# Step by Step Computation

In [1]:
#takes a in Ea:y^2=x3+ax^2+, and x coordinate
#Both must be in the field of F_p^2

def two_multiplication(a,x,times=1):
    while(times>0):
        x=((x^2-1)^2/((4*x)*(x^2+a*x+1)))
        times=times-1
    return x


#takes a in Ea:y^2=x3+ax^2+, and x coordinate
#Both must be in the field of F_p^2

def three_multiplication(b,y,t=1):
    while(t>0):
        y = y*((y^4-6*y^2-4*b*y-3)/(3*y^4+4*b*y^3+6*y^2-1))^2
        t=t-1
    return y

In [2]:
#input: alpha is, α in G = {O, (α, 0)} ; x, x-coordinate
#output: (x's image, new a)

def two_isogeny_velu(alpha,x):
    return (x*(alpha*x-1)/(x-alpha),2*(1-2*alpha^2))


#input: a in Montgomery curve ;beta is, β in G = {O, (β, γ), (β, −γ)}; x, x-coordinate
#output: (x's image, new a)

def three_isogeny_velu(a,beta,x):
    return ((x*(beta*x-1)^2)/(x-beta)^2,(a*beta-6*beta^2+6)*beta)
    

## Public Key Generations

In [3]:
#generates field K = Fp^2 with generator i
p=2^4*3^3-1
_.<I> = GF(p)[] 
K.<i> = GF(p^2, modulus=I^2+1)
p,K

(431, Finite Field in i of size 431^2)

In [4]:
# Define (supersingular) E = x^3 + (172*i+162)*x^2 + x
P = K([162,172])  #fetch point = (172i+162) in K
E = EllipticCurve(K,[0,P,0,1,0])
E 

Elliptic Curve defined by y^2 = x^3 + (172*i+162)*x^2 + x over Finite Field in i of size 431^2

In [5]:
#P_A and Q_A both must be 2^4 torsion points
P_A = E.random_point()
Q_A = E.random_point()
while P_A.order() != 2^4:
    P_A = 3^3 * E.random_point()

while Q_A.order() != 2^4:
    Q_A = 3^3 * E.random_point()
    
P_A,Q_A

((384*i + 250 : 3*i + 118 : 1), (182*i + 122 : 129*i + 172 : 1))

In [6]:
#P_B and Q_B both must be 3^3 torsion points
P_B = E.random_point()
Q_B = E.random_point()
while P_B.order() != 3^3:
    P_B = 2^4 * E.random_point()

while Q_B.order() != 3^3:
    Q_B = 2^4 * E.random_point()
    
P_B,Q_B

((259*i + 332 : 288*i + 94 : 1), (101*i + 330 : 104*i + 74 : 1))

In [7]:
print((E, P_A, Q_A, P_B, Q_B))  #public parameters

(Elliptic Curve defined by y^2 = x^3 + (172*i+162)*x^2 + x over Finite Field in i of size 431^2, (384*i + 250 : 3*i + 118 : 1), (182*i + 122 : 129*i + 172 : 1), (259*i + 332 : 288*i + 94 : 1), (101*i + 330 : 104*i + 74 : 1))


## Alice's public key generations

In [8]:
#Alice's private key, k_A and Sa = Pa + Ka*Qa
#k_A = randint in {0, 2^4-1}
k_A = 9
S_A = P_A + k_A * Q_A
S_A.order(), S_A, k_A #k_A should be private

(16, (121*i + 44 : 61*i + 228 : 1), 9)

### phi_A0

In [9]:
#3 times 2-multiplication to get R_A
a = K([162,172])
R_A = two_multiplication(a,S_A[0],3); R_A

390*i + 160

In [10]:
a_1 = two_isogeny_velu(R_A,S_A[0])[1]
S_A_new = two_isogeny_velu(R_A,S_A[0])[0] #output: (x's image, new a)
P_B_new = two_isogeny_velu(R_A,P_B[0])[0]
Q_B_new = two_isogeny_velu(R_A,Q_B[0])[0]
print(a_1,S_A_new, P_B_new, Q_B_new)

