In [78]:
from random import randrange
import math

In [79]:
def to_hex_64chunks(t):
    res = []
    while t > 0:
        res.append(t % 2^64)
        t = t >> 64
    return res

def hex_64chunks_to_string(chunks):
    res = [hex(chunk).upper().replace('X', 'x') for chunk in chunks]
    res_string = '{' + ', '.join(res) + '}'
    return res_string

def from_hex_64chunks(chunks):
    res = 0
    for chunk in chunks[::-1]:
        res = res << 64
        res += chunk
    return res

def get_prime_details(pow_2, pow_3, cofactor, bits):
    res = {}

    res["pow_2"] = pow_2
    res["pow_3"] = pow_3
    res["cofactor"] = cofactor

    p = 2^pow_2 * 3^pow_3 * cofactor - 1
    res["p"] = p
    res["p_bits"] = math.ceil(math.log2(p))

    R = 1 << bits
    res["R"] = R
    res["R_bits"] = bits

    p1 = int(1 + p)
    res["p1"] = p1
        
    px2 = p * 2
    res["px2"] = px2
    
    R = IntegerModRing(2^(bits))
    temp = R(p)
    temp = temp^-1
    temp = -1 * temp
    pinv_R = int(temp)
    res["pinv_R"] = pinv_R # Modulo AND additive inverse: p * pinv_R === -1 mod R

    P = IntegerModRing(p)
    R2 = 2^(bits * 2)
    temp = P(R2)
    R2_p = int(temp)
    res["R2_p"] = R2_p

    R = 2^(bits)
    temp = P(R)
    R_p = int(temp)
    res["R_p"] = R_p

    return res

def print_prime_details(prime_details):
    for key in prime_details.keys():
        if "bits" in key:
            print(key, ':', prime_details[key])
            continue
        print(key, ':', hex_64chunks_to_string(to_hex_64chunks(prime_details[key])))

def print_prime_details2(pow_2, pow_3, cofactor, bits):
    print('p = 2^{} * 3^{} * {} - 1'.format(pow_2, pow_3, cofactor))
    p = 2^pow_2 * 3^pow_3 * cofactor - 1
    
    print('p bits = {}'.format(math.log(p, 2)))

    print('prime')
    temp = p
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))

    print('primeplus1')
    temp = int(1 + p)
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))
        
    print('prime*2')
    temp = p * 2
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))
    
    print('Mont prime_inv mod R')
    R = IntegerModRing(2^(bits))
    temp = R(p)
    temp = temp^-1
    temp = -1 * temp
    temp = int(temp)
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))

    P = IntegerModRing(p)
    R2 = 2^(bits * 2)
    print('Mont R^2 mod prime')
    temp = P(R2)
    temp = int(temp)
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))

    print('Mont R mod prime')
    R = 2^(bits)
    temp = P(R)
    temp = int(temp)
    print(hex_64chunks_to_string(to_hex_64chunks(temp)))

def check_supersingular(p):
    F2.<a> = GF(p^2, modulus=x^2 + 1) # Note; not using GF(p^2) because of a limitation in Sage
    A = F2(6)
    B = F2(1)
    C = F2(1)
    S = B^1 * (1 - A^2/3)
    T = B^3 * A / 3 * (2*A^2/9 - 1)
    E = EllipticCurve(F2, [S, T]) # v^2 = u^3 + (B^2(1 - A^2/3))u + B^3 * A / 3(2A^2/9 - 1)
    return E.is_supersingular()

def to_mont(prime_details, elem):
    return (elem << prime_details["R_bits"]) % prime_details["p"]

def mont_red(prime_details, m_elem):
    m = ((m_elem & ((1 << prime_details["R_bits"]) - 1)) * prime_details["pinv_R"]) & ((1 << prime_details["R_bits"]) - 1)
    t = (m_elem + m * prime_details["p"]) >> prime_details["R_bits"]
    if t >= prime_details["p"]:
        print("@@@@@@@")
        return t - prime_details["p"]
    else:
        return t

def compute_y(E, x):
    R.<y> = PolynomialRing(E.base_ring())
    a = E.a_invariants()
    L = (y^2 + (a[0]*x + a[2])*y - (x^3 + a[1]*x^2 + a[3]*x + a[4])).roots()
    return [l[0] for l in L]

