# Topics in Computer Science - Bitcoin: Programming the Future of Money - ITCS 4010 & 5010 - Spring 2025 - UNC Charlotte

# Homework 3 - Elliptic Curves (110 Points)

# <font color="blue"> Submission instructions</font>

1. Click the Save button at the top of the Jupyter Notebook.
2. Please make sure to have entered your name above.
3. Select Cell -> All Output -> Clear. This will clear all the outputs from all cells (but will keep the content of all cells). 
4. Select Cell -> Run All. This will run all the cells in order, and will take several minutes.
5. Once you've rerun everything, create a PDF version of the Jupypter notebook which includes visually all executed cells. This can be done in different ways depending on your specific Python/Jupyter setup. You can do that either by exporting into PDF (PDF via LaTeX / PDF via HTML), or by exporting into an HTML file first and then print the HTML site as a PDF and save that PDF.
6. Look at the PDF file and make sure all your solutions are there, displayed correctly.
7. Submit **both** your PDF and the notebook file .ipynb on Gradescope.
8. Make sure your your Gradescope submission contains the correct files by downloading it after posting it on Gradescope.

### 1. Build Calendar (8 Points)
There are 365 days in a year. That means there are seven months with 31 days, four months with 30 days, and one month with 28 days. Write `Calendar` function that creates a list called `date` that indexes all dates from 0 – 364. So, date[0] = "Jan 1", date[1] = "Jan 2", and so on, until date[364] = "Dec 31". Spell all months using their three-letter abbreviation. 

Then write a function `FutureDay` that accepts two parameters: a start date from the date list and a positive integer representing the number of days. The function should calculate and return the future date by adding the specified number of days to the start date.

For example, FutureDay("Jan 3", 2) = "Jan 5".  

In [1]:
def Calendar():
    date = []
    months = [
        ("Jan", 31), ("Feb", 28), ("Mar", 31), ("Apr", 30), ("May", 31), ("Jun", 30),
        ("Jul", 31), ("Aug", 31), ("Sep", 30), ("Oct", 31), ("Nov", 30), ("Dec", 31)
    ]
    
    for month, days in months:
        for day in range(1, days + 1):
            date.append(f"{month} {day}")
    
    return date

def FutureDay(start, increment):
    date = Calendar()
    start_index = date.index(start)
    future_index = (start_index + increment) % len(date)
    return date[future_index]

Run the following cell to test your code:

In [2]:
print(FutureDay("Jan 3", 2) == "Jan 5")
print(FutureDay("Jan 20", 100))
print(FutureDay("Jul 4", 1000))
print(FutureDay("Dec 26", 11)) 

True
Apr 30
Mar 31
Jan 6


### 2. Build a Finite Field (15 Points)
**a.)** Write a funtion `buildfield` that takes the order of the finite field as input and returns the finite field set. In case that the the order of the finite field is not admissible, the function should print a suitable error message instead.

Hint: Recall what orders of finite fields are admissible. You can revisit [Jimmy Song's _Programming Bitcoin_: Chapter 1](https://github.com/jimmysong/programmingbitcoin/blob/master/ch01.asciidoc) to revisit this.

In [3]:
def is_prime(n): # This function checks whether the number n is a prime or not.
    if any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)) or n < 2:
        return False
    else:
        return True
    
def is_power_of_prime(n): # This function checks whether the number n is a power of a prime (such that n = p^k for any prime p) or not.
    for i in range(2, int(n ** 0.5) + 1):
        if is_prime(i):
            power = i
            while power <= n:
                power *= i
                if power == n:
                    return True
    return False    
    
# The following function returns the finite field set of integers between 0 and order-1 if one of the two statements are true:
# order is a prime
# order is a power of a prime.
# In Chapter 1 of Jimmy Song's book, it is explained that those are the two cases in which a finite field of the said order exists.
# More details and a mathematical proof of the fact that these are the only to cases can be found, for example, here:
# https://people.math.harvard.edu/~landesman/assets/finite-fields.pdf.
def buildfield(order): 
    if is_prime(order) or is_power_of_prime(order):
        return set(range(order))
    else:
        print("Error: The order of the finite field must be a prime number.")
        return None


