#  <font color="green">Implementation of IdealToIsogeny algorithm</font>

## <font color="green">0. Prime Search</font>

## <font color="green">1. Prerequisites</font>

### Load required libraries

In [272]:
load('const.sage')
load('quaternion_tools.sage')
load('isogeny.sage')

In [None]:
load('isogeny.sage')


In [21]:
set_verbose(-1)
load('idiso.sage')

I: (1/2 + 3/2*QA_i + 4881/2*QA_j + 28707/2*QA_k, 5/2*QA_i + 2343/2*QA_j + 8688*QA_k, 3125*QA_j + 6250*QA_k, 15625*QA_k)
I1 : Fractional ideal (1/2 + 3/2*QA_i + 1/2*QA_j + 7/2*QA_k, 5/2*QA_i + 1/2*QA_j + QA_k, QA_j + 2*QA_k, 5*QA_k)
do eval test..
after 22 : (362778324138479241673648472972832454050790923971670*Fp2_i^2 + 198063490804717206341393068574377353339257489132991, 136405556493094555904276400543722393363446357027691*Fp2_i^2 + 237919746714753070465744769893674644217600154721983, 357348830087998933739062898640950762859207722892112*Fp2_i^2 + 314917556908378411867604271796545291745459363591218)
0-th curve : (112790356202843159708344289856167771097505084570407*Fp2_i^2 + 62818312445422349304566296359128181285361854522043, 139244931963911233081355780275952881006452982478289*Fp2_i^2 + 370298178899256366367887897034908481454262787929777, 49784560897897982864690463775025563753570653900829*Fp2_i^2 + 283057436111415572038043209386316020370325534703931)
1-th curve : (5955365179928916674393450

KeyboardInterrupt: 

### Cornaccia algorithm

In [273]:
def cornacchia(d, m):
    try: 
        (x,y) = DiagonalQuadraticForm(QQ, [1,d]).solve(m)
        if not x.is_integer() or not y.is_integer() : raise Exception("No solution")
        return x, y
    except: raise Exception("No solution")

## <font color="green">2. Setting the lab environment</font>

### 1. Get a random ideal $I$ of norm $\ell^e$

In [274]:
I = GetRandomIdealElle()
assert(I.norm() == ell^6)

### 2. Extract the first ideal factor $I_1$
+ $I = I_1 \cdot I_2 \cdot ... \cdot I_k$ and $n(I_i) = \ell$

In [275]:
ellO0 = QA.ideal(O0.basis()).scale(ell)
I1 = AddIdeal(I, ellO0)

### 3. Compute corresponding isogeny $\phi_1$ to $I_1$
+ $ker(\phi_1) = ker(I_1)$

In [276]:
#load('isogeny.sage')
phi1_kernel_generator = left_O0_ideal_to_isogeny_kernel(I1)
phi1 = Isogeny(Fp(0), phi1_kernel_generator, 2^e1*3^e2*ell)
assert(I1.norm() == ell)

### 4. Get the codomain curve $E_1$ of $\phi_1$ and the dual isogeny $\hat{\phi}_1$

In [277]:
E1 = phi1.codomain_curve
phi1_dual = phi1.dual_isogeny()

In [278]:
cofactor = phi1_dual.domain_P.order() // 3^16
T = cofactor * phi1_dual.codomain_P
ellT = phi1.eval(T)
if ellT != phi1.degree * cofactor * phi1_dual.domain_P:
    phi1_dual.codomain_P *= -1
    phi1_dual.codomain_Q *= -1
    assert -ellT == phi1.degree * cofactor * phi1_dual.domain_P
else: assert ellT == phi1.degree * cofactor * phi1_dual.domain_P

T = cofactor * phi1.codomain_P
ellT = phi1_dual.eval(T)
assert ellT == phi1_dual.degree * cofactor * phi1.domain_P

### 5. Compute the right order $\mathcal{O}_1$ of $I_1$
+ $\mathcal{O}_1 \cong End(E_1)$

In [279]:
O1 = I1.right_order()

### 6. Extract the second ideal factor $I_2$
+ $\bar{I_1} I \cap \ell \mathcal{O}_1 = I_2$

In [280]:
I2 = I1.conjugate() * I
I2 = I2.scale(1/ell)
ellO1 = QA.ideal(O1.basis()).scale(ell)
I2 = AddIdeal(I2, ellO1)

assert(I2.norm() == ell and I2.left_order() == O1)

