# Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) leverages algebraic structure of elliptic curves over finite fields in order to generate public keys. It can solve the problem of performance-heavy operations with too large keys (f.ex. 2048-bit RSA), as usually for ECC 256 bits are used.

## 2 NIST elliptic curves

### 2.1 NIST Standard

National Institute of Standards and Technology (NIST) is an American national institute, working under the provisions of the Federal Information Security Management Act. It defines the standars of the curves and its parameters for different key-lengths, in order to achieve implementation with base security accepted by the USA government. As well, it outlines key-establishment schemes, key-derivation and key-pair managements methods, as well as recommendations for DLC-based (Discrete Logarithm Cryptography) key-agreement schemes[[4]](#references). 

For each key-length NIST provides two types of fields[[5]](#references): 
* **prime field**: it contains a prime number $p$ of elements, which are the integers modulo $p$, with the field arithmetic being implemented in terms of the arithmetic of integers modulo $p$;
* **binary field**: it contains $2^m$ elements (with $m$ being the degree of the field) which are bit strings of length $m$, and the field arithmetic is implemented in terms of operations on bits. 

As well, two types of curves are given: 
* **pseudorandom** curves: with coefficients that are generated from the output of the seeded hash function;
* **special** curves: with coefficients and the field being selected to optimize the efficiency of the arithmetic operations on the curve.

The special curves over prime fields are known as *Edwards* or *Montgomery* curves; meanwhile over binary field they are referred as *Koblitz* curves. 

In this paper, there will be inspected in detail psudorandom curves over prime fields. 

### 2.2 NIST pseudorandom curves over prime fields

#### 2.2.1 Curves parameters


Due to NIST official publication on *Recommended Elliptic Curves for Federal Government Use*[[6]](#references), all the pseudorandom curves over prime field curves are defined by: 

$$ E: y^2 = x^3 - 3x + b \mod p $$

with $a$ having a static value of $a=-3$ in every case for the reasons of efficiency. 

<div align="center">
<img width="600" align="center" src="assets/nist-basic-curve.png" />
</div>
<div align="center">
Fig. 2.1: Examples of curve E with different coefficients b, interactive access: <a href="https://www.desmos.com/calculator/shiz2q2qk4">desmos tool</a>
</div>

The following parameters are specifying the curves in details: 

* $p$: prime modulus 
* $n$: the order 
* $SEED$: the 160-bit long input seed to the domain parameter generation (SHA-1 algorithm)
* $c$: the output of the SHA-1 algorithm
* $b$: the coefficient of the curve, that grants satisfaction of condition $b^2c=-27 \mod p$
* $G$: the base point with two values: 
  * $Gx$: the $x$ coordinate of the base point
  * $Gy$: the $y$ coordinate of the base point

The parameters $p$ and $n$ are always given in decimal value, meanwhile the rest in hexadecimal. 

#### 2.2.2 P-256: 256-bit length curve


|     param     | value                                                                          |
| :-----------: | :----------------------------------------------------------------------------- |
|  $p_{(10)}$   | 115792089210356248762697446949407573530086143415290314195533631308867097853951 |
|  $n_{(10)}$   | 115792089210356248762697446949407573529996955224135760342422259061068512044369 |
| $SEED_{(16)}$ | c49d3608 86e70493 6a6678e1 139d26b7 819f7e90                                   |
|  $c_{(16)}$   | 7efba166 2985be94 03cb055c 75d4f7e0 ce8d84a9 c5114abc af317768 0104fa0d        |
|  $b_{(16)}$   | 5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b        |
|  $G_{x(16)}$  | 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296        |
|  $G_{y(16)}$  | 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5        |

#### 2.2.3 P-521: 512-bit length curve

|     param     | value                                                                                                                                                         |
| :-----------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|  $p_{(10)}$   | 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151 |
|  $n_{(10)}$   | 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449 |
| $SEED_{(16)}$ | d09e8800 291cb853 96cc6717 393284aa a0da64ba                                                                                                                  |
|  $c_{(16)}$   | 0b4 8bfa5f42 0a349495 39d2bdfc 264eeeeb 077688e4 4fbf0ad8 f6d0edb3 7bd6b533 28100051 8e19f1b9 ffbe0fe9 ed8a3c22 00b8f875 e523868c 70c1e5bf 55bad637           |
|  $b_{(16)}$   | 051 953eb961 8e1c9a1f 929a21a0 b68540ee a2da725b 99b315f3 b8b48991 8ef109e1 56193951 ec7e937b 1652c0bd 3bb1bf07 3573df88 3d2c34f1 ef451fd4 6b503f00           |
|  $Gx_{(16)}$  | c6 858e06b7 0404e9cd 9e3ecb66 2395b442 9c648139 053fb521 f828af60 6b4d3dba a14b5e77 efe75928 fe1dc127 a2ffa8de 3348b3c1 856a429b f97e7e31 c2e5bd66            |
|  $Gy_{(16)}$  | 118 39296a78 9a3bc004 5c8a5fb4 2c7d1bd9 98f54449 579b4468 17afbd17 273e662c 97ee7299 5ef42640 c550b901 3fad0761 353c7086 a272c240 88be9476 9fd16650           |


