# Elliptic curve cryptography (ed25519) Python3 beginner tutorial (part 1)

<center><img src='jupy_images/elliptic_curve_pic.png' width="500" height="500"></center>

In [None]:
# importing elliptic curve (ed25519)
import dumb25519
from dumb25519 import Scalar, Point

<p style="font-size: 24px"> Treat an elliptic curve group of points like you do vectors:
You can add/subtract points (G + H, G - H) and you can do scalar multiplication with it (x * G or xG for short). </p>

<p style="font-size: 24px"> Difference #1: the scalars. in vector calculus, the scalar is real numbers. <br>
On the other hand, our scalar is integers modulo a large prime number l. in other words, our scalars are only from 0 to (l - 1) (the remainders when any integer is divided by l). </p>

<br><p style="font-size: 24px"> Visualize it as a Finite Field with a finite amout of integers (in this case, the large prime number is; 2**255 - 19) </p>

<img src='jupy_images/finite_field.PNG' width="400" height="400">

In [None]:
# Here's the l:
print("l = " + str(dumb25519.l))

In [None]:
# scalar initialize
one = Scalar(1)
two = Scalar(2)
sum = one + two

<p style="font-size: 24px"> Scalar(< num >) </p>

In [None]:
print("Addition:")
print(str(one) + " + " + str(two) + " = " + str(sum) + "\n")

print("Here's the more normal-looking equation:")
print(str(one.x) + " + " + str(two.x) + " = " + str(sum.x))
# note : .x is to convert Scalar into int

<p style="font-size: 24px"> Woah! It's written differently. This is because relevant types of data have a standard \
format (it's in hex). </p> <br>

In [None]:
# other operations
diff = one - two
print("Substraction:")
print(str(one) + " - " + str(two) + " = " + str(diff) + "\n")

print("In a more simple term:")
print(str(one.x) + " - " + str(two.x) + " = " + str(diff.x))

<p style="font-size: 24px"> What?! Not -1? Again, our numbers are only from 0 to (l - 1). Hence -1 becomes 
"the same" with (l - 1). </p> <br>

In [None]:
prod = one * two
print("Product:")
print(str(one) + " * " + str(two) + " = " + str(prod) + "\n")

print("In a more simple term:")
print(str(one.x) + " * " + str(two.x) + " = " + str(prod.x))

<br><p style="font-size: 24px"> We have something like "division", but we do not use slash.<br>
Instead, inversion (analogous to "reciprocal") is performed on the supposed divisor, then perform multiplication. </p>

quot = one * two.invert()
print("Division:")
print(str(one) + " / " + str(two) + " = " + str(quot) + "\n")

print("In a more simple term:")
print(str(one.x) + " / " + str(two.x) + " = " + str(quot.x))

<p style="font-size: 24px"> ...Yeah this doesn't make much sense. 1/2 becomes \"the same\" with... that quotient.\n\
To make sense of this, we multiply the \"quotient\" and 2. The product should be 1 \
like x * (1/x) = 1." </p><br>

In [None]:
prod2 = two * quot
print(str(two.x) + " * " + str(quot.x) + " = " + str(prod2.x))

<br><p style="font-size: 24px"> Exponent is also possible. the power should be a natural number only. </p>

In [None]:
exp = two ** 3
print(str(two.x) + " ** 3 = " + str(exp.x))

<br><p style="font-size: 24px"> Get a random scalar :&emsp;dumb25519.random_scalar() </p>

In [None]:
rnd_scalar = dumb25519.random_scalar()
print("Random scalar: " + str(rnd_scalar) + " or \n" + str(rnd_scalar.x))

<br><p style="font-size: 24px"> Other Scalar operations in dumb25519: <br>
Comparsion (does not account for overflow), true truncated division ("//"), etc.
We are done with Scalars. </p>

<br><br><br> <p style="font-size: 24px"> Differences #2: the elliptic curve points. <br>
These are actually points (x,y) but the x and y are integers modulo another large (not necessarily prime) number q (the value is in dumb25519.q) <br>
We usually do not initialize points like we initialize scalar. instead, we use
either one of the two: </p>

<p style="font-size: 18px"> 1) get a random point </p>

In [None]:
rnd_point = dumb25519.random_point()
actual_point = (rnd_point.x, rnd_point.y)   # coords

print("\nRandom point: " + str(rnd_point) + " or \n" + str(actual_point))

<br><p style="font-size: 18px"> 2) using the "base generator" G </p>

In [None]:
print("Base generator: " + str(dumb25519.G) + " or \n" + str((dumb25519.Gx, dumb25519.Gy)))

<p style="font-size: 24px"><br>Now to produce another point from G (or any other point), we can do, as being said earlier, 
addition/subtraction of points (G + H, G - H) and scalar multiplication xG for scalar x.</p>

In [None]:
twoG = dumb25519.G + dumb25519.G
zero = dumb25519.G - dumb25519.G

print("G + G = " + str(twoG))
print("G - G = " + str(zero))

<br><p style="font-size: 24px"> Here is the "zero" point: </p>


In [None]:
print("    Z = " + str(dumb25519.Z))
print("Are G - G and Z the same?")