329*i + 8 222*i + 194 268*i + 214 20*i + 246


In [11]:
E_a1 = EllipticCurve(K,[0,a_1,0,1,0]);
print(E_a1)
print("j_invariant:"+ str(E_a1.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (329*i+8)*x^2 + x over Finite Field in i of size 431^2
j_invariant:344*i + 190


### phi_A1

In [12]:
#2 times 2-multiplication to get new R_A
R_A_1 = two_multiplication(a_1,S_A_new,2); R_A_1

84*i + 29

In [13]:
a_2 = two_isogeny_velu(R_A_1,S_A_new)[1]
S_A_1 = two_isogeny_velu(R_A_1,S_A_new)[0] #output: (x's image, new a)
P_B_1 = two_isogeny_velu(R_A_1,P_B_new)[0]
Q_B_1 = two_isogeny_velu(R_A_1,Q_B_new)[0]
print(a_2,S_A_1, P_B_1, Q_B_1)

338*i + 295 311*i + 78 132*i + 159 402*i + 256


In [14]:
E_a2 = EllipticCurve(K,[0,a_2,0,1,0]);
print(E_a2)
print("j_invariant:"+ str(E_a2.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (338*i+295)*x^2 + x over Finite Field in i of size 431^2
j_invariant:350*i + 65


### phi_A2

In [15]:
#1 2-multiplication to get new R_A
R_A_2 = two_multiplication(a_2,S_A_1,1); R_A_2
#

320*i + 286

In [16]:
a_3 = two_isogeny_velu(R_A_2,S_A_1)[1]
S_A_2 = two_isogeny_velu(R_A_2,S_A_1)[0] #output: (x's image, new a)
P_B_2 = two_isogeny_velu(R_A_2,P_B_1)[0]
Q_B_2 = two_isogeny_velu(R_A_2,Q_B_1)[0]
print(a_3,S_A_2, P_B_2, Q_B_2)

109*i + 97 244*i + 304 317*i + 239 107*i + 206


In [17]:
E_a3 = EllipticCurve(K,[0,a_3,0,1,0]);
print(E_a3)
print("j_invariant:"+ str(E_a3.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (109*i+97)*x^2 + x over Finite Field in i of size 431^2
j_invariant:389*i + 141


### phi_A3

In [18]:
#0 time 2-multiplication to get new R_A
R_A_3 = two_multiplication(a_3,S_A_2,0);

In [19]:
a_4 = two_isogeny_velu(R_A_3,P_B_2)[1]
#S_A_3 = two_isogeny_velu(R_A_2,S_A_2)[0]  
P_B_3 = two_isogeny_velu(R_A_3,P_B_2)[0]
Q_B_3 = two_isogeny_velu(R_A_3,Q_B_2)[0]
print(a_4, P_B_3, Q_B_3)

79*i + 368 156*i + 324 243*i + 253


In [20]:
E_a4 = EllipticCurve(K,[0,a_4,0,1,0]);
print(E_a4)
print("j_invariant:"+ str(E_a4.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (79*i+368)*x^2 + x over Finite Field in i of size 431^2
j_invariant:306*i + 426


### PK_A


In [21]:
#(E_A : y^2 = x^3 + 415x^2 + x, phi_A(Pb) , Phi_A(Qb))
print("E_A, phi_A(Pb) ,  Phi_A(Qb)")
print(a_4, P_B_3, Q_B_3)
pk_A=list((a_4, P_B_3, Q_B_3)); 
pk_A

E_A, phi_A(Pb) ,  Phi_A(Qb)
79*i + 368 156*i + 324 243*i + 253


[79*i + 368, 156*i + 324, 243*i + 253]

## Bob's public key generations

In [22]:
#Bob's private key, k_A and Sb = Pb + Kb*Qb
#k_b = randint in {0, 3^3-1}
k_B = 5
S_B = P_B + k_B * Q_B
S_B.order(), S_B, P_A.order(),Q_A.order()

