Вариант $4, M = 61$


$$y^2=x^3+ax+b$$
$$4a^3 + 27b^2 \neq 0(mod M)$$

Возьмем $a = 2, b = -5$: $$4*2^3+27*(-5)^2 \mod 61 = 36$$

In [2]:
def generate_group(a, b, m)
    em_group = ['O']
    m.times do |x|
        y_2 = x**3 + a*x + b
        m.times do |y|
            if y_2 % m == y**2 % m
                em_group.push([x, y])
            end
        end
    end
    em_group
end

:generate_group

In [3]:
generate_group(1, 0, 23).size == 24

true

In [4]:
a = 2
b = -5
m = 61
em_g = generate_group(a, b, m)
em_g

["O", [0, 19], [0, 42], [7, 13], [7, 48], [10, 10], [10, 51], [12, 10], [12, 51], [13, 12], [13, 49], [14, 12], [14, 49], [15, 17], [15, 44], [16, 6], [16, 55], [17, 1], [17, 60], [19, 11], [19, 50], [22, 16], [22, 45], [24, 9], [24, 52], [29, 15], [29, 46], [31, 18], [31, 43], [32, 3], [32, 58], [34, 12], [34, 49], [35, 22], [35, 39], [36, 27], [36, 34], [39, 10], [39, 51], [40, 5], [40, 56], [42, 28], [42, 33], [45, 25], [45, 36], [49, 16], [49, 45], [50, 17], [50, 44], [51, 16], [51, 45], [52, 23], [52, 38], [53, 4], [53, 57], [54, 2], [54, 59], [57, 17], [57, 44]]

In [5]:
def bits(n)
    while n > 0
        yield n & 1
        n >>= 1
    end
end

:bits

In [6]:
def extended_eucledian_algorithm(a, m)
  r0, r1 = a, m
  s, t = 1, 0
  until r1.zero?
    q, r2 = r0.divmod(r1) # Euclidean algorithm
    r0, r1 = r1, r2
    s, t = t, s - q * t # extended Euclidean algorithm
  end
  gcd = r0
  t = (gcd - s * a) / m # from Bézout's Identity
  [gcd, s, t]
end

def inverse_of(n, p)
    gcd, x, y = extended_eucledian_algorithm(n, p)
    raise RuntimeError unless (n*x + p*y) % p == gcd && gcd == 1
    x % p
end

:inverse_of

In [7]:
def get_lambda(p1, p2, m, a = 1)
    x1, y1 = p1
    x2, y2 = p2
    
    if p1 != p2
        ((y2-y1)*inverse_of((x2-x1+m)%m, m))%m
    else
        ((3*x1*x1+a)*inverse_of((2*y1)%m, m))%m
    end
end

get_lambda([16, 5], [16, 5], 23, 9) == 11

true

In [8]:
def point_add(p1, p2, m, a = 1)
    return p2 if p1 == 'O'
    return p1  if p2 == 'O'
    begin
        l = get_lambda(p1, p2, m, a)
    rescue
        return 'O'
    end
    x_3 = (l**2 - p1[0] - p2[0])%m
    y_3 = (-(p1[1]+l*((x_3-p1[0])%m)))%m
    [x_3, y_3]
end

def point_multiply(n, p, m, a = 1)
    result = 'O'
    addend = p
    bits(n) do |bit|
        result = result == 0 ? addend : point_add(result, addend, m, a) if bit == 1                
        addend = point_add(addend, addend, m, a)
    end
    result
end

point_add([16, 5], [16, 5], 23, 9) == [20, 20]

true

In [9]:
point_multiply(241, [52, 194], 211, 0)

"O"

In [10]:
def factors(n)
    factors_arr = []
    (2...(n-1)).each do |i|
        if n%i == 0
            flag = false
            factors_arr.each do |j|
                if i%j == 0
                    flag = true;
                    break;
                end
            end
            factors_arr.push(i) unless flag
        end
    end
    factors_arr.any? ? factors_arr.sort : [n]
end 

:factors

In [11]:
factors(59)

[59]

In [12]:
def get_gen_point(group, c, m, a)
    h = group.size / c
    group.shuffle!
    group.each do |i|
        return i unless point_multiply(h, i, m, a) == 'O'
    end
end

:get_gen_point

In [13]:
factors(em_g.size)

[59]

In [19]:
g = get_gen_point(em_g, factors(em_g.size)[-1], m, a)

[19, 11]

In [20]:
require 'digest/sha1'

class Client
    def initialize(g, m, a, q)
        @g = g
        @m = m
        @a = a
        @q = q
    end
        
    def generate_keys
        @nU = rand(0..(@m/@a))
        @nUG = point_multiply(@nU, @g, @m, @a)
        puts "Keys generated: #{@nU}, #{@nUG}"
    end
        
    def get_pub_key
        @nUG
    end
    
    def set_common_priv(pub_key)
        @pub_key = pub_key
        @common_priv = point_multiply(@nU, pub_key, @m, @a)
        puts "Common private key set: #{@common_priv}"
    end
        
    def sign_message(msg)
        m = Digest::SHA1.digest msg.encode
        q_len = @q.to_s(2).size
        h_m = m.unpack("C*").inject(0) { |sum, (byte, index)| sum * 256 + byte }.to_s(2)[0...q_len].to_i(2)
        r = 0
        s = 0
        while r == 0 || s == 0 do
            k = rand(1...@q)
            k_g = point_multiply(k, @g, @m, @a)
            next if k_g == 'O' || k_g[0] % @q == 0
            r = k_g[0] % @q
            s = (inverse_of(k, @q)*(h_m+@nU*r))% @q
        end
        puts "Sign is #{r} #{s}"
        [msg, [r, s]]
    end
    
    def verify_sign(msg_cort)
        msg, sign = msg_cort
        m = Digest::SHA1.digest msg.encode
        q_len = @q.to_s(2).size
        h_m = m.unpack("C*").inject(0) { |sum, (byte, index)| sum * 256 + byte }.to_s(2)[0...q_len].to_i(2)
        r, s = sign
        return false unless (1...@q).cover?(r) && (1...@q).cover?(s)
        w = inverse_of(s, @q) % @q
        u_1 = (h_m * w) % @q
        u_2 = (r * w) % @q
        p = point_add(point_multiply(u_1, @g, @m, @a), point_multiply(u_2, @pub_key, @m, @a), @m, @a)
        return false if p == 'O'
        puts "r* is #{p[0]}"
        p[0] % @q == r
    end
end

:verify_sign

### Key exchange

In [27]:
client_A = Client.new(g, m, a, em_g.size)
client_B = Client.new(g, m, a, em_g.size)
client_A.generate_keys
client_B.generate_keys
client_A.set_common_priv client_B.get_pub_key
client_B.set_common_priv client_A.get_pub_key

Keys generated: 21, [54, 59]
Keys generated: 11, [52, 38]
Common private key set: [42, 33]
Common private key set: [42, 33]


### ECDSA

In [35]:
message = 'Подписанное сообщение'
client_A.sign_message message

Sign is 19 14


["Подписанное сообщение", [19, 14]]

In [36]:
client_B.verify_sign(client_A.sign_message(message))

Sign is 31 49
r* is 31


true