## 1 Elliptic curves

### 1.1 Elliptic curve: definition 

Elliptic curves are defined over a field $K$ and describe points in its cartesian product $K^2$; they are smooth and projective affine algebraic structures. 

The Weierstrass equation of an elliptic curve $E$ over a field $K$ is [[1]](#references): 

$$ E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 $$

what in case of the fields with characteristic different than 2 or 3 (i.e. the smallest number of summands $n$ of the field's identity element $e$ so $ne=0$), the affinitic equation of the elliptic curve can be simplified to: 

$$ E : y^2 = x^3 + Ax + B $$ $$A, B \in K$$ 


### 1.2 Elliptic curve: point addition 

The structure of elliptic curves fulfills the necessary requirements for its points to form an algebraic group with a certain addition law. 

<div align="center">
<img width="500" src="assets/operations-on-ec.png" >
</div>
<div align="center">
Fig. 1.1: Operations on en elliptic curve [[2]](#references)
</div>

With $P, Q \in E$ - being two points on an elliptic curve group $E$ - and $L$ being the line connecting those points, the third point $R$ can be defined where the intersection of $L$ with $E$ happens. Then, the result of $P+Q$ is located on the residual point of the intersection $R'$. 

The coordinates of the result ($x_{res}$, $y_{res}$) can be calculated as:
$$x_{res} = s^2-x_p-x_q$$
$$y_{res} = -y_p+s(x_p-x_{res})$$
with $s$ being the slope of the line $L$ through $P$ and $Q$: 
$$s= y_p-y_q/x_p-x_q$$

With $O$ being the neutral point in the group $E$, the following properties are fullfiled: 
- $P + O = P$
- $P + Q = Q + P$
- if $P \in E$ then there exists a point $Q$ such that $P + Q = O$
- if $P, Q \in E$ then $P + Q \in E$
- for $P, Q, R \in E$ is satisfied $(P + Q) + R = P + (Q + R)$ 

### 1.4 Multiplication of EC point with integer

Any point $P$ on the elliptic curve can be added to itself resulting in: 
$$ P + P = 2 * P $$

Continuing the addition multiple $n$ times yeilds to: 

$$ P * n = P + P + ... + P (n-times)$$

As multiplication is defined by the point addition, it always results in another point on the elliptic curve. 

For point doubling, i.e. $R = 2*P = P + P$, the following formula holds: 
$$x_{R} = s^2-2x_p$$
$$y_{R} = -y_p+s(x_p-x_{res})$$
with $s$: 
$$s= (3x_p^2+a)/2y_p$$

### 1.5 Elliptic Curves over finite field

The ECs used in ECC are strictly defined over finite field $Fp$, with $p$ being a prime number bigger than 3. Hence, the field is a square matrix with dimensions $p \times p$. Hence, the points of a given curve are limited to integer coordinates within its field matrix and all algebraic operations will result in a point within that field.   



## 3 Brainpool elliptic curves

### 3.1 Brainpool standard 

Brainpool elliptic curves are curves which are standardized by the Internet Engineering Task Force (IETF) - an international open standards organization - and are described in RFC-5639[[8]](#references).  

It presents a set of domain parameters defining cryptographically strong groups on elliptic curves for different key-length encryption schemes.

The curves are described with regard to Wierstrass' definition: 
$$ E : y^2 = x^3 + Ax + B $$

### 3.2 Brainpool curves 

### 3.3.1 Curves parameters 

The Brainpool curves are defined with similar parameters to NIST standard; used in the official publication symbols are: 

* $p$: prime number (modulus) specifying the base field, $p >3$ 
* $a$ and $b$: the coefficients of the $E$, satisfying $4a^3 + 27b^2 \mod p \ne 0$
* $G$: the base point with two values: 
  * $x$: the $x$ coordinate of the base point
  * $y$: the $y$ coordinate of the base point
* $q$: the prime order of the group generated by base point $G$ (equivalent of NIST $n$ parameter), such that $qG=0$
* $h$: the cofactor of $G$ in $E$, $h = E($Fp$)/q$

In the further implementations, the given here parameters naming convention will be used. 