Run the following cell to test your code:

In [4]:
print(buildfield(3) == {0,1,2})

True


In [5]:
print(buildfield(31))

{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}


In [6]:
print(buildfield(4))

{0, 1, 2, 3}


In [7]:
print(buildfield(12))

Error: The order of the finite field must be a prime number.
None


**b.)** Provide an example of a set $F_{p} = \{0,1,2,3,\dots, p-1\}$ with a choice of $p$ and an element $a \in F_p$ that _does not have a multiplicative inverse_ (when defining addition and multiplication as for finite fields), and explain why.

Two possible ways to answer this:
1) Example:
Let’s take the set F₇ = {0, 1, 2, 3, 4, 5, 6} (corresponding to $p=7$). We learned that this set constitutes a finite field since $7$ is a prime number. In any finite field, every nonzero number has a multiplicative inverse, which is a number that, when multiplied with it, gives 1 (mod 7). <br> For example:<br>
The inverse of 3 in F₇ is 5 because $3 \cdot 5 = 15$, and $15 \operatorname{mod} 7 = 1$. <br>
The inverse of 2 in F₇ is 4, because $2 \cdot 4 = 8$, and $8 \operatorname{mod} 7 = 1$. <br>
However, for the element $0 \in $ F₇, we did not require the existence of a multiplicative inverse (similar as for usual real number arithmetic: There is no number $x$ such that $0 \cdot x = 1$, or in other words, division by $0$ is not possible). <br>
Indeed, if we apply the mod-arithmetic that is needed in finite fields, we see that $0 \cdot 0 \operatorname{mod} = 0$,  $0 \cdot 1 \operatorname{mod} = 0$, $0 \cdot 2 \operatorname{mod} = 0$, $0 \cdot 3 \operatorname{mod} = 0$, $0 \cdot 4 \operatorname{mod} = 0$, $0 \cdot 5 \operatorname{mod} = 0$ and $0 \cdot 6 \operatorname{mod} = 0$. This shows that $a = 0 \in$  F₇ does not have a multiplicative inverse.

2) We can pick a choice of $p$ such that $p$ is neither a prime nor a power of a prime, for example, $p=6$. In this case, $F_6 = \{0, 1, 2, 3, 4, 5\}$ is such that there exists a non-$0$ element without an multiplicative inverse. In particular, we have for $a= 2$ that <br>
$2 \cdot 0 = 0$, <br> $2 \cdot 1 = 2$, <br> $2 \cdot 2 = 4$, <br> $2 \cdot 3 = 0$, <br> $2 \cdot 4 = 2$ and <br> $2 \cdot 5 = 4$, <br> which shows that there is no element $x \in F_6$ such that $2 \cdot x = 1$, so no multiplicative inverse for $2$ exists.

### 3. Scalar Multiplication (11 Points)
#### a.) 
Implement a function `scalar_multiply` that accepts the order of a finite field `order` and a scalar `k` as arguments, and returns a set of elements resulting from the scalar multiplication of `k` with each element in the finite field.

In [8]:
def scalar_multiply(order, k):
    finite_field = buildfield(order)
    if finite_field is None:
        return None
    return { (k * x) % order for x in finite_field }

Run the following four cells to test your code:

In [9]:
k = [3,17,256,977]
order = 11
for i in k:
    print(scalar_multiply(order, i))

{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10}


In [10]:
order = 13
for i in k:
    print(scalar_multiply(order, i))

{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}


In [11]:
order = 27
for i in k:
    print(scalar_multiply(order, i))

{0, 3, 6, 9, 12, 15, 18, 21, 24}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26}
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26}


In [12]:
order = 3
for i in k:
    print(scalar_multiply(order, i))

{0}
{0, 1, 2}
{0, 1, 2}
{0, 1, 2}


#### b.)
From the output sets obtained from scalar_multiply for finite fields of orders 11, 13, 27, and 3 what patterns or properties do you observe? Provide a brief explanation of your findings.

