# D√©monstration : ECDSA (Elliptic Curve Digital Signature Algorithm)

**Objectifs** :
- Comprendre les courbes elliptiques en cryptographie
- Impl√©menter ECDSA (signatures sur courbes elliptiques)
- Comparer avec RSA et DSA
- Utiliser Ed25519 (courbe moderne)

In [None]:
from cryptography.hazmat.primitives.asymmetric import ec, ed25519
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.backends import default_backend
import secrets
import time

## 1. Courbes Elliptiques : Introduction

**√âquation** : $y^2 = x^3 + ax + b \pmod{p}$

**Op√©ration de groupe** : Addition de points
- $P + Q = R$ (g√©om√©triquement : ligne passant par P et Q)
- $nP = P + P + \ldots + P$ (n fois)

**Probl√®me difficile** : ECDLP (Elliptic Curve Discrete Logarithm Problem)
- Donn√© $P$ et $Q = nP$, trouver $n$ est difficile

**Avantage** :
- Cl√©s courtes (256 bits) = S√©curit√© RSA-3072
- Calculs plus rapides
- Moins de bande passante

## 2. ECDSA : Signatures sur Courbes Elliptiques

**Setup** :
- Courbe $E$, point g√©n√©rateur $G$ d'ordre $n$
- Cl√© priv√©e : $d \xleftarrow{\$} [1, n-1]$
- Cl√© publique : $Q = dG$

**Signature de $m$** :
1. $k \xleftarrow{\$} [1, n-1]$ (nonce al√©atoire, crucial !)
2. $(x, y) = kG$
3. $r = x \mod n$
4. $s = k^{-1}(H(m) + dr) \mod n$
5. Signature : $(r, s)$

**V√©rification** :
1. $u_1 = H(m) \cdot s^{-1} \mod n$
2. $u_2 = r \cdot s^{-1} \mod n$
3. $(x, y) = u_1 G + u_2 Q$
4. Valide si $r \equiv x \pmod{n}$

## 3. ECDSA avec secp256r1 (NIST P-256)

In [None]:
def ecdsa_demo():
    """
    D√©monstration compl√®te d'ECDSA avec secp256r1.
    """
    print("=" * 70)
    print("ECDSA avec secp256r1 (NIST P-256)")
    print("=" * 70)
    
    # G√©n√©ration de cl√©s
    print("\nüë§ G√©n√©ration de cl√©s ECDSA :")
    start = time.perf_counter()
    private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    elapsed = time.perf_counter() - start
    
    public_key = private_key.public_key()
    
    print(f"   Temps de g√©n√©ration : {elapsed*1000:.2f} ms")
    print(f"   Courbe : secp256r1 (NIST P-256)")
    print(f"   Taille cl√© priv√©e : 256 bits")
    print(f"   Taille cl√© publique : 2 √ó 256 bits (point (x, y))")
    
    # S√©rialisation des cl√©s
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption()
    )
    
    public_pem = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    
    print(f"\nüîë Cl√©s (format PEM) :")
    print(f"   Cl√© priv√©e : {len(private_pem)} bytes")
    print(f"   Cl√© publique : {len(public_pem)} bytes")
    
    # Message √† signer
    message = b"Transaction: Alice sends 10 BTC to Bob"
    
    print(f"\nüìù Message √† signer : {message}")
    
    # Signature
    print(f"\n‚úçÔ∏è  Signature ECDSA :")
    start = time.perf_counter()
    signature = private_key.sign(
        message,
        ec.ECDSA(hashes.SHA256())
    )
    time_sign = time.perf_counter() - start
    
    print(f"   Temps : {time_sign*1000:.2f} ms")
    print(f"   Signature (hex) : {signature.hex()[:64]}...")
    print(f"   Taille : {len(signature)} bytes")
    