### 3.3.2 brainpoolP256r1: 256-bit length curve

The curve for 256-bit length key is identified by the Curve-ID `brainpoolP256r1`, and has the following parameters:


|    param    | value                                                            |
| :---------: | :--------------------------------------------------------------- |
| $p_{(16)}$  | A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377 |
| $q_{(16)}$  | A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7 |
| $a_{(16)}$  | 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9 |
| $b_{(16)}$  | 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6 |
| $Gx_{(16)}$ | 8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262 |
| $Gy_{(16)}$ | 547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997 |
| $h_{(10)}$  | 1                                                                |


### 3.3.3 brainpoolP512r1: 512-bit length curve

The curve for 512-bit length key is identified by the Curve-ID `brainpoolP512r1`, and has the following parameters:

|    param    | value                                                                                                                            |
| :---------: | :------------------------------------------------------------------------------------------------------------------------------- |
| $p_{(16)}$  | AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3 |
| $q_{(16)}$  | AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069 |
| $a_{(16)}$  | 7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA |
| $b_{(16)}$  | 3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723 |
| $Gx_{(16)}$ | 81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822 |
| $Gy_{(16)}$ | 7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892 |
| $h_{(10)}$  | 1                                                                                                                                |


## 4 Implementation: Elliptic curve over finite prime field and ECDH

### 4.1 Preeliminary considerations 

In order to achieve certain level of security, the selection of the curve parameters and the base point is important; hence, in this realization, the Brainpool defined curves will be used. 

Apart of that, the required protection depends on the implementation and its environment: if the hardware that runs it is completely secured and separated, the time-invariant implementation may be sufficient. If the implementation of ECC is located on the physically accessible device, it has to be robust against side-channel attacks (power consumption and its analysis, electromagnetic emanations, active fault injection, etc.), then more security measures needs to be taken, with techniques of randomization being essential in it[[3]](#references). In this lab, the hardware vurnerabilities are not taken in considerations, hence the focus will be on achieving time-constant implementation.

Furthermore, all the processing will be performed on a personal machine. This has to be taken in consideration when evaluating time measurements of the processes execution. 
Below are presented the specifications of the processor.

In [3]:
%run systemInfo.py

[+] Architecture : 64bit
[+] System Name : Linux
[+] Operating System Version : #101~18.04.1-Ubuntu SMP Fri Oct 22 09:25:04 UTC 2021
[+] Platform : Linux-5.4.0-90-generic-x86_64-with-glibc2.27
[+] Processor : x86_64
[+] System Uptime : 117:3 hours
[+] Total number of processes : 887
[+] Number of Physical cores : 4
[+] Number of Total cores : 8
[+] Max Frequency : 4900.00Mhz
[+] Min Frequency : 400.00Mhz
[+] Current Frequency : 2600.76Mhz
[+] Total CPU Usage : 9.9%
[+] Processor 0 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 1 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 2 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 3 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 4 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 5 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 6 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Processor 7 :  Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz
[+] Total Memory present : 15.34 Gb
[+] To

### 4.2 ECDH: Elliptic Curve Diffie-Hellman Key Exchange

The ECDH (Elliptic Curve Diffie-Hellman Key Exchange) is the scheme that allows derivation of the shared secret key over an insecure channel, based on the private-public key pairs of both sides. It follows the traditional Diffie–Hellman Key Exchange, nevertheless, the key pairs are of elliptic curve type and point multiplication is performed instead of the modular exponentiation.

Considering following properties: 
* $P_{base}$ - base point of the curve
* $A_{priv}$ - integer, private key of A 
* $A_{pub}$ - point on the curve, $A_{pub}=A*P_{base}$, public key of A 
* $B_{priv}$ - integer, private key of B 
* $B_{pub}$ - point on the curve, $B_{pub}=B*P_{base}$, public key of B
* $K$ - shared secret key, $K=A_{priv}*B_{priv}*P_{base}$

the algorithm executes following flow: 
```
┌──────────────────────────────────────────────────────────────┐
│              A                               B               │
│              │                               │               │
│    ┌─────────▼─────────┐           ┌─────────▼─────────┐     │
│    │   Choose A_priv   │           │   Choose B_priv   │     │
│    └─────────┬─────────┘           └─────────┬─────────┘     │
│              │                               │               │
│   ┌──────────▼───────────┐        ┌──────────▼───────────┐   │
│   │    Compute A_pub     │        │    Compute B_pub     │   │
│   │A_pub = A_priv*P_base │        │B_pub = B_priv*P_base │   │
│   └──────────┬───────────┘        └──────────┬───────────┘   │
│              │                               │               │
│     ┌────────▼─────────┐            ┌────────▼─────────┐     │
│     │  Exchange A_pub  └────────────►  Exchange B_pub  │     │
│     │    and B_pub     ◄────────────┐    and A_pub     │     │
│     └────────┬─────────┘            └────────┬─────────┘     │
│              │                               │               │
│      ┌───────▼─────────┐             ┌───────▼─────────┐     │
│      │   Compute K     │             │   Compute K     │     │
│      │  K=A_priv*B_pub │             │  K=B_priv*A_pub │     │
│      └─────────────────┘             └─────────────────┘     │
└──────────────────────────────────────────────────────────────┘
```

