Skip to content

Latest commit

 

History

History
443 lines (272 loc) · 16 KB

ch02.asciidoc

File metadata and controls

443 lines (272 loc) · 16 KB

Programming Bitcoin

Elliptic Curves

In this chapter we’re going to learn about Elliptic Curves. In the next chapter, we will combine Elliptic Curves with Finite Fields to make Elliptic Curve Cryptography.

As in the previous chapter, elliptic curves can look intimidating if you haven’t seen them before. Also as in the previous chapter, the actual math isn’t very difficult. Most of Elliptic Curves could have been taught to you around the second year of High School. In this chapter, we’ll get to what these curves are and what we can do with them.

Definition

Elliptic Curves are really just like many equations you’ve been seeing since around 8th grade. They have y on one side and x on the other in some form. They specifically have a form like this:

y2=x3+ax+b

This is probably somewhat familiar as you’ve worked with other equations that look similar. For example, you probably learned the linear equation back in pre-algebra:

y = mx + b

You may even remember that m here has the name slope and b, y-intercept. You can also graph linear equations like this:

Linear Equation
Figure 1. Linear Equation

Similarly, you’re probably familiar with the quadratic equation and its graph:

y = ax2+bx+c

Quadratic Equation
Figure 2. Quadratic Equation

And sometime in high school, you did even higher orders on x, something called the cubic equation and its graph:

y = ax3+bx2+cx+d

Cubic Equation
Figure 3. Cubic Equation

An elliptic curve isn’t all that different. The only real difference between the elliptic curve and the cubic curve above is the y2 term on the right side. This has the effect of making the graph symmetric over the x-axis like so:

Elliptic Curve Equation
Figure 4. Continuous Elliptic Curve

You may also have noticed that the elliptic curve is less steep than the cubic curve. Again, this is because of the y2 term on the right. At times, the curve may even be disjoint like this:

Elliptic Curve Equation
Figure 5. Disjoint Elliptic Curve

If it helps, an elliptic curve is more or less made by taking a cubic equation graph, taking only the part above the x-axis, flattening it out and then mirroring the top half on the bottom half of the x-axis.

Start
Figure 6. Step 1: A Cubic Equation
Stretch
Figure 7. Step 2: Stretched Cubic Equation
Symmetric
Figure 8. Step 3: Reflected over the X-Axis

Specifically, the elliptic curve used in Bitcoin is called secp256k1 and it uses this particular equation:

y2=x3+7

The canonical form is y2=x3+ax+b so you can also think of the curve as being a=0, b=7. The curve looks like this:

secp256k1 Curve
Figure 9. secp256k1 Curve

Coding Elliptic Curves in Python

For a variety of reasons which will be clear later, we are not interested in the curve itself, but specific points on the curve. For example, in the curve y2=x3+5x+7, we are interested in the coordinate (-1,1). We are thus going to define the class Point to be the actual point on a specific curve. The curve has a specifc form, y2=x3+ax+b so we can define the curve with just the two numbers a and b.

class Point:

    def __init__(self, x, y, a, b):
        self.a = a
        self.b = b
        self.x = x
        self.y = y
        if self.y**2 != self.x**3+self.a*self.x + self.b: # (1)
	    raise ValueError('Point ({},{}) is not on the curve'.format(x,y))

    def __eq__(self, other): # (2)
        return self.a == other.a and self.b == other.b and self.x == other.x and self.y == other.y
  1. We check here that the point is actually on the curve.

  2. Points are equal iff they are on the same curve and have the same coordinates

This allows us to do something like this:

>>> from ecc import Point
>>> p1 = Point(-1, -1, 5, 7)
>>> p2 = Point(-1, -2, 5, 7)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "ecc.py", line 143, in __init__
    raise ValueError('({}, {}) is not on the curve'.format(self.x, self.y))
ValueError: (-1, -2) is not on the curve

We want the __init__ method to throw an error when the point is actually not on the curve.

Exercise 1

Determine which of these points are on the curve y2=x3+5x+7:

(2,4), (-1,-1), (18,77), (5,7)

Exercise 2

Write the __ne__ method for Point.

Point Addition

The main reason that Elliptic Curves are useful is because of something called Point Addition. Point Addition is where we can do an operation on two of the points on the curve and get a third point. It’s called addition because it has a lot of the intuitions we associate with what we call "addition". For example, Point Addition is commutative. That is, adding point A to point B is the same as adding point B to point A.

The way we define Point Addition is as follows. It turns out that for every elliptic curve a line, except for a couple of special cases, will intersect at either 1 or 3 points.

Line intersecting at 1 point
Figure 10. Line intersects at only 1 point
Line intersecting at 3 points
Figure 11. Line intersects at 3 points

The two exceptions are when a line is tangent to the curve and when a line is exactly vertical.

