## A Demonstration of the Elliptic Curve (EC) Cryptosystem
The elliptic curve cryptosystem demonstrated below combines [Diffie&ndash;Hellman](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange) style symmetric key agreement with a digital signature to provide for the confidentiality, integrity and authenticy of a message exchanged between two parties (Alice and Bob) over an insecure channel. A third party (Eve), listening on this channel, has no practical way of learning the content of the message, nor any way of tampering with it without the receiving party knowing the message has been corrupted.

The key&ndash;agreement component of this cryptosystem provides for message confidentiality, and is known by the initials *ECDH*, which is short for [*Elliptic&ndash;Curve Diffie&ndash;Hellman*](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman) (alternatively *ECDHE*, the last *E* standing for *Ephemeral*, to indicate that the session key negotiated by the message&ndash;exchanging parties is to be used only once and then discarded). The digital signature component of this cryptosystem provides for message integrity and authenticity, and is known by the initials *ECDSA*, for [*Elliptic Curve Digital Signature Algorithm*](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm).

Elliptic curve cryptography represents a novel approach to the [discrete logarithm problem](https://en.wikipedia.org/wiki/Discrete_logarithm) (DLP) introduced by Diffie and Hellman in their 1976 paper [*New Directions in Cryptography*](https://ee.stanford.edu/~hellman/publications/24.pdf). The Diffie&ndash;Hellman protocol remains to this day the basis for key agreement over insecure channels. Elliptic&ndash;curve DLP has the advantage of requiring much shorter key lengths than traditional DH, however, to achieve equivalent security levels. This makes EC the only practical choice in size&ndash; and/or power&ndash;constrained applications, such as contactless smartcards and smart phones. Whereas an EC key of 256 bits in length provides 128&ndash;bit security (today considered the minimum acceptible security level), DH and [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) keys must be at least 3,072 bits in length to provide the same level of security.

### The Source Code
The following sequence of function calls to the [ec](https://github.com/dchampion/crypto/tree/master/src/ec.py) module illustrates a session in which Alice signs and encrypts a private message, and then transmits this message, together with the signature, to Bob over an insecure channel. Meanwhile, an adversary (Eve) intecepts the message&ndash;signature pair transmitted on the insecure channel.

It is assumed that Alice, Bob and Eve all possess their own copy of the [ec](https://github.com/dchampion/crypto/tree/master/src/ec.py) module; but that only Alice and Bob possess the signing and encryption keys generated by this module to provide the aforementioned protections.

At the top of each code snippet is a line&ndash;comment to indicate who (i.e., Alice, Bob and/or Eve) is invoking the code. Illustrative code snippets, i.e., those that are not part of the protocol, but rather merely informative, are not commented.

In [1]:
import os
os.chdir("..")

# Alice and Bob (and possibly Eve)
from src import curves
from src import ec
from tests import sym

Alice and Bob both import the modules `curves` and `ec`, and a module `sym` that implements a symmetric cipher they have agreed in advance will be used to encrypt and decrypt messages (the `sym` cipher used here is for illustrative purposes only, and in a real-world setting would be replaced with a cryptographically&ndash;strong symmetric cipher such as 3DES or AES).

In [2]:
# Alice
ec.new_curve(curves.Curve(17,2,2,5,1,19,1), 5)

The `ec` module uses a NIST&ndash;/SECG&ndash;sanctioned ellipctic curve by default; specifically, the [*secp256k1*](https://www.secg.org/sec2-v2.pdf#subsubsection.2.4.1) curve (we assume this curve is secure because it has secured the Bitcoin blockchain since 2009). For the purposes of this demonstration, however, Alice will define a much smaller (and therefore much less secure) curve.

An elliptic curve is defined by the congruence relation *y<sup>2</sup> &Congruent; x<sup>3</sup> + ax + b (mod p)*, where *x* and *y* are coordinates on a cartesian plane, *a* and *b* are constant coefficients, and *p* is a prime modulus that confines results to a finite integral field.