## <font color="green">3. Experiments</font>

+ Compute the generator $\alpha_2$ of $I_2$ such that $I_2 = \alpha_2 \mathcal{O_1} + \ell \mathcal{O_1}$
+ Hopefully $n(\alpha_2)$ is as small as possible
+ Note that $\alpha_2 \in I_2 \subset \mathcal{O}_1$

In [281]:
I2_generator = ideal_generator(I2)

+ Compute the reduced basis $\{o_{11}, o_{12}, o_{13}, o_{14}\}$ of $\mathcal{O_1}$

In [282]:
O1_basis = GetReducedBasis(O1.basis())

+ Try to find the $\beta \in \mathcal{O}_1$ such that $n(\alpha_2) + n(\beta) = 2^{e_1}\cdot 3^{e_2} | \sqrt{\#E_1(\mathbb{F}_{p^k})}$
+ $\mathrm{ord}_{2}(\#E_1(\mathbb{F}_{p^k})) \approx \mathrm{ord}_2(\#E_1(\mathbb{F}_{p^2}))=2 \times \mathrm{ord}_2(p+1)$ regardless of the extension size $k$
    + So it must be satisfied that $2^e < (p+1)$
+ Find the coefficients $\{c_1, c_2, c_3, c_4\}$ such that $n(\beta) = n(\sum_{i}{c_i o_{1i}}) = 2^e - n(\alpha_2)$

In [283]:
import random
I2_basis = GetReducedBasis(I2.basis())
I2_generator = I2_basis[2]
e1 = 148
e2 = 16
gram = matrix([[1,0,0,0],[0,1,0,0],[0,0,prime,0],[0,0,0,prime]])
M_O1 = matrix([vector(v.coefficient_tuple()) for v in O1_basis])
G = M_O1 * gram * M_O1.transpose()

x0,x1 = 0, 0
k = 100
for i in range(k^2):
    I2_gen = I2_generator + random.randint(-k, k) * I2_basis[1] + random.randint(-k, k) * I2_basis[0]
    if gcd(I2_gen.reduced_norm() ,6) != 1: continue
    target = 2^e1*3^e2 - I2_gen.reduced_norm()
    assert target > 0
    if kronecker(-G[1][1], target) != 1: continue
    try:
        x0,x1 = cornacchia(G[1][1], target)
        break
    except:
        print("no solution of cornacchia algorithm")
beta = O1_basis[0]*x0 + O1_basis[1]*x1
print((beta.reduced_norm() + I2_gen.reduced_norm()).factor())
assert gcd(beta.reduced_norm(), I2_gen.reduced_norm()) == 1

no solution of cornacchia algorithm
no solution of cornacchia algorithm
no solution of cornacchia algorithm
no solution of cornacchia algorithm
no solution of cornacchia algorithm
no solution of cornacchia algorithm
no solution of cornacchia algorithm
2^148 * 3^16


In [284]:
N = 2^e1*3^e2
N_alpha = I2_gen.reduced_norm()
N_beta = beta.reduced_norm()
x_value = Integer(mod(N_beta, N)^-1)

In [285]:
P1, Q1 = get_basis(E1, N)

In [286]:
psi_P1 = eval_endomorphism(x_value * I2_gen * beta, P1, N, phi1, phi1_dual)
psi_Q1 = eval_endomorphism(x_value * I2_gen * beta, Q1, N, phi1, phi1_dual)

In [287]:
points = [P1, Q1, psi_P1, psi_Q1]
points = [E1((e[0], e[1])) for e in points]
assert points[0].weil_pairing(points[1], N)*points[2].weil_pairing(points[3], N) == 1
ell_P, ell_Q = get_basis(E1, ell)
points = points + [ell_P, ell_Q]


In [288]:
load('../01. jacobian_isogeny/22_isogeny.sage')
points = [(points[0], points[2]), (points[1], points[3]), (points[4], E1(0)), (points[5], E1(0))]
a, b = 148, 16
kernel2 = [(3^b*2^(a-1)*D[0], 3^b*2^(a-1)*D[1]) for D in [points[0], points[1]]]
E_start = E1
h, points, isog = Gluing22(E_start, E_start, kernel2, eval_points = points)

In [289]:
kernel22 = [3^b * 2 * D for D in points[:2]]
j, points = isogeny_22(kernel22, points, a-2)