 
This results in both sides, A and B, having the same secret shared key that can be used for symmetric encryption. 

Based on that, the implementation will be divided into following steps: 
* curve data type definition 
* curve and field generation functions
* point addition function
* double-and-add algorithm for faster multiplication
* Diffie-Hellman algorithm for shared key generation

### 4.3 Definition of the curve parameters

The curve parameters were declared with use of Python's `dataclass`[[7]](#references), introduced in version 3.7. This allowed to keep the code cleaner and to approach further computations rather functionally than object oriented. 



In [4]:
%reset

In [5]:
from dataclasses import dataclass, field 
from typing import Callable, Any

@dataclass
class Point:
    x: int 
    y: int
    def __eq__(self, other):
        return self.x == other.x and self.y == other.y
    def __neq__(self, other):
        return not self == other

@dataclass 
class Field: 
    p: int # prime modulus 
    q: int # order of the base point 
    h: int = 1

@dataclass
class EllipticCurve:
    a: int # coefficient
    b: int # coefficient
    base: Point # base point
    field: Field
    inf: Point = Point(0, 0) # point of infinity
    name: str = "undefined" 


A list of elliptic curves registry was created. In order to extend it, the curve's name needs to be specified in the `ELLIPTIC_CURVES` enum, followingly the object should be instantiated as `EllipticCurve(...args)` and then added to a list `ELLIPTIC_CURVES_LIST`. Each curve can be later retrived with the function `getCurve(name)` where name is a key or a valid value of `ELLIPTIC_CURVES` enum. F.ex.: 

```python
ec1 = getCurve(ELLIPTIC_CURVES.bp512.value)
ec2 = getCurve('brainpoolP256r1')
```

TODO: automatize it more and read parameters of each curve from json file. 

In [6]:
from enum import Enum

# list of available curves 
class ELLIPTIC_CURVES(Enum):
    bp256 = 'brainpoolP256r1'
    bp512 = 'brainpoolP512r1'

brainpool_256 = EllipticCurve(
    name=ELLIPTIC_CURVES.bp256.value,
    a=0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9,
    b=0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6,
    base=Point(
        x=0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
        y=0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
    ),
    field=Field(
        p=0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377,
        q=0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7,
        h=1
    )
)

brainpool_512 = EllipticCurve(
    name=ELLIPTIC_CURVES.bp512.value,
    a=0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA,
    b=0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723,
    base=Point(
        x=0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822,
        y=0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892
    ),
    field=Field(
        p=0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3,
        q=0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069,
        h=1
    )
)

ELLIPTIC_CURVES_LIST = [brainpool_256, brainpool_512]

# function to retrieve a curve to work on 
getCurve: Callable[[ELLIPTIC_CURVES], EllipticCurve] = lambda name : next(filter(lambda ec: ec.name == name,  ELLIPTIC_CURVES_LIST))

In [7]:
print(getCurve(ELLIPTIC_CURVES.bp256.value))
print(getCurve(ELLIPTIC_CURVES.bp512.value))
print(getCurve('brainpoolP256r1'))


EllipticCurve(a=56698187605326110043627228396178346077120614539475214109386828188763884139993, b=17577232497321838841075697789794520262950426058923084567046852300633325438902, base=Point(x=63243729749562333355292243550312970334778175571054726587095381623627144114786, y=38218615093753523893122277964030810387585405539772602581557831887485717997975), field=Field(p=76884956397045344220809746629001649093037950200943055203735601445031516197751, q=76884956397045344220809746629001649092737531784414529538755519063063536359079, h=1), inf=Point(x=0, y=0), name='brainpoolP256r1')
EllipticCurve(a=6294860557973063227666421306476379324074715770622746227136910445450301914281276098027990968407983962691151853678563877834221834027439718238065725844264138, b=3245789008328967059274849584342077916531909009637501918328323668736179176583263496463525128488282611559800773506973771797764811498834995234341530862286627, base=Point(x=6792059140424575174435640431269195087843153390102521881468023012732047482579853077

