# Elliptic curve cryptography (ed25519) Python3 beginner tutorial (part 1)

<center><img src='jupy_images/elliptic_curve_pic.png' width="500" height="500"></center>

In [1]:
# importing elliptic curve (ed25519)
import dumb25519
from dumb25519 import Scalar, Point

Treat an elliptic curve group of points like you do vectors:
You can add/subtract points (G + H, G - H) and you can do scalar multiplication with it (x * G or xG for short).

Difference #1: the scalars. in vector calculus, the scalar is real numbers. <br>
On the other hand, our scalar is integers modulo a large prime number l. in other words, our scalars are only from 0 to (l - 1) (the remainders when any integer is divided by l).

Visualize it as a Finite Field with a finite amout of integers (in this case, the large prime number is; 2**255 - 19)

<img src='jupy_images/finite_field.png' width="600" height="600">

In [2]:
# Here's the l:
print("l = " + str(dumb25519.l))

l = 7237005577332262213973186563042994240857116359379907606001950938285454250989


In [3]:
# scalar initialize
one = Scalar(1)
two = Scalar(2)
sum = one + two

Scalar(\<num>)

In [4]:
print("Addition:")
print(str(one) + " + " + str(two) + " = " + str(sum) + "\n")

print("Woah! It's written differently. This is because relevant types of data have a standard \
format (it's in hex).")
print("Here's the more normal-looking equation:")
print(str(one.x) + " + " + str(two.x) + " = " + str(sum.x))
# note : .x is to convert Scalar into int

Addition:
0100000000000000000000000000000000000000000000000000000000000000 + 0200000000000000000000000000000000000000000000000000000000000000 = 0300000000000000000000000000000000000000000000000000000000000000

Woah! It's written differently. This is because relevant types of data have a standard format (it's in hex).
Here's the more normal-looking equation:
1 + 2 = 3


In [5]:
# other operations
diff = one - two
print("Substraction:")
print(str(one) + " - " + str(two) + " = " + str(diff) + "\n")
print("In a more simple term:")
print(str(one.x) + " - " + str(two.x) + " = " + str(diff.x) + "\n\n")

print("What?! Not -1? Again, our numbers are only from 0 to (l - 1). Hence -1 becomes \
\"the same\" with (l - 1).")

Substraction:
0100000000000000000000000000000000000000000000000000000000000000 - 0200000000000000000000000000000000000000000000000000000000000000 = ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010

In a more simple term:
1 - 2 = 7237005577332262213973186563042994240857116359379907606001950938285454250988


What?! Not -1? Again, our numbers are only from 0 to (l - 1). Hence -1 becomes "the same" with (l - 1).


In [6]:
prod = one * two
print("Product:")
print(str(one) + " * " + str(two) + " = " + str(prod) + "\n")

print("In a more simple term:")
print(str(one.x) + " * " + str(two.x) + " = " + str(prod.x))

Product:
0100000000000000000000000000000000000000000000000000000000000000 * 0200000000000000000000000000000000000000000000000000000000000000 = 0200000000000000000000000000000000000000000000000000000000000000

In a more simple term:
1 * 2 = 2


<br>We have something like "division", but we do not use slash.<br>
Instead, inversion (analogous to "reciprocal") is performed on the supposed divisor, then perform multiplication.

In [7]:
quot = one * two.invert()
print("Division:")
print(str(one) + " / " + str(two) + " = " + str(quot) + "\n")
print("In a more simple term:")
print(str(one.x) + " / " + str(two.x) + " = " + str(quot.x) + "\n\n")

print("...Yeah this doesn't make much sense. 1/2 becomes \"the same\" with... that quotient.\n\
To make sense of this, we multiply the \"quotient\" and 2. The product should be 1 \
like x * (1/x) = 1.")

Division:
0100000000000000000000000000000000000000000000000000000000000000 / 0200000000000000000000000000000000000000000000000000000000000000 = f7e97a2e8d31092c6bce7b51ef7c6f0a00000000000000000000000000000008

In a more simple term:
1 / 2 = 3618502788666131106986593281521497120428558179689953803000975469142727125495


...Yeah this doesn't make much sense. 1/2 becomes "the same" with... that quotient.
To make sense of this, we multiply the "quotient" and 2. The product should be 1 like x * (1/x) = 1.


In [8]:
prod2 = two * quot
print(str(two.x) + " * " + str(quot.x) + " = " + str(prod2.x))

2 * 3618502788666131106986593281521497120428558179689953803000975469142727125495 = 1


<br>Exponent is also possible. the power should be a natural number only.