In [290]:
load('../01. jacobian_isogeny/33_isogeny.sage')
kernel33 = [2 * D for D in points[:2]]
j, points = isogeny_33(kernel33, points, b)

In [291]:
G1 = points[0][0]
G2 = points[1][0]
h = j.curve().hyperelliptic_polynomials()[0]
G3, r3 = h.quo_rem(G1*G2)
assert r3 == 0
delta = Matrix(G.padded_list(3) for G in (G1, G2, G3))
assert delta.determinant() == 0

AssertionError: 

In [None]:
assert False

In [292]:
import random
load('../01. jacobian_isogeny/22_isogeny.sage')
load('../01. jacobian_isogeny/33_isogeny.sage')

# I2_gen = -219 + 4901/10*QA_i + 1/10*QA_j
# beta = 4335595445855235293281540 - 123842055992385158191272201*QA_i

for case in range(10):
    I2_basis = GetReducedBasis(I2.basis())
    I2_generator = I2_basis[2]
    assert IdealContains(I2, I2_generator)
    gram = matrix([[1,0,0,0],[0,1,0,0],[0,0,prime,0],[0,0,0,prime]])
    M_O1 = matrix([vector(v.coefficient_tuple()) for v in O1_basis])
    G = M_O1 * gram * M_O1.transpose()

    x0,x1 = 0, 0
    k = 100
    for i in range(k^2):
        I2_gen = I2_generator + random.randint(-k, k) * I2_basis[1] + random.randint(-k, k) * I2_basis[0]
        assert IdealContains(I2, I2_gen)
        if gcd(I2_gen.reduced_norm() ,6) != 1: continue
        target = 2^e1*3^e2 - I2_gen.reduced_norm()
        assert target > 0
        if kronecker(-G[1][1], target) != 1: continue
        try:
            x0,x1 = cornacchia(G[1][1], target)
            break
        except:
            continue
    beta = O1_basis[0]*x0 + O1_basis[1]*x1
    assert beta.reduced_norm() + I2_gen.reduced_norm() == 2^e1*3^e2
    assert gcd(beta.reduced_norm(), I2_gen.reduced_norm()) == 1
    print(I2_gen)
    print(I2_gen.reduced_norm().factor())
    print(beta)
    print(beta.reduced_norm().factor())

    N = 2^e1*3^e2
    N_alpha = I2_gen.reduced_norm()
    N_beta = beta.reduced_norm()
    x_value = Integer(mod(N_beta, N)^-1)

    P1, Q1 = get_basis(E1, N)

    psi_P1 = eval_endomorphism(x_value * I2_gen * beta, P1, N, phi1, phi1_dual)
    psi_Q1 = eval_endomorphism(x_value * I2_gen * beta, Q1, N, phi1, phi1_dual)

    points = [P1, Q1, psi_P1, psi_Q1]
    points = [E1((e[0], e[1])) for e in points]
    assert points[0].weil_pairing(points[1], N)*points[2].weil_pairing(points[3], N) == 1
    ell_P, ell_Q = get_basis(E1, ell)
    points = points + [ell_P, ell_Q]

    points = [(points[0], points[2]), (points[1], points[3]), (points[4], E1(0)), (points[5], E1(0))]
    a, b = 148, 16
    kernel2 = [(3^b*2^(a-1)*D[0], 3^b*2^(a-1)*D[1]) for D in [points[0], points[1]]]
    E_start = E1
    h, points, isog = Gluing22(E_start, E_start, kernel2, eval_points = points)
    print(h.clebsch_invariants())

    kernel22 = [3^b * 2 * D for D in points[:2]]
    j, points = isogeny_22(kernel22, points, a-2)
    print(j.curve().clebsch_invariants())

    kernel33 = [2 * D for D in points[:2]]
    j, points = isogeny_33(kernel33, points, b)
    print(j.curve().clebsch_invariants())

    G1 = points[0][0]
    G2 = points[1][0]
    h = j.curve().hyperelliptic_polynomials()[0]
    G3, r3 = h.quo_rem(G1*G2)
    assert r3 == 0
    delta = Matrix(G.padded_list(3) for G in (G1, G2, G3))
    if delta.determinant() == 0 : print("%d : success"%(case))
    else : print("%d : failed"%(case))