In [8]:
from typing import List
# common divisor functions -> for natural positive numbers 
# returns list of divisors of number n
divs: Callable[[int], List[int]] = lambda n: [i for i in range(1, n + 1)  if n % i == 0]

# interface: GCD and Bezout coefficients (x, y), so ax+bx=gcd(a, b) 
@dataclass 
class GcdProps: 
    gcd: int # prime modulus 
    x: int # order of the base point 
    y: int = 1

egcdStep: Callable[[int, int, GcdProps], GcdProps] = lambda a, b, g: \
    GcdProps(g.gcd, g.y-(b//a)*g.x, g.x)

# extended GCD euclidean algorithm
egcd: Callable[[int, int], GcdProps] = lambda a, b: \
    GcdProps(b, 0, 1) if a == 0 else \
        egcdStep(a, b, egcd(b%a, a))

# modular multiplicative inverse integer (a/b vs b/a); it is necessary to compute the slope f.ex.
# gcd(a, prime) = x*a + y*prime -> x is the inverse
multInvert: Callable[[EllipticCurve, int], int] = lambda ec, i: \
    0 if i==0 else \
        (ec.field.p - multInvert(ec, -i)) if i < 0 else \
            (lambda g=egcd(i, ec.field.p): None if g.gcd != 1 else g.x%ec.field.p)()

print(egcd(25, 100))
print(egcd(56, 63))
print(egcd(1308, 729))
#print(100000, multInvert(ec1, 100000))

GcdProps(gcd=25, x=1, y=0)
GcdProps(gcd=7, x=-1, y=1)
GcdProps(gcd=3, x=34, y=-61)


In [9]:
# check if point is on curve [in the field Fp]
# y^2 % p = (x^3 + Ax + B) % p
isOnCurve: Callable[[EllipticCurve, Point], bool] = lambda ec, p: \
    (p.y**2 - p.x**3 - ec.a*p.x - ec.b) % ec.field.p == 0

# point of infinnity check
isZero: Callable[[EllipticCurve, Point], bool] = lambda ec, p: (p.y == ec.inf.y and p.x == ec.inf.x)

# invert the point (y axis)
invert: Callable[[EllipticCurve, Point], Point] = lambda ec, p: \
    p if isZero(ec, p) else Point(p.x, (-p.y)%ec.field.p)

# check if two points are inverse 
areInverse: Callable[[EllipticCurve, Point, Point], bool] = lambda ec, p1, p2: \
    (p1 == invert(ec, p2))




In [10]:
ec1 = getCurve(ELLIPTIC_CURVES.bp256.value)
G = ec1.base 
Gi = invert(ec1, G)

print(areInverse(ec1, G, Gi))
print(isOnCurve(ec1, G))

True
True


In [11]:
# slope of the line crossing p1, p2 and inverse of result 
# calculates appropriate formula w.r.t if points are on same coordinates
slope: Callable[[EllipticCurve, Point, Point], int] = lambda ec, p1, p2: \
    ((p2.y-p1.y) * multInvert(ec, (p2.x-p1.x)) ) % ec.field.p if (p1 != p2) else \
        ec.inf if p1.y == 0 else \
             ((3*p1.x**2 + ec.a) * multInvert(ec, 2*p1.y)) % ec.field.p

sumPoints: Callable[[EllipticCurve, Point, Point], Point] = lambda ec, p1, p2: \
    (lambda s=slope(ec, p1, p2): \
        (lambda xr=((s**2 - p1.x - p2.x) % ec.field.p): \
            Point(xr, (s * (p1.x-xr) - p1.y) % ec.field.p) \
                )())()

pointAddition: Callable[[EllipticCurve, Point, Point], Point] = lambda ec, p1, p2: \
    p1 if isZero(ec, p2) else p2 if isZero(ec, p1) else \
         ec.inf if areInverse(ec, p1, p2) else \
             sumPoints(ec, p1, p2)
             
# point doubling 
pointDouble: Callable[[EllipticCurve, Point], Point] = lambda ec, p1: \
    pointAddition(ec, p1, p1) 

print(pointDouble(ec1, G))
print(pointAddition(ec1, G, G))

Point(x=52575969560191351534542091466380106041028581718640875237441073011616025668110, y=24843789797109572893402439557748964186754677981311543350228155441542769376468)
Point(x=52575969560191351534542091466380106041028581718640875237441073011616025668110, y=24843789797109572893402439557748964186754677981311543350228155441542769376468)


### 4.4 Double and add algorithm 

The ***double-and-add*** (DAA) algoritm computes fast multiplication of the point on the curve with a scalar. In the following steps, the cumulative multiplication as well as DAA will be implemented in order to compare their elapse time.

