<h1>Elliptic Curve Cryptography</h1>
<p>
Elliptic curve equation: <br>
y^2 = x^3 + ax + b <br>
where a,b are such that the discriminant is nonzero: <br>
-16(4a^3 + 27b^2) != 0
</p>

<h2> Plotting Elliptic Curve</h2>

In [1]:
import numpy as np
import matplotlib.pyplot as plt
from ipywidgets import interact

def elliptic_curve(a: int, b: int):
    y, x = np.ogrid[-5:5:100j, -5:5:100j]
    plt.contour(x.ravel(), y.ravel(), pow(y, 2) - pow(x, 3) - x * a - b, [0])
    plt.grid()
    plt.show()

interact(elliptic_curve, a=(0,10), b=(0,10))

<function __main__.elliptic_curve>

<h2> Elliptic Curve Characteristics</h2>
<p>
<ul>
<li> A line intersecting elliptic curve at two points will also intersect it at third point except when the line is verticle or it is a tangent.</li>
<li> Characteristics of point on elliptic curve:</li>
<ul>
<li> P + 0 = 0 + P = P for all P ∈ E </li>
<li> P + (−P) = 0 for all P ∈ E </li>
<li> P + (Q + R) = (P + Q) + R for all P, Q, R ∈ E </li>
<li> P + Q = Q + P for all P, Q ∈ E </li>
</ul>
<li> Point Adding </li>
<ul>
<li> P + Q + R = 0 for all P, Q, R ∈ E and for all P, Q, R ∈ L</li>
</ul>
<li> Point Doubling </li>
<ul>
<li> P is tangent on E i.e. P = Q </li>
<li> 2P + R = 0 for all P, Q, R ∈ E
</ul>
<li> Characteristics of a line </li>
<ul>
<li> Line (L) : y = λx + ν </li>
<li> Slope λ: <br>
P1 = (x1, y1) and P2 = (x2, y2)<br>
λ = (y2-y1)/(x2-x1)<br>
</li>
</ul>
<li> Calculating slope for points on Elliptic curve </li>
<ul>
<li> For P1 != P2 </li>
λ = (y2-y1)/(x2-x1)                           ---------------- (4) <br>
<li> For P1 = P2 </li>
y^2 = x^3 + ax + b <br>
Differentiating both sides: <br>
=> d(y^2) = d(x^3 + ax + b) <br>
=> 2ydy = (3x^2 + a)dx <br>
=> λ = dy/dx = (3x^2 + a)/2y                   ---------------- (3)
</ul>
<li> Deriving Formula for point Adding i.e. P1 != P2 </li>
E : y^2 = x^3 + Ax + B and L : y = λx + ν <br>
By substituting y from L: <br>
=> (λx + ν)^2 = x^3 + Ax + B <br>
=> x^3 + Ax + B − (λx + ν)^2 = 0                                 ----------------- (1) <br>
Since x is on elliptic curve as well as line it is either x1, x2, or x3 <br>
=> x - x1 = 0 or x - x2 = 0 or x - x3 = 0 where x1, x2, x3, x ∈ E and L <br>
=> (x - x1)(x - x2)(x - x3) = 0  where x1, x2, x3, x ∈ E and L   ------------------ (2) <br>
Equating (1) and (2) <br>
=> x^3 + Ax + B − (λx + ν)^2 = (x - x1)(x - x2)(x - x3) where x1, x2, x3, x ∈ E and L <br>
=> x^3 + Ax + B − (λ^2*x^2 + 2νλx + ν^2) = x^3 - (x1 + x2 + x3)x^2 + ... <br>
Matching multipiers of x^2 only <br> 
=> λ^2*x^2 = (x1 + x2 + x3)x^2 <br>
=> λ^2 = x1 + x2 + x3 <br>
=> x3 = λ^2 - x1 - x2                           ------------------ (5) <br>
Using slope formula: λ = (y2-y1)/(x2-x1) <br>
=> λ = (y1-y3)/(x1-x3) <br>
Since R = (x3, -y3) <br>
λ = (y1+yr)/(x1-xr) <br>
=> λ (x1 - xr) = (y1+yr) <br>
=> yr = λ (x1 - xr) - y1              -----------------------(6) <br>
From (5): <br>
xr = λ^2 - x1 - x2                   -----------------------(7) <br>
We have (4), (6) and (7) to perform point adding  <br>
<li> Deriving Formula for point Doubling i.e. P1 = P2 </li>
From (3) <br>
λ = (3x^2 + a)/2y <br>
From (7) i.e. xr = λ^2 - x1 - x2 <br>
=> xr = λ^2 - 2x1            ------------- (8) <br>
From (6) <br>
yr = λ (x1 - xr) - y1 <br>
We have (3), (8) and (6) to perform point doubling
</ul>
</p>