In [9]:
exp = two ** 3
print(str(two.x) + " ** 3 = " + str(exp.x))

2 ** 3 = 8


<br>Get a random scalar &emsp; (dumb25519.random_scalar())

In [10]:
rnd_scalar = dumb25519.random_scalar()
print("Random scalar: " + str(rnd_scalar) + " or \n" + str(rnd_scalar.x))

Random scalar: d621422e4a84773267b76fc317cb4666d96ae076d1845b537e171b0145c7cb06 or 
3073922353525398904697431485067558830120207409144055460147229295928812904918


<br>Other Scalar operations in dumb25519: <br>
Comparsion (does not account for overflow), true truncated division ("//"), etc.
We are done with Scalars.

<br><br><br>Differences #2: the elliptic curve points. <br>
These are actually points (x,y) but the x and y are integers modulo another large (not necessarily prime) number q (the value is in dumb25519.q) <br>
We usually do not initialize points like we initialize scalar. instead, we use
either one of the two:

1) get a random point

In [11]:
rnd_point = dumb25519.random_point()
actual_point = (rnd_point.x, rnd_point.y)   # coords

print("\nRandom point: " + str(rnd_point) + " or \n" + str(actual_point))


Random point: 65747b430ff52e5d78851503a3fb77307189272d0fe55d07722db69686e7cb91 or 
(27554407936770438201587502344656223779879798825325581517210796315925052545769, 8049586311976289875296465230278523473626174339668128923459267261778211075173)


2) using the "base generator" G

In [12]:
print("Base generator: " + str(dumb25519.G) + " or \n" + str((dumb25519.Gx, dumb25519.Gy)))

Base generator: 5866666666666666666666666666666666666666666666666666666666666666 or 
(15112221349535400772501151409588531511454012693041857206046113283949847762202, 46316835694926478169428394003475163141307993866256225615783033603165251855960)


<br>Now to produce another point from G (or any other point), we can do, as being said earlier, 
addition/subtraction of points (G + H, G - H) and scalar multiplication xG for scalar x.

In [13]:
twoG = dumb25519.G + dumb25519.G
zero = dumb25519.G - dumb25519.G

print("G + G = " + str(twoG))
print("G - G = " + str(zero))

G + G = c9a3f86aae465f0e56513864510f3997561fa2c9e85ea21dc2292309f3cd6022
G - G = 0100000000000000000000000000000000000000000000000000000000000000


<br>Here is the "zero" point:


In [14]:
print("    Z = " + str(dumb25519.Z))
print("Are G - G and Z the same?")

    Z = 0100000000000000000000000000000000000000000000000000000000000000
Are G - G and Z the same?


<br><p style="font-size: 24px">This is how Point addition looks like :</p>

<img src="jupy_images\elliptic_curve_addition.jpeg">

<br> <p style="font-size: 24px"> Introducing to Discrete Logarithm Problem (DLP)</p>

In [15]:
for i in range(15):
    another_point = Scalar(i) * dumb25519.G
    print(str(i) + " * G = " + str(another_point))
print("\n\nThose last points look \"random\". This IS a big reason why we use elliptic curves in cryptography:")
print("\nIf I give you a random point P (i.e. from dumb25519.random_point()), it is assumed to be \
impossible to find the x \nsuch that P = xG. The problem of finding x is called \"Discrete Logarithm \
Problem\" (DLP) and the impossibility \nassumption is called Discrete Logarithm (DL) assumption.")

0 * G = 0100000000000000000000000000000000000000000000000000000000000000
1 * G = 5866666666666666666666666666666666666666666666666666666666666666
2 * G = c9a3f86aae465f0e56513864510f3997561fa2c9e85ea21dc2292309f3cd6022
3 * G = d4b4f5784868c3020403246717ec169ff79e26608ea126a1ab69ee77d1b16712
4 * G = 2f1132ca61ab38dff00f2fea3228f24c6c71d58085b80e47e19515cb27e8d047
5 * G = edc876d6831fd2105d0b4389ca2e283166469289146e2ce06faefe98b22548df
6 * G = f47e49f9d07ad2c1606b4d94067c41f9777d4ffda709b71da1d88628fce34d85
7 * G = b862409fb5c4c4123df2abf7462b88f041ad36dd6864ce872fd5472be363c5b1
8 * G = b4b937fca95b2f1e93e41e62fc3c78818ff38a66096fad6e7973e5c90006d321
9 * G = c0f1225584444ec730446e231390781ffdd2f256e9fcbeb2f40dddc2c2233d7f
10 * G = 2c7be86ab07488ba43e8e03d85a67625cfbf98c8544de4c877241b7aaafc7fe3
11 * G = 1337036ac32d8f30d4589c3c1c595812ce0fff40e37c6f5a97ab213f318290ad
12 * G = f9e42d2edc81d23367967352b47e4856b82578634e6c1de72280ce8b60ce70c0
13 * G = 801f40eaaee1ef8723279a28b2cf4037b889dad

<br> <p style="font-size: 24px"> Notes on Cryptographic Hash Functions</p>

dumb25519 provides two hash functions: hash_to_scalar() and hash_to_point() that outputs a Scalar and a Point respectively. <br>
Any data that can be converted to string can be input there.

