# Elliptic Curves

Bloqs for breaking elliptic curve cryptography systems via the discrete log.

Elliptic curve cryptography is a form of public key cryptography based on the finite
field of elliptic curves. For our purposes, we will denote the group operation as addition
(whose definition we will explore later) $A + B$. We will denote repeated addition
 as $[k] A = A + \dots + A$ ($k$ times).

Within this algebra, the cryptographic scheme relates the public and private keys via
$$
Q = [k] P
$$
for private key $k$, public key $Q$, and a choice of base point $P$. The cryptographic
security comes from the difficulty of inverting the multiplication. I.e. it is difficult
to do a discrete logarithm in this field.

Using Shor's algorithm for the discrete logarithm, we can find $k$ in polynomial time
with a quantum algorithm.

In [None]:
from qualtran import Bloq, CompositeBloq, BloqBuilder, Signature, Register
from qualtran import QBit, QInt, QUInt, QAny
from qualtran.drawing import show_bloq, show_call_graph, show_counts_sigma
from typing import *
import numpy as np
import sympy
import cirq

## `FindECCPrivateKey`
Perform two phase estimations to break elliptic curve cryptography.

This follows the strategy in Litinski 2023. We perform two phase estimations corresponding
to `ECCAddR(R=P)` and `ECCAddR(R=Q)` for base point $P$ and public key $Q$.

The first phase estimation projects us into a random eigenstate of the ECCAddR(R=P) operator
which we index by the integer $c$. Per eq. 5 in the reference, these eigenstates take the form
$$
|\psi_c \rangle = \sum_j^{r-1} \omega^{cj}\ | [j]P \rangle  \\
\omega = e^{2\pi i / r} \\
[r] P = P
$$

This state is a simultaneous eigenstate of the second operator, `ECCAddR(R=Q)`. By
the definition of the operator, acting it upon $|\psi_c\rangle$ gives:
$$
|\psi_c \rangle \rightarrow \sum_j w^{cj} | [j]P + Q \rangle\rangle
$$

The private key $k$ that we wish to recover relates the public key to the base point
$$
Q = [k] P
$$
so our simultaneous eigenstate can be equivalently written as
$$
\sum_j^{r-1} \omega^{cj} | [j+k] P \rangle \\
= \omega^{-ck} |\psi_c \rangle
$$

Therefore, the measured result of the second phase estimation is $ck$. Since we have
already measured the random index $c$, we can divide it out to recover the private key $k$.

#### Parameters
 - `n`: The bitsize of the elliptic curve points' x and y registers.
 - `base_point`: The base point $P$ with unknown order $r$ such that $P = [r] P$.
 - `public_key`: The public key $Q$ such that $Q = [k] P$ for private key $k$.
 - `add_window_size`: The number of bits in the ECAdd window.
 - `mul_window_size`: The number of bits in the modular multiplication window. 

#### References
 - [How to compute a 256-bit elliptic curve private key with only 50 million Toffoli gates](https://arxiv.org/abs/2306.08585). Litinski. 2023. Figure 4 (a).


In [None]:
from qualtran.bloqs.cryptography.ecc import FindECCPrivateKey

### Example Instances

In [None]:
from qualtran.bloqs.cryptography.ecc import ECPoint

n, p = sympy.symbols('n p')
Px, Py, Qx, Qy = sympy.symbols('P_x P_y Q_x Q_y')
P = ECPoint(Px, Py, mod=p)
Q = ECPoint(Qx, Qy, mod=p)
ecc = FindECCPrivateKey(n=n, base_point=P, public_key=Q)

#### Graphical Signature

In [None]:
from qualtran.drawing import show_bloqs
show_bloqs([ecc],
           ['`ecc`'])

### Call Graph

In [None]:
from qualtran.resource_counting.generalizers import ignore_split_join
ecc_g, ecc_sigma = ecc.call_graph(max_depth=1, generalizer=ignore_split_join)
show_call_graph(ecc_g)
show_counts_sigma(ecc_sigma)