More formally, to define the curve above, we supply the following domain parameters to the `curves.Curve` object, which is the first parameter we pass to the `ec.new_curve` function:

* A field parameter *p* (17) (this is also the prime modulus)
* A coefficient *a* (2)
* A coefficient *b* (2)
* An *x*&ndash;coordinate for the base point *G* (5)
* A *y*&ndash;coordinate for the base point *G* (1)
* The order *n* of the base point *G* (19)
* The cofactor *h* of the curve point group, which is the total number of points on the curve divided by the order of *G*, or *n* (1)

Alice also supplies an optional, second parameter to the `ec.new_curve` function: 

* This parameter specifies the number of iterations to test the curve's strength against a certain class of attacks (5 is the value Alice supplies because the default&mdash;100&mdash;will cause this small curve to fail validation).

If any of these parameters is invalid, the function `ec.new_curve` will raise an exception. As it turns out, a curve with these parameters is valid (albeit wholly insecure due to its small size).

In [3]:
print(ec._curve)

Curve curve parameters:
 p:  17
 a:  2
 b:  2
 Gx: 5
 Gy: 1
 n:  19
 h:  1


Here, we print the aforementioned domain parameters to the console.

In [4]:
pt = ec._curve.G()
print(pt) # Print base point
while pt != ec._i:
    pt = ec._add(ec._curve.G(), pt)
    print(pt) # Print remaining points...

[5, 1]
[6, 3]
[10, 6]
[3, 1]
[9, 16]
[16, 13]
[0, 6]
[13, 7]
[7, 6]
[7, 11]
[13, 10]
[0, 11]
[16, 4]
[9, 1]
[3, 16]
[10, 11]
[6, 14]
[5, 16]
[None, None]


Here, we print all the points on the curve to the console. Note that the first point in the list, the base point `[5, 1]`, comes from the coordinates Alice specified in the 4<sup>th</sup> and 5<sup>th</sup> parameters to the `curves.Curve` object we passed to the `ec.new_curve` function. Also note that the last point is `[None, None]`, which in an elliptic&ndash;curve point group is the identity element (this is also referred to as the *point at infinity*).

The total number of points in the group is 19, which Alice specified in the 6<sup>th</sup> parameter to `curves.Curve` object (this can be verified by counting the coordinate pairs in the list above).

In [5]:
# Alice
dA, QA = ec.generate_keypair()

Alice begins by generating a pair of keys, and stores them in *dA* and *QA*; these are her private and public keys, respectively. The suffixed capital letter *A* denotes that these keys belong to Alice.

Alice transmits her public key *QA* to Bob, but she must keep her private key *dA* secret.

In [6]:
print(dA, QA)

1 [5, 1]


If we print Alice's keys, we see that her private key is an integer, and her public key a point on the curve. Note that her private key is the 1&ndash;based index of the curve in the list we printed above; that is, it is the *dA*<sup>th</sup> point in the list.

More formally, using elliptic curve math, the base point `[5, 1]` is *added* to itself *dA* times to arrive at the point represented by the public key *QA*. *dA* is selected randomly from the range *1 < dA < n - 1*, where *n* is the number of points on the curve, to produce the public key.

In [7]:
# Bob
dB, QB = ec.generate_keypair()

Next, it's Bob's turn to generate a key pair (suffixed with the capital letter *B* this time to denote these keys belong to Bob). As with Alice's keys, Bob transmits his public key *QB* to Alice, but keeps his private key *dB* secret.

In [8]:
print(dB, QB)

16 [10, 11]


If we print Bob's keys, we see a familiar pattern.

In [9]:
# Alice
kSessionA = ec.generate_session_key(dA, QB)

Next, Alice computes a session key *kSessionA*, using her private key *dA* and Bob's public key *QB*.

If you are familiar with traditional Diffie&ndash;Hellman, you might recognize a pattern here. The essential property of DH is expressed in the signature of the function `ec.generate_session_key`; namely, a secret session key is computed using one party's private key in combination with the other party's public key (in the present case these are Alice's private key *dA* and Bob's public key *QB*).