    # V√©rification
    print(f"\n‚úÖ V√©rification de la signature :")
    start = time.perf_counter()
    try:
        public_key.verify(
            signature,
            message,
            ec.ECDSA(hashes.SHA256())
        )
        time_verify = time.perf_counter() - start
        print(f"   Temps : {time_verify*1000:.2f} ms")
        print(f"   R√©sultat : VALIDE ‚úÖ")
        print(f"   ‚Üí Signature authentique (vient de la cl√© priv√©e)")
        print(f"   ‚Üí Message int√®gre (pas modifi√©)")
    except Exception as e:
        print(f"   R√©sultat : INVALIDE ‚ùå")
        print(f"   Erreur : {e}")
    
    return private_key, public_key, signature

private_key, public_key, signature = ecdsa_demo()

## 4. Tests de Robustesse

In [None]:
def ecdsa_robustness_tests():
    """
    Tests de robustesse d'ECDSA.
    """
    print("\n" + "=" * 70)
    print("TESTS DE ROBUSTESSE ECDSA")
    print("=" * 70)
    
    message = b"Original message"
    
    # Test 1 : Modification du message
    print(f"\nüîç TEST 1 : Modification du message")
    modified_message = b"Modified message"
    
    print(f"   Message original : {message}")
    print(f"   Message modifi√©  : {modified_message}")
    
    try:
        public_key.verify(
            signature,
            modified_message,
            ec.ECDSA(hashes.SHA256())
        )
        print(f"   ‚ùå ERREUR : Signature valide sur message modifi√© !")
    except Exception:
        print(f"   ‚úÖ Signature INVALIDE (attendu)")
        print(f"   ‚Üí Modification D√âTECT√âE")
    
    # Test 2 : Corruption de la signature
    print(f"\nüîç TEST 2 : Corruption de la signature")
    corrupted_signature = bytearray(signature)
    corrupted_signature[0] ^= 0xFF
    
    try:
        public_key.verify(
            bytes(corrupted_signature),
            message,
            ec.ECDSA(hashes.SHA256())
        )
        print(f"   ‚ùå ERREUR : Signature corrompue accept√©e !")
    except Exception:
        print(f"   ‚úÖ Signature INVALIDE (attendu)")
        print(f"   ‚Üí Corruption D√âTECT√âE")
    
    # Test 3 : Mauvaise cl√© publique
    print(f"\nüîç TEST 3 : V√©rification avec mauvaise cl√© publique")
    wrong_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    wrong_public_key = wrong_private_key.public_key()
    
    try:
        wrong_public_key.verify(
            signature,
            message,
            ec.ECDSA(hashes.SHA256())
        )
        print(f"   ‚ùå ERREUR : Signature valide avec mauvaise cl√© !")
    except Exception:
        print(f"   ‚úÖ Signature INVALIDE (attendu)")
        print(f"   ‚Üí Authentification √©chou√©e (mauvais signataire)")
    
    # Test 4 : Randomisation (signatures diff√©rentes)
    print(f"\nüîç TEST 4 : Randomisation des signatures")
    sig1 = private_key.sign(message, ec.ECDSA(hashes.SHA256()))
    sig2 = private_key.sign(message, ec.ECDSA(hashes.SHA256()))
    
    print(f"   Signature 1 : {sig1.hex()[:32]}...")
    print(f"   Signature 2 : {sig2.hex()[:32]}...")
    print(f"   Diff√©rentes : {sig1 != sig2} ‚úÖ")
    print(f"   ‚Üí Nonce k al√©atoire (s√©curit√©)")
    
    # V√©rifier que les deux sont valides
    try:
        public_key.verify(sig1, message, ec.ECDSA(hashes.SHA256()))
        public_key.verify(sig2, message, ec.ECDSA(hashes.SHA256()))
        print(f"   Les deux signatures sont valides ‚úÖ")
    except:
        print(f"   ‚ùå ERREUR : Une signature invalide !")

ecdsa_robustness_tests()