(27, (354*i + 163 : 384*i + 10 : 1), 16, 16)

### phi_B0

In [23]:
#2 times 3-multiplication to get R_B
b = K([162,172]) #a = 162+172i
R_B = three_multiplication(b,S_B[0],2);R_B

253*i + 234

In [24]:
b_1 = three_isogeny_velu(b,R_B,S_B[0])[1]
S_B_new = three_isogeny_velu(b,R_B,S_B[0])[0] #output: (x's image, new a)
P_A_new = three_isogeny_velu(b,R_B,P_A[0])[0]
Q_A_new = three_isogeny_velu(b,R_B,Q_A[0])[0]
print(a_1,S_B_new, P_A_new, Q_A_new)

329*i + 8 384*i + 214 132*i + 83 377*i + 132


In [25]:
E_b1 = EllipticCurve(K,[0,b_1,0,1,0]);
print(E_b1)
print("j-invariant: "+str(E_b1.j_invariant()))



Elliptic Curve defined by y^2 = x^3 + (19*i+205)*x^2 + x over Finite Field in i of size 431^2
j-invariant: 106*i + 379


### phi_B1

In [26]:
#1 times 3-multiplication to get R_B
R_B = three_multiplication(b_1,S_B_new,1);R_B

264*i + 201

In [27]:
b_2 = three_isogeny_velu(b_1,R_B,S_B_new)[1]
S_B_1 = three_isogeny_velu(b_1,R_B,S_B_new)[0] #output: (x's image, new a)
P_A_1 = three_isogeny_velu(b_1,R_B,P_A_new)[0]
Q_A_1 = three_isogeny_velu(b_1,R_B,Q_A_new)[0]
print(b_2,S_B_1, P_A_1, Q_A_1)

248*i + 421 104*i + 100 294*i + 164 285*i + 306


In [28]:
E_b2 = EllipticCurve(K,[0,b_2,0,1,0]);
print(E_b2)
print("j-invariant:", str(E_b2.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (248*i+421)*x^2 + x over Finite Field in i of size 431^2
j-invariant: 87*i + 190


### phi_B2


In [29]:
#0 times 3-multiplication to get R_B
R_B = three_multiplication(b_2,S_B_1,0);R_B

104*i + 100

In [30]:
b_3 = three_isogeny_velu(b_2,R_B,P_A_1)[1]
#S_B_1 = three_isogeny_velu(a_2,R_B,S_B_new)[0] #output: (x's image, new a)
P_A_2 = three_isogeny_velu(b_2,R_B,P_A_1)[0]
Q_A_2 = three_isogeny_velu(b_2,R_B,Q_A_1)[0]
print(b_3, P_A_2, Q_A_2)

346*i + 429 73*i + 379 326*i + 225


In [48]:
E_b3 = EllipticCurve(K,[0,b_3,0,1,0]);
print(E_b3)
print("j invariant: "+str(E_b3.j_invariant()))



Elliptic Curve defined by y^2 = x^3 + (346*i+429)*x^2 + x over Finite Field in i of size 431^2
j invariant: 241


### PK_B

In [50]:
#(E_B : y^2 = x^3 + 415x^2 + x, phi_B(Pb) , Phi_A(Qb))
print("E_B, phi_B(Pa) ,  Phi_B(Qa)")
print(b_3, P_A_2, Q_A_2)
pk_B=list((b_3, P_A_2, Q_A_2)); 
pk_B

E_B, phi_B(Pa) ,  Phi_B(Qa)
346*i + 429 73*i + 379 326*i + 225


[346*i + 429, 73*i + 379, 326*i + 225]

