**Exercise 1**
<br/>
Implement the final version of the authenticated DH protocol in Slide 16. (You can
use external libraries.)


In [1]:
!pip install rsa

Collecting rsa
  Obtaining dependency information for rsa from https://files.pythonhosted.org/packages/49/97/fa78e3d2f65c02c8e1268b9aba606569fe97f6c8f7c2d74394553347c145/rsa-4.9-py3-none-any.whl.metadata
  Downloading rsa-4.9-py3-none-any.whl.metadata (4.2 kB)
Collecting pyasn1>=0.1.3 (from rsa)
  Obtaining dependency information for pyasn1>=0.1.3 from https://files.pythonhosted.org/packages/c8/f1/d6a797abb14f6283c0ddff96bbdd46937f64122b8c925cab503dd37f8214/pyasn1-0.6.1-py3-none-any.whl.metadata
  Downloading pyasn1-0.6.1-py3-none-any.whl.metadata (8.4 kB)
Downloading rsa-4.9-py3-none-any.whl (34 kB)
Downloading pyasn1-0.6.1-py3-none-any.whl (83 kB)
   ---------------------------------------- 0.0/83.1 kB ? eta -:--:--
   -------------- ------------------------- 30.7/83.1 kB 1.4 MB/s eta 0:00:01
   ---------------------------------------- 83.1/83.1 kB 1.6 MB/s eta 0:00:00
Installing collected packages: pyasn1, rsa


ERROR: Could not install packages due to an OSError: [WinError 2] The system cannot find the file specified: 'C:\\Python311\\Scripts\\pyrsa-decrypt.exe' -> 'C:\\Python311\\Scripts\\pyrsa-decrypt.exe.deleteme'


[notice] A new release of pip is available: 23.2.1 -> 24.3.1
[notice] To update, run: python.exe -m pip install --upgrade pip


In [None]:
from sympy import randprime, primitive_root, factorint, isprime
import rsa
import random


# define participant with  authenticated DH protocol
class DHParticipant:

    __name: str
    __private_key: int
    __public_key: int
    __shared_private_key: int
    __p: int

    # constructor of participant class
    def __init__(self, name: str):
        self.__name = name

    # return q as a prime which the biggest prime factor of p - 1
    def __generate_q(self, p: int):
        # find list factors of p - 1
        factors = factorint(p - 1)
        # filter prime number in factor list
        prime_factors = [factor for factor in factors if isprime(factor)]
        # return the biggest factor in prime factor list
        return max(prime_factors) if prime_factors else None

    # return r as a random number as:
    #  (r**2) mod p != 1
    #  (g**r) mod p != 1
    #  (g**r) mod p != p - 1
    def __generate_r(self, p: int, g: int):
        while True:
            r = random.randint(2, p - 2)
            if pow(r, 2, p) != 1 and pow(g, r, p) != 1 and pow(g, r, p) != p - 1:
                return r

    # sign a message with RSA algorithm for authentication purpose
    # return (rsa public key, signature)
    def __generate_authentication(self, msg: str):
        rsa_public_key, rsa_private_key = rsa.newkeys(2048)
        signature = rsa.sign(msg.encode("utf-8"), rsa_private_key, "SHA-256")

        return (rsa_public_key, signature)

    # verify a message with public key and signature using RSA algorithm
    # return an error if authentication failed
    def __verify_authentication(self, msg: str, authentications):
        (rsa_public_key, signature) = authentications

        return rsa.verify(msg.encode("utf-8"), signature, rsa_public_key)

    # generate s as the minimum size of p
    # means that if s= 4, p need at least 4 bits to present
    def generate_s(self):
        # limit min between 2**8 to 2**16
        s = random.randint(8, 16)

        print(self.__name, f"chose s as {s}")

        return s

    # generate parameters based on s
    # return necessary params, public key and authentication info using RSA algorithm
    def select_parameters(self, s: int):
        # select p as a prime with s bits
        p = randprime(2 ** (s - 1), 2**s)
        self.__p = p
        # calculate g as primitive root of p
        g = primitive_root(p)
        # generate q, r based on p, g
        q = self.__generate_q(p)
        r = self.__generate_r(p, g)

        print(f"{self.__name} chose p as {p}, q as {q}, r as {r} with generator as {g}")