_YOUR ANSWER HERE_

(b) The results show that when the order $p$ of the set $F_p$ is prime (or a power of a prime), multiplying by any scalar that is not a divisor of the order $n$ still gives all elements in the field. When the field order is not prime, such as in the case of $p=27$, a divisor scalar multiple such as $k=3$ leads to a strict subset of of $F_p$ (such as $\{0,3,6,9,12,15,18,21,24\}$. A similar case is $F_3$ with a scalar $k=3$. Since $3 \operatorname{mod} 3 = 0$, the scalar multiplication results in the singleton set $\{0\}$.

#### c.)

Revisit the class on finite fields in view of the results of part a) and b). Please explain for what statement this empirical observation was used in class.

(c) This observation was used in class (Class 9 on "Finite Fields (part 2) & Elliptic Curves") to prove Fermat's Little Theorem (see slides 13 and 14 in that class).

### 4. Exponentiation (6 Points)

Implement the function `findpow` that calculates the power of each element in a finite field of the order `order` raised to a given `exponent` and returns the resulting powers as a list.

In [13]:
def findpow(order, exponent):
    finite_field = buildfield(order)
    if finite_field is None:
        return None
    try:
        return [pow(x, exponent, order) if x != 0 else 0 for x in sorted(finite_field)]
    except ValueError:
        print("Error: base is not invertible for the given modulus.")
        return None

Run the following cells to test your code:

In [14]:
print(findpow(3, 9) == [0,1,2])

True


In [15]:
print(findpow(31, -3)[17] == 29)

True


In [16]:
print(sorted(findpow(29, 66)))

[0, 1, 1, 4, 4, 5, 5, 6, 6, 7, 7, 9, 9, 13, 13, 16, 16, 20, 20, 22, 22, 23, 23, 24, 24, 25, 25, 28, 28]


### 5. Finite Field Class (15 Points)
Define a class `FieldElement` to represent an element denoted by its smallest positive integer representation `num` within a finite field of the order `p`. This class includes the following core functionalities:

* In the `__init__` constructor, we ensure that the `num` lies between `0` and `p - 1`. If it doesn't, a `ValueError` is raised; otherwise, the constructor parameter values are assigned to the objects.
* The `__eq__` method determines if two FieldElement objects are equal. When the values of `num` and `p` of one element are equal to `num` and `p` of second element are identical, respectively, the method returns `True`.
* `__add__` method overloads addition, `__sub__` method overloads subtraction for finite field.
* Similarly, `__mul__`, `__pow__`, `__truediv__` and `__rmul__` methods overload finite field multiplication, exponentiation, division, and scalar multiplication respectively

In [17]:
class FieldElement:
    def __init__(self, num, prime):
        #check if 0 > num >= prime. Raise ValueError if num is out of range.
        if num < 0 or num >= prime:
            raise ValueError(f'Num {num} not in field range 0 to {prime-1}')
        #Initialize num and prime
        self.num = num
        self.prime = prime

    def __repr__(self):
        return 'FieldElement_{}({})'.format(self.prime, self.num)

    def __eq__(self, other):
        if other is None:
            return False
        #Return True if the FieldElement objects are equal
        return self.num == other.num and self.prime == other.prime

    def __ne__(self, other):
        # This should be the inverse of the == operator
        return not (self == other)

    def __add__(self, other):
        # Two numbers have to be in same field, otherwise raise error
        if self.prime != other.prime:
            raise TypeError('Cannot add two numbers in different Fields')
        # Perform addition of two finite field elements
        num = (self.num + other.num) % self.prime
        # Return an element of the same class
        return self.__class__(num, self.prime)

