In the ECDSA algorithm (verification signature) you have to calculate a new point using the next formula: (x0,y0) = u1*P+U2*P_a
How can I calculate the coordenates of this new point?, i try that sentence in SAGE but it doesn't work.
X = (Integer(u1)*P)+(Integer(u2)*P_a)
Can you help me?. Thank you very much.
You can download code and try to execute in SAGE here: https://dl.dropbox.com/u/39374382/question.sws
If P1 and P2 are points on (the same) elliptic curve E and a,b are integers then
Q = a*P1 + b*P2
certainly works. And you can get the coordinates out of the point Q using Q.xy().
Example:
sage: E = EllipticCurve('389a1')
sage: P1,P2 = E.gens(); P1,P2
((-1 : 1 : 1), (0 : -1 : 1))
sage: Q = 3*P1-2*P2; Q
(-5/49 : 62/343 : 1)
sage: Q.xy()
(-5/49, 62/343)
Related
I'm trying to create an implementation of the Pohlig-Hellman algorithm in order to create a utility to craft / exploit backdoors in implementations of the Diffie-Hellman protocol. This project is inspired by this 2016 white-paper by NCC Group.
I currently have an implementation, here, that works for relatively small exponents – i.e. Given a linear congruence, g^x = h (mod n), for some specially-crafted modulus, n = pq, where p and q are prime, my implementation can solve for values of x smaller than min{ p, q }.
However, if x is larger than the smallest prime factor of n, then my implementation will give an incorrect solution. I suspect that the issue may not be with my implementation of Pohlig-Hellman, itself, but with the arguments I am passing to it. All the code can be found at the link, provided above, but I'll copy the relevant code snippets, here:
#
# Implementation of Pohlig-Hellman algorithm
#
# The `crt` function implements the Chinese Remainder Theorem, and the `pollard` function implements
# Pollard's Rho algorithm for discrete logarithms (see /dph/crt.py and /dph/pollard.py).
#
def pohlig(G, H, P, factors):
g = [pow(G, divexact(P - 1, f), P) for f in factors]
h = [pow(H, divexact(P - 1, f), P) for f in factors]
if Config.verbose:
x = []
total = len(factors)
for i, (gi, hi) in enumerate(zip(g, h), start=1):
print('Solving discrete logarithm {}/{}...'.format(str(i).rjust(len(str(total))), total))
result = pollard(gi, hi, P)
x.append(result)
print(f'x = 0x{result.digits(16)}')
else:
x = [pollard(gi, hi, P) for gi, hi in zip(g, h)]
return crt(x, factors)
Above is my implementation of Pohlig-Hellman, and below is where I call it to exploit a backdoor in some implementation of the Diffie-Hellman protocol.
def _exp(args):
g = args.g
h = args.h
p_factors = list(map(mpz, args.p_factors.split(',')))
try:
p_factors.remove(2)
except ValueError:
pass
q_factors = list(map(mpz, args.q_factors.split(',')))
try:
q_factors.remove(2)
except ValueError:
pass
p = 2 * _product(*p_factors) + 1
q = 2 * _product(*q_factors) + 1
if Config.verbose:
print(f'p = 0x{p.digits(16)}')
print(f'q = 0x{q.digits(16)}')
print()
print(f'Compute the discrete logarithm modulo `p`')
print(f'-----------------------------------------')
px = pohlig(g % p, h % p, p, p_factors)
if Config.verbose:
print()
print(f'Compute the discrete logarithm modulo `q`')
print(f'-----------------------------------------')
qx = pohlig(g % q, h % q, q, q_factors)
if Config.verbose:
print()
x = crt([px, qx], [p, q])
print(f'x = 0x{x.digits(16)}')
Here is a summary of what I am doing:
Choose a prime p = 2 * prod{ p_i } + 1, where p_i denotes a set of primes.
Choose a prime q = 2 * prod{ q_j } + 1, where q_j denotes a set of primes.
Inject n = pq as the backdoor modulus in some implementation of Diffie-Hellman.
Wait for a victim (e.g. Alice computes A = g^a (mod n), and Bob computes B = g^b (mod n)).
Solve for Alice's or Bob's secret exponent, a or b, and compute their shared secret key, K = A^b = B^a (mod n).
Step #5 is done by performing the Pohlig-Hellman algorithm twice to solve for x (mod p) and x (mod q), and then the Chinese Remainder Theorem is used to solve for x (mod n).
