# P 11.1

Consider the following data given below. 

Using SAGE, do the following:
    
1. Check that $qP = O_E$ and that $q$ is indeed a prime number.
2. Verify that $(S_1, S_2)$ is a valid signature for the document $D$ and the verification key $A$, knowing that $0 < \texttt{int}(y(P)), \texttt{int}(y(A)) < p/2$.


In [1]:
p   = 2^384 - 2^128 - 2^96 + 2^32 - 1
a   = -3
b   = 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575
xP  = 9927569721545390815034713904622759727440640009568502331607218669906608389108530937089042810199441312117717067185412
q   = 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643
xA  = 29400003852608672639867349879251432905099128866639045860503309429241268278901837643832541859075556345862458834761765
D   = 1415574695691915124168896603027864661322838868352349273945839601722462604573059900203151158258340990168334336
S1  = 13669797451316206272209337753571017954169997281397226685068093299839322753638412752144616602545722591906382790482469
S2  = 22724282496840316001698707302101306704785167815942863432725566208290642414916361973166625614388772211458477112104622

In [2]:
def find_y_for_x(x, a, b, p):
    y = PolynomialRing(GF(p), 'y').gen()
    poly = y^2 - x^3 - a*x - b

    roots = []
    for root in poly.roots():
        if int(root[0]) > 0 and int(root[0]) < int(p/2):
            roots.append(root[0])
    return roots[0]

In [3]:
E = EllipticCurve(GF(p), [0, 0, 0, a, b])
print(E)

P = E(xP, find_y_for_x(xP, a, b, p))
A = E(xA, find_y_for_x(xA, a, b, p))


print(f"\nP = {P}")
print(f"A = {A}")

# Check that qP = O_E, i.e. the order of P is q
print(f"\nqP = O_E ?\n>> {q == P.order()}")

# Check that q is prime
print(f"q is prime ?\n>> {is_prime(q)}")


Elliptic Curve defined by y^2 = x^3 + 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112316*x + 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575 over Finite Field of size 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319

P = (9927569721545390815034713904622759727440640009568502331607218669906608389108530937089042810199441312117717067185412 : 11335415539847742054638194421863270641395141898512679240517549596468726158906956112765871606628444247441698387066910 : 1)
A = (29400003852608672639867349879251432905099128866639045860503309429241268278901837643832541859075556345862458834761765 : 5591125466805362989822198903344140189575231852793533288233047492474179712731680718968075632699616565274998339563954 : 1)

qP = O_E ?
>> True
q is prime ?
>> True


In [4]:
V_1 = (D * inverse_mod(S2,q)) % q
V_2 = (S1 * inverse_mod(S2,q)) % q

assert S1 == Integer((V_1 * P + V_2 * A)[0]) % q # Checks singature : x(V1*P + V2*A) mod q == S1
print(f"Is D^sig a valid signature for the document D and the verification key A ?\n>> {S1 == Integer((V_1 * P + V_2 * A)[0]) % q}")

Is D^sig a valid signature for the document D and the verification key A ?
>> True