def gen_2ea_generators(E, prime_details, mont_gen=False):
    ea = prime_details["pow_2"]
    eb = prime_details["pow_3"]
    while(True):
        P = (3**eb) * E.random_point()
        # Check if order of P is correct,
        # and if we are generating points from a Montgomery curve E, that 2^ea(P) is not (0 : 0 : 1)
        if P.order() == (2**ea) and (not mont_gen or 2**(ea - 1) * P != E(0, 0)):
            while(True):
                Q = (3**eb) * E.random_point()
                # Check if order of Q is correct
                if Q.order() == (2**ea):
                    # Now check if P and Q are linearly independent
                    if (2**(ea - 1) * P != 2**(ea - 1) * Q):
                        # And if we are generating points from a Montgomery curve E, that 2^ea(Q) is (0 : 0 : 1)
                        if (not mont_gen) or  2**(ea - 1) * Q == E(0, 0):
                            return P, Q


def gen_mont_2ea_generators(A, B, prime_details):
    # Get the isomorphic short Weierstrass Model
    # https://eprint.iacr.org/2017/212.pdf, 2.4
    F.<a> = GF(prime_details['p']^2, modulus=x^2 + 1)
    E2 = EllipticCurve([B^2*(1 - A^2/3), B^3 * (A/3) * ((2*A^2)/9 - 1)])
    while(True):
        wP, wQ = gen_2ea_generators(E2, prime_details, mont_gen=False)
        mP0 = wP[0] / B - A/3
        mP1 = wP[1] / (B^2)
        mQ0 = wQ[0] / B - A/3
        mQ1 = wQ[1] / (B^2)

        # Some assertions to check if P, Q are indeed of the right order
        ea = prime_details["pow_2"]
        P0 = mP0
        Q0 = mQ0
        for j in range(ea - 1):
            P0 = ((P0^2 - 1)^2)/(4*P0*(P0^2 + A*P0 + 1))
            Q0 = ((Q0^2 - 1)^2)/(4*Q0*(Q0^2 + A*Q0 + 1))
        assert(4*P0*(P0^2 + A*P0 + 1) == 0)
        assert(4*Q0*(Q0^2 + A*Q0 + 1) == 0) # The last xDBL should be not possible, since we go to inf
        assert(P0 != Q0)                    # They should also be linearly independent
    
        if (P0 != 0 and Q0 != 0):
            # We want one of the generator points to be (0 : 0 : 1) when multiplied by 2^ea
            continue
        else:
            if (P0 == 0):
                return {
                    "P0": mQ0,
                    "P1": mQ1,
                    "Q0": mP0,
                    "Q1": mP1
                }
            else:                
                return {
                    "P0": mP0,
                    "P1": mP1,
                    "Q0": mQ0,
                    "Q1": mQ1
                }
        


        
def get_isog(E, R, l):
    """ Calculate the (codomain of the) isogeny using SageMath's implementation.

    Keyword arguments:
    E -- the domain elliptic curve
    R -- the point in E with order l^e, which generates the kernel of isogeny
    l -- the exponent base of order of R
    """
    ord = int(math.log(R.order(), l))
    RA = R
    EA = E
    # Pushing kernel point through each consecutive isogeny
    # TODO Use strategy 
    for i in range(ord - 1, 0, -1):
        next_kernel_point = (l**i) * RA
        isog = EA.isogeny(next_kernel_point)
        EA = isog.codomain()
        RA = isog(RA)
    return EA

# Calculate the (codomain of the) isogeny using Montgomery formulas
def get_mont_2_isog(E, R):
    """ Calculate the (Montgomery form of the codomain of the) isogeny using Montgomery formulas