-119/2 + 8187/5*QA_i + 1/10*QA_k
5 * 617 * 3095231 * 254477753 * 6143867688449 * 263313212863566673
-54397141268751875176457746 - 111340034318652124964365095*QA_i
17 * 903273660017128313244259286235441518771084269279973
(275163641574147341286342636615268997963025253443512*Fp2_i^2 + 127258123306713697290654408996451444021032234320713, 51849276886004677844110823478614362619037642476950*Fp2_i^2 + 126581677345831093266058328756978088780713505522484, 137753882013535313180246968109314666939050388323212*Fp2_i^2 + 259644353601331498907500495596110649496776198672506, 343621639322740477319632199096065844233355806854537*Fp2_i^2 + 289051410753426258211847701543361084118248948184545)
(164025938127979491722251243836773452666487762158528*Fp2_i^2 + 226194617743853738522896606325183714635902096980253, 149647007282438276133983737949388803637845117594139*Fp2_i^2 + 320757210107259860435924711308399126343809765009848, 77185444335740032711463886266687454760667777161615*Fp2_i^2 + 2791294121980468002217866550

KeyboardInterrupt: 

In [None]:
load('../01. jacobian_isogeny/22_isogeny.sage')
kernel22 = [D for D in points[:2]]
prodE, eval_points = Splitting22(kernel22, [points[2], points[3]])

In [None]:
print(eval_points)

[((217681384236001118232143045409478000596796809013471*Fp2_i^2 + 213052435544866963096056658728022462815072557879709 : 217575137782513305318290947178346955315997005146879*Fp2_i^3 + 354512674135835281378964823815002048206768340628496*Fp2_i : 1), (157271264800523852986476289815525272233912789229822*Fp2_i^2 + 56880086213987454445252619131375661647846608821902 : 144777345766818464557002921507128515193559612507604*Fp2_i^3 + 249949666982062834605542624331672405197171330592696*Fp2_i : 1)), ((366001795385812304401668034514116123212454592161177*Fp2_i^2 + 268360151052555436165135994966191533776122252746445 : 354151999919731032642549544607893411255953191331973*Fp2_i^3 + 309251391409297574738728199143362245425129164853364*Fp2_i : 1), (341999281521453162741513911253593759989459549463812*Fp2_i^2 + 191476377378440474857750183759707383215810818261188 : 211765567622185912025873313411961799971766465496595*Fp2_i^3 + 7811662083241675113916649488081804563423427885595*Fp2_i : 1))]


In [None]:
assert E1.j_invariant() in [T.j_invariant() for T in prodE]
P, Q = E1(0), E1(0)
if prodE[0].j_invariant() == E1.j_invariant():
    P, Q = eval_points[0][0], eval_points[1][0]
else:
    P, Q = eval_points[0][1], eval_points[1][1]

second_kernel = E1(0)
if P.is_zero(): second_kernel = ell_Q
elif Q.is_zero(): second_kernel = ell_P
else:
    assert P.weil_pairing(Q, P.order()) == 1

    r = P.discrete_log(Q)
    second_kernel = ell_P * r - ell_Q
print("second kernel :", second_kernel)


second kernel : (190109187736188721217378289285843068400227307187967*Fp2_i^2 + 215889668914670661327335186988343309364958840599297 : 326102712949964461182852671185483986295906132819430*Fp2_i^2 + 335029515558269756534411781187261354934571241310845 : 1)


In [None]:
O2 = I2.right_order()

In [None]:
I3 = I2.conjugate() * I1.conjugate() * I
I3 = I3.scale(ell^-2)
ellO2 = QA.ideal(O2.basis()).scale(ell)
I3 = AddIdeal(I3, ellO2)
assert I3.norm() == ell and I3.left_order() == O2

In [None]:
load('isogeny.sage')
phi2 = Isogeny(phi1.codomain_coeff, second_kernel, 2^e1*3^e2*ell)

In [None]:
load('isogeny.sage')
E2 = phi2.codomain_curve
phi2_dual = phi2.dual_isogeny()

In [None]:
cofactor = phi2_dual.domain_P.order() // 3^16
T = cofactor * phi2_dual.codomain_P
ellT = phi2.eval(T)
if ellT != phi2.degree * cofactor * phi2_dual.domain_P:
    phi2_dual.codomain_P *= -1
    phi2_dual.codomain_Q *= -1
    assert -ellT == phi2.degree * cofactor * phi2_dual.domain_P
else: assert ellT == phi2.degree * cofactor * phi2_dual.domain_P

T = cofactor * phi2.codomain_P
ellT = phi2_dual.eval(T)
assert ellT == phi2_dual.degree * cofactor * phi2.domain_P

