# Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) leverages algebraic structure of elliptic curves over finite fields in order to generate public keys. It can solve the problem of performance-heavy operations with too large keys (f.ex. 2048-bit RSA), as usually for ECC 256 bits are used.

## 1 Elliptic curves

### 1.1 Elliptic curve: definition 

Elliptic curves are defined over a field $K$ and describe points in its cartesian product $K^2$; they are smooth and projective affine algebraic structures. 

The Weierstrass equation of an elliptic curve $E$ over a field $K$ is [[1]](#references): 

$$ E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 $$

what in case of the fields with characteristic different than 2 or 3 (i.e. the smallest number of summands $n$ of the field's identity element $e$ so $ne=0$), the affinitic equation of the elliptic curve can be simplified to: 

$$ E : y^2 = x^3 + Ax + B $$ $$A, B \in K$$ 


### 1.2 Elliptic curve: point addition 

The structure of elliptic curves fulfills the necessary requirements for its points to form an algebraic group with a certain addition law. 

<p align="center">
<img width="300" src="assets/ec-addition.png" >
<div align="center">
Fig. 1.1: Addition on elliptiv curve
</div>
</p>

With $P, Q \in E$ - being two points on an elliptic curve group $E$ - and $L$ being the line connecting those points, the third point $R$ can be defined where the intersection of $L$ with $E$ happens. Then, the result of $P+Q$ is located on the residual point of the intersection $R'$. 

The coordinates of the result ($x_{res}$, $y_{res}$) can be calculated as:
$$x_{res} = s^2-x_p-x_q$$
$$y_{res} = -y_p+s(x_p-x_{res})$$
with $s$ being the slope of the line $L$ through $P$ and $Q$: 
$$s= y_p-y_q/x_p-x_q$$

With $O$ being the neutral point in the group $E$, the following properties are fullfiled: 
- $P + O = P$
- $P + Q = Q + P$
- if $P \in E$ then there exists a point $Q$ such that $P + Q = O$
- if $P, Q \in E$ then $P + Q \in E$
- for $P, Q, R \in E$ is satisfied $(P + Q) + R = P + (Q + R)$ 

### 1.4 Multiplication of EC point with integer

Any point $P$ on the elliptic curve can be added to itself resulting in: 
$$ P + P = 2 * P $$

Continuing the addition multiple $n$ times yeilds to: 

$$ P * n = P + P + ... + P (n-times)$$

As multiplication is defined by the point addition, it always results in another point on the elliptic curve. 

For point doubling, i.e. $R = 2*P = P + P$, the following formula holds: 
$$x_{R} = s^2-2x_p$$
$$y_{R} = -y_p+s(x_p-x_{res})$$
with $s$: 
$$s= (3x_p^2+a)/2y_p$$

### 1.5 Elliptic Curves over finite field

The ECs used in ECC are strictly defined over finite field $Fp$, with $p$ being a prime number bigger than 3. Hence, the field is a square matrix with dimensions $p \times p$. Hence, the points of a given curve are limited to integer coordinates within its field matrix and all algebraic operations will result in a point within that field.   



## 2 NIST elliptic curves

### 2.1 NIST Standard

National Institute of Standards and Technology (NIST) is an American national institute, working under the provisions of the Federal Information Security Management Act. It defines the standars of the curves and its parameters for different key-lengths, in order to achieve implementation with base security accepted by the USA government. As well, it outlines key-establishment schemes, key-derivation and key-pair managements methods, as well as recommendations for DLC-based (Discrete Logarithm Cryptography) key-agreement schemes[[4]](#references). 

For each key-length NIST provides two types of fields[[5]](#references): 
* **prime field**: it contains a prime number $p$ of elements, which are the integers modulo $p$, with the field arithmetic being implemented in terms of the arithmetic of integers modulo $p$;
* **binary field**: it contains $2^m$ elements (with $m$ being the degree of the field) which are bit strings of length $m$, and the field arithmetic is implemented in terms of operations on bits. 

As well, two types of curves are given: 
* **pseudorandom** curves: with coefficients that are generated from the output of the seeded hash function;
* **special** curves: with coefficients and the field being selected to optimize the efficiency of the arithmetic operations on the curve.

The special curves over prime fields are known as *Edwards* or *Montgomery* curves; meanwhile over binary field they are referred as *Koblitz* curves. 

In this paper, there will be inspected in detail psudorandom curves over prime fields. 

### 2.2 NIST pseudorandom curves over prime fields

#### 2.2.1 Curves parameters


Due to NIST official publication on *Recommended Elliptic Curves for Federal Government Use*[[6]](#references), all the pseudorandom curves over prime field curves are defined by: 

$$ E: y^2 = x^3 - 3x + b \mod p $$

with $a$ having a static value of $a=-3$ in every case for the reasons of efficiency. 