<img src="img/add-points.png",width=400,height=400>

<h2> Scalar Multiplication with a Point </h2>
<p>
To calculate mP:<br>
m = m0 + m1\*2^1 + m2\*2^2 + · · · + mr\*2^r where m0 , . . . , mr ∈ {0, 1}<br>
mP = m0\*P + m1\*P\*2 + m2\*P\*2^2 + · · · + mr\*P\*2^r where 2^k\*P requires k doublings<br>
</p>

In [4]:
def point_mul(p, m):
    n = p
    q = None

    for i in range(256):
        if m & (1 << i):
            if q is None:
                q = n
            else:
                q = point_add(q, n)

        n = point_add(n, n)

    return q

<h2> Elliptic curve in finite field </h2>
<p>
Elliptic curve E is reduced by modulo prime P.<br>
Finite field created by modulo prime P is denoted by Ƒp <br>
=> Ě: y^2 = x^3 + Ăx + Ḃ where Ă,Ḃ ∈ Ƒp
</p>

<h3> Point adding in Finite field Elliptic Curve </h3>
<p>
From (4)<br>
λ = (yq-yp)/(xq-xp) % P<br>
To obtain λ we need to find multiplicative-inverse of (xq-xp) in finite field<br>
=> (yq-yp) \* Multiplicate-Inverse(xq-xp) % P<br>
########### <br>
Multiplicative inverse i of a number N in finite field is calculated by :<br>
N * i % P = 1 <br>
since N^(P-1) % P = 1 <br>
=> i = N^(P-2) <br>
=> (1/N) % P = N^(P-2) % P <br>
########## <br>
=> ((yq-yp) \* ((xq-xp)^(P - 2) % P)) % P<br>
From (7)<br>
xr = (λ^2 - xp - xq) % P <br>
From (6)<br>
yr = (λ (xp - xr) - yp) % P

<h3> Point doubling in Finite field Elliptic Curve </h3>
<p>
From (3) <br>
λ = (3xp^2 + a)/2yp <br>
=> λ = (3xp^2 + a) \* pow(2*yp % P, P - 2, P) % P <br>
From (8) <br>
xr = (λ^2 - 2xp) % P  <br>
From (6) <br>
yr = (λ (xp - xr) - yp) % P
</p>

In [5]:
def point_add(p, q):
    global a # a = 0 incase of bitcoin
    xp, yp = p
    xq, yq = q

    # point doubling 
    if p == q:
        l = pow(2 * yp % P, P - 2, P) * (3 * xp * xp + a) % P
    # point adding
    else:
        l = pow(xq - xp, P - 2, P) * (yq - yp) % P

    xr = (l ** 2 - xp - xq) % P
    yr = (l * xp - l * xr - yp) % P

    return xr, yr

<h1> Bitcoin Elliptical Curve Cryptography </h1>
<p> Bitcoin uses sec256k1 Elliptical Curve.<br>
Elliptic curve domain parameters over Ƒp are a sextuple: T = (p, a, b, G, n, h)<br>
Where: <br>
<ul>
<li> p is Modulo Prime</li>
<li> G is point on E(Ƒp)</li>
<li> n is the order of the basepoint G. It is the number of points the basepoint generates under repeated addition:<br>
nG = Identity Point (O). Identity Point O is sush that O + G = G. </li>
<li> h is the cofactor of basepoint G. It is the order of the entire group (number of points on the curve) divided by the order of basepoint G. </li>
</ul>
</p>

<h2> Constants </h2>
<p> The elliptic curve domain parameters over Ƒp associated with a Koblitz curve secp256k1 are
specified by the sextuple T = (p, a, b, G, n, h) where the finite field Ƒp is defined by </p>
<ul>
<li> 
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
FFFFFC2F <br>
  = 2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1 
</li>
<li>
The curve E: y^2 = x^3 + ax + b over Ƒp is defined by:
a = 0 <br>
b = 7 <br>
=> Curve E: y^2 = x^3 + 7 over Ƒp
</li>
<li>
The base point G in compressed form is:<br>
G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
</li>
<li>
The base point G in uncompressed form is:<br>
G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
</li>
<li>
The order n of G and the cofactor are:<br>
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141<br>
h = 1
</li>
</ul>

In [8]:
import binascii

# Bitcoin Secp256k1 constants [
# generator point
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# field prime
P = 2 ** 256 - 2 ** 32 - 2 ** 9 - 2 ** 8 - 2 ** 7 - 2 ** 6 - 2 ** 4 - 1

# order
N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF

a = 0
b = 7

<h2> Key Generation </h2>
<p> K = k \* G where G is generator point, k is Private Key(a scalar), K is Public Key ∈ Ƒp </p>

