import logging
from sage.all import EllipticCurve
from sage.all import Qq
from sage.all import ZZ
def _gf_to_qq(n, qq, x):
return ZZ(x) if n == 1 else qq(list(map(int, x.polynomial())))
def _lift(E, p, Px, Py):
for P in E.lift_x(Px, all=True):
if (P.xy()[1] % p) == Py:
return P
def attack(G, P):
"""
Solves the discrete logarithm problem using Smart's attack.
More information: Smart N. P., "The Discrete Logarithm Problem on Elliptic Curves of Trace One"
More information: Hofman S. J., "The Discrete Logarithm Problem on Anomalous Elliptic Curves" (Section 6)
:param G: the base point
:param P: the point multiplication result
:return: l such that l * G == P
"""
E = G.curve()
assert E.trace_of_frobenius() == 1, f"Curve should have trace of Frobenius = 1."
F = E.base_ring()
p = F.characteristic()
q = F.order()
n = F.degree()
qq = Qq(q, names="g")
logging.info(f"Computing l % {p}...")
E = EllipticCurve(qq, [_gf_to_qq(n, qq, a) + q * ZZ.random_element(1, q) for a in E.a_invariants()])
Gx, Gy = _gf_to_qq(n, qq, G.xy()[0]), _gf_to_qq(n, qq, G.xy()[1])
Gx, Gy = (q * _lift(E, p, Gx, Gy)).xy()
Px, Py = _gf_to_qq(n, qq, P.xy()[0]), _gf_to_qq(n, qq, P.xy()[1])
Px, Py = (q * _lift(E, p, Px, Py)).xy()
l = ZZ(((Px / Py) / (Gx / Gy)) % p)
if n > 1:
G0 = p ** (n - 1) * G
G0x, G0y = _gf_to_qq(n, qq, G0.xy()[0]), _gf_to_qq(n, qq, G0.xy()[1])
G0x, G0y = (q * _lift(E, p, G0x, G0y)).xy()
for i in range(1, n):
logging.info(f"Computing l % {p ** (i + 1)}...")
Pi = p ** (n - i - 1) * (P - l * G)
if Pi.is_zero():
continue
Pix, Piy = _gf_to_qq(n, qq, Pi.xy()[0]), _gf_to_qq(n, qq, Pi.xy()[1])
Pix, Piy = (q * _lift(E, p, Pix, Piy)).xy()
l += p ** i * ZZ(((Pix / Piy) / (G0x / G0y)) % p)
return int(l)
