 : 1) inv: (4 : 0 : 1)
value: (1 : 2 : 1) inv: (1 : 11 : 1)
value: (0 : 1 : 0) inv: (0 : 1 : 0)


## Exercise64. 

Consider example 79 and compute the set $\{[1](0,1),[2](0,1),...,[8](0,1,[9](0,1)\}$ using the tangent rule only.

In [54]:
G = E11_F5(0,1)

E11_F5_points = [ x * G for x in range(1, E11_F5.order() + 1)]
E11_F5_points

[(0 : 1 : 1),
 (4 : 2 : 1),
 (2 : 1 : 1),
 (3 : 4 : 1),
 (3 : 1 : 1),
 (2 : 4 : 1),
 (4 : 3 : 1),
 (0 : 4 : 1),
 (0 : 1 : 0)]

## Exercise 65. 

Consider example 80 and compute the scalar multiplications [10](5, 11) as well as [10](9, 4) and [4](9, 4) with pen and paper using the algorithm from exercise 38.

In [55]:
TJJ_13(5, 11) * 10, TJJ_13(9, 4) * 10, TJJ_13(9, 4) * 4

((0 : 1 : 0), (4 : 0 : 1), (7 : 11 : 1))

## Exercise 66. 

Consider example 81 and compute the set (5.23) by inserting all points from the projective plane F5P2 into the defining projective Short Weierstrass equation.


In [56]:
P = ProjectiveSpace(F_5, 2)

a = E11_F5.a4()
b = E11_F5.a6()

E11_F5_curve_points = [(x, y, z) for (x, y, z) in P.rational_points() if  y^2 * z == x^3 + a * x * z^2 + b * z^3]
len(E11_F5_points) == len(E11_F5.points())
E11_F5_curve_points

[(0, 1, 1),
 (0, 4, 1),
 (2, 1, 1),
 (2, 4, 1),
 (3, 1, 1),
 (3, 4, 1),
 (4, 2, 1),
 (4, 3, 1),
 (0, 1, 0)]

## Exercise 67. 

Compute the projective representation of the Tiny-jubjub curve (example 71) and the logarithmic order of its large prime-order subgroup with respect to the generator [7 : 11 : 1] in projective coordinates.


In [57]:
TJJ_13_G = TJJ_13(7, 11)
TJJ_order = TJJ_13.order()
largest_prime = factor(TJJ_order)[-1][0]

result = []
last = TJJ_13_G
for x in range(largest_prime):
    result.append([x + 1, last])
    last += TJJ_13_G

assert len(result) == largest_prime
assert result[-1][1] == TJJ_13(0)
result

[[1, (7 : 11 : 1)],
 [2, (8 : 5 : 1)],
 [3, (8 : 8 : 1)],
 [4, (7 : 2 : 1)],
 [5, (0 : 1 : 0)]]

## Exercise 68. 

Consider example 81 again. Compute the following expression for projective points on E1(F5P2) using algorithm 7:

- [0:1:0]⊕[4:3:1]
- [0:3:0]⊕[3:1:2]
- [0:4:1]⊕[3:4:1]
- [4:3:1]⊕[4:2:1]
  
and then solve the equation [X :Y :Z]⊕[0:1:1]=[2:4:1] for some point [X :Y :Z] from the projective Short Weierstrass curve $E_1(F_5P^2)$.


In [70]:
coordinates = [[0, 1, 0], [4, 3], [0,3, 0], [3, 1, 2], [0, 4, 1], [3, 4, 1], [4, 2, 1]]
points = [E11_F5(*point) for point in coordinates]

def get_log_index(p):
    return E11_F5_points.index(p) + 1

def log_sum(p1, p2):
    l, m = get_log_index(p1), get_log_index(p2)
    result = (l + m) * G
    assert result == p1 + p2
    print(f"{p1} + {p2} = ({l} + {m}) * G")
    return result

log_sum(points[0], points[1])
log_sum(points[2], points[3])
log_sum(points[4], points[5])
log_sum(points[1], points[6])

# --- [X :Y :Z]⊕[0:1:1]=[2:4:1] ---

p2 = E11_F5(0, 1)
p2_ind = get_log_index(p2)
p3 = E11_F5(2, 4)
p3_ind = get_log_index(p3)
x = (p3_ind - p2_ind) * G
x_ind = get_log_index(x)
assert x + p2 == p3
print(f"[X :Y :Z] = {x}")
print(f"[{x_ind}]G + [{p2_ind}]G = [{p3_ind}]G")


(0 : 1 : 0) + (4 : 3 : 1) = (9 + 7) * G
(0 : 1 : 0) + (4 : 3 : 1) = (9 + 7) * G
(0 : 4 : 1) + (3 : 4 : 1) = (8 + 4) * G
(4 : 3 : 1) + (4 : 2 : 1) = (7 + 2) * G
[X :Y :Z] = (3 : 1 : 1)
[5]G + [1]G = [6]G


## Exercise 69. 

Compare the affine addition law for Short Weierstrass curves with the projective addition rule. Which branch in the projective rule corresponds to which case in the affine law?