Whereas in traditional DH the public key is raised to the power of the private key (both integers), in ECDH the private key (an integer) is *multiplied* by the public key (a curve point). The result of both operations is a session key; in the former this key is an integer, and in the latter it is a curve point (*multiplication* is just another name for *repeated addition*, and in fact *addition* is the only operator supported by elliptic&ndash;curve point groups).

One additional implementation detail is worth noting here: One might wonder how it is that a curve point `[x, y]`, generated by the multiplication of an integer to the base point, is represented as an numeric key in a symmetric cipher. The answer is that just the x-coordinate of the public key&mdash;which itself is an integer in the range *0 < x < p*, where *p* is the prime modulus in the curve group&mdash;is used as the session key.

In [10]:
# Bob
kSessionB = ec.generate_session_key(dB, QA)

Now Bob computes a session key *kSessionB*, using his private key *dB* in combination with Alice's public key *QA*. If the essential property of DH holds, Alice's and Bob's session keys&mdash;*kSessionA* and *kSessionB*&mdash;should be identical.

Further, Eve, having only observed Alice's and Bob's public keys, cannot feasibly derive the session key with just that knowledge. The only way for Eve to find the session key is to add curve points repeatedly, starting with the base point, until she finds the  session key. With a standard EC key length of 256 bits, this would require ~2<sup>128</sup> trial point additions, a process that at current computer speeds would take many millenia (of course in the present example, using a curve with just 19 points, it would take Eve at most that many steps to find the session key).

In [11]:
print(kSessionA == kSessionB)

True


We prove here that *kSessionA* is in fact equivalent to *kSessionB*.

In [12]:
# Alice
mA = "Sign and encrypt me!"

Alice composes a message for Bob, and stores it in the variable *mA*.

In [13]:
# Alice
S = ec.sign(dA, mA)

Next, Alice signs the message and stores the signature in *S*. To sign the message, Alice must supply her private key *dA* to the signing function `ec.sign`.

In [14]:
# Alice
mAC = sym.encrypt(kSessionA, mA)

Next, Alice encrypts the message *mA*, supplying it and her session key *kSessionA* to the function `sym.encrypt`, and stores the ciphertext in *mAC*.

Alice is now ready to transmit the ciphertext *mAC*, along with the signature *S*, to Bob.

In [15]:
print(mAC)

33592815351635838866227505544962597712430178342446835123662584240068194629876


Here, we print the ciphertext *mAC*, revealing a seemingly random string of numbers that is wholly indistinguishable from its plaintext *mA* and, crucially, indecipherable to Eve.

In [16]:
# Bob
mB = sym.decrypt(kSessionB, mAC)

Bob, having received the ciphertext *mAC* and signature *S* from Alice, first decrypts the ciphertext *mAC*, supplying it and his session key *kSessionB* to the function `sym.decrypt`.

Bob stores the result in the variable *mB*.

In [17]:
print(mB)

Sign and encrypt me!


Here we print *mB*, proving that it matches the plaintext *mA* Alice encrypted into *mAC* and transmitted to Bob. Note Alice transmitted the ciphertext *mAC* to Bob, ***not*** the plaintext *mA*.

Thus far Alice has transmitted her message *confidentially* to Bob; what remains is for Bob to verify the *integrity* and *authenticity* of the message.

In [18]:
# Bob
print(ec.verify(QA, mB, S))

True


Finally, Bob verifies the *integrity* and *authenticity* of the message (the former property ensures the message has not been altered, and the latter that it was signed with Alice's private key). Bob performs this verification using the function `ec.verify`, supplying it Alice's public key *QA* and signature *S*, both of which were transmitted to him by Alice, and the plaintext of the message *mB* he decrypted in the previous step.

If the function `ec.verify` returns `True`, Bob can be satisfied that the conditions of confidentiality, integrity and authenticity have all been met, and the session is complete.

If the function returns `False`, Bob must reject the message and assume the system is being attacked.