<p align="center">
<img width="500" src="assets/nist-basic-curve.png" />
<div align="center">
Fig. 2.1: Examples of curve E with different coefficients b, interactive access: <a href="https://www.desmos.com/calculator/shiz2q2qk4">desmos tool</a>
</div>
</p>

The following parameters are specifying the curves in details: 

* $p$: prime modulus 
* $n$: the order 
* $SEED$: the 160-bit long input seed to the domain parameter generation (SHA-1 algorithm)
* $c$: the output of the SHA-1 algorithm
* $b$: the coefficient of the curve, that grants satisfaction of condition $b^2c=-27 \mod p$
* $G$: the base point with two values: 
  * $Gx$: the $x$ coordinate of the base point
  * $Gy$: the $y$ coordinate of the base point

The parameters $p$ and $n$ are always given in decimal value, meanwhile the rest in hexadecimal. 

#### 2.2.2 P-256: 256-bit length curve


| param         | value |
|:-------------:|-------|
| $p_{(10)}$    | 115792089210356248762697446949407573530086143415290314195533631308867097853951 |
| $n_{(10)}$    | 115792089210356248762697446949407573529996955224135760342422259061068512044369 |
| $SEED_{(16)}$ | c49d3608 86e70493 6a6678e1 139d26b7 819f7e90 |
| $c_{(16)}$    | 7efba166 2985be94 03cb055c 75d4f7e0 ce8d84a9 c5114abc af317768 0104fa0d |
| $b_{(16)}$    | 5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b |
| $Gx_{(16)}$   | 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296 |
| $Gy_{(16)}$   | 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5 |

#### 2.2.3 P-521: 512-bit length curve

| param         | value |
|:-------------:|-------|
| $p_{(10)}$    | 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151 |
| $n_{(10)}$    | 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449 |
| $SEED_{(16)}$ | d09e8800 291cb853 96cc6717 393284aa a0da64ba |
| $c_{(16)}$    | 0b4 8bfa5f42 0a349495 39d2bdfc 264eeeeb 077688e4 4fbf0ad8 f6d0edb3 7bd6b533 28100051 8e19f1b9 ffbe0fe9 ed8a3c22 00b8f875 e523868c 70c1e5bf 55bad637 |
| $b_{(16)}$    | 051 953eb961 8e1c9a1f 929a21a0 b68540ee a2da725b 99b315f3 b8b48991 8ef109e1 56193951 ec7e937b 1652c0bd 3bb1bf07 3573df88 3d2c34f1 ef451fd4 6b503f00 |
| $Gx_{(16)}$   | c6 858e06b7 0404e9cd 9e3ecb66 2395b442 9c648139 053fb521 f828af60 6b4d3dba a14b5e77 efe75928 fe1dc127 a2ffa8de 3348b3c1 856a429b f97e7e31 c2e5bd66 |
| $Gy_{(16)}$   | 118 39296a78 9a3bc004 5c8a5fb4 2c7d1bd9 98f54449 579b4468 17afbd17 273e662c 97ee7299 5ef42640 c550b901 3fad0761 353c7086 a272c240 88be9476 9fd16650 |



## 3 Brainpool elliptic curves

### 3.1 Brainpool standard 

Brainpool elliptic curves are curves which are standardized by the Internet Engineering Task Force (IETF) - an international open standards organization - and are described in RFC-5639[[8]](#references).  

It presents a set of domain parameters defining cryptographically strong groups on elliptic curves for different key-length encryption schemes.

The curves are described with regard to Wierstrass' definition: 
$$ E : y^2 = x^3 + Ax + B $$

### 3.2 Brainpool curves 

### 3.3.1 Curves parameters 

The Brainpool curves are defined with similar parameters to NIST standard; used in the official publication symbols are: 

* $p$: prime number (modulus) specifying the base field, $p >3$ 
* $a$ and $b$: the coefficients of the $E$, satisfying $4a^3 + 27b^2 \mod p \ne 0$
* $G$: the base point with two values: 
  * $x$: the $x$ coordinate of the base point
  * $y$: the $y$ coordinate of the base point
* $q$: the prime order of the group generated by base point $G$ (equivalent of NIST $n$ parameter), such that $qG=0$
* $h$: the cofactor of $G$ in $E$, $h = E($Fp$)/q$

In the further implementations, the given here parameters naming convention will be used. 