    def __sub__(self, other):
        # Two numbers have to be in same field, otherwise raise error
        if self.prime != other.prime:
            raise TypeError('Cannot subtract two numbers in different Fields')
        # Perform subtraction of two finite field elements
        num = (self.num - other.num) % self.prime
        return self.__class__(num, self.prime)

    def __mul__(self, other):
        # Two numbers have to be in same field, otherwise raise error
        if self.prime != other.prime:
            raise TypeError('Cannot multiply two numbers in different Fields')
        # Perform muliplication of two finite field elements
        num = (self.num * other.num) % self.prime
        return self.__class__(num, self.prime)

    def __pow__(self, exponent):
        #Implement finite field exponentation
        n = exponent % (self.prime - 1) 
        # The latter line makes the subsequent exponentiation cheaper for larger exponents: 
        # Due to Fermat's Little Theorem, any element taken to the power self.prime-1 is 1 anyways, so it is sufficient
        # to take the exponentiation order itself modulo self.prime-1.
        num = pow(self.num, n, self.prime)
        return self.__class__(num, self.prime)

    def __truediv__(self, other):
        # Two numbers have to be in same field, otherwise raise error
        if self.prime != other.prime:
            raise TypeError('Cannot divide two numbers in different Fields')
        # perform division of two finite field elements
        # Hint: Use fermat's little theorem:
        num = (self.num * pow(other.num, self.prime - 2, self.prime)) % self.prime
        return self.__class__(num, self.prime)

    def __rmul__(self, coefficient):
        # Implement scalar multiplication: Multiply the scalar 'coeffiecient' with finite field element.
        num = (self.num * coefficient) % self.prime
        return self.__class__(num, self.prime)

#### Testcases

Let a = 13 and b = 9 in $F_{19}$. In the cell(s) below, print results of the following computations:
1. a + b
2. a - b
3. a * b
4. 4 * a
5. a / b
6. $a^{3086}$

In [18]:
# ADD YOUR CODE HERE BELOW
# ADD YOUR CODE HERE BELOW
a = FieldElement(13, 19)
b = FieldElement(9, 19)
print(f'a + b = {a + b}')
print(f'a - b = {a - b}')
print(f'a * b = {a * b}')
print(f'4 * a = {4 * a}')
print(f'a / b = {a / b}')
print(f'a^3086 = {a ** 3086}')

a + b = FieldElement_19(3)
a - b = FieldElement_19(4)
a * b = FieldElement_19(3)
4 * a = FieldElement_19(14)
a / b = FieldElement_19(12)
a^3086 = FieldElement_19(16)


### 6. Elliptic curve: Point Class (10 Points)

Define the class `Point` that represents a point on the elliptic curve. 

* Complete the method `point_on_curve` that returns `True` if the point is on the elliptic curve.
* `__eq__` overloads equal operator for Points. Two points are equal if their (x,y) coordiantes and curve coeffiecients 'a' and 'b' are equal.
* `__ne__` should implement the inverse of '==' operator.



In [19]:
class Point:
    def __init__(self, x, y, a, b):
        self.a = a
        self.b = b
        self.x = x
        self.y = y
        # x being None and y being None represents the point at infinity
        if self.x is None and self.y is None:
            return
        # The following condition makes sure that the point with coordinates (x,y) actually lies on the elliptic curve.
        if not(self.point_on_curve()):
            raise ValueError('({}, {}) is not on the curve'.format(x, y))

    def point_on_curve(self):
        if self.x is None and self.y is None:
            return True
        return (self.y ** 2) == (self.x ** 3 + self.a * self.x + self.b)

    def __eq__(self, other):
        return (self.x == other.x and self.y == other.y and
                self.a == other.a and self.b == other.b)

    def __ne__(self, other):
        # this should be the inverse of the == operator
        return not self.__eq__(other)

    def __repr__(self):
        if self.x is None:
            return 'Point(infinity)'
        return f'(Point({self.x}, {self.y}, {self.a}, {self.b}))'

Run the following cells to test your code:

In [20]:
print(Point(-1, -1, 5, 7) == Point(-1, -1, 5, 7))

