# Elliptic curves

In this chapter we demystify what elliptic curves are.

The topic can seem complicated, but you don't need to dive infinitely deep into mathematics. Read the TL;DR part and you are good to go. Read the sections below to reinforce your understanding.

# TL;DR

I just want to use elliptic curves. I want to understand **what** they do, not **how**. Great, you are in good company. Even experts treat curves as a black box that does what you expect. Have you ever driven a car? It's a thing that moves you around. You don't need to hold an engineering degree to understand that. That is the **what**. Could you ever build a car? No! That is the **how**.

Elliptic curves are a set of 2D points. Each point has a number attached to it: There is a zeroth point, a first point, a second point, and so on. You can add these points like integers: The first point plus the second point equals the third point: 1 + 2 = 3; and so on. So the curve points behave like integers.

There is one important difference from integers: If you see a point (its x and y coordinates), then it is difficult to know the number of this point. Is it the first point, the tenth, the thousandth? We cannot do division like for integers. We have to add the first point onto itself 1 + 1 + ... until we reach the point that we saw. This is fast for a few million iterations, but what if we have 2^256 many points? Oops, this takes longer than the universe will last!

This is some intuition.

**What** does it mean that points behave like integers? **Why** can we not do division? We will cover this below.

**Why** do points behave like integers? This is so complex that we will not explain it here. Honestly, I don't know myself.

# Jupyter setup

Run the following snippet to set up your jupyter notebook for the workshop.

In [None]:
import sys

# Add project root so we can import local modules
root_dir = sys.path.append("..")
sys.path.append(root_dir)

# Curve in real 2D space

I chose a particular curve for us to work with. There are many different curves and I chose one with good properties. Trust me :)

This is what our curve looks like in real 2D space. That is, the coordinates are real numbers.

We can clearly see the curvy nature of our equation. It looks like a curve!

Sadly, real space is not very useful to us. In particular, we cannot add points like integers in this space. Sad.

In [None]:
import plot_curve_real

plot_curve_real.plot()

# Curve in finite 2D space

I also chose a finite space for us to work with. Again, good properties :)

Most importantly, the space is tiny: Just $7 \times 7 = 49$ points! This it not secure (at all), but it will be useful to show some properties that would be hard to show for very large spaces.

This is what our curve looks like our finite space. Each black square is a point with the point number printed on.

In [None]:
import plot_curve_finite

plot_curve_finite.plot()

# Coordinates

Curves consist of points. Points have coordinates.

Coordinates are natural numbers from zero up to some maximum. They cannot be arbitrarily large. If you go over the maximum then you end back at the beginning (zero). Think of a clock where twelve is equal to zero, thirteen is equal to one, and so on. This is called modular arithmetic.

In [None]:
from local.ec.core import Coordinate, MAX_COORDINATE

print(f"Coordinates range from 0 to {MAX_COORDINATE}\n")

x = Coordinate(10)
print(f"x = {x}")

y = Coordinate(MAX_COORDINATE)
print(f"y = {y}")

z = x + y
print(f"x + y = {z}")

# Points

Points live in 2D space. That is, they have x and y coordinates.

Each point has a number associated with it. For now, we don't know much about this number.

We write points as uppercase letters like so: $A, B, C$.

In [None]:
from local.ec.core import AffinePoint, random_point

A = random_point()
B = random_point()
C = random_point()

print(f"A = {A}")
print(f"B = {B}")
print(f"C = {C}")

# Addition

We can add two points $A$ and $B$ to obtain a sum point $A + B$.

This point addition is different from adding the x and y coordinates! We plug in two points with some coordinates and we get out a point with entirely different coordinates! The result jumps around the 2D plane in unpredictable ways. More on this later. For now, treat point addition as a black box that adds points.

If $a$ is the number of $A$ and $b$ is the number of $B$, then $a + b$ is the number of $A + B$.

In [None]:
Sum = A + B
print(f"  A + B\n= {A} + {B}\n= {Sum}")

# Zero

There is a point $O$ that has the number zero. We call it the zero point.

As expected, adding $O$ to any point $A$ gives us back the same point:

$A + O = O + A = A$.

For technical reasons, $O$ doesn't have xy coordinates. It is also called the "point at infinity". All you need to know is that it is a special point with the number zero.