Vertical Line
Figure 12. Line intersects at 2 points because it’s vertical
Tangent Line
Figure 13. Line intersects at 2 points because it’s tangent to the curve

We will come back to these two cases later.

What’s interesting is that we can define point addition using the fact that lines intersect one or three times with the Elliptic Curve. Two points define a line, so since that line intersects must intersect one more time. That third point reflected over the x-axis is the resulting Point Addition.

Like Field Addition, we are defining Point Addition. In our case, Point Addition is defined this way:

For any two points P1=(x1,y1) and P2=(x2,y2), we get P1+P2 by:

  • Find the point intersecting the elliptic curve a third time by drawing a line through P1 and P2

  • Reflect the resulting point over the x-axis

Visually, it looks something like this:

Point Addition
Figure 14. Point Addition

We first draw a line through the two points we’re adding (P and Q). The third intersection point is R. We then reflect that point over the x-axis, which puts us at the P+Q point in Figure 2-14.

One of the properties that we are going to use is that point addition is not easily predictable. We can calculate point addition easily enough with a formula, but intuitively, the result of point addition can be almost anywhere given two points on the curve. Going back to Figure 2-14, P+Q is to the right of both points, P+R would be somewhere between P and R on the x-axis, and Q+R would be to the left of both points. In mathematics parlance, point addition is non-linear.

Math of Point Addition

"Addition" in the name Point Addition satisfies certain properties that we think of as addition, such as:

  • Identity

  • Commutativity

  • Associativity

  • Invertibiltiy

Identity here means that there’s a zero. That is, there exists some point (I) which when added to a point (P) results in P. We’ll call this point the point at infinity (reasons for this will become clear in a bit). That is:

I + P = P

This is also related to invertibility. For some point P, there’s some other point -P which results in the Identity point. That is:

P + (-P) = I

Visually, these are points opposite each other in the elliptic curve.

Vertical Line
Figure 15. Vertical Line Intersection

This is why we call this point the point at infinity. We have one extra point in the elliptic curve which makes the vertical line intersect a third time.

Commutativity means that P+Q=Q+P. This is obvious since the line going through P and Q will intersect the curve a third time in the same place no matter what order.

Associativity means that (P+Q) + R = P + (Q+R). This isn’t obvious and is the reason for flipping over the x-axis.

Case 1
Figure 16. (P+Q)+R
Case 2
Figure 17. P+(Q+R)

You can see that in both cases, the final point is exactly the same. While this doesn’t prove the associativity of Point addition, the visual should at least give you the intuition that this is true.

To actually do the Point Addition, we’re going to split it up into 3 steps:

  1. Where the points are in a vertical line or using the Identity.

  2. Where the points are not in a vertical line, but are different.

  3. Where the two points are the same.

Coding Point Addition

We first handle the identity, or the point at infinity. Since we don’t have the infinity numbers in Python, we’ll use the None value instead. What we want is something like this:

>>> from ecc import Point
>>> p1 = Point(-1, -1, 5, 7)
>>> p2 = Point(-1, 1, 5, 7)
>>> inf = Point(None, None, 5, 7)
>>> p1 + inf
Point(-1, -1)
>>> inf + p2
Point(-1, 1)
>>> p1 + p2
Point(infinity)

In order to make this work, we have to do two things:

First, we have to adjust the __init__ method slightly so it doesn’t check that the curve equation is satisfied. Second, we have to overload the addition operator or __add__ as we did with the FieldElement class.

class Point:

    def __init__(self, x, y, a, b):
        self.a = a
        self.b = b
        self.x = x
        self.y = y
	if self.x is None and self.y is None:  # (1)
	    return
        if self.y**2 != self.x**3 + self.a*self.x + self.b:
	    raise ValueError('Point ({},{}) is not on the curve'.format(x,y))
    ...

    def __add__(self, other): # (2)
        if self.a != other.a or self.b != other.b:
            raise TypeError('Points {}, {} are not on the same curve'.format(self, other))

    	if self.x is None: # (3)
	    return other
	if other.x is None: # (4)
	    return self
  1. x-coordinate and y-coordinate being None is how we signify the point at infinity. Note that the next if statement will fail if we don’t return here.

  2. We overload the + operator here

  3. self.x being None means that self is the point at infinity, or the additive identity. Thus, we return other

  4. self.x being None means that other is the point at infinity, or the additive identity. Thus, we return self

Exercise 3

Handle the case where the two points are negatives of each other. That is, they have the same x, but a different y, causing a vertical line. This should return the point at infinity.

Point Addition for when x1≠x2

Now that we’ve covered the vertical line, we’re now proceeding to when the points are different. As the points are not vertical, the points must have different x-coordinates. When we have points where the x’s differ, we can add using a fairly simple formula. To help with intuition, it helps first to find the slope created by the two points. You can figure this out using a formula from pre-algebra:

P1=(x1,y1), P2=(x2,y2), P3=(x3,y3)

P1+P2=P3

s=(y2-y1)/(x2-x1)

This is the slope and we can figure out where the x3 intersection is. Once we know that, we can calculate y3. P3 can thus be derived using this formula:

x3=s2-x1-x2

y3=s(x1-x3)-y1

Remember that y3 is the reflection over the x-axis.

