1
from sage.all import GF
2

3

4
def attack(p, a2, a4, a6, Gx, Gy, Px, Py):
5
    """
6
    Solves the discrete logarithm problem on a singular curve (y^2 = x^3 + a2 * x^2 + a4 * x + a6).
7
    :param p: the prime of the curve base ring
8
    :param a2: the a2 parameter of the curve
9
    :param a4: the a4 parameter of the curve
10
    :param a6: the a6 parameter of the curve
11
    :param Gx: the base point x value
12
    :param Gy: the base point y value
13
    :param Px: the point multiplication result x value
14
    :param Py: the point multiplication result y value
15
    :return: l such that l * G == P
16
    """
17
    x = GF(p)["x"].gen()
18
    f = x ** 3 + a2 * x ** 2 + a4 * x + a6
19
    roots = f.roots()
20

21
    # Singular point is a cusp.
22
    if len(roots) == 1:
23
        alpha = roots[0][0]
24
        u = (Gx - alpha) / Gy
25
        v = (Px - alpha) / Py
26
        return int(v / u)
27

28
    # Singular point is a node.
29
    if len(roots) == 2:
30
        if roots[0][1] == 2:
31
            alpha = roots[0][0]
32
            beta = roots[1][0]
33
        elif roots[1][1] == 2:
34
            alpha = roots[1][0]
35
            beta = roots[0][0]
36
        else:
37
            raise ValueError("Expected root with multiplicity 2.")
38

39
        t = (alpha - beta).sqrt()
40
        u = (Gy + t * (Gx - alpha)) / (Gy - t * (Gx - alpha))
41
        v = (Py + t * (Px - alpha)) / (Py - t * (Px - alpha))
42
        return int(v.log(u))
43

44
    raise ValueError(f"Unexpected number of roots {len(roots)}.")
45

46