### 3.3.2 brainpoolP256r1: 256-bit length curve

The curve for 256-bit length key is identified by the Curve-ID `brainpoolP256r1`, and has the following parameters:

| param      | value |
|------------:|-------|
| $p_{(16)}$ | A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377 |
| $q_{(16)}$ | A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7 |
| $a_{(16)}$ | 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9 |
| $b_{(16)}$ | 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6 |
| $Gx_{(16)}$ | 8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262 |
| $Gy_{(16)}$ | 547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997 |
| $h_{(10)}$ | 1 |


### 3.3.3 brainpoolP512r1: 512-bit length curve

The curve for 512-bit length key is identified by the Curve-ID `brainpoolP512r1`, and has the following parameters:

| param      | value |
|------------|-------|
| $p_{(16)}$ | AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3 |
| $q_{(16)}$ | AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069 |
| $a_{(16)}$ | 7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA |
| $b_{(16)}$ | 3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723 |
| $Gx_{(16)}$ | 81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822 |
| $Gy_{(16)}$ | 7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892 |
| $h_{(10)}$ | 1 |

## 4 Implementation 

### 4.1 Preeliminary considerations 

In order to achieve certain level of security, the selection of the curve parameters and the base point is important; hence, in this realization, the Brainpool defined curves will be used. 

Apart of that, the required protection depends on the implementation and its environment: if the hardware that runs it is completely secured and separated, the time-invariant implementation may be sufficient. If the implementation of ECC is located on the physically accessible device, it has to be robust against side-channel attacks (power consumption and its analysis, electromagnetic emanations, active fault injection, etc.), then more security measures needs to be taken, with techniques of randomization being essential in it[[3]](#references). In this lab, the hardware vurnerabilities are not taken in considerations, hence the focus will be on achieving time-constant implementation.

### 4.2 ECDH: Elliptic Curve Diffie-Hellman Key Exchange

The ECDH (Elliptic Curve Diffie-Hellman Key Exchange) is the scheme that allows derivation of the shared secret key over an insecure channel, based on the private-public key pairs of both sides. It follows the traditional Diffie–Hellman Key Exchange, nevertheless, the key pairs are of elliptic curve type and point multiplication is performed instead of the modular exponentiation.

Considering following properties: 
* $P_{base}$ - base point of the curve
* $A_{priv}$ - integer, private key of A 
* $A_{pub}$ - point on the curve, $A_{pub}=A*P_{base}$, public key of A 
* $B_{priv}$ - integer, private key of B 
* $B_{pub}$ - point on the curve, $B_{pub}=B*P_{base}$, public key of B
* $K$ - shared secret key, $K=A_{priv}*B_{priv}*P_{base}$

the algorithm executes following flow: 
```
┌──────────────────────────────────────────────────────────────┐
│              A                               B               │
│              │                               │               │
│    ┌─────────▼─────────┐           ┌─────────▼─────────┐     │
│    │   Choose A_priv   │           │   Choose B_priv   │     │
│    └─────────┬─────────┘           └─────────┬─────────┘     │
│              │                               │               │
│   ┌──────────▼───────────┐        ┌──────────▼───────────┐   │
│   │    Compute A_pub     │        │    Compute B_pub     │   │
│   │A_pub = A_priv*P_base │        │B_pub = B_priv*P_base │   │
│   └──────────┬───────────┘        └──────────┬───────────┘   │
│              │                               │               │
│     ┌────────▼─────────┐            ┌────────▼─────────┐     │
│     │  Exchange A_pub  └────────────►  Exchange B_pub  │     │
│     │    and B_pub     ◄────────────┐    and A_pub     │     │
│     └────────┬─────────┘            └────────┬─────────┘     │
│              │                               │               │
│      ┌───────▼─────────┐             ┌───────▼─────────┐     │
│      │   Compute K     │             │   Compute K     │     │
│      │  K=A_priv*B_pub │             │  K=B_priv*A_pub │     │
│      └─────────────────┘             └─────────────────┘     │
└──────────────────────────────────────────────────────────────┘
```
 
This results in both sides, A and B, having the same secret shared key that can be used for symmetric encryption. 

Based on that, the implementation will be divided into following steps: 
* curve data type definition 
* curve and field generation functions
* point addition function
* point multiplication function 
* double-and-add algorithm 
* Diffie-Hellman algorithm

### 4.3 Definition of the curve parameters

The curve parameters were declared with use of Python's `dataclass`[[7]](#references), introduced in version 3.7. This allowed to keep the code cleaner and to approach further computations rather functionally than object oriented. 