Furthermore, the ***Montgomery ladder*** approach to DAA computes the point multiplication in a fixed amount of time due to its property of performing the same amount of additions and doubles for any key of the same length[[9]](#references). This can prevent leveraging time or power-consumption measurements and their analysis in order to carry out a side-channel attack. 

However, it was proven that through application of a *FLUSH+RELOAD* side-channel attack on OpenSSL - one of the most commonly used open-source cryptographic libraries which uses Montgomery ladder in ECDSA - the full private key can be revealed at a very low cost[[10]](#references).


#### 4.4.1 Point multiplication with scalar implementations

A function to measure elapse time of function execution was prepared:

In [12]:
import time

# returns result and execution time of the passed function as an array
elapseTimeWithResult: Callable[[type(lambda x: None), ...], float] = lambda f, *args: \
    (lambda s=time.process_time(): [f(*args), time.process_time()-s])()

# returns execution time of the passed function
elapseTime: Callable[[type(lambda x: None), ...], float] = lambda f, *args: \
    elapseTimeWithResult(f, *args)[1]

At first standard multiplication - following scheme $nP = P + P + ... + P$ $(n-times)$ was implemented - in order to compare it with the double and add algorithm at later point.

In [13]:
# normal multiplication n*P
def pointMultiplySlow(ec: EllipticCurve, p: Point, n: int): 
    sum: Point = p 
    for x in range(1, n): 
        sum = pointAddition(ec, sum, p)
    return sum


A function to transform a given number into string of bits (MSB to LSB) and the DAA algorithm. The conversion of the number does not happen inside of the function in order to properly measure execution time of the algorithm itself.  

TODO: make a horribly ugly lambda out of it. 

In [14]:
toBinary: Callable[[int], str] = lambda i: bin(i)[2:]

# standard double and add algorithm 
def doubleAndAdd(ec: EllipticCurve, p: Point, bits: str) -> Point: 
    sum = ec.inf # starting point: neutral element
    # from MSB to LSB
    for bit in bits: 
        sum = pointDouble(ec, sum) # double
        if bit == '1':  
            sum = pointAddition(ec, sum, p) # add
    return sum

# standard double and add 
#doubleAndAdd: Callable[[EllipticCurve, Point, int], Point] = lambda ec, p, n: \
#    (lambda sum=ec.inf, bits=toBinary(n): [(lambda bit=bit, partSum=pointDouble(ec, sum): \
#        pointAddition(ec1, partSum, p) if bit == '1' else partSum )() for bit in bits])()

In [39]:
multSlow = pointMultiplySlow(ec1, G, 11)
multFast = doubleAndAdd(ec1, G, toBinary(11))

#print(multSlow == multFast)

reps = 89363

timeMultSlow = elapseTime(pointMultiplySlow, ec1, G, reps)
print('Slow multiplication: ', timeMultSlow, 's')

timeMultFast = elapseTime(doubleAndAdd, ec1, G, toBinary(reps))
print('Fast multiplication (double-add): ', timeMultFast, 's')

print('Difference (slow - fast): ', timeMultSlow - timeMultFast, 's')


Slow multiplication:  10.337105427000001 s
Fast multiplication (double-add):  0.002713084999999893 s
Difference (slow - fast):  10.334392342000001 s


In [40]:
# Montgomery ladder double and add algorithm 
def montgomeryDoubleAndAdd(ec: EllipticCurve, p: Point, bits: str) -> Point: 
    r0 = ec.inf # sum register
    r1 = p # intermediate register
    # from MSB to LSB
    for bit in bits: 
        if bit == '1': 
            r0 = pointAddition(ec, r0, r1)
            r1 = pointDouble(ec, r1)
        else: 
            r1 = pointAddition(ec, r0, r1)
            r0 = pointDouble(ec, r0)
    return r0

    
daaRes1 = doubleAndAdd(ec1, G, toBinary(11))
mlRes1 = montgomeryDoubleAndAdd(ec1, G, toBinary(11))
#print(daaRes1)
#print(mlRes1)
print(daaRes1 == mlRes1)

True


In [41]:
# short hand notation for base point of the curve

# slow multiply
slowMultiplyBase: Callable[[EllipticCurve, int], Point] = lambda ec, n: pointMultiplySlow(ec, ec.base, n)

# double and add 
doubleAndAddBase: Callable[[EllipticCurve, str], Point] = lambda ec, bits: doubleAndAdd(ec, ec.base, bits)

# montgomery ladder is the default algorithm for multiplication
pointMultiplication: Callable[[EllipticCurve, str], Point] = lambda ec, bits: montgomeryDoubleAndAdd(ec, ec.base, bits)

# point multiplication (montgomery ladder) with conversion to binary included 
pointMultiplyWithInt: Callable[[EllipticCurve, int], Point] = lambda ec, n: montgomeryDoubleAndAdd(ec, ec.base, toBinary(n))


#### 4.4.2 Performance measurements

Functions to generate measurements of the performance of both - standard and Montgomery Ladder - algorithms with regard to the timing of their execution time. 

