
Sage is wonderful. It has a huge number of uses but I mostly use it for cryptography. Sage has the best (certainly open source) support I know of for a myriad of things like group theory and elliptic curves. Here's a short example for how easy it is to play around with a tiny elliptic curve:

    sage: p = 19; p.is_prime()
    True
    sage: K = GF(p); K
    Finite Field of size 19
    sage: E = EllipticCurve(K, [5, 9]); E
    Elliptic Curve defined by y^2 = x^3 + 5*x + 9 over Finite Field of size 19
    sage: E.count_points(), E.order(), E.gens()
    (19, 19, [(4 : 6 : 1)])

There are far too many things to name that sage can do, but the CLI has a great autocomplete. Here's an example: let's say you have ECDH with point compression, and you specify only an x coordinate. Point compression limits the effectiveness of invalid curve attacks, where an attacker gives you a maliciously picked Diffie-Hellman value that isn't actually on the curve you're supposed to be on. However, if the x coordinate doesn't map to a point on the curve, it's necessarily on its "nontrivial quadratic twist". Sage makes this easy to play with because sage makes pretty much everything easy to play with:

    sage: E.lift_x(6, all=True)
    []
    sage: E.quadratic_twist()
    Elliptic Curve defined by y^2 = x^3 + 6*x + 13 over Finite Field of size 19
    sage: E.quadratic_twist().lift_x(6, all=True)
    [(6 : 6 : 1), (6 : 13 : 1)]

If you want to do a full-on invalid curve attack, the easiest way to do that is with Sage. You look up how the explicit formulas work in the EFD[efd], you write a ladder, you figure out how to create other elliptic curves for which the short Weierstrass doubling formulas still work (which parameter doesn't appear in the formula?), and then just let sage generate every possible curve and see which ones have the poor cryptographic properties you're after.

There's a reason the introduction to Cryptopals Set 8[set8] ends with the words:

> By the time you're done, you will have written an ad hoc, informally-specified, bug-ridden, slow implementation of one percent of SageMath.

As much as I'm a Clojure fanboy none of the Java libraries come even close. Unfortunately, sage is mildly annoying to use/install as a Python library (that would help interop significantly).

[efd]: https://www.hyperelliptic.org/EFD/g1p/auto-shortw.html

[set8]: https://cryptopals.com/sets/8
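
The curve-versus-twist split described in the comment above, as an added example that is not part of the original post: plain Python rather than Sage, using the same toy curve, showing the receiver-side check that an x-only value actually lifts to the intended curve. The helper names (`classify_x`, `accept_peer_x`, and so on) are hypothetical.

```python
# Added example. Toy parameters from the comment: y^2 = x^3 + 5x + 9 over GF(19).
P, A, B = 19, 5, 9

def rhs(x):
    """Right-hand side x^3 + A*x + B of the curve equation, reduced mod P."""
    return (x * x * x + A * x + B) % P

def classify_x(x):
    """Say whether a bare x-coordinate belongs to the curve or to its twist."""
    if not 0 <= x < P:
        raise ValueError("x is not a reduced field element")
    # Euler's criterion: v^((P-1)/2) is 1 for nonzero squares, P-1 for
    # non-squares and 0 for v == 0 (a point with y == 0).
    symbol = pow(rhs(x), (P - 1) // 2, P)
    return "twist" if symbol == P - 1 else "curve"

def lift_x(x):
    """All y with (x, y) on the curve; brute force is fine for a 19-element field."""
    v = rhs(x)
    return [y for y in range(P) if y * y % P == v]

def curve_order():
    """Affine points plus the point at infinity."""
    return 1 + sum(len(lift_x(x)) for x in range(P))

def twist_order():
    """For the quadratic twist E' over GF(P): #E + #E' = 2P + 2."""
    return 2 * P + 2 - curve_order()

def accept_peer_x(x):
    """Receiver-side check (hypothetical helper) for an x-only public value."""
    try:
        return classify_x(x) == "curve"
    except ValueError:
        return False

if __name__ == "__main__":
    for x in (4, 6):
        print(x, classify_x(x), lift_x(x), accept_peer_x(x))
    print("curve order", curve_order(), "twist order", twist_order())
```

Here the curve has prime order 19 while the twist has order 21 = 3 · 7, which is why an x-only implementation has to either reject values that land on the twist or use a curve whose twist order is also free of small factors.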



I haven’t used CAS for nontrivial algebra and number theory in a while (think half a decade), but IIRC Magma is a fair bit more powerful than Sage on these topics and more consistent as well. But alas, it’s not open source and not free. There’s a free calculator though subject to limits. http://magma.maths.usyd.edu.au/calc/