In [91]:
import ipywidgets as widgets
from IPython.display import display 
import binascii

def privkey2pubkey(k: int):
    global G
    K = point_mul(G, k)
    return K

privkey = widgets.Text(description = 'Private Key')
privkey

In [99]:
pubkey = privkey2pubkey(int(privkey.value, 16))
print('04 %x %x' % (pubkey[0], pubkey[1]))

04 fcd4e9e28c13690ecff0c74633626be73c261f376b6e112ec82ad691b17c13dd 7908b8ec3209477496405fc0c51585df9d43fcf2c637e5586777768f39827d0b


<h2> Message Signing </h2>
<p> Steps to get Signature </p>
<ul>
<li> Calculate e=dSHA256(m), where dSHA256 is Double SHA-256 Hash function </li>
<li> z is left most bit of e </li>
<li> Select random number k from [1,n-1] ----------------- (1) </li>
<li> (x, y) = k \* G </li>
<li> Calculate r=x mod n. If r=0, go back to (1) </li>
<li> Calculate s=(k^(-1) \* (z+r \* privkey)) mod n. If s=0, go back to step 3 </li>
<li> The signature is the pair (r,s) </li>
</ul>

<h2> Signature Verification </h2>
<p> Steps to verify Signature </p>

<h2> Compressing/Uncompressing Point on Elliptic Curve secp256k1 </h2>

<h3> Compressing Point </h3>
<p>
For a given x0 there are two values of y i.e. y0, -y0 <br>
In finite field Ƒp: <br>
The two values of y are y0 and P - y0 <br>
This gives us equation: y1 = P - y0 <br>
Since P is odd in secp256k1 for any given x: y is either odd or even. <br>
So y is removed by adding prefix denoting whether y is odd or even. <br>
0x02 prefix denote y is even and 0x03 prefix denote y is odd. <br>
0x04 prefix denote point is uncompressed.
</p>

In [14]:
import ipywidgets as widgets
from IPython.display import display 
import binascii

def compressPubkey(pubkey: bytes):
    if pubkey[0:1] == b'\x04':
        x_b = pubkey[1:33]
        y_b = pubkey[33:65]
        if (y_b[31] & 0x01) == 0: # even
                compressed_pubkey = b'\x02' + x_b
        else:
                compressed_pubkey = b'\x03' + x_b
    elif pubkey[0:1] == b'\x02' or pubkey[0:1] == b'\x03':
        compressed_pubkey = pubkey
    else:
        raise ValueError('Invalid Elliptic Curve Point prefix %s' % pubkey[0])
    return compressed_pubkey

pubkey_s = widgets.Text(description = 'Public Key')
pubkey_s

In [15]:
compressed_pubkey = compressPubkey(binascii.unhexlify(pubkey_s.value))
compressed_pubkey_s = bytes.decode(binascii.hexlify(compressed_pubkey))
print(compressed_pubkey_s)

0250863ad64a87ae8a2fe83c1af1a8403cb53f53e486d8511dad8a04887e5b2352


<h3> Uncompressing Point </h3>
<p>
Curve E: y^2 = x^3 + 7 over Ƒp <br>
and P % 4 = 3 <br>
=> y % p = y^(2*(p + 1)/4) % p <br>
</p>

In [20]:
import ipywidgets as widgets
from IPython.display import display 
import binascii

# field prime
P = 2 ** 256 - 2 ** 32 - 2 ** 9 - 2 ** 8 - 2 ** 7 - 2 ** 6 - 2 ** 4 - 1

def uncompressPubkey(x_b: bytes):
        prefix = x_b[0:1]
        x_b = x_b[1:33]
        x = int.from_bytes(x_b, byteorder='big')

        y_square = (pow(x, 3, P)  + 7) % P
        y_square_square_root = pow(y_square, ((P+1) >> 2), P)
        if (prefix == b"\x02" and y_square_square_root & 1) or (prefix == b"\x03" and not y_square_square_root & 1):
            y = (-y_square_square_root) % P
        else:
            y = y_square_square_root

        y_b = y.to_bytes(32, 'big')
        full_pubkey_b = b''.join([b'\x04', x_b, y_b])
        return full_pubkey_b
    
pubkey_s = widgets.Text(description = 'Public Key')
pubkey_s

In [21]:
uncompressed_pubkey = uncompressPubkey(binascii.unhexlify(pubkey_s.value))
uncompressed_pubkey_s = bytes.decode(binascii.hexlify(uncompressed_pubkey))
print(uncompressed_pubkey_s)

0450863ad64a87ae8a2fe83c1af1a8403cb53f53e486d8511dad8a04887e5b23522cd470243453a299fa9e77237716103abc11a1df38855ed6f2ee187e9c582ba6