True


In [21]:
print(Point(-1, -1, 5, 7) != Point(-1, -1, 5, 7))

False


In [22]:
print(Point(3, 0, 5, 7))

ValueError: (3, 0) is not on the curve

The ValueError above is a correct outcome, as the point with coordinates $(x,y)=(3,0)$ indeed does not lie on the elliptic curve $S_{5,7}= \{(x,y) \in \mathbb{R} \times \mathbb{R}: y^2 = x^3 + 5 x + 7\}$. This is due to the fact that $y^2 = 0$, but $x^3 + 5 x + 7 = 27+5*3+7 = 49 \neq 0$.

### 7. Point Addition (10 Points)

Implement the `__add__` method for the Point class to overload the addition operator.

In [23]:
def __add__(self, other):
    # Check if the points are on the same curve
    if self.a != other.a or self.b != other.b:
        raise TypeError(f"Points {self}, {other} are not on the same curve")
    # In P1 (self), if x is the point at infinity, return point P2 (other). similarly, if x2 is the point at infinity in P2, return point P1.
    if self.x is None:
        return other
    if other.x is None:
        return self
    # Return the correct results for point addition for each of the cases specified below:
    # Case 1a: When the x coordinates of two points are equal (i.e., the points are opposite to one another over the x-axis on the curve) and P1.y not equal to P2.y.     
    if self.x == other.x and self.y != other.y:
        # Return point at infinity
        return self.__class__(None, None, self.a, self.b)  # Return point at infinity
    
    # Case 2: When P1.x not equal to P2.x. 
    if self.x != other.x:
        s = (other.y - self.y) / (other.x - self.x)
        x3 = s * s - self.x - other.x
        y3 = s * (self.x - x3) - self.y
        return self.__class__(x3, y3, self.a, self.b)

    # Case 1b: When P1 equals P2 and the y coordinate is 0 (Tangent to the vertical line) 
    if self == other:
        if self.y.num == 0: 
            return self.__class__(None, None, self.a, self.b)

    # Case 3: When P1 equals P2 (and y coordinate is not 0)   
        s = (3 * self.x**2 + self.a) / (2 * self.y)
        x3 = s**2 - 2 * self.x
        y3 = s * (self.x - x3) - self.y
        return self.__class__(x3, y3, self.a, self.b)


Point.__add__ = __add__


#### Testcases

#### a.

In $F_{223}$ on the elliptic curve secp256k1, what is the sum of the points:
1. $A=(192,105)$ and $B=(17,56)$?
2. $A=(192,105)$ and $B=(192,105)$?
3. $A=(143,98)$ and $B=(76, 66)$?

Write code below that prints the outputs of the respective elliptic curve point addtions.

In [24]:

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)


A1 = Point(FieldElement(192, prime), FieldElement(105, prime), a, b)
B1 = Point(FieldElement(17, prime), FieldElement(56, prime), a, b)
print(A1 + B1) 

A2 = Point(FieldElement(192, prime), FieldElement(105, prime), a, b)
print(A2 + A2)  

A3 = Point(FieldElement(143, prime), FieldElement(98, prime), a, b)
B3 = Point(FieldElement(76, prime), FieldElement(66, prime), a, b)
print(A3 + B3)  


(Point(FieldElement_223(170), FieldElement_223(142), FieldElement_223(0), FieldElement_223(7)))
(Point(FieldElement_223(49), FieldElement_223(71), FieldElement_223(0), FieldElement_223(7)))
(Point(FieldElement_223(47), FieldElement_223(71), FieldElement_223(0), FieldElement_223(7)))


#### b.
In the elliptic curve $y^2 = x^3 + 5x + 7$, What is the sum of the points:
1. $A=(-1,-1)$ and $B=(-1,1)$?
2. $A=(-1,-1)$ and $B=(2,5)$?

Write code below that prints the outputs of the respective elliptic curve point addtions.

