I need to write the invalid curve attack. But I have a one problem I got infinity point for target point when I multiply in low order. But for random target point it works perfectly I need for fixed secp256k1 coordinates.
from sage.all import *
# I need the invalid curve attack.
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
K = GF(p)
a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
E = EllipticCurve(K, (a, b))
G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
D = K(2)
W = E.sextic_twist(D)
R.<x> = K[]
Kext.<z> = K.extension(x ** 3 - D)
iso = E.change_ring(Kext).isomorphism_to(W.change_ring(Kext))
lowOrder = iso.codomain().order() // 10903
basePoint = iso.codomain().random_point()
basePoint *= lowOrder
target = iso(G)
# Here I got infinity point (0 : 1 : 0) not real point. Here I need to get a real low order point, for invalid curve attack.
target *= lowOrder
print(target)
for i in range(10903 + 1):
Q = i * basePoint
if Q[0] == target[0] and Q[0] != 0 and target[0] != 0:
print(i)
you should rewrite the code to skip invalid public key like 0:1:0 . i believe this is for order 2. skip it.