EDIT
The x that I am referring to in the description of step #5 is either Alice's secret exponent, a, or Bob's secret exponent, b, depending on which we choose to solve for, since only one is needed to compute the shared secret key, K.
I would like to expand the symbol function $f(x)$ as a Taylor series in SageMath
$$\delta f(x)=\delta x\frac{d}{dx}f+\frac12(\delta x)^2\frac{d^2}
{dx^2}f+O((\delta x)^3)$$
with
$$\delta x = a_1(\delta t)^{\frac12}+a_2(\delta t)+a_3(\delta t)^{\frac32}+O((\delta t)^2)$$
And expand and collect the same power terms of $\delta t$ up to a designated power, say, $\frac32$. $f$ is just a symbol, I just need Mathsage to produce the symbols of derivatives $\frac{d}{dx}$.
How should one set this up in SageMath?
Is this what you want to do?
sage: f = function('f', nargs=1)(x)
sage: f
f(x)
sage: f.taylor(x, 0, 2)
1/2*x^2*D[0, 0](f)(0) + x*D[0](f)(0) + f(0)
With sympy, you would do something like this to get the Taylor series.
import sympy
dt = sympy.Symbol('dt')
a1 = sympy.Symbol('a1')
a2 = sympy.Symbol('a2')
a3 = sympy.Symbol('a3')
dx = a1*dt**(1/2) + a2*dt + a3*dt**(3/2)
from sympy.abc import x
f = sympy.Function('f')(x)
df = dx*sympy.diff(f,x) + 1/2*dx**2*sympy.diff(f,x,2)
df.series(x)
This is assuming x and δx are independent.
I have a problem in Galois Field in SageMath. I can't convert a binary to polynomial.
If I have a binary number, 1010101 how do I convert this number in polynomial 1010101 = x^6+x^4+x^2+1.
I do not know if there is an inbuilt way (I presume you have already looked also), but you can always do the following:
sage: P.<x> = PolynomialRing(ZZ)
sage: binString = "1010101"
sage: arrayOfTerms = [0]*len(binString)
sage: binString = binString[::-1] #Flip it so that the first digit corresponds to the constant term
sage: for i in xrange(len(binString)):
....: arrayOfTerms[i] = (x**i)*int(binString[i])
....:
sage: poly = sum(arrayOfTerms)
sage: poly
x^6 + x^4 + x^2 + 1
My first Fortran lesson is to plot the probability density function of the radial Sturmian functions. In case you are interested, the radial Sturmian functions are used to graph the momentum space eigenfunctions for the hydrogen atom.
In order to produce these radial functions, one needs to first produce some polynomials called the Gegenbauer polynomials, denoted
Cba(x),
where a and b should be stacked atop each other. One needs these polynomials because the Sturmians (let's call them R_n,l) are defined like so,
R_n,l(p) = N pl⁄(p2 + k2)l+2 Cn - l - 1l + 1(p2 - k2⁄p2 + k2),
where N is a normalisation constant, p is the momentum, n is the principle quantum number, l is the angular momentum and k is a constant. The normalisation constant is there so that when I come to square this function, it will produce a probability distribution for the momentum of the electron in a hydrogen atom.
Gegenbauer polynomials are generated using the following recurrence relation:
Cnl(x) = 1⁄n[2(l + n - 1) x Cn - 1l(x) - (2l + n - 2)Cn - 2l(x)],
with C0l(x) = 1 and C1l(x) = 2lx, as you may have noticed, l is fixed but n is not. At the start of my program, I will specify both l and n and work out the Gegenbauer polynomial I need for the radial function I wish to plot.
The problems I am having with my code at the moment are all in my subroutine for working out the value of the Gegenbauer polynomial Cn-l-1l+1(p2 - k2⁄p2 + k2) for incremental values of p between 0 and 3. I keep getting the error
Unclassified statement at (1)
but I cannot see what the issue is.
program Radial_Plot
implicit none
real, parameter :: pi = 4*atan(1.0)
integer, parameter :: top = 1000, l = 50, n = 100
real, dimension(1:top) :: x, y
real increment
real :: a=0.0, b = 2.5, k = 0.3
integer :: i
real, dimension(1:top) :: C
increment = (b-a)/(real(top)-1)
x(1) = 0.0
do i = 2, top
x(i) = x(i-1) + increment
end do
Call Gegenbauer(top, n, l, k, C)
y = x*C
! y is the function that I shall be plotting between values a and b.
