# ECC Demonstration

Import my ECC package into the environment

In [2]:
from ECC import *

### Key Generation
Declare the bit size we want to use

In [26]:
bitSize = 17

Generate a set of ECC keys with appropriate bitsize

In [27]:
ECC_keys = generate_ECC.KeyGen(bitSize, True, True)     # initalise object True sets verbose and demo flag on KeyGen
ECC_keys.generateCurve()                                # create a curve
ECC_keys.generateKeys()                                 # runs generator

Generating  17 bit prime... 
10 rounds of Miller-Rabin needed (according to FISC)
Trial-Division prime list generated, size:  54
New candidate... 73511
New candidate... 102685
New candidate... 85433
New candidate... 78295
New candidate... 93459
New candidate... 85305
New candidate... 71449
New candidate... 79377
New candidate... 76523
New candidate... 122915
New candidate... 106153
New candidate... 126141
New candidate... 74815
New candidate... 93635
New candidate... 129123
New candidate... 73219
New candidate... 91449
New candidate... 120465
New candidate... 108519
New candidate... 119995
New candidate... 79589
Prime of  17 bits found: 79589
Checked 21 candidates in 0.00 s

Checking: y^2 = x^3 + 3 % 79589

y^2 = x^3 + 3 % 79589
Checked 1 curves
k = 44482  G = (63483, 16824)   Q = (52402, 34768)
Public-Key: {
    Curve: y^2 = x^3 + 3 % 79589
    Base-Point: (63483, 16824)
    Order(Base): 79590
    Public-Point: (52402, 34768)
}
Private-Key: 44482
n is 17 bits



True

### Brute Force Algorithm

Very trivial:

- Simply keep adding G to itself until we reach the required Q 
- $O(p)$ for prime $p$

In [4]:
# pass it public keys, and True verbose & demo flag
bf = brute_force.BFSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True) 
# run solver
bf.solve()                                                                

'116213.G = (4282, 115112)'

k: 116213
Time taken: 3.426 s
Space used: 4 bytes
Numbers checked: 116213


True

### Pollard's-$\lambda$ method

An extremely probabilistic method:

- Based around setting a "trap"
- Which a "wild kangaroo" falls into
- The distance travelled before falling into the trap helps is calculate $k$
- Theoretically grows wit $O(\sqrt{p})$
- Often fails with the "wild kangaroo" entering a cycle in a safe zone

In [5]:
# pass it public keys, and True verbose & demo flag
lamb = pollard_lambda.PLSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True) 
# run solver
lamb.solve()  

'Trap: (78201, 96909) Wild: (78201, 96909)'

k: 116213
Time taken: 0.228 s
Space used: 80 bytes
Numbers checked: 1025


True

### Make it a bit harder

In [28]:
bitSize = 26

ECC_keys = generate_ECC.KeyGen(bitSize, True)     # initalise object True sets verbose flag on KeyGen
ECC_keys.generateCurve()                          # create a curve
ECC_keys.generateKeys()                           # runs generator

Prime of  26 bits found: 55526413
Checked 7 candidates in 0.00 s

y^2 = x^3 + 3x + 5 % 55526413
Checked 1 curves
k = 54083830  G = (37183393, 5584089)   Q = (31269417, 24605831)
Public-Key: {
    Curve: y^2 = x^3 + 3x + 5 % 55526413
    Base-Point: (37183393, 5584089)
    Order(Base): 55533056
    Public-Point: (31269417, 24605831)
}
Private-Key: 54083830
n is 26 bits



True

### Baby Step - Giant Step Algorithm

This algorithm is essentialyl brute-force, trading space for time:

- We compute a hash table of results upto $s \leftarrow \sqrt{ord(G)}$
- Giant steps incremet $i$ calculating: $P \leftarrow Q - G.(i*s)$
- When $P$ is found in the hash table we calculate $k \leftarrow hash(P) + i*s$
- $O(\sqrt{p})$ for space and time complexity

In [7]:
# pass it public keys, and True verbose & demo flag
bsgs = baby_step.BGSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True)    
# run solver
bsgs.solve()                                                              

'(42896506, 33779202) - (45692157, 9536010) * 40377873 = (10482692, 11187616)'

k: 40378014
Time taken: 3.097 s
Space used: 55904 bytes
Numbers checked: 12768


True

### Pohlig-Hellman

A "special purpose" algorithm:

- If $ord(G)$ is a "smoooth number" we can decompose the problem 
- Making new sub-problems over each of the prime factors
- Then recombine the solutions using the CRT
- It's time complexity grows with the square root of the largest prime factor of $ord(G)$.
- So worst case is $O(\sqrt{p})$ where $ord(G) \equiv p$

In [8]:
# pass it public keys, and True verbose & demo flag
ph = pohlig_hellman.PHSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True) 
# run solver
ph.solve()  

{17: 1, 659: 1, 4357: 1}
17^1: G'=(30417447, 9422730) Q'=(35646582, 40245245); ord = 17
659^1: G'=(7976615, 32580535) Q'=(12736686, 28754677); ord = 659
4357^1: G'=(15215002, 39500999) Q'=(23817113, 4446234); ord = 4357
k: 40378014
Time taken: 0.012 s
Space used: 139
Numbers checked: 145