    Keyword arguments:
    E -- the domain elliptic curve, in Montgomery form By^2 = x^3 + Ax^2 + x. (B = 1)
    R -- the point in E with order 2^e, which generates the kernel of isogeny
    """
    # Verify E is in the right Montgomery form
    a = E.a_invariants()
    assert(a[0] == a[2] == a[4] == 0 and a[3] == 1)

    ord = int(math.log(R.order(), 2))
    A = a[1]
    B = E.base_ring()(1)
    RAx = R[0]
    T.<x> = PolynomialRing(E.base_ring())
    
    for i in range(ord - 1, 0, -1):
        # Apply Montgomery xDBL formula to get the x-coordinate of next 2-order kernel point
        # https://eprint.iacr.org/2017/212.pdf, 3.1 eq 8
        next_kernel_x = RAx
        for j in range(i):
            next_kernel_x = ((next_kernel_x^2 - 1)^2)/(4*next_kernel_x*(next_kernel_x^2 + A*next_kernel_x + 1))

        # Rational x-coordinate map for isogeny
        isog_x = x*(x*next_kernel_x - 1)/(x - next_kernel_x)
        # Push initial kernel generator point x-coordinate through isogeny
        RAx = isog_x(x=RAx)
        # Coefficient of Montgomery curve codomain
        A = 2*(1 - 2*next_kernel_x^2)
        B = next_kernel_x*B
    return {
        "A": A,
        "B": B
    }

def gen_claw_instance(E, prime_details, P, Q):
    # (exponent of) Order of kernel point
    ea      = prime_details["pow_2"]
    ea_h    = ea / 2
    # Kernel point
    s = randrange(0, 2**ea)
    R = P + s*Q
    Rea_h = (2**int(ea_h)) * R
    # Generating codomains of isogenies
    #   By Sage functions
    mid_E_EA    = get_isog(E, Rea_h, 2)
    wEA         = get_isog(E, R, 2)
    wPA, wQA    = gen_2ea_generators(wEA, prime_details)
    #   By Montgomery formulas
    mEA         = get_mont_2_isog(E, R)
    mGens       = gen_mont_2ea_generators(mEA["A"], mEA["B"], prime_details)
     # Check if the two codomains (Sage vs Mont formulas) are isomorphic
    assert(wEA.j_invariant() == 256*(mEA["A"]^2 -3)^3/(mEA["A"]^2 - 4))
    return {
        "P0": P[0],
        "P1": P[1],
        "Q0": Q[0],
        "Q1": Q[1],
        "E_A": E.a_invariants()[1],
        "E_B": E.base_ring()(1),
        "mid_jinv": mid_E_EA.j_invariant(),
        "PA0": mGens["P0"],
        "PA1": mGens["P1"],
        "QA0": mGens["Q0"],
        "QA1": mGens["Q1"],
        "EA_A": mEA["A"],
        "EA_B": mEA["B"],
    }

In [80]:
# Wrapping in a function to mute output, and for posterity
def gen_supersingular_curves():
    BITS = 64
    log3_2 = math.log(2, 3)
    for pow_2 in range(10, 32):
        for pow_3 in range(math.floor(log3_2 * pow_2) - 5, math.floor(log3_2 * pow_2) + 5):
            if is_prime(2^pow_2 * 3^pow_3 - 1):
                if 1/5 <= 2^pow_2 /  3^pow_3 <= 5/1:
                    p = 2^pow_2 * 3^pow_3 - 1
                    if check_supersingular(p):
                        print_prime_details(get_prime_details(pow_2, pow_3, 1, BITS))
                        print('')
    print_prime_details(get_prime_details(32, 20, 23, 128))

In [81]:
# Wrapping in a function to mute output, and for posterity
def verify_p434():
    lA, lB = 2, 3
    eA, eB = 216, 137 # p434 = 2^216*3^137-1
    p = lA ^ eA * lB ^ eB - 1
    assert p.is_prime()
    assert p % 4 == 3 # Necessary for below curve to be supersingular.
    #print("Is supersingular: ", check_supersingular(p))
    prime_details = get_prime_details(eA, eB, 1, 448)
    print_prime_details(prime_details)
    assert(p == from_hex_64chunks(to_hex_64chunks(p)))