In [25]:

## Test case set (b) - y² = x³ + 5x + 7 in F_19
prime = 19
a = FieldElement(5, prime)
b = FieldElement(7, prime)


A4 = Point(FieldElement(-1 % prime, prime), FieldElement(-1 % prime, prime), a, b)
B4 = Point(FieldElement(-1 % prime, prime), FieldElement(1 % prime, prime), a, b)
print(A4 + B4)  

A5 = Point(FieldElement(-1 % prime, prime), FieldElement(-1 % prime, prime), a, b)
B5 = Point(FieldElement(2 % prime, prime), FieldElement(5 % prime, prime), a, b)
print(A5 + B5)  

Point(infinity)
(Point(FieldElement_19(3), FieldElement_19(12), FieldElement_19(5), FieldElement_19(7)))


### 8. Point Addition: Associativity (10 Points)

Let `A = (x1, y1)`, `B = (x2, y2)` and `C = (x3, y3)` be three points in finite field. Using these points, demonstrate that point addition is associative.
Print `True` if point addition is associative. Otherwise, print `False`.

In [26]:
def check_associativity(A, B, C):
    left = (A + B) + C
    right = A + (B + C)
    return left == right

#### Testcases

Check the associativity for the following:

1. In $F_{223}$ on the elliptic curve secp256k1, for the points $A=(192, 105)$, $B=(76, 157)$ and $C=(170, 142)$.
2. In $F_{223}$ on the elliptic curve secp256k1, for the points $A=(192, 105)$, $B=(76, 157)$ and $C=(76, 66)$.
3. In $F_{19}$ on the elliptic curve $y^2 = x^3 + 5x + 7$, for the points $A=(18, 18)$, $B=(18, 1)$ and $C=(2, 5)$.

In [27]:
# YOUR CODE HERE
# Test cases
prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)

A1 = Point(FieldElement(192, prime), FieldElement(105, prime), a, b)
B1 = Point(FieldElement(76, prime), FieldElement(157, prime), a, b)
C1 = Point(FieldElement(170, prime), FieldElement(142, prime), a, b)
print(check_associativity(A1, B1, C1))

A2 = Point(FieldElement(192, prime), FieldElement(105, prime), a, b)
B2 = Point(FieldElement(76, prime), FieldElement(157, prime), a, b)
C2 = Point(FieldElement(76, prime), FieldElement(66, prime), a, b)
print(check_associativity(A2, B2, C2))

prime = 19
a = FieldElement(5, prime)
b = FieldElement(7, prime)
A3 = Point(FieldElement(18, prime), FieldElement(18, prime), a, b)
B3 = Point(FieldElement(18, prime), FieldElement(1, prime), a, b)
C3 = Point(FieldElement(2, prime), FieldElement(5, prime), a, b)
print(check_associativity(A3, B3, C3))

True
True
True


### 9. Scalar Multiplication: Point (10 Points)

Define the `__rmul__` method in the Point class to implement scalar multiplication.


In [28]:
def __rmul__(self, k):
    result = Point(None, None, self.a, self.b)  
    current = self

    while k > 0:
        if k & 1:  
            result = result + current  
        current = current + current  
        k >>= 1  

    return result


Point.__rmul__ = __rmul__

#### Testcases

In $F_{223}$ on the elliptic curve secp256k1, compute and print the following for the point A:

**a.)** $7 \cdot A$ where $A = (173, 35)$

**b.)** $8 \cdot A$ where $A = (66, 111)$

In [29]:

prime = 223


a = FieldElement(0, prime)
b = FieldElement(7, prime)


A1 = Point(FieldElement(173, prime), FieldElement(35, prime), a, b)
A2 = Point(FieldElement(66, prime), FieldElement(111, prime), a, b)


print(7 * A1)  
print(8 * A2)  


(Point(FieldElement_223(173), FieldElement_223(35), FieldElement_223(0), FieldElement_223(7)))
(Point(FieldElement_223(8), FieldElement_223(127), FieldElement_223(0), FieldElement_223(7)))


### 10. Invertibility (10 Points)

Write a function `additive_inverse` that returns the additive inverse of a given point.