True

### Pollard's-$\rho$ method

Same as for the IFP:

- We aim to find two sets of numbers such that $a.G + b.Q = a'.G + b'.Q$, which rearranges to give us: $k \leftarrow \frac{a-a'}{b'-b} \; mod \; ord(G)$
- Found by generating a repeatable random sequence of points, which according to the birthday paradox must eventually cycle
- Send two runners around one twice as fast as the other to detect cycle 
- $O(\sqrt{p})$ according to birthday paradox
- But each "check" is only an addition not multiplication, so much faster

In [29]:
# pass it public keys, and True verbose & demo flag
rho = pollard_rho.PRSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True)   
# run solver
rho.solve()                                                                

'X: (26853316, 53990554) Y: (26853316, 53990554)'

k: 54083830
Time taken: 0.938 s
Space used: 72 bytes
Numbers checked: 11571


True

### MOV Attack

Maps the ECDLP to the DLP:

- Works for a very small number of curves, which have a small embedding degree
- $\epsilon$, where $\epsilon$ is the lowest integer satisfying $p^{\epsilon} - 1 / card(E) \in N$ ($p$ is prime, $E$ is a curve over ${\bf F}_p$ and $card(E)$ is the number of points on the curve)
- Extremely efficient (subexponential) if it works
- But works for exponentially increasing amount of numbers 

In [7]:
from IPython.display import display, clear_output

solved = False
bitSize = 12

while not solved:
    clear_output(wait=True)
    
    ECC_keys = generate_ECC.KeyGen(bitSize, True)     # initalise object True sets verbose flag on KeyGen
    ECC_keys.generateCurve()                          # create a curve
    ECC_keys.generateKeys()                           # runs generator

    # pass it public keys, and True verbose & demo flag
    mov = mov_attack.MOVSolver(ECC_keys.curve, ECC_keys.Q, ECC_keys.G, True, True) 
    # run solver
    mov.solve()  
    
    solved = mov.k == ECC_keys.k

Prime of  12 bits found: 3931
Checked 3 candidates in 0.00 s

y^2 = x^3 + 9x % 3931
Checked 1 curves
k = 3874  G = (840, 1359)   Q = (1055, 2917)
Public-Key: {
    Curve: y^2 = x^3 + 9x % 3931
    Base-Point: (840, 1359)
    Order(Base): 3932
    Public-Point: (1055, 2917)
}
Private-Key: 3874
n is 12 bits

1448*a + 1732 2385*a + 563 3932
k: 3874
Time taken: 0.001 s
Space used: 30976 bytes
Numbers checked: 88


### Basic Analysis
Running the above algorithms on a variety of random inputs to create graphs showing general trends.

The below style code makes the format of the graphs nicer

In [11]:
%%html
<style>
.output_wrapper button.btn.btn-default,
.output_wrapper .ui-dialog-titlebar {
  display: none;
}
</style>

Runs each algorithm in a thread and plots the results.

In [2]:
%matplotlib notebook
from graphs_ECC import *

minBit = 3
bf_bit = 13
bsgs_bit = 21
ph_bit = 21
rho_bit = 21
mov_bit = 21

testGraphs(minBit, bf_bit, bsgs_bit, ph_bit, rho_bit, mov_bit)

<IPython.core.display.Javascript object>

Press Enter to stop.


<img src="imgs/ECC.png" alt="drawing" style="width:80%;"/>

## Try it yourself

Below you can select which solvers you want to use and enter your own curve to test against the solvers

In [13]:
from ECC.curves import * 

# SET YOUR OWN CURVE IN WEIERSTRASS FORM E: y^2 = x^3 + ax + b (mod fp)
a = 1
b = 1
fp = 419

# CREATE CURVE
C = Curve(a, b, fp)  

# GET GENERATOR POINT
G = C.getG()
print("Generator point:", G)

if G:
    ordG = C.order(G)
    print("Of order:", C.order(G))

    # SET k AND CALCULATE PUBLIC POINT 
    k = 135
    Q = G * k
    print("Public point:", Q)

    # PACKAGE ALL INTO KEY CLASS
    ECC_keys = generate_ECC.KeyGen(verbose = True)
    ECC_keys.setCurve(C)
    ECC_keys.setG(G)
    ECC_keys.setQ(Q)
    ECC_keys.setK(k)

Generator point: (22, 14)
Of order: 407
Public point: (262, 247)


In [14]:
import run_ECC

# SET SOLVERS ON/OFF 
bf = True     # brute-force
bsgs = True   # baby-step giant-step
pr = True     # pollard's - rho
pl = True     # pollard's lambda
ph = True     # pohlig-hellman
mov = True    # mov-attack

# PASS KEYS TO SOLVER
run_ECC.runSolvers(ECC_keys, bf, bsgs, pr, pl, ph, mov)

k: 135
Time taken: 0.005 s
Space used: 72 bytes
Numbers checked: 7
Success!
k: 135
Time taken: 2.093 s
Space used: 80 bytes
Numbers checked: 43173
Success!
{11: 1, 37: 1}
k: 135
Time taken: 0.001 s
Space used: 18
Numbers checked: 18
Success!
Not Suceptible to MOV attack
Fail!