    F2.<a> = GF(p^2, modulus=x^2 + 1)
    A = F2(6)
    B = F2(1)
    C = F2(1)
    S = B^1 * (1 - A^2/3)
    T = B^3 * A / 3 * (2*A^2/9 - 1)
    E = EllipticCurve(F2, [0, A, 0, 1, 0])
    print(E)

    m_xPA0 = from_hex_64chunks([0x05ADF455C5C345BF, 0x91935C5CC767AC2B, 0xAFE4E879951F0257, 0x70E792DC89FA27B1, 0xF797F526BB48C8CD, 0x2181DB6131AF621F, 0x00000A1C08B1ECC4])
    m_xPA1 = from_hex_64chunks([0x74840EB87CDA7788, 0x2971AA0ECF9F9D0B, 0xCB5732BDF41715D5, 0x8CD8E51F7AACFFAA, 0xA7F424730D7E419F, 0xD671EB919A179E8C, 0x0000FFA26C5A924A])

    m_xQA0 = from_hex_64chunks([0xFEC6E64588B7273B, 0xD2A626D74CBBF1C6, 0xF8F58F07A78098C7, 0xE23941F470841B03, 0x1B63EDA2045538DD, 0x735CFEB0FFD49215, 0x0001C4CB77542876])
    m_xQA1 = from_hex_64chunks([0xADB0F733C17FFDD6, 0x6AFFBD037DA0A050, 0x680EC43DB144E02F, 0x1E2E5D5FF524E374, 0xE2DDA115260E2995, 0xA6E4B552E2EDE508, 0x00018ECCDDF4B53E])

    m_xRA0 = from_hex_64chunks([0x01BA4DB518CD6C7D, 0x2CB0251FE3CC0611, 0x259B0C6949A9121B, 0x60E17AC16D2F82AD, 0x3AA41F1CE175D92D, 0x413FBE6A9B9BC4F3, 0x00022A81D8D55643])
    m_xRA1 = from_hex_64chunks([0xB8ADBC70FC82E54A, 0xEF9CDDB0D5FADDED, 0x5820C734C80096A0, 0x7799994BAA96E0E4, 0x044961599E379AF8, 0xDB2B94FBF09F27E2, 0x0000B87FC716C0C6])

    xPA0 = mont_red(prime_details, m_xPA0)
    xPA1 = mont_red(prime_details, m_xPA1)
    xPA = F2(xPA0 + xPA1 * a)
    yPA_roots = compute_y(E, xPA)
    #print(yPA_roots)

    PA1 = E(xPA, yPA_roots[0])
    PA2 = E(xPA, yPA_roots[1])

    xQA0 = mont_red(prime_details, m_xQA0)
    xQA1 = mont_red(prime_details, m_xQA1)
    xQA = F2(xQA0 + xQA1 * a)
    yQA_roots = compute_y(E, xQA)
    #print(yQA_roots)

    QA1 = E(xQA, yQA_roots[0])
    QA2 = E(xQA, yQA_roots[1])

    xRA0 = mont_red(prime_details, m_xRA0)
    xRA1 = mont_red(prime_details, m_xRA1)
    xRA = F2(xRA0 + xRA1 * a)

    print("2^eA:\t\t", 2^eA)
    print("Order PA:\t", PA1.order())
    print("Order QA:\t", QA1.order())
    print("Order PA + QA:\t", (PA1 + QA1).order())

    print("xRA:\t\t", xRA)
    print((PA1 - QA1)[0] == xRA)
    print((PA2 - QA1)[0] == xRA)
    print((PA1 - QA2)[0] == xRA)
    print((PA2 - QA2)[0] == xRA)

    m_xPB0 = from_hex_64chunks([0x6E5497556EDD48A3, 0x2A61B501546F1C05, 0xEB919446D049887D, 0x5864A4A69D450C4F, 0xB883F276A6490D2B, 0x22CC287022D5F5B9, 0x0001BED4772E551F])
    m_xPB1 = from_hex_64chunks([0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000])

    m_xQB0 = from_hex_64chunks([0xFAE2A3F93D8B6B8E, 0x494871F51700FE1C, 0xEF1A94228413C27C, 0x498FF4A4AF60BD62, 0xB00AD2A708267E8A, 0xF4328294E017837F, 0x000034080181D8AE])
    m_xQB1 = from_hex_64chunks([0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000])

