forked from 01BTC10/bitp0wn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
double.py
executable file
·130 lines (103 loc) · 3.87 KB
/
double.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/usr/bin/env python
from bitcoin import G, N, P, fast_multiply, inv
import random
#assumes p prime returns cube root of a mod p
def cuberoot(a, p):
if p == 2:
return a
if p == 3:
return a
if (p%3) == 2:
return pow(a,(2*p - 1)/3, p)
if (p%9) == 4:
root = pow(a,(2*p + 1)/9, p)
assert pow(root,3,p) == a%p
return root
if (p%9) == 7:
root = pow(a,(p + 2)/9, p)
assert pow(root,3,p) == a%p
return root
else:
print "Not implemented yet. See the second paper"
# Generate secret key & the corresponding public key and address
d = random.SystemRandom().randrange(1, N)
(x, y) = fast_multiply(G, d)
# Double Q, works only when A = 0 in ECDSA curve
Q2 = (
(9 * x ** 4 * inv(4 * y ** 2, P) - (2 * x)) % P,
(9 * x ** 3 * inv(2 * y, P) - (27 * x ** 6) * inv(8 * y ** 3, P) - y) % P
)
assert Q2 == fast_multiply(G, d*2)
# Double and triple Qx, works only for secp256k1 curve
Q2x = ((x**4 - 56 * x) * inv(4 * x**3 + 28, P)) % P
Q3x = ((x**9 - 672 * x**6 + 2352 * x**3 + 21952) * inv(9 * x**2 * (x**3 + 28)**2, P)) % P
assert Q2x == fast_multiply(G, d*2)[0]
assert Q3x == fast_multiply(G, d*3)[0]
# Double Qx and add G
Q2xp1 = (((Q2[0] * G[0]) * (Q2[0] + G[0]) - 2*Q2[1]*G[1] + 14) * inv((Q2[0] - G[0])**2, P)) % P
assert Q2xp1 == fast_multiply(G, (d*2)+1)[0]
# Eq 1.
assert (9*x**4) % P == ((x**3 + 7) * (8*x + 4*Q2x)) % P
# Eq 2.
assert (63 * x) % P == ((x**3 + 7) * (x - 4*Q2x)) % P
# (Eq 1.) / (Eq 2.)
assert (9 * x**3) % P == (63 * (8*x + 4*Q2x) * inv(x - 4*Q2x, P)) % P
# (Eq 1.) x (Eq 2.)
assert (567 * x**5) % P == ((x**3 + 7) * (x**3 + 7) * (8*x + 4*Q2x) * (x - 4*Q2x)) % P
# Double Qy, works only for secp256k1 curve
Q2y = ((y**4 + 126 * y**2 - 1323) * inv(8 * y**3, P)) % P
assert Q2y == fast_multiply(G, d*2)[1]
# Build Quartic equation with the relation of Qx and 2Qx
assert (x**4 - 4 * Q2[0] * x**3 - 56 * x - 28 * Q2[0]) % P == 0
assert ((x - 4*Q2[0]) * (x**3 + 7) * inv(63 * x, P)) % P == 1
# Depressed quartic version
_y = (x - Q2[0]) % P
assert (_y**4 + (-6*Q2[0]**2)*_y**2 + (-8*Q2[0]**3-56)*_y + (-3*Q2[0]**4-84*Q2[0])) % P == 0
p = (-6*Q2[0]**2)
q = (-8*Q2[0]**3-56)
r = (-3*Q2[0]**4-84*Q2[0])
assert (_y**4 + p*_y**2 + q*_y + r) % P == 0
# Resolvent cubic version with Descarte's solution
# ((U**3) + 2*p*(U**2) + ((p**2) - 4*r)*U - q**2) % P == 0
a = 1
b = 2*p % P
c = ((p**2) - 4*r) % P
d = (-(q**2)) % P
_p = ((3*(a)*(c) - (b**2)) * inv(3*(a**2), P)) % P
_q = ((2*(b**3) - 9*(a)*(b)*(c) + 27*(a**2)*(d)) * inv(27*(a**3), P)) % P
assert _p == (336 * Q2[0]) % P
assert _q == (448 * (Q2[0]**3 - 7)) % P
# Build Quartic equation with the relation of Qy and 2Qy
assert (y**4 - 8 * Q2[1] * y**3 + 126 * y**2 - 1323) % P == 0
assert (y**2 * (y**2 - 8 * Q2[1] * y + 126) - 1323) % P == 0
# Depressed quartic version
_x = (y - 2*Q2[1]) % P
assert (_x**4 + (126-24*Q2[1]**2)*_x**2 + (-64*Q2[1]**3+504*Q2[1])*_x + (-48*Q2[1]**4+504*Q2[1]**2-1323)) % P == 0
p = (126-24*Q2[1]**2)
q = (-64*Q2[1]**3+504*Q2[1])
r = (-48*Q2[1]**4+504*Q2[1]**2-1323)
assert (_x**4 + p*_x**2 + q*_x + r) % P == 0
# Resolvent cubic version with Ferrari's solution
# (8*(m**3) + 8*p*(m**2) + (2*(p**2) - 8*r)*m - q**2) % P == 0
a = 8
b = 8*p % P
c = (2*(p**2) - 8*r) % P
d = (-(q**2)) % P
# Resolvent depressed cubic
# t^3 + _pt + _q = 0 & m = t + (b/(3a))
_p = ((3*(a)*(c) - (b**2)) * inv(3*(a**2), P)) % P
_q = ((2*(b**3) - 9*(a)*(b)*(c) + 27*(a**2)*(d)) * inv(27*(a**3), P)) % P
assert _p == 0
assert _q == (10584 * (Q2[1]**2 - 7)) % P
t_cube = 10584 * (Q2[1]**2 - 7)
# We know Q2[0]**3 = Q2[1]**2 - 7 mod P
# Also 10584 = 2^3 * 3^3 * 7^2
# We can conclude cbrt(49*t^3) = 6*Q2[0]
assert t_cube % P == (inv(7,P)*(42*Q2[0])**3) % P
assert t_cube % P == (49*(6*Q2[0])**3) % P
"""
t = -6 * cuberoot(49, P) * Q2[0]
assert (t**3 + _p*t + _q) % P == 0
m = t - 8*Q2[1]**2 + 42
assert (8*(m**3) + 8*p*(m**2) + (2*(p**2) - 8*r)*m - q**2) % P
"""