In [30]:
def additive_inverse(A):
    y = A.y
    if type(y) == FieldElement:
        order = y.prime
        y = (order - y.num) % order
        y = FieldElement(y, order)
    else:
        y = -y
    A = Point(A.x, y, A.a, A.b)
    return A  

#### Tescases

Compute the additive inverse for the following points:

1. $A = (66, 111)$ in $F_{223}$ on the elliptic curve secp256k1
2. $A = (-1, -1)$ in $F_{31}$ on the elliptic curve $y^2 = x^3 + 5x + 7$

Also, compute the sum of the point A with its additive inverse in each case.


In [31]:
# A = (66,111) in F_223 (secp256k1)
prime = 223
a = FieldElement(0, prime) 
b = FieldElement(7, prime)
x = FieldElement(66, prime) 
y = FieldElement(111, prime)
A1 = Point(x, y, a, b)  
A1_inverse = additive_inverse(A1)  
print(A1_inverse)  
print(A1 + A1_inverse) 

#A = (-1,-1) in F_31 (y² = x³ + 5x + 7)
prime = 31
a = FieldElement(5, prime) 
b = FieldElement(7, prime)
x = FieldElement(-1 % prime, prime) 
y = FieldElement(-1 % prime, prime)
prime_31 = 31
a_31 = 5
b_31 = 7

A2 = Point(x,y,a,b)  
A2_inverse = additive_inverse(A2)  
print(A2_inverse)  
print(A2 + A2_inverse) 

(Point(FieldElement_223(66), FieldElement_223(112), FieldElement_223(0), FieldElement_223(7)))
Point(infinity)
(Point(FieldElement_31(30), FieldElement_31(1), FieldElement_31(5), FieldElement_31(7)))
Point(infinity)


### 11. Discrete Logarithm Problem (15 Points)

Given the two points G=(`Gx`, `Gy`) and P=(`Px`, `Py`) on the secp256k1 elliptic curve with coordinates over the finite field $F_{p}$ with $p$=`prime`, what is the a scalar $s$ such that $s G = P$? Write a function that computes this $s$.


In [32]:
def GuessPrivateKey(P, G, prime):
#Finds the integer scalar s such that s * G = P
    s = 1
    current = G  # Start at G

    while current != P:
        current = current + G  # Keep adding G
        s += 1
        if s > prime:  # Avoid infinite loops if P is not a multiple of G
            return None
    return s


**a.)** Compute and print the value of s for the following choices:

`prime` $= 223$, $G = (154, 150)$ and $P = (47, 71)$.

In [33]:

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)

# Define Points G and P
G = Point(FieldElement(154, prime), FieldElement(150, prime), a, b)
P = Point(FieldElement(47, prime), FieldElement(71, prime), a, b)

# Compute and print s
s = GuessPrivateKey(P, G, prime)
print(f"Computed s: {s}")  

Computed s: 19


**b.)** We recall that the prime order used in th finite field of Bitcoin's secp256k1 elliptic curve is $p_{\text{BTC}} := 2^{256} - 2^{32} - 977$, see, for example, [the corresponding section in Chapter 3 of "Programming Bitcoin](https://github.com/jimmysong/programmingbitcoin/blob/master/ch03.asciidoc#defining-the-curve-for-bitcoin) or [this link](https://learnmeabitcoin.com/technical/cryptography/elliptic-curve/#parameters). 