## 5. Attaque : Nonce Reuse (k r√©utilis√©)

**CATASTROPHE** : Si le m√™me $k$ est utilis√© pour deux signatures, la cl√© priv√©e peut √™tre r√©cup√©r√©e !

**Exemple c√©l√®bre** : PlayStation 3 hack (2010)
- Sony a r√©utilis√© le m√™me $k$ pour toutes les signatures
- Cl√© priv√©e r√©cup√©r√©e ‚Üí Jeux pirat√©s sign√©s comme l√©gitimes

In [None]:
def ecdsa_nonce_reuse_attack_theory():
    """
    Explication th√©orique de l'attaque par r√©utilisation de nonce.
    """
    print("\n" + "=" * 70)
    print("ATTAQUE : Nonce Reuse (k r√©utilis√©)")
    print("=" * 70)
    
    print(f"\n‚ö†Ô∏è  Sc√©nario vuln√©rable :")
    print(f"   Deux signatures (r‚ÇÅ, s‚ÇÅ) et (r‚ÇÇ, s‚ÇÇ) avec le M√äME k")
    
    print(f"\nüí° Rappel ECDSA :")
    print(f"   s = k‚Åª¬π(H(m) + dr) mod n")
    print(f"   r = x-coordinate of kG")
    
    print(f"\nüîç Si k r√©utilis√© pour m‚ÇÅ et m‚ÇÇ :")
    print(f"   s‚ÇÅ = k‚Åª¬π(H(m‚ÇÅ) + dr)")
    print(f"   s‚ÇÇ = k‚Åª¬π(H(m‚ÇÇ) + dr)")
    print(f"   r‚ÇÅ = r‚ÇÇ = r (m√™me k ‚Üí m√™me r !)")
    
    print(f"\nüí• Attaque :")
    print(f"   s‚ÇÅ - s‚ÇÇ = k‚Åª¬π(H(m‚ÇÅ) - H(m‚ÇÇ))")
    print(f"   ‚Üí k = (H(m‚ÇÅ) - H(m‚ÇÇ)) / (s‚ÇÅ - s‚ÇÇ) mod n")
    print(f"   ‚Üí d = (s‚ÇÅ¬∑k - H(m‚ÇÅ)) / r mod n")
    print(f"\n   CL√â PRIV√âE R√âCUP√âR√âE ! üíÄ")
    
    print(f"\nüìú Exemples historiques :")
    print(f"   - PlayStation 3 (2010) : k constant ‚Üí hack complet")
    print(f"   - Bitcoin (2013) : Wallet Android, k faible ‚Üí vol de BTC")
    print(f"   - Blockchain.info (2014) : k pr√©dictible ‚Üí vol")
    
    print(f"\n‚úÖ PROTECTIONS :")
    print(f"   1. k DOIT √™tre al√©atoire cryptographiquement s√ªr")
    print(f"   2. k DOIT √™tre unique pour chaque signature")
    print(f"   3. Utiliser RFC 6979 : k d√©terministe = HMAC(d, m)")
    print(f"      ‚Üí k unique par message, pas de hasard requis")
    print(f"   4. Utiliser Ed25519 : k = H(secret || m) (int√©gr√©)")

ecdsa_nonce_reuse_attack_theory()

## 6. Ed25519 : Courbe Moderne (Recommand√©e)

**Avantages sur ECDSA** :
- ‚úÖ Plus rapide (courbe Curve25519 optimis√©e)
- ‚úÖ R√©sistant aux side-channels (constant-time)
- ‚úÖ Nonce d√©terministe (pas de risque de r√©utilisation)
- ‚úÖ Signatures plus courtes (64 bytes)
- ‚úÖ Cl√©s plus courtes (32 bytes)

**Utilis√© dans** :
- SSH (ssh-ed25519)
- Signal Protocol
- Tor
- Cryptomonnaies (Monero, Stellar, etc.)

In [None]:
def ed25519_demo():
    """
    D√©monstration d'Ed25519 (courbe moderne).
    """
    print("\n" + "=" * 70)
    print("ED25519 : Courbe Moderne (Recommand√©e)")
    print("=" * 70)
    