    m_xRB0 = from_hex_64chunks([0x283B34FAFEFDC8E4, 0x9208F44977C3E647, 0x7DEAE962816F4E9A, 0x68A2BA8AA262EC9D, 0x8176F112EA43F45B, 0x02106D022634F504, 0x00007E8A50F02E37])
    m_xRB1 = from_hex_64chunks([0xB378B7C1DA22CCB1, 0x6D089C99AD1D9230, 0xEBE15711813E2369, 0x2B35A68239D48A53, 0x445F6FD138407C93, 0xBEF93B29A3F6B54B, 0x000173FA910377D3])

    xPB0 = mont_red(prime_details, m_xPB0)
    xPB1 = mont_red(prime_details, m_xPB1)
    xPB = F2(xPB0 + xPB1 * a)
    yPB_roots = compute_y(E, xPB)
    #print(yPB_roots)

    PB1 = E(xPB, yPB_roots[0])
    PB2 = E(xPB, yPB_roots[1])

    xQB0 = mont_red(prime_details, m_xQB0)
    xQB1 = mont_red(prime_details, m_xQB1)
    xQB = F2(xQB0 + xQB1 * a)
    yQB_roots = compute_y(E, xQB)
    #print(yQB_roots)

    QB1 = E(xQB, yQB_roots[0])
    QB2 = E(xQB, yQB_roots[1])

    xRB0 = mont_red(prime_details, m_xRB0)
    xRB1 = mont_red(prime_details, m_xRB1)
    xRB = F2(xRB0 + xRB1 * a)

    print("3^eB:\t\t", 3^eB)
    print("Order PB:\t", PB1.order())
    print("Order QB:\t", QB1.order())
    print("Order PB + QB:\t", (PB1 + QB1).order())

    print("xRB:\t\t", xRB)
    print((PB1 - QB1)[0] == xRB)
    print((PB2 - QB1)[0] == xRB)
    print((PB1 - QB2)[0] == xRB)
    print((PB2 - QB2)[0] == xRB)

In [82]:
lA, lB = 2, 3
eA, eB = 22, 15 # p63 = 2^22*3^15-1
p = lA ^ eA * lB ^ eB - 1
assert p.is_prime()
prime_details = get_prime_details(eA, eB, 1, 64)
print_prime_details(prime_details)
assert(p == from_hex_64chunks(to_hex_64chunks(p)))

F2.<a> = GF(p^2, modulus=x^2 + 1)
A = F2(6)
B = F2(1)
C = F2(1)
S = B^1 * (1 - A^2/3)
T = B^3 * A / 3 * (2*A^2/9 - 1)
E = EllipticCurve(F2, [0, A, 0, 1, 0])
print(E, E.is_supersingular())

pow_2 : {0x16}
pow_3 : {0xF}
cofactor : {0x1}
p : {0x36BC9ABFFFFF}
p_bits : 46
R : {0x0, 0x1}
R_bits : 64
p1 : {0x36BC9AC00000}
px2 : {0x6D79357FFFFE}
pinv_R : {0xA78BC6BC9AC00001}
R2_p : {0x25512E2FF61A}
R_p : {0x172AE9C4AD4B}
Elliptic Curve defined by y^2 = x^3 + 6*x^2 + x over Finite Field in a of size 60183678025727^2 True


In [83]:
P, Q = gen_2ea_generators(E, prime_details, mont_gen=True)
#print((2**(prime_details["pow_2"] - 1)) * P)
#print((2**(prime_details["pow_2"] - 1)) * Q)

claw_instance = gen_claw_instance(E, prime_details, P, Q)
for key in claw_instance.keys():
    print(key, ":\t", claw_instance[key])

P0 :		 9490514127007*a + 4631112608222
P1 :		 15294593243251*a + 56606521578175
Q0 :		 48040053775370*a + 55040460647431
Q1 :		 11843866221208*a + 58424386223555
E_A :		 6
E_B :		 1
mid_jinv :		 35283759357584*a + 59400151499685
PA0 :		 39146709939874*a + 11041382472738
PA1 :		 53763376490230*a + 6441735989315
QA0 :		 36266232019839*a + 59011533623142
QA1 :		 51518234471929*a + 47208515205880
EA_A :		 29001917383053*a + 12865911282797
EA_B :		 27071760411401*a + 8214298668176
