In [1]:
import random

from ECC import inv_mod, ECC

ecc = ECC(
    p=10177,
    a=1,
    b=-1,
    g=(1, 1),
    n=10331,
)


class PollardRhoSequence:

    def __init__(self, point1, point2):
        self.point1 = point1
        self.point2 = point2

        self.add_a1 = random.randrange(1, ecc.n)
        self.add_b1 = random.randrange(1, ecc.n)
        self.add_x1 = ecc.add(
            ecc.mul(self.add_a1, point1),
            ecc.mul(self.add_b1, point2),
        )

        self.add_a2 = random.randrange(1, ecc.n)
        self.add_b2 = random.randrange(1, ecc.n)
        self.add_x2 = ecc.add(
            ecc.mul(self.add_a2, point1),
            ecc.mul(self.add_b2, point2),
        )

    def __iter__(self):
        partition_size = ecc.p // 3 + 1

        x = None
        a = 0
        b = 0

        while True:
            if x is None:
                i = 0
            else:
                i = x[0] // partition_size

            if i == 0:
                # x is either the point at infinity (None), or is in the first
                # third of the plane (x[0] <= ecc.p / 3).
                a += self.add_a1
                b += self.add_b1
                if x == self.add_x1:
                    x = ecc.double(x)
                else:
                    x = ecc.add(x, self.add_x1)
            elif i == 1:
                # x is in the second third of the plane
                # (ecc.p / 3 < x[0] <= ecc.p * 2 / 3).
                a *= 2
                b *= 2
                x = ecc.double(x)
            elif i == 2:
                # x is in the last third of the plane (x[0] > ecc.p * 2 / 3).
                a += self.add_a2
                b += self.add_b2
                x = ecc.add(x, self.add_x2)
            else:
                raise AssertionError(i)

            a = a % ecc.n
            b = b % ecc.n

            yield x, a, b


def log(p, q, counter=None):
    assert ecc.is_on_curve(p)
    assert ecc.is_on_curve(q)

    # Pollard's Rho may fail sometimes: it may find a1 == a2 and b1 == b2,
    # leading to a division by zero error. Because PollardRhoSequence uses
    # random coefficients, we have more chances of finding the logarithm
    # if we try again, without affecting the asymptotic time complexity.
    # We try at most three times before giving up.
    for i in range(3):
        sequence = PollardRhoSequence(p, q)

        tortoise = iter(sequence)
        hare = iter(sequence)

        # The range is from 0 to ecc.n - 1, but actually the algorithm will
        # stop much sooner (either finding the logarithm, or failing with a
        # division by zero).
        for j in range(ecc.n):
            x1, a1, b1 = next(tortoise)

            x2, a2, b2 = next(hare)
            x2, a2, b2 = next(hare)

            if x1 == x2:
                if b1 == b2:
                    # This would lead to a division by zero. Try with
                    # another random sequence.
                    break

                x = (a1 - a2) * inv_mod(b2 - b1, ecc.n)
                logarithm = x % ecc.n
                steps = i * ecc.n + j + 1
                return logarithm, steps

    raise AssertionError('logarithm not found')


x = random.randrange(1, ecc.n)
p = ecc.g
q = ecc.mul(x, p)

print('ecc: {}'.format(ecc))
print('ecc order: {}'.format(ecc.n))
print('p = (0x{:x}, 0x{:x})'.format(*p))
print('q = (0x{:x}, 0x{:x})'.format(*q))
print(x, '* p = q')

y, steps = log(p, q)
print('log(p, q) =', y)
print('Took', steps, 'steps')

assert x == y


ecc: y^2 = (x^3 + 1x - 1) mod 10177
ecc order: 10331
p = (0x1, 0x1)
q = (0x1bc6, 0x21e4)
2372 * p = q
log(p, q) = 2372
Took 216 steps