end program Radial_Plot
Subroutine Gegenbauer(top1, n1, l1, k1, CSub)
! This subroutine is my attempt to calculate the Gegenbauer polynomials evaluated at a certain number of values between c and d.
implicit none
integer :: top1, i, j, n1, l1
real :: k1, increment1, c, d
real, dimension(1:top1) :: x1
real, dimension(1:n1 - l1, 1:top1) :: C1
real, dimension(1:n1 - l1) :: CSub
c = 0.0
d = 3.0
k1 = 0.3
n1 = 50
l1 = 25
top1 = 1000
increment1 = (d - c)/(real(top1) - 1)
x1(1) = 0.0
do i = 2, top1
x1(i) = x1(i-1) + increment1
end do
do j = 1, top1
C1(1,j) = 1
C1(2,j) = 2(l1 + 1)(x1(i)^2 - k1^2)/(x1(i)^2 + k1^2)
! All the errors occurring here are all due to, and I quote, 'Unclassifiable statement at (1)', I can't see what the heck I have done wrong.
do i = 3, n1 - l1
C1(i,j) = 2(((l1 + 1)/n1) + 1)(x1(i)^2 - k1^2)/(x1(i)^2 + k1^2)C1(i,j-1) - ((2(l1+1)/n1) + 1)C1(i,j-2)
end do
CSub(j) = Cn(n1 - l1,j)^2
end do
return
end Subroutine Gegenbauer
As francesalus correctly pointed out, the problem is because you use ^ instead of ** for exponentiation. Additionally, you do not put * between the terms you are multiplying.
C1(1,j) = 1
C1(2,j) = 2*(l1 + 1)*(x1(i)**2 - k1**2)/(x1(i)**2 + k1**2)
do i = 3, n1 - l1
C1(i,j) = 2 * (((l1 + 1)/n1) + 1) * (x1(i)**2 - k1**2) / &
(x1(i)**2 + k1**2)*C1(i,j-1) - ((2(l1+1)/n1) + 1) * &
C1(i,j-2)
end do
CSub(j) = Cn(n1 - l1,j)**2
Since you are beginning I have some advice. Learn to put all subroutines and functions to modules (unless they are internal). There is no reason for the return statement at the and of the subroutine, similarly as a stop statement isn't necessary at the and of the program.
how can i calculate the polynomial that has the tangent lines (1) y = x where x = 1, and (2) y = 1 where x = 365
I realize this may not be the proper forum but I figured somebody here could answer this in jiffy.
Also, I am not looking for an algorithm to answer this. I'd just like like to see the process.
Thanks.
I guess I should have mentioned that i'm writing an algorithm for scaling the y-axis of flotr graph
The specification of the curve can be expressed as four constraints:
y(1) = 1, y'(1) = 1 => tangent is (y=x) when x=1
y(365) = 1, y'(365) = 0 => tangent is (y=1) when x=365
We therefore need a family of curves with at least four degrees of freedom to match these constraints; the simplest type of polynomial is a cubic,
y = a*x^3 + b*x^2 + c*x + d
y' = 3*a*x^2 + 2*b*x + c
and the constraints give the following equations for the parameters:
a + b + c + d = 1
3*a + 2*b + c = 1
48627125*a + 133225*b + 365*c + d = 1
399675*a + 730*b + c = 0
I'm too old and too lazy to solve these myself, so I googled a linear equation solver to give the answer:
a = 1/132496, b = -731/132496, c = 133955/132496, d = -729/132496
I will post this type of question in mathoverflow.net next time. thanks
my solution in javascript was to adapt the equation of a circle:
var radius = Math.pow((2*Math.pow(365, 2)), 1/2);
var t = 365; //offset
this.tMax = (Math.pow(Math.pow(r, 2) - Math.pow(x, 2), 1/2) - t) * (t / (r - t)) + 1;
the above equation has the above specified asymptotes. it is part of a step polynomial for scaling an axis for a flotr graph.
well, you are missing data (you need another point to determine the polynomial)
a*(x-1)^2+b*(x-1)+c=y-1
a*(x-365)^2+b*(x-365)+c=y-1
you can solve the exact answer for b
but A depends on C (or vv)
and your question is off topic anyways, and you need to revise your algebra