        # select private key randomly from 1 to (q - 1)
        self_private_key = random.randint(1, q - 1)
        self.__private_key = self_private_key
        # calculate public of its own as (g**(private key)) mod p
        self_public_key = pow(g, self_private_key, p)
        self.__public_key = self_public_key

        print(f"{self.__name}'s private key is {self.__private_key}")
        print(f"{self.__name}'s public key is {self.__public_key}")

        # generate authentication message based on parameters generated
        message_auth = f"{g},{p},{q},{r},{self_public_key}"
        auth = self.__generate_authentication(message_auth)

        return (g, p, q, r), self_public_key, auth

    # receive params from partner, calculate public, private and shared secret key
    # return public key, authentication info using RSA algorithm
    def receive_initial_parameters(self, params):
        (g, p, q, r), public_key, auth = params
        self.__p = p
        # create authentication message to validate received params
        message_auth = f"{g},{p},{q},{r},{public_key}"
        # verify message, throw error if not valid
        self.__verify_authentication(message_auth, auth)
        print(f"{self.__name} received successfully")
        # generate private key based on received q
        # private key is randomly from 1 to (q - 1)
        self_private_key = random.randint(1, q - 1)
        self.__private_key = self_private_key
        # calculate public of its own as (g**(private key)) mod p
        self_public_key = pow(g, self_private_key, p)
        self.__public_key = self_public_key

        print(f"{self.__name}'s private key is {self.__private_key}")
        print(f"{self.__name}'s public key is {self.__public_key}")

        # shared secret between 2 participants calculated as ((g **(private key of p1) **(private key of p2))) mod p
        # or as (public key of partner **(secret key of its own)) mod p
        shared_secret = pow(public_key, self_private_key, p)
        self.__shared_private_key = shared_secret

        print(f"{self.__name}'s shared secret key is {self.__shared_private_key}")

        # generate authentication params for partner
        auth = self.__generate_authentication(f"{self_public_key}")

        return self_public_key, auth

    # receive authentication params from partner, calculate shared secret key
    def receive_partner_public_key(self, partner_public_key, auth_params):
        # verify authentication params from partner, then verify it
        # throw error if it's invalid
        self.__verify_authentication(f"{partner_public_key}", auth_params)

        print(f"{self.__name} received successfully")

        # shared secret between 2 participants calculated as ((g **(private key of p1) **(private key of p2))) mod p
        # or as (public key of partner **(secret key of its own)) mod p
        shared_secret = pow(partner_public_key, self.__private_key, self.__p)
        self.__shared_private_key = shared_secret

        print(f"{self.__name}'s shared secret key is {self.__shared_private_key}")


# initial 2 object Alice and Bob
alice = DHParticipant("Alice")
bob = DHParticipant("Bob")
# step 1: Alice select s as minimum size of the prime
s = alice.generate_s()
# step 2: Bob generate params based on s
params = bob.select_parameters(s)

try:
    # step 3: Alice receive the params from Bob, verify then calculate the shared secret for itself
    alice_public_key, auth_params = alice.receive_initial_parameters(params)
    # step 4: Bob receive the authentication params from Alice, verify then calculate the shared secret itself
    bob.receive_partner_public_key(alice_public_key, auth_params)
except:
    print("invalid signature!")

Alice chose s as 11
Bob chose p as 1231, q as 41, r as 1053 with generator as 3
Bob's private key is 5
Bob's public key is 243
Alice received successfully
Alice's private key is 9
Alice's public key is 1218
Alice's shared secret key is 469
Bob received successfully
Bob's shared secret key is 469


**Exercise 4**
<br/>
Trusted Third Party (TTP) might be involved in a fair non-repudiation protocol in different extents

- **In-line TTP** acts as an intermediary between the originator and the recipient
  and intervenes directly in a non-repudiation service (e.g. the protocol in Slide
  36).
- **On-line TTP** is actively involved in every instance of a non-repudiation service (e.g. the protocol in Slide 38).
- **Off-line TTP** supports non-repudiation without being involved in each instance of a service

Design (or find in the literature, e.g., in IEEE CSF 1997, “An Efficient Non repudiation Protocol”) a fair non-repudiation protocol using an **off-line TTP** which
does not need to be involved unless the originator or the recipient misbehaves.