## Shared Secret Computation

### Computes S_A' = phi_B(S_A) = phi_B(P_A) +[k_A] phi_B(Q_A) 


#### Notes: since in the previous computation, we ignored the y coordinate when mapped P_A, Q_A through isogenies, this will cause a problem in the computation of shared secret : as the basis points phi_B(P_A) ,  phi_B(Q_A) should retain their orders on E_B, thus Alice can keep composing e_A isogenies on E_B to maps phi_B(S_A) into kernel . With only x-coordinates obtained, We can't check if phi_B(P_A) ,  phi_B(Q_A) has remained the same order as original or not. To proceed the shared secret part,  we will  use  .isogeny() method to obtain phi_B(P_A) ,  phi_B(Q_A). We check the correctness by comparing the x(phi_B(P_A)) and x(phi_B(Q_A)) with our pk_B[1], pk_B[2].

In [51]:
iso_a = E.isogeny(S_A,codomain = E_a4)
phiA_Pb = iso_a(P_B)
phiA_Qb = iso_a(Q_B)
Q_B.order(),phiA_Qb.order(), P_B.order(), phiA_Pb.order()

(27, 27, 27, 27)

In [52]:
iso_b = E.isogeny(S_B,codomain = E_b3)
phiB_Pa = iso_b(P_A)
phiB_Qa = iso_b(Q_A)
Q_A.order(),phiB_Qa.order(), P_A.order(), phiB_Pa.order()

(16, 16, 16, 16)

In [53]:
#we proceed the computation using these ptrs:
(phiA_Pb,phiA_Qb,phiB_Pa,phiB_Qa) 

((156*i + 324 : 268*i + 351 : 1),
 (243*i + 253 : 64*i + 99 : 1),
 (73*i + 379 : 135*i + 229 : 1),
 (326*i + 225 : 321*i + 195 : 1))

#### We can see that our step-by-step isogeny composition for x-coordinates are correctly computed, which can be checked by looking at pk_a[1], pk_a[2], pk_b[1], pk[2] in the above. We will use these latest generated points and proceed the shared secret computation.

## Alice's S_A'= phi_B(S_A) =  phi_B(Pa)+[kA] phi_B(Qa) 

In [54]:
#Alice computes S_A' = phi_B(S_A) =  phi_B(Pa)+[kA] phi_B(qa) 
PhiB_Sa = phiB_Pa + k_A * phiB_Qa
PhiB_Sa, PhiB_Sa.order()

((129*i + 265 : 231*i + 425 : 1), 16)

### phi_A0'

In [55]:
#3 times 2-multiplication to get Ra
#start with curve E_b: y^2 = x^3 + (109*i + 97)x^2 +x
Ra= two_multiplication(pk_B[0],PhiB_Sa[0],3); Ra

28*i + 221

In [56]:
(PhiB_Sa_new,a1) = two_isogeny_velu(Ra,PhiB_Sa[0])  #output: (x's image, new a)

#As we don't need to move the basis points, so comment out this 2 lines
#P_B_new = two_isogeny_velu(R_A,P_B[0])[0]
#Q_B_new = two_isogeny_velu(R_A,Q_B[0])[0]

print(a1,PhiB_Sa_new)

61*i 32*i


In [57]:
Ea1 = EllipticCurve(K,[0,a1,0,1,0]);
print(Ea1)
print("j_invariant:"+ str(Ea1.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + 61*i*x^2 + x over Finite Field in i of size 431^2
j_invariant:19


### phi_A1'

In [58]:
#2 times 2-multiplication to get Ra
Ra= two_multiplication(a1,PhiB_Sa_new,2); Ra

305*i

In [59]:
(PhiB_Sa_1,a2) = two_isogeny_velu(Ra,PhiB_Sa_new)  #output: (x's image, new a)
print(a2,PhiB_Sa_1)

149 189


In [60]:
Ea2 = EllipticCurve(K,[0,a2,0,1,0]);
print(Ea2)
print("j_invariant:"+ str(Ea2.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + 149*x^2 + x over Finite Field in i of size 431^2
j_invariant:4


### phi_A2'

In [61]:
#1 times 2-multiplication to get Ra
Ra= two_multiplication(a2,PhiB_Sa_1,1); Ra