In [None]:
I3_generator = ideal_generator(I3)

In [None]:
O2_basis = GetReducedBasis(O2.basis())

### Computing $\beta$ such that $n(\beta) + n(\alpha_3) = 2^{e_1}\times 3^{e_2}$

In [None]:
import random
I3_basis = GetReducedBasis(I3.basis())
I3_generator = I3_basis[2]
e1 = 148
e2 = 16
gram = matrix([[1,0,0,0],[0,1,0,0],[0,0,prime,0],[0,0,0,prime]])
M_O2 = matrix([vector(v.coefficient_tuple()) for v in O2_basis])
G = M_O2 * gram * M_O2.transpose()

x,y = 0, 0
k = 100
for i in range(k^2):
    I3_gen = I3_generator + random.randint(-k, k) * I3_basis[1] + random.randint(-k, k) * I3_basis[0]
    if gcd(I3_gen.reduced_norm() ,6) != 1: continue
    target = 2^e1*3^e2 - I3_gen.reduced_norm()
    assert target > 0
    if kronecker(-G[1][1], target) != 1: continue
    try:
        x,y = cornacchia(G[1][1], target)
        break
    except:
        continue
beta = O2_basis[0]*x + O2_basis[1]*y
assert (beta.reduced_norm() + I3_gen.reduced_norm()) == 2^e1*3^e2
assert gcd(beta.reduced_norm(), I3_gen.reduced_norm()) == 1

### Compute $x \equiv \beta^{-1} \mod N$ 

In [None]:
N = 2^e1*3^e2
N_alpha = I3_gen.reduced_norm()
N_beta = beta.reduced_norm()
x_value = Integer(mod(N_beta, N)^-1)

In [None]:
P1, Q1 = get_basis(phi2.codomain_curve, N)
E2.is_on_curve(P1[0], P1[1])

True

In [None]:
load('isogeny.sage')
isog = IsogenyChain([phi1, phi2])
isog_dual = IsogenyChain([phi2_dual, phi1_dual])
psi_P1 = eval_endomorphism(x_value * I3_gen * beta, P1, N, isog, isog_dual)
psi_Q1 = eval_endomorphism(x_value * I3_gen * beta, Q1, N, isog, isog_dual)

#### Check if $e_N((P, \phi(P)), (Q, \phi(Q))) = e_N(P, Q)\cdot e_N(\phi(P), \phi(Q))$
+ where $\phi = [x] \circ \theta_{\alpha} \circ \theta_{\beta}$
+ $\theta_{\alpha}$ and $\theta_{\beta}$ are separable endomorphisms

In [None]:
points = [P1, Q1, psi_P1, psi_Q1]
points = [E2((e[0], e[1])) for e in points]
assert points[0].weil_pairing(points[1], N)*points[2].weil_pairing(points[3], N) == 1
[ell_P, ell_Q] = get_basis(E2, ell)
points = points + [ell_P, ell_Q]

### Computing Isogeny in hyperelliptic curves

In [None]:
load('../01. jacobian_isogeny/22_isogeny.sage')
points = [(points[0], points[2]), (points[1], points[3]), (points[4], E1(0)), (points[5], E1(0))]
a, b = 148, 16
kernel2 = [(3^b*2^(a-1)*D[0], 3^b*2^(a-1)*D[1]) for D in [points[0], points[1]]]
E_start = E2
h, points, isog = Gluing22(E_start, E_start, kernel2, eval_points = points)

In [None]:
kernel22 = [3^b * 2 * D for D in points[:2]]
j, points = isogeny_22(kernel22, points, a-2)

In [None]:
load('../01. jacobian_isogeny/33_isogeny.sage')
kernel33 = [2 * D for D in points[:2]]
K = Fp
j, points = isogeny_33(kernel33, points, b)

Interrupting Singular...


KeyboardInterrupt: Restarting Singular (WARNING: all variables defined in previous session are now invalid)

In [None]:
G1 = points[0][0]
G2 = points[1][0]
h = j.curve().hyperelliptic_polynomials()[0]
G3, r3 = h.quo_rem(G1*G2)
assert r3 == 0
delta = Matrix(G.padded_list(3) for G in (G1, G2, G3))
assert delta.determinant() == 0

AssertionError: 

In [None]:
print(I3_gen.reduced_norm().factor())
print(beta.reduced_norm().factor())

In [None]:
print(I3_gen)