The tests were performed on two Brainpool curves (`brainpoolP256r1` and `brainpoolP512r1`) for 3 datasets, each being a list containing 30 prime numbers in different value ranges, so each set would result in elements with fixed - but diverse between each others - number of bits.

In [42]:
import pandas as pd
import numpy as np

# class for calculating common statistics results from any list
@dataclass 
class MeasurementsProps: 
    data: list
    name: str = 'undefined'
    standardDeviation: float = field(init=False)
    mean: float = field(init=False)
    variance: float = field(init=False)
    median: float = field(init=False)
    max: float = field(init=False) 
    min: float = field(init=False)
    def __post_init__(self):
        self.standardDeviation = np.std(self.data)
        self.mean = np.mean(self.data)
        self.variance = np.var(self.data)
        self.median = np.median(self.data)
        self.max = np.amax(self.data) 
        self.min = np.amin(self.data)
    def __str__(self):
        return f'- {self.name} {("".join(["-" for _ in range(80-len(self.name))]))} \n\tstandard deviation: {self.standardDeviation} \n\tvariance: {self.variance} \n\tarithmetic mean: {self.mean} \n\tmedian: {self.median} \n\tmaximum: {self.max} \n\tminimum: {self.min} \n'


In [43]:
def measureDoubleAndAdd(ec: EllipticCurve, scalars: List):
    dataTitleMult = 'Multiplicant'
    dataTitleMultBin = 'Multiplicant (bin)'
    dataTitleMlTime = 'Montgomery Ladder time'
    dataTitleDaaTime = 'Standard DAA time'
    dataTitleResultEq = 'Results equal'
    # array for data collection
    data = {
        dataTitleMult: [],
        dataTitleMultBin: [],
        dataTitleMlTime: [],
        dataTitleDaaTime: [],
        dataTitleResultEq: []
    }

    for r in scalars: 
        rBin = toBinary(r)
        daa = elapseTimeWithResult(doubleAndAddBase, ec, rBin)
        ml = elapseTimeWithResult(pointMultiplication, ec, rBin)
        # save data
        data[dataTitleMult].append(r)
        data[dataTitleMultBin].append(rBin)
        data[dataTitleMlTime].append(ml[1])
        data[dataTitleDaaTime].append(daa[1])
        data[dataTitleResultEq].append(daa[0] == ml[0])

    # pandas data frame for pretty print table
    pd.set_option('display.width', 140)
    df = pd.DataFrame(data)
    # results computation
    mlMeasurementsResults = MeasurementsProps(
        name = 'Montgomery Ladder Timing',
        data = data[dataTitleMlTime]
    )
    daaMeasurementsResults = MeasurementsProps(
        name = 'Standard Double-and-add Timing',
        data = data[dataTitleDaaTime]
    )

    dashes = ''.join( ["=" for _ in range(40-len(ec.name)//2)] )
    print(dashes, 'Curve: ', ec.name, ', samples bit size: ', len(toBinary(scalars[0])), dashes)
    print(mlMeasurementsResults)
    print(daaMeasurementsResults)
    print(df)
    print()


# data samples: 30 primes from different bit-length ranges
primes1 = [
    11731, 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 
    11827, 11831, 11833, 11839, 11863, 11867, 11887, 11897, 11903, 11909, 
    11923, 11927, 11933, 11939, 11941, 11953, 11959, 11969, 11971, 11981
]

primes2 = [
    284059, 284083, 284093, 284111, 284117, 284129, 284131, 284149, 284153, 284159,
    284161, 284173, 284191, 284201, 284227, 284231, 284233, 284237, 284243, 284261,
    284267, 284269, 284293, 284311, 284341, 284357, 284369, 284377, 284387, 284407
]

primes3 = [
    14837491, 14837503, 14837513, 14837519, 14837527, 14837533, 14837539, 14837551, 14837587, 14837591,
    14837593, 14837609, 14837653, 14837657, 14837663, 14837677, 14837681, 14837687, 14837707, 14837723,
    14837743, 14837789, 14837807, 14837839, 14837857, 14837861, 14837873, 14837891, 14837897, 14837899
]


ecBp256 = getCurve(ELLIPTIC_CURVES.bp256.value)
ecBp512 = getCurve(ELLIPTIC_CURVES.bp512.value)

measureDoubleAndAdd(ecBp256, primes1)
measureDoubleAndAdd(ecBp512, primes1)
measureDoubleAndAdd(ecBp256, primes2)
measureDoubleAndAdd(ecBp512, primes2)
measureDoubleAndAdd(ecBp256, primes3)
measureDoubleAndAdd(ecBp512, primes3)