    # G√©n√©ration de cl√©s
    print("\nüë§ G√©n√©ration de cl√©s Ed25519 :")
    start = time.perf_counter()
    private_key = ed25519.Ed25519PrivateKey.generate()
    elapsed = time.perf_counter() - start
    
    public_key = private_key.public_key()
    
    print(f"   Temps de g√©n√©ration : {elapsed*1000:.2f} ms")
    print(f"   Courbe : Curve25519 (Edwards form)")
    
    # S√©rialisation
    private_bytes = private_key.private_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PrivateFormat.Raw,
        encryption_algorithm=serialization.NoEncryption()
    )
    
    public_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw
    )
    
    print(f"\nüîë Tailles :")
    print(f"   Cl√© priv√©e  : {len(private_bytes)} bytes (256 bits)")
    print(f"   Cl√© publique : {len(public_bytes)} bytes (256 bits)")
    print(f"   ‚Üí Plus compactes que RSA-2048 (256 bytes) !")
    
    # Message
    message = b"Secure message signed with Ed25519"
    print(f"\nüìù Message : {message}")
    
    # Signature
    print(f"\n‚úçÔ∏è  Signature Ed25519 :")
    start = time.perf_counter()
    signature = private_key.sign(message)
    time_sign = time.perf_counter() - start
    
    print(f"   Temps : {time_sign*1000:.2f} ms")
    print(f"   Signature (hex) : {signature.hex()}")
    print(f"   Taille : {len(signature)} bytes (512 bits)")
    
    # V√©rification
    print(f"\n‚úÖ V√©rification :")
    start = time.perf_counter()
    try:
        public_key.verify(signature, message)
        time_verify = time.perf_counter() - start
        print(f"   Temps : {time_verify*1000:.2f} ms")
        print(f"   R√©sultat : VALIDE ‚úÖ")
    except Exception as e:
        print(f"   R√©sultat : INVALIDE ‚ùå")
        print(f"   Erreur : {e}")
    
    return private_key, public_key, signature

ed25519_private, ed25519_public, ed25519_sig = ed25519_demo()

## 7. Comparaison : RSA vs ECDSA vs Ed25519

In [None]:
import pandas as pd

def compare_signature_schemes():
    """
    Compare RSA, ECDSA, et Ed25519.
    """
    print("\n" + "=" * 70)
    print("COMPARAISON : RSA vs ECDSA vs Ed25519")
    print("=" * 70)
    
    comparison = pd.DataFrame({
        'Propri√©t√©': [
            'Bas√© sur',
            'Taille cl√© publique',
            'Taille cl√© priv√©e',
            'Taille signature',
            'S√©curit√© (bits)',
            'Vitesse signature',
            'Vitesse v√©rification',
            'Nonce management',
            'Side-channel resistant',
            'Standardisation'
        ],
        'RSA-2048': [
            'Factorisation',
            '256 bytes',
            '256 bytes',
            '256 bytes',
            '112 bits',
            'Lent',
            'Rapide',
            'N/A',
            'Non',
            'PKCS#1, X.509'
        ],
        'ECDSA P-256': [
            'ECDLP',
            '64 bytes',
            '32 bytes',
            '~64 bytes',
            '128 bits',
            'Rapide',
            'Rapide',
            'Al√©atoire (risqu√©)',
            'Non',
            'FIPS 186-4'
        ],
        'Ed25519': [
            'ECDLP',
            '32 bytes',
            '32 bytes',
            '64 bytes',
            '128 bits',
            'Tr√®s rapide',
            'Tr√®s rapide',
            'D√©terministe (s√ªr)',
            'Oui',
            'RFC 8032'
        ]
    })
    
    print()
    print(comparison.to_string(index=False))
    
    print(f"\nüìä Benchmark (signatures sur 100 messages) :")
    
    message = b"Test message"
    iterations = 100
    
    # Ed25519
    start = time.perf_counter()
    for _ in range(iterations):
        sig = ed25519_private.sign(message)
        ed25519_public.verify(sig, message)
    time_ed25519 = time.perf_counter() - start
    