We call it "$O$" (letter o) because it looks like "0" (number zero).

In [None]:
from local.ec.core import ZERO_POINT

print(f"Zero = {ZERO_POINT}\n")

Sum1 = A + ZERO_POINT
Sum2 = ZERO_POINT + A

assert Sum1 == A
print("A + Zero = A")

assert Sum2 == A
print("Zero + A = A")

# One

There is a point $I$ that has the number one. We call it the one point.

Adding $I$ onto $O$ gives $I$. Adding $I$ to $I$ gives the second point. Adding $I$ onto the second point gives the third point, and so on.

We call it "$I$" (letter i) because it looks like "1" (number one).

In [None]:
from local.ec.core import ONE_POINT

print(f"One = {ONE_POINT}\n")

current = ZERO_POINT

for i in range(10):
    print(f"{i}th point: {current}")
    current += ONE_POINT

# Iterating over the curve

Every point has a number. Adding the one point $I$ onto some point $A$ with number $a$ gives a point $I + A$ that has number $1 + a$.

Like with coordinates, the number of points is limited. There is a "largest" or "last" point, let's call it $Z$, that has the highest number $z$. If we add $I$ to $Z$, we end up at the zero point $I + Z = O$ again. Again, this is like a clock where twelve is equal to zero and thirteen is equal to one.

We can add $I$ onto itself to iterate over all points in order: zeroth, first, second, ... We are guaranteed to reach all points like this. This might seem obvious, but this is not always the case. Here it is the case because the number of points $n = z + 1$ is a prime number.

In [None]:
from local.ec.core import NUMBER_POINTS
from local.primes import is_prime

print(f"Number of points = {NUMBER_POINTS}")

assert is_prime(NUMBER_POINTS)
print(f"{NUMBER_POINTS} is prime\n")

current = ZERO_POINT

for i in range(30):
    print(f"{i:2}th point = {i % NUMBER_POINTS:2}th point: {current}")
    
    current = current + ONE_POINT
    if current == ZERO_POINT:
        print("\nThe cycle repeats")

# Parentheses

Parentheses don't matter.

We can add points $A$ and $B$ first and then add their sum to point $C$. We can add points $B$ and $C$ first and then add their sum to point $A$. We arrive at the same point in both cases.

This means we can omit parentheses altogether:

$(A + B) + C = A + (B + C) = A + B + C$.

In [None]:
Sum1 = (A + B) + C
Sum2 = A + (B + C)
Sum3 = A + B + C

assert Sum1 == Sum2
print("(A + B) + C = A + (B + C)")

assert Sum2 == Sum3
print("A + (B + C) = A + B + C")

# Order

Order doesn't matter.

Adding point $A$ to point $B$ is the same as adding point $B$ to point $A$:

$A + B = B + A$.

In [None]:
Sum1 = A + B
Sum2 = B + A

assert Sum1 == Sum2
print("A + B = B + A")

# Minus

Each point $A$ has an inverse point $-A$ ("minus $A$").

Adding $A$ to $-A$ gives the zero point $O$:

$A + (-A) = O$

It is natural to write this as point negation:

$A - A = O$

Where this handy inverse point comes from is complicated. That is the **why** that I will only skim over. Roughly speaking, the inverse comes from the properties of point addition.

Looking at point $A$, it is not obvious what its inverse should be. Looking at the coordinates of two points $A$ and $B$, it is hard to see if they are inverses of each other. The inverse is similarly chaotic as point addition. That being said, we can compute the inverse of a point somewhat efficiently.

In [None]:
MinusA = -A
print(f" A = {A}")
print(f"-A = {MinusA}\n")

Sum1 = A + MinusA
Sum2 = A - A

assert Sum1 == ZERO_POINT
print("A + (-A) = Zero")

assert Sum2 == ZERO_POINT
print("A - A = Zero")

# Scalars

We have been talking about the numbers of points. Theses numbers are called scalars.

Points behave like integers. Scalars **are** literally integers: You can add, subtract, multiply, divide and do all the beautiful things you can do with integers.

There are as many scalars as there are points, so $n$ many. All scalar operations are modulo $n$.

We write scalars as lowercase letters like so: $a, b, c$.