Deriving The Point Addition Formula

Supposing:

P1=(x1,y1), P2=(x2,y2), P3=(x3,y3)

P1 + P2 = P3

We want to know what P3 is.

Let’s start with the fact that the line that goes through P1 and P2 looks like this:

s=(y2-y1)/(x2-x1)

y=s(x-x1)+y1

The second formula here is the equation of the line that intersects at both P1 and P2. Now using this formula and plugging it into the elliptic curve equation, we get:

y2=x3+ax+b

y2=(s(x-x1)+y1)2=x3+ax+b

Gathering all the terms, we have this polynomial equation:

x3-s2x2+(a+2s2x1-2sy1)x+b-(sx1-y1)2=0

We also know that x1, x2 and x3 are solutions to this equation, thus:

(x-x1)(x-x2)(x-x3)=0

x3-(x1+x2+x3)x2 +(x1x2+x1x3+x2x3)x-x1x2x3=0

From above, we know that:

x3-s2x2+(a+2s2x1-2sy1)x+b-(sx1-y1)2=0

There’s a result from called the Theorem on the Equality of Polynomials, which states that the coefficients have to equal each other if the roots are the same. The first one that’s interesting is the coefficient in front of x2:

s2=x1+x2+x3

We can use this to derive the formula for x3:

x3=s2-x1-x2

We can plug this in to the formula for the line above:

y=s(x-x1)+y1

But we have to reflect over the x-axis, so this has to be negated:

y3=-(s(x-x1)+y1)=s(x1-x3)-y1

That’s how we arrive at this formula.

Exercise 4

For the curve y2=x3+5x+7, what is (2,5) + (-1,-1)?

Coding Point Addition for when x1≠x2

We now have to actually code this into our library. That means we have to adjust the __add__ method to handle the case where x1≠x2. We have the formulas:

s=(y2-y1)/(x2-x1)

x3=s2-x1-x2

y3=s(x1-x3)-y1

Now we have to return an instance of the class Point that corresponds to this.

Exercise 5

Write the __add__ method where x1≠x2

Point Addition for when P1=P2

When the x coordinates are the same and the y coordinate is different, we have the situation where the points are opposite each other over the x-axis. We know that this means:

P1=-P2 or P1+P2=I

We’ve already handled this above.

What happens when P1=P2? Visually, we have to calculate the line that’s tangent to the curve at P1 and find the point at which the line intersects the curve. The situation looks like this as we saw before:

Tangent Line
Figure 18. Line that’s tangent to the curve

Once again, we’ll have to find the slope of the tangent point.

P1=(x1,y1), P3=(x3,y3)

P1+P1=P3

s=(3x12+a)/(2y1)

The rest of the formula goes through as before, except x1=x2, so we can combine them:

x3=s2-2x1

y3=s(x1-x3)-y1

Deriving the Tangent LIne

We can derive the slope of the tangent line using some slightly more advanced math: calculus. We know that the slope at a given point is

dy/dx

To get this, we need to take the derivative of both sides of the elliptic curve equation:

y2=x3+ax+b

Taking the derivative we get:

2y dy=(3x2+a) dx

Solving for dy/dx, we get:

dy/dx=(3x2+a)/(2y)

That’s how we arrive at the slope formula. The rest of the results from the point addition formula derivation hold.

Exercise 6

For the curve y2=x3+5x+7, what is (-1,1) + (-1,1)?

Coding Point Addition for when P1=P2

Once again, we have to adjust the __add__ method to account for this particular case. We have the formulas, we now have to implement them.

s=(3x12+a)/(2y1)

x3=s2-2x1

y3=s(x1-x3)-y1

Exercise 7

Write the __add__ method where x1=x2 and y1=y2

Coding One More Exception

There is one more exception and this involves the case where the tangent line is vertical:

Tangent Vertical
Figure 19. Vertical and Tangent to the curve

This can only happen if P1=P2 and the y-coordinate is 0, in which case the slope calculation will end up with a 0 in the denominator.

We can handle this using a special case:

class Point:
    zero = 0 # (1)
    ...
    def __add__(self, other):
    	...
	if self == other and self.y == self.zero: # (2)
	    return self.__class__(None, None, self.a, self.b) # (3)
  1. For reasons which will become clear in the next chapter, we need to define zero specific to the class.

  2. If the two points are equal and the y coordinate is zero, we return the point at infinity.

  3. This is how we create a point at infinity

Conclusion

We’ve covered what Elliptic Curves are, how they work and how to do point addition on them. We now combine the concepts from Chapters 1 and 2 to build Elliptic Curve Cryptography