### ZK Proof using ECC

```sh
Claim: “I know two values x and y such that x + y = 15”
Proof: I multiply x by G1 and y by G1 and give those to you as A and B.
Verifier: You multiply 15 by G1 and check that A + B == 15G1.
```

In [3]:
from py_ecc.bn128 import G1, multiply, add, neg

# Prover
secret_x = 5
secret_y = 10

x = multiply(G1, 5)
y = multiply(G1, 10)

proof = (x, y, 15)

# verifier
if multiply(G1, proof[2]) == add(proof[0], proof[1]):
    print("statement is true")
else:
    print("statement is false")

statement is true


### Bonus: Why the ECDSA malleability attack works.

As we documented in our smart contract security article, given a valid signature (r, s, v, hash(msg)), one can forge another valid signature for the same message by doing the following:

```sh
// create a fake s for (r, s, v), then flip v
bytes32 s2 = bytes32(uint256(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141) - uint256(s));
Where does this magic number come from? ECDSA uses the secp256k1 curve, which has the following parameters:

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
y^2 = x^3 + 7 (mod p)
order = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
```

**Note that the order is the same as the magic number.**

#### Main Identity :
```sh
multiply((order - x) * G1) == neg(multiply(G1, x))
```

In [7]:
order = 21888242871839275222246405745257275088548364400416034343698204186575808495617
x = 100 # chosen randomly
assert multiply(G1, order - x) == neg(multiply(G1, x))


proof = '''
point_at_infinity = order*G1\n
(order + x - x)*G1 = point_at_infinity\n
(order - x)*G1 = -xG1 + point_at_infinity\n
(order - x)*G1 = -xG1 + point_at_infinity\n
(order - x)*G1 = -xG1\n
(order - x)*G1 = neg(x*G1)
'''

print(proof)


point_at_infinity = order*G1

(order + x - x)*G1 = point_at_infinity

(order - x)*G1 = -xG1 + point_at_infinity

(order - x)*G1 = -xG1 + point_at_infinity

(order - x)*G1 = -xG1

(order - x)*G1 = neg(x*G1)