In [None]:
from local.ec.core import Scalar, random_scalar

a = random_scalar()
b = random_scalar()

print("{} + {} = {}".format(a, b, a + b))
print("{} - {} = {}".format(a, b, a - b))
print("{} * {} = {}".format(a, b, a * b))
print("{} / {} = {}".format(a, b, a / b))

# Multiplication

Let $A$ be a point with number $a$ and $B$ be a point with number $b$.

This means $A$ can be obtained by adding $I$ onto itself $a$ many times: $A = I + I + \ldots + I$ ($a$ many times). Similarly, $B$ is obtained by adding $I$ onto itself $b$ many times.

Adding $A$ to $B$ results in a point $A + B$ with number $a + b$. Point addition implicitly performs an addition of point numbers.

We can use scalars to directly work on point numbers:

$A = a * I$

$B = b * I$

$A + B = (a * I) + (b * I) = (a + b) * I$

This is called scalar multiplication.

In [None]:
A = a * ONE_POINT
B = b * ONE_POINT

print(f"A = {A} = {a} * {ONE_POINT}")
print(f"B = {B} = {b} * {ONE_POINT}\n")

Sum = A + B

print(f"A + B = {Sum}\n")

SumAlt = (a + b) * ONE_POINT

assert Sum == SumAlt
print("A + B = a * One + b * One = (a + b) * One")

# Pulling multiplication inside addition

We can pull multiplication "inside" addition:

$(a + b) * C = a * C + b * C$.

You can add scalars $a$ and $b$ first and then multiply them with point $C$. You can multiply $a$ with $C$ and $b$ with $C$ first, and then add the resulting points. You arrive at the same point in both cases.

Each point has a number, including $C = c * I$ for some $c$. Let's translate the above equation:

The LHS means "point number $(a + b) * c$".

The RHS means "point number $a * c$ plus point number $a * c$".

Scalars are integers, so both sides describe the same point number $(a + b) * c = a * c + a * c$. So both sides describe the same point. So they are equal!

In [None]:
Sum1 = (a + b) * C
Sum2 = a * C + b * C

assert Sum1 == Sum2
print("(a + b) * C = a * C + b * C")

# Discrete logarithm

The discrete logarithm takes a point $A$ and returns its number $a$:

$A \div I = a$

It is the inverse operation of multiplying a point's number with $I$:

$a * I = A$

This is effectively division by $I$, but colloquially we call it logarithm.

We could divide by other nonzero points, but this is uncommon.

In [None]:
a = Scalar(10)
A = a * ONE_POINT

A_div_One = A.discrete_log()

assert a == A_div_One
print("A ÷ One = (a * One) ÷ One = a")

# Hardness of the discrete logarithm

Cryptography is interested in functions that are easy to compute but impossible to reverse. This is called a one-way function.

Scalar multiplication is such a one-way function:

We can compute $a * I = A$ somewhat fast. However, computing $A \div I = a$ may take longer than the predicted lifetime of the universe. What went wrong?

Point addition is not adding x and y coordinates. It is a somewhat magical operation that spits out very different coordinates than the input coordinates. If the inputs change, then the output changes chaotically and unpredictably. Same inputs always result in the same outputs, but a slight change in the inputs leads to a massive change in the output.

Think of a hash function. It takes an input string and returns a fixed-length output string. Slight changes in the input string result in a completely different output string. At the same time, the same input always results in the same output. The output string is like a short fingerprint of the input. Point addition is like a hash function.

When we compute the discrete logarithm, we only see a 2D point. We have no idea how many times point addition jumped across the 2D plane before it arrived here.

![double pendulum that swings chaotically](../double-pendulum.gif)

How many seconds did the pendulum swing before it arrived at a particular point?

Ehm, I dunno. It could be a very short time, a very long time, or anything in between. The pendulum swings chaotically!

# Guess the next point

The sequence of points in order (first, second, third, ...) is pseudorandom. We cannot predict the coordinates of the next point based on the previous points.

I prepared a guessing game. Look at the current point, guess where the next point will be and click next.

Hint: **You will almost always lose 😈.**

Interactive plots don't seem to work in jupyter, so you have to run this on the command line:

```
python3 hardness_dlog.py
```

The script uses a bigger curve than the one shown here to make it more interesting.