# Elliptic curve cryptography 
## Tutorial/playground (part 3)

In [None]:
extern crate kn0syseccrs as ecc;
extern crate num;
extern crate hex;

Unlike part 1 and part 2 tutorials, this tutorial is not much about
the elliptic curve stuff. 

Instead, this is about proving systems.proving systems involves two characters: Prover and Verifier.

Prover has a secret and he must convince the Verifier about facts regarding the secret, WITHOUT revealing the secret.

There are two "versions" of proving systems: interactive and non-interactive.
* interactive
    * in the interactive version, Verifier is involved *during* the creation of full proof by Prover.
    * in cryptography papers, it is the interactive version hat is usually presented.
* non-interactive
    * in the non-interactive version, the full proof is created by Prover alone, and Verifier will only verify the full proof. 
    * in actual implementations of cryptography, it is the non-interactive version that is usually implemented. we'll cover both here.

### Exercise: implement Schnorr protocol

read more: https://en.wikipedia.org/wiki/Proof_of_knowledge#Schnorr_protocol

note: the wiki uses "multiplicative notation" for the group binary operation

(more common overall), but these tutorials (and Monero resources) use

"additive notation" (more commonly seen when dealing with elliptic curves)

Schnorr protocol is among the simplest proving system currently used!

here's the scenario:
* Prover has a secret scalar x. he sends the commitment `P = xG` to Verifier.
* by the Discrete Logarithm (DL) assumption (see part 1), Verifier will not be able to crack the value of x.
* however the Verifier still wants to be convinced that the Prover really knows x. How would the Prover do that?

Schnorr protocol allows Prover to do this!


### interactive

In [None]:
struct SchnorrProof {
   g: ecc::Point,
   p: ecc::Point,
   c: ecc::Scalar,
   q: ecc::ScalarPoint,
   s: ecc::Scalar
}

impl SchnorrProof {
    /**
    * Use SchnorrProof::init(scalar, point) to create a new proof
    */
    fn init(x: ecc::Scalar, p: ecc::Point) {
      // we won't store the secret x here
        
      // let q = rg.

      // <-     code here       ->
      
      // now Prover would send P and Q to Verifier.
      // once Verifier receives P and Q, she gives
      // an interactive challenge c to Prover.
      let c = ecc::Scalar::random().unwrap();

      // once Prover received the challenge c, let s = r + c * x.
      
      // <-     code here       ->

      // Prover would send s to Verifier. This completes the full proof.
   }

    /**
     * once Verifier receives the full proof, she can now verify it.
     */
     fn verify() {
        // return s *g == q + c * p

        // <-     code here       ->

     }
}

### non-interactive

In [None]:
struct NISchnorrProof {
    g: ecc::Point,
    p: ecc::Point,
    q: ecc::Scalar,
    s: eccLLScalar
}

impl NISchnorrProof {
    /**
    * Use SchnorrProof.init(scalar, point) to create a new proof
    */
    fn init(x: ecc::Scalar, p: ecc::Point) {
        // we won't store the secret x here

        // let r be a random scalar (don't store it though)
        // let q = rg.

        // <-     code here       ->
        
        /* Unlike in interactive version, Prover must generate the challenge
           themself. however, he should not be able to cheat by manipulating the
           challenge. hence, the challenge instead should be the hash of the
           partial proof data. this trick is called "Fiat-Shamir heuristic".
           c = hash_to_scalar("Schnorr Proof", p.get_hex_value(), q.toHex())
           Not in stored in the proof!
         */

        // let s = r + c * x.
        
        // <-     code here       ->

        // now Prover would send the full proof (p, q, s) to Verifier.

    }

    /**
     * once Verifier receives the full proof, she can now verify it.
     */
     fn verify() {
        //  s * g == q + hash_to_scalar("Schnorr Proof", p, q) * p

        // <-     code here       ->
     }
}

### Testing

```rust

//test 1 (should work)
let prvkey = ecc::Scalar::random().unwrap();
let pubkey = ecc::G.clone();
const proof1 = SchnorrProof::init(prvkey, pubkey);
// also try NISchnorrProof
if proof1::verify() {
    println!("Proof1 Verified!");
} else {
    println!("Something's wrong (T_T)!");
}
// test 2 (should NOT work)
let prvkey2 = ecc::Scalar::random().unwrap();
let s =  ecc::Scalar::new(num::BigInt::from(1)).unwrap();
let s2 = prvkey2 + s;
let pubkey2 = ecc::Point::G.clone() * s2;
let proof2 = SchnorrProof::init(prvkey2, pubkey2);
// also try NISchnorrProof
if proof2::verify() {
    println!("Proof2 Verified!");
} else {
    println!("Something's wrong (T_T)!")
}
```