    print(f"\n   Ed25519      : {time_ed25519:.3f}s ({time_ed25519/iterations*1000:.2f} ms/op)")
    print(f"   ECDSA P-256  : ~{time_ed25519*1.5:.3f}s (estim√©, ~1.5x plus lent)")
    print(f"   RSA-2048     : ~{time_ed25519*10:.3f}s (estim√©, ~10x plus lent)")
    
    print(f"\n‚úÖ RECOMMANDATIONS :")
    print(f"   Ed25519   : Nouveau code (SSH, Signal, Tor)")
    print(f"   ECDSA     : Compatibilit√© (Bitcoin, TLS legacy)")
    print(f"   RSA       : Legacy (TLS 1.2, PGP, X.509 existants)")

compare_signature_schemes()

## 8. Applications R√©elles

In [None]:
print("\n" + "=" * 70)
print("APPLICATIONS R√âELLES")
print("=" * 70)

print(f"\nüåê TLS/HTTPS :")
print(f"   - TLS 1.2 : RSA-2048 ou ECDSA P-256/P-384")
print(f"   - TLS 1.3 : Pr√©f√®re ECDSA (plus rapide handshake)")
print(f"   - Certificats X.509 : RSA ou ECDSA")

print(f"\nüîê SSH :")
print(f"   - ssh-rsa : RSA-2048 (legacy)")
print(f"   - ecdsa-sha2-nistp256 : ECDSA P-256")
print(f"   - ssh-ed25519 : Ed25519 (recommand√©) ‚úÖ")
print(f"   Commande : ssh-keygen -t ed25519")

print(f"\nüí∞ Cryptomonnaies :")
print(f"   - Bitcoin : ECDSA secp256k1")
print(f"   - Ethereum : ECDSA secp256k1 (r√©cup√©ration cl√© publique)")
print(f"   - Monero : Ed25519 (ring signatures)")
print(f"   - Cardano : Ed25519")

print(f"\nüì± Messagerie :")
print(f"   - Signal Protocol : X25519 (ECDH) + Ed25519 (signatures)")
print(f"   - WhatsApp : Signal Protocol")
print(f"   - iMessage : ECDSA (Apple)")

print(f"\nüîè Autres :")
print(f"   - PGP/GPG : RSA-2048/4096 ou ECDSA")
print(f"   - DNSSEC : RSA ou ECDSA P-256")
print(f"   - Code signing : RSA ou ECDSA (Apple, Microsoft)")
print(f"   - Tor : Ed25519 (onion addresses v3)")

## Conclusion

**Points cl√©s** :
- Courbes elliptiques : Cl√©s courtes (256 bits) = S√©curit√© RSA-3072
- ‚úÖ ECDSA : Standard NIST, largement d√©ploy√©
- ‚ö†Ô∏è ECDSA : Vuln√©rable si nonce k r√©utilis√© ou faible
- ‚úÖ Ed25519 : Courbe moderne, rapide, r√©sistant aux side-channels
- ‚úÖ Ed25519 : Nonce d√©terministe (pas de risque de r√©utilisation)

**S√©curit√©** :
- ECDSA P-256 / Ed25519 : ~128 bits (√©quivalent RSA-3072)
- ECDSA P-384 : ~192 bits (√©quivalent RSA-7680)
- ECDSA P-521 : ~256 bits (√©quivalent RSA-15360)

**Performance** :
- Ed25519 : ~10x plus rapide que RSA-2048
- ECDSA : ~5-8x plus rapide que RSA-2048
- Cl√©s et signatures beaucoup plus compactes

**En pratique** :
- Nouveau code : **Ed25519** (recommand√©)
- Compatibilit√© : **ECDSA P-256**
- Legacy : **RSA-2048** minimum (pr√©f√©rer 3072)

**√âviter** :
- ‚ùå RSA < 2048 bits
- ‚ùå ECDSA avec nonce non-al√©atoire
- ‚ùå ECDSA sans RFC 6979 (nonce d√©terministe)