In [20]:
from dataclasses import dataclass 
from typing import Callable

@dataclass
class Point:
    x: int 
    y: int

@dataclass 
class Field: 
    p: int # prime modulus
    base: Point # base point 
    q: int # order of the base point 
    h: int = 1

@dataclass
class EllipticCurve:
    a: int # coefficient
    b: int # coefficient
    field: Field
    name: str = "undefined" 


In [21]:
brainpool_256 = EllipticCurve(
    name="brainpoolP256r1",
    a=0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9,
    b=0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6,
    field=Field(
        p=0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377,
        q=0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7,
        h=1,
        base=Point(
            x=0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262,
            y=0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
        )
    )
)

brainpool_512 = EllipticCurve(
    name="brainpoolP512r1",
    a=0x7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA,
    b=0x3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723,
    field=Field(
        p=0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3,
        q=0xAADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069,
        h=1,
        base=Point(
            x=0x81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822,
            y=0x7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892
        )
    )
)

# list of available curves 
EC_NAMES = ['brainpoolP256r1', 'brainpoolP512r1']

EC = {
    bp256: 'brainpoolP256r1',
    bp512: 'brainpoolP512r1'
}
ELLIPTIC_CURVES = [brainpool_256, brainpool_512]

# function to retrieve a curve to work on 
getCurve = lambda name : next(filter(lambda ec: ec.name == name,  ELLIPTIC_CURVES)) if name in EC_NAMES else ValueError("Invalid name of the curve.")

In [24]:
print(getCurve('brainpoolP256r1'))
print(getCurve('brainpoolP256r1aaa'))
print(getCurve('brainpoolP512r1'))

print(getCurve2(123))

EllipticCurve(a=56698187605326110043627228396178346077120614539475214109386828188763884139993, b=17577232497321838841075697789794520262950426058923084567046852300633325438902, field=Field(p=76884956397045344220809746629001649093037950200943055203735601445031516197751, base=Point(x=63243729749562333355292243550312970334778175571054726587095381623627144114786, y=38218615093753523893122277964030810387585405539772602581557831887485717997975), q=76884956397045344220809746629001649092737531784414529538755519063063536359079, h=1), name='brainpoolP256r1')
Invalid name of the curve.
EllipticCurve(a=6294860557973063227666421306476379324074715770622746227136910445450301914281276098027990968407983962691151853678563877834221834027439718238065725844264138, b=3245789008328967059274849584342077916531909009637501918328323668736179176583263496463525128488282611559800773506973771797764811498834995234341530862286627, field=Field(p=894896220765023255165660281515915342216260964409835451134459718720005701041

In [26]:
# check if point is on curve 
# y^2 - (x^3 + Ax + B) = 0 
isOnCurve: Callable[[Point, EllipticCurve], bool] = lambda p, ec: ((p.y**2 - (p.x**2 + ec.a*p.x + ec.b) % ec.field.p) == 0)

ec1 = getCurve('brainpoolP256r1')


print()

True

# References <a id='references'></a>

- [[1]](https://perso.univ-rennes1.fr/christophe.ritzenthaler/cours/elliptic-curve-course.pdf): Ritzenhaler C., "Introduction to elliptic curves", Université de Rennes, 2013-2014, online access: https://perso.univ-rennes1.fr/christophe.ritzenthaler/cours/elliptic-curve-course.pdf

- https://cryptobook.nakov.com/asymmetric-key-ciphers/elliptic-curve-cryptography-ecc

- [3] https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session4-merkle-johannes.pdf - Requirements for Elliptic Curves for High-Assurance Applications, chapter 3.5 Implementation Security

- [4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
- [5] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf page 9
- [6] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf Appendix D: Recommended Elliptic Curves for Federal
Government Use, p. 87

- [7] https://www.python.org/dev/peps/pep-0557/ dataclasses

- [8] https://www.rfc-editor.org/rfc/pdfrfc/rfc5639.txt.pdf -> Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, chapter 3 Domain Parameter Specification

- ? https://www.rfc-editor.org/rfc/rfc8734.html#section-appendix.a-1 brainpool test vectors for later

- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-1_pdf.pdf?__blob=publicationFile&v=1 

https://billatnapier.medium.com/barebones-p256-1700ff5a4  

my ascii charts https://asciiflow.com/#/share/eJyrVspLzE1VssorzcnRUcpJrEwtUrJSqo5RqohRsrI0NdaJUaoEsowszYGsktSKEiAnRunRlD1DGsXE5AFJBYoAbY1xJKDNiThjCDvv0ZQmOhlFIFamEYgzFGN7Hk1pwIlAJuGWnTIBq9OApHNGfn5xqoJjfEFRZhmGjyG%2Bg6pxQqhpItmnhBCKpVPw%2BmUNXtkZtIxPwj4hFKOoviUQqYTjFRG7aM4Eme6cn1tQWgKO3NIkdP9DPQpT44SkpgnTOIgRttB0ohUQn5QITBGoxjlB1TihqcFiHFUQsemFYJJBJByalShUKgTwJhjSiwCIx1wrkjMS89Lh6YTYGJi2C0mvE0wvlqIBFn6JeSnI6Wx6CwkRDdLriJZGSQlkEsof%2FAlqAEsffF4kJRHhTkVkJCGor2DliDdWn0LrETQ12OIQotXbFlrQQJILVuO8baEFjSNUDS7jKE8QxBQxpCcHUsEgNWZIoxilWqVaACONwUA%3D)