<br><br><p style="font-size: 24px">This is how Point addition looks like :</p>

<img src='jupy_images/elliptic_curve_addition.jpeg'>

<br><br> <p style="font-size: 24px"> Introducing to Discrete Logarithm Problem (DLP)</p>

In [None]:
for i in range(15):
    another_point = Scalar(i) * dumb25519.G
    print(str(i) + " * G = " + str(another_point))

<p style="font-size: 18px"> Note : Those last points look "random". This IS a big reason why we use elliptic curves in cryptography: <br>
If I give you a random point P (i.e. from dumb25519.random_point()), it is assumed to be impossible to find the x \nsuch that P = xG. <br>
The problem of finding x is called "Discrete Logarithm Problem" (DLP) and the impossibility assumption is called Discrete Logarithm (DL) assumption."<br> </p>

<br> <p style="font-size: 24px"> Notes on Cryptographic Hash Functions</p>

dumb25519 provides two hash functions: hash_to_scalar() and hash_to_point() that outputs a Scalar and a Point respectively. <br>
Any data that can be converted to string can be input there.

In [None]:
yet_another_scalar = dumb25519.hash_to_scalar("tutorial", Scalar(12))
yet_another_point =  dumb25519.hash_to_point("tutorial", dumb25519.G)

print("\nHash scalar: " + str(yet_another_scalar))
print("Hash point: " + str(yet_another_point))

# note that the output of hash_to_scalar() is NOT the discrete log of the output of hash_to_point().

# <br><br><br><br>Exercises

<p style="font-size: 16px"> Exercises 1 : What is (-1)G + G ?

In [None]:
# <your code here>

<br> <p style="font-size: 16px"> Exercies 2 : What is (1/x)*(xG) ? is Z == Z + dumb25519.random_point()? </p>

In [None]:
# <your code here>

<p style="font-size: 16px"> <br>There is another reason we use elliptic curves; the Diffie-Hellman (DH) key exchange<br><br>
Exercies 3 : Implement DH key exchange (just use variables). <br> Alice and Bob wants to share a secret scalar only they would know.
<br> Using the generator G and dumb25519.hash_to_scalar(), how would they do it?<br>
 Show that after the key exchange, Alice and Bob has a shared secret. </p>

In [None]:
# <your code here>

# if alice_final == bob_final:
    # print("DH key exchange successful.")
# else:
    # print("DH key exchange failed.")

<p style="font-size: 16px"><br> Exercise 4 : Monero cryptocurrency uses Pedersen commitment to hide amounts in the blockchain. <br>
Implement Pedersen commitment: given a scalar x, it must output a pair (r, rG + xH) where r is
a random Scalar. <br> For Monero, r should never be in the blockchain, only the rG + xH is. <br><br> </p>

<p style="font-size: 16px"> Then demonstrate the homomorphicity of Pedersen commitment: <br> 
Show that pedersen(x1) + pedersen(x2) = (r1 + r2)G + (x1 + x2)H <br> 
Where r1 and r2 are the 'r' output of pedersen(x1) and pedersen(x2), respectively. </p>

In [None]:
H = dumb25519.hash_to_point("Pedersen")

def pedersen(amount):
    # <your code here>
    pass


# test for homomorphicity
# commit2 = (r1 + r2) * G + (x1 + x2) * H
# if commit1 == commit2:
    # print("You demonstrated that Pedersen commitment is homomorphic!")
# else:
    # print("Something's wrong :(")

<p style="font-size: 16px"> <br> Exercise 5 : Implement Elgamal point encryption scheme. <br>
This is rarely used because the points are rarely encrypted (if ever). <br><br>
Here's the scenario: <br>
&emsp; Alice must send the point Y to Bob securely. Bob generates a random keypair (x, xG). <br>
&emsp; x is the private key, and P = xG is the public key to be shared to Alice. Alice encrypts <br>
&emsp; Y using P, and sends the cipher to Bob. Bob then decrypts the cipher using x. <br><br>
Just like in DH key exchange, just use variables. <br>
Encryption: given a point Y and point P, it must output a pair (rG, Y + rP) where r is a random scalar. <br>
Decryption: given a cipher pair (C1, C2) and a scalar x, output Y = C2 - x * C1. <br><br>

Then demonstrate the homomorphicity of Elgamal encryption scheme. <br>
Using two plaintexts 69000 * H and 420 * H, encrypt both separately, then pairwise add the two ciphers, then decrypt the "sum" cipher. <br>
 What is the decrypted plaintext? </p>

In [None]:
bob_prvkey = dumb25519.random_scalar()
bob_pubkey = bob_prvkey * dumb25519.G

plain1 = Scalar(69000) * H
plain2 = Scalar(420) * H

def elgamal_enc(plain: Point, bob_pubkey: Point) -> tuple:
    # <your code here>
    pass

def elgamal_dec(cipher: tuple, bob_prvkey: Scalar) -> Point:
    # <your code here>
    pass

# <your code here>

# test for homomorphicity
expected_dec = Scalar(69420) * H
# if actual_dec == expected_dec:
    # print("You demonstrated that Elgamal is homomorphic!")
# else:
    # print("Something's wrong :(")