Compute and print the value of s for the following choices:

`prime` = $p_{\text{BTC}}$

`Gx` $= 0x754e3239f325570cdbbf4a87deee8a66b7f2b33479d468fbc1a50743bf56cc18$ 

`Gy` $= 0x0673fb86e5bda30fb3cd0ed304ea49a023ee33d0197a695d0c5d98093c536683$ 

`Px` $= 0x7e5c9db512f90042057f63659344a5dade96b7e2d8e7b0fdb66a1b87d7383004$ 

`Py` $= 0x7ce053860ea1d5a4cddc7f0774d1d55ae05335a1ee229b3375bc0732cae1eeb1$


In [34]:
# YOUR CODE HERE

pBTC = 2**256 - 2**32 - 977  # Bitcoin's secp256k1 prime field
a = FieldElement(0, pBTC)
b = FieldElement(7, pBTC)
# Define given G and P coordinates (in hexadecimal)
Gx = FieldElement(int("754e3239f325570cdbbf4a87deee8a66b7f2b33479d468fbc1a50743bf56cc18", 16),pBTC)
Gy = FieldElement(int("0673fb86e5bda30fb3cd0ed304ea49a023ee33d0197a695d0c5d98093c536683", 16),pBTC)
G = Point(Gx, Gy, a, b)
Px = FieldElement(int("7e5c9db512f90042057f63659344a5dade96b7e2d8e7b0fdb66a1b87d7383004", 16),pBTC)
Py = FieldElement(int("7ce053860ea1d5a4cddc7f0774d1d55ae05335a1ee229b3375bc0732cae1eeb1", 16),pBTC)
P = Point(Px, Py, a, b)

In [35]:
s = GuessPrivateKey(P, G, pBTC)
print("The value of scalar s is:", s)
print(s * G == P)

The value of scalar s is: 164
True


**c.)** Assume that the parameters are chosen as follows:

`prime` = $p_{\text{BTC}}$

$G$ = Generator Point used in Bitcoin's ECDSA scheme

`Px` $= 0x7e5c9db512f90042057f63659344a5dade96b7e2d8e7b0fdb66a1b87d7383004$ 

`Py` $= 0x7ce053860ea1d5a4cddc7f0774d1d55ae05335a1ee229b3375bc0732cae1eeb1$


**Note:** The Generator Point used in Bitcoin's ECDSA implementation is G = (`Gx`,`Gy`), where

`Gx` $= 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798$

`Gy` $= 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8$

Are you able to find $s$ for this choice of parameters? If yes, print it, if not, provide an estimate of how long it might take your computer to compute is and explain this estimate.

In [36]:
# YOUR CODE HERE
# Generator Point G in Bitcoin's secp256k1
Gx = FieldElement(int("79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798", 16),pBTC)
Gy = FieldElement(int("483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8", 16),pBTC)
G = Point(Gx, Gy, a, b)
print(G)

(Point(FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(55066263022277343669578718895168534326250603453777594175500187360389116729240), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(32670510020758816978083085130507043184471273380659243275938904335757337482424), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(0), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(7)))


In [37]:
Px = FieldElement(int("7e5c9db512f90042057f63659344a5dade96b7e2d8e7b0fdb66a1b87d7383004", 16),pBTC)
Py = FieldElement(int("7ce053860ea1d5a4cddc7f0774d1d55ae05335a1ee229b3375bc0732cae1eeb1", 16),pBTC)
P = Point(Px, Py, a, b)
print(P)

(Point(FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(57155057307376023489291727633014446664914851876294023466156129981660543856644), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(56483143425955974217186739714143823533732878887383796585155433022946097098417), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(0), FieldElement_115792089237316195423570985008687907853269984665640564039457584007908834671663(7)))


In [38]:
s = GuessPrivateKey(P, G, pBTC)
print("The value of scalar s is:", GuessPrivateKey(P, G, pBTC))

The value of scalar s is: 10004


In [39]:
# We check whether we have indeed found the right scalar:
10004 * G == P

True

_Add your explanation here_

(c) We learned in class that in general, finding \( s \) in an equation $s G = P$ with the generator point $G$ used  in the secp256k1 curve as in the Bitcoin protocol, is computaitonally infeasible (difficulty of discrete logarithm). The number of possible values is so large that even the most powerful computers would take an impractical amount of time to compute it. <br>
However, the numbers are chosen here such that coincidentally, the solution of the discrete logarithm problem is found very quickly (as $s$ is very small compared to the group order).