In [16]:
yet_another_scalar = dumb25519.hash_to_scalar("tutorial", Scalar(12))
yet_another_point =  dumb25519.hash_to_point("tutorial", dumb25519.G)

print("\nHash scalar: " + str(yet_another_scalar))
print("Hash point: " + str(yet_another_point))

# note that the output of hash_to_scalar() is NOT the discrete log of the output of hash_to_point().


Hash scalar: a0613cb244a233af5e6a6d2890a9cbd6995aa9178466f40d1e555d87ecd4580b
Hash point: 9ab576fc2b3764df7591b9d21b5b91bfb4629595f6e5b8287ef95297b54c812d


# Exercises

Exercises 1 : What is (-1)G + G ?

In [17]:
# <your code here>

<br>Exercies 2 : What is (1/x)*(xG) ? is Z == Z + dumb25519.random_point()?

In [18]:
# <your code here>

<br>There is another reason we use elliptic curves; the Diffie-Hellman (DH) key exchange<br><br>
Exercies 3 : Implement DH key exchange (just use variables). <br> Alice and Bob wants to share a secret scalar only they would know.
<br> Using the generator G and dumb25519.hash_to_scalar(), how would they do it?<br>
 Show that after the key exchange, Alice and Bob has a shared secret.

In [19]:
# <your code here>

# if alice_final == bob_final:
    # print("DH key exchange successful.")
# else:
    # print("DH key exchange failed.")

<br> Exercise 4 : Monero cryptocurrency uses Pedersen commitment to hide amounts in the blockchain. <br>
Implement Pedersen commitment: given a scalar x, it must output a pair (r, rG + xH) where r is
a random Scalar. <br> For Monero, r should never be in the blockchain, only the rG + xH is. <br><br>

Then demonstrate the homomorphicity of Pedersen commitment: <br> 
Show that pedersen(x1) + pedersen(x2) = (r1 + r2)G + (x1 + x2)H <br> 
Where r1 and r2 are the 'r' output of pedersen(x1) and pedersen(x2), respectively.

In [20]:
H = dumb25519.hash_to_point("Pedersen")

def pedersen(amount):
    # <your code here>
    pass


# test for homomorphicity
# commit2 = (r1 + r2) * G + (x1 + x2) * H
# if commit1 == commit2:
    # print("You demonstrated that Pedersen commitment is homomorphic!")
# else:
    # print("Something's wrong :(")

<br> Exercise 5 : Implement Elgamal point encryption scheme. <br>
This is rarely used because the points are rarely encrypted (if ever). <br><br>
Here's the scenario: <br>
&emsp; Alice must send the point Y to Bob securely. Bob generates a random keypair (x, xG). <br>
&emsp; x is the private key, and P = xG is the public key to be shared to Alice. Alice encrypts <br>
&emsp; Y using P, and sends the cipher to Bob. Bob then decrypts the cipher using x. <br><br>
Just like in DH key exchange, just use variables. <br>
Encryption: given a point Y and point P, it must output a pair (rG, Y + rP) where r is a random scalar. <br>
Decryption: given a cipher pair (C1, C2) and a scalar x, output Y = C2 - x * C1. <br><br>

Then demonstrate the homomorphicity of Elgamal encryption scheme. <br>
Using two plaintexts 69000 * H and 420 * H, encrypt both separately, then pairwise add the two ciphers, then decrypt the "sum" cipher. <br>
 What is the decrypted plaintext? 

In [21]:
bob_prvkey = dumb25519.random_scalar()
bob_pubkey = bob_prvkey * dumb25519.G

plain1 = Scalar(69000) * H
plain2 = Scalar(420) * H

def elgamal_enc(plain: Point, bob_pubkey: Point) -> tuple:
    # <your code here>
    pass

def elgamal_dec(cipher: tuple, bob_prvkey: Scalar) -> Point:
    # <your code here>
    pass

# <your code here>

# test for homomorphicity
expected_dec = Scalar(69420) * H
# if actual_dec == expected_dec:
    # print("You demonstrated that Elgamal is homomorphic!")
# else:
    # print("Something's wrong :(")