188

In [62]:
(PhiB_Sa_2,a3) = two_isogeny_velu(Ra,PhiB_Sa_1)  #output: (x's image, new a)
print(a3,PhiB_Sa_2)

425 379


In [63]:
Ea3 = EllipticCurve(K,[0,a3,0,1,0]);
print(Ea3)
print("j_invariant:"+ str(Ea3.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + 425*x^2 + x over Finite Field in i of size 431^2
j_invariant:19


### phi_A3'

In [64]:
#0 times 2-multiplication to get Ra
Ra= two_multiplication(a3,PhiB_Sa_2,0); Ra

379

In [68]:
(_, a4) = two_isogeny_velu(Ra,1)  #output: (x's image, new a)
print(a4)  #PhiB_Sa' already has order 2, doesn't need to compute

392


## Alice' shared secret

In [93]:
Ea4 = EllipticCurve(K,[0,a4,0,1,0]);
print(Ea4)
print("j_invariant:"+ str(Ea4.j_invariant()))
Eab = Ea4

Elliptic Curve defined by y^2 = x^3 + 392*x^2 + x over Finite Field in i of size 431^2
j_invariant:241


## Bob's S_B'= phi_A(S_B) =  phi_A(Pb)+[kB] phi_A(Qb) 

In [70]:
#Alice computes S_A' = phi_B(S_A) =  phi_B(Pa)+[kA] phi_B(qa) 
PhiA_Sb = phiA_Pb + k_B* phiA_Qb
PhiA_Sb, PhiA_Sb.order()

((147*i + 32 : 264*i + 394 : 1), 27)

### phi_B0'

In [82]:
#2 times 3-multiplication to get Rb
Rb = three_multiplication(pk_A[0],PhiA_Sb[0],2);Rb

8*i + 10

In [83]:
(PhiA_Sb_new,b1)= three_isogeny_velu(pk_A[0],Rb,PhiA_Sb[0])
print(b1,PhiA_Sb_new)

17*i + 154 203*i + 120


In [84]:
Eb1 = EllipticCurve(K,[0,b1,0,1,0]);
print(Eb1)
print("j-invariant: "+str(Eb1.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (17*i+154)*x^2 + x over Finite Field in i of size 431^2
j-invariant: 81*i + 65


### phi_B1'

In [85]:
#1 times 3-multiplication to get Rb
Rb = three_multiplication(b1,PhiA_Sb_new,1);Rb

220*i + 126

In [86]:
(PhiA_Sb_1,b2)= three_isogeny_velu(b1,Rb,PhiA_Sb_new)
print(b2,PhiA_Sb_1)

329*i + 8 249*i + 318


In [87]:
Eb2 = EllipticCurve(K,[0,b2,0,1,0]);
print(Eb2)
print("j-invariant: "+str(Eb2.j_invariant()))

Elliptic Curve defined by y^2 = x^3 + (329*i+8)*x^2 + x over Finite Field in i of size 431^2
j-invariant: 344*i + 190


### phi_B2'

In [89]:
#1 times 3-multiplication to get Rb
Rb = three_multiplication(b2,PhiA_Sb_1,0);Rb

249*i + 318

In [91]:
(_,b3)= three_isogeny_velu(b2,Rb,1)
print(b3)

392


## Bob's shared secret

In [94]:
Eb3 = EllipticCurve(K,[0,b3,0,1,0]);
print(Eb3)
print("j-invariant: "+str(Eb3.j_invariant()))

Eba = Eb3

Elliptic Curve defined by y^2 = x^3 + 392*x^2 + x over Finite Field in i of size 431^2
j-invariant: 241


In [95]:
if Eab.j_invariant() == Eba.j_invariant():
    print("ALice and Bob have the same j-invariant, Eab, Eba are isomorphic, with j invariant: "+ str(Eab.j_invariant() ))

ALice and Bob have the same j-invariant, Eab, Eba are isomorphic, with j invariant: 241


# Alice and Bob shares the same secret!