- Montgomery Ladder Timing -------------------------------------------------------- 
	standard deviation: 0.0007548801765034043 
	variance: 5.698440808778109e-07 
	arithmetic mean: 0.003748938999999633 
	median: 0.0035187564999983323 
	maximum: 0.005868776999999881 
	minimum: 0.002840479999999701 

- Standard Double-and-add Timing -------------------------------------------------- 
	standard deviation: 0.0006238278146219745 
	variance: 3.891611422960285e-07 
	arithmetic mean: 0.002809679933333579 
	median: 0.002632143500001405 
	maximum: 0.004576283000002235 
	minimum: 0.002155230999999702 

    Multiplicant Multiplicant (bin)  Montgomery Ladder time  Standard DAA time  Results equal
0          11731     10110111010011                0.005510           0.003236           True
1          11743     10110111011111                0.003736           0.004576           True
2          11777     10111000000001                0.005191           0.002507           True
3          11779     1011

The timing analysis showed that the Montgomery ladder was mostly slower than the standard Double-and-add algorithm, which was expected. As well the standard deviation was lower in case of the Montgomery ladder version, pointing to more time-invariant results.

Both algorithms always yielded the same result of the multiplication. 

# References <a id='references'></a>

- [[1]](https://perso.univ-rennes1.fr/christophe.ritzenthaler/cours/elliptic-curve-course.pdf): Ritzenhaler C., "Introduction to elliptic curves", Université de Rennes, 2013-2014, online access: https://perso.univ-rennes1.fr/christophe.ritzenthaler/cours/elliptic-curve-course.pdf

- https://cryptobook.nakov.com/asymmetric-key-ciphers/elliptic-curve-cryptography-ecc

- [3] https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session4-merkle-johannes.pdf - Requirements for Elliptic Curves for High-Assurance Applications, chapter 3.5 Implementation Security

- [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
- [5] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf page 9
- [6] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf Appendix D: Recommended Elliptic Curves for Federal
Government Use, p. 87

- [7] https://www.python.org/dev/peps/pep-0557/ dataclasses

- [8] https://www.rfc-editor.org/rfc/pdfrfc/rfc5639.txt.pdf -> Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, chapter 3 Domain Parameter Specification

- ? https://www.rfc-editor.org/rfc/rfc8734.html#section-appendix.a-1 brainpool test vectors for later

- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-1_pdf.pdf?__blob=publicationFile&v=1 

- [9] https://www.emsec.ruhr-uni-bochum.de/media/attachments/files/2014/11/MA_Bluhm.pdf Software optimization of binary elliptic curves arithmetic
using modern processor architectures, p. 14

- [10] https://eprint.iacr.org/2014/140.pdf Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack

https://billatnapier.medium.com/barebones-p256-1700ff5a4  

https://girlstalkmath.com/2018/07/02/elliptic-curve-cryptography-2/ multiplicative inverse in mod arithmetic

my ascii charts https://asciiflow.com/#/share/eJyrVspLzE1VssorzcnRUcpJrEwtUrJSqo5RqohRsrI0NdaJUaoEsowszYGsktSKEiAnRunRlD1DGsXE5AFJBYoAbY1xJKDNiThjCDvv0ZQmOhlFIFamEYgzFGN7Hk1pwIlAJuGWnTIBq9OApHNGfn5xqoJjfEFRZhmGjyG%2Bg6pxQqhpItmnhBCKpVPw%2BmUNXtkZtIxPwj4hFKOoviUQqYTjFRG7aM4Eme6cn1tQWgKO3NIkdP9DPQpT44SkpgnTOIgRttB0ohUQn5QITBGoxjlB1TihqcFiHFUQsemFYJJBJByalShUKgTwJhjSiwCIx1wrkjMS89Lh6YTYGJi2C0mvE0wvlqIBFn6JeSnI6Wx6CwkRDdLriJZGSQlkEsof%2FAlqAEsffF4kJRHhTkVkJCGor2DliDdWn0LrETQ12OIQotXbFlrQQJILVuO8baEFjSNUDS7jKE8QxBQxpCcHUsEgNWZIoxilWqVaACONwUA%3D)