# Cryptographic Utilities

## Exercise 1: MD5, SHA1, SHA256, SHA512

Generate the previsously mentioned hash values of the string `Hello World!`. Do You get the same result as Your neighbour? Check the size of each hash value! What are the corresponding block sizes?
Make a table! How many hash values would You have to generate in order to find a collision with a probability of at least 50% (90%)?

In [16]:
import hashlib

string = 'Hello World!'

# Hashes
md5 = hashlib.md5(string.encode()).hexdigest()
sha1 = hashlib.sha1(string.encode()).hexdigest()
sha256 = hashlib.sha256(string.encode()).hexdigest()
sha512 = hashlib.sha512(string.encode()).hexdigest()
sha3_512 = hashlib.sha3_512(string.encode()).hexdigest()

# We calculate the Bit length of the hash as follows: Lenght of string (in HEX) * 4 (Bits per HEX digit)
print('MD5:    ' + str(md5))
print('Length: ' + str(len(md5) * 4) + '\n')
print('SHA1:   ' + str(sha1))
print('Length: ' + str(len(sha1) * 4) + '\n')
print('SHA256: ' + str(sha256))
print('Length: ' + str(len(sha256) * 4) + '\n')
print('SHA512: ' + str(sha512))
print('Length: ' + str(len(sha512) * 4) + '\n')
print('SHA3:   ' + str(sha3_512))
print('Length: ' + str(len(sha3_512) * 4) + '\n')

MD5:    ed076287532e86365e841e92bfc50d8c
Length: 128

SHA1:   2ef7bde608ce5404e97d5f042f95f89f1c232871
Length: 160

SHA256: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
Length: 256

SHA512: 861844d6704e8573fec34d967e20bcfef3d424cf48be04e6dc08f2bd58c729743371015ead891cc3cf1c9d34b49264b510751b1ff9e537937bc46b5d6ff4ecc8
Length: 512

SHA3:   32400b5e89822de254e8d5d94252c52bdcb27a3562ca593e980364d9848b8041b98eabe16c1a6797484941d2376864a1b0e248b0f7af8b1555a778c336a5bf48
Length: 512



To calculate the corresponding collision probabilities, we use the formula from the slides:

$$ n \approx 2^{\frac{m+1}{2}}\sqrt{\ln(\frac{1}{1-p})} $$

In [18]:
import numpy as np

def number_hashes_for_collision(message_digest_length, probability_threshold):
    n = 2 ** ((message_digest_length+1)/2) * np.sqrt(np.log(1/(1-probability_threshold)))
    return n

print('MD5, p = 0.5:  ' + str(number_hashes_for_collision(128,0.5)))
print('MD5, p = 0.8:  ' + str(number_hashes_for_collision(128,0.8)))
print('SHA1, p = 0.5:  ' + str(number_hashes_for_collision(160,0.5)))
print('SHA1, p = 0.8:  ' + str(number_hashes_for_collision(160,0.8)))
print('SHA256, p = 0.5:  ' + str(number_hashes_for_collision(256,0.5)))
print('SHA256, p = 0.8:  ' + str(number_hashes_for_collision(256,0.8)))
print('SHA512, p = 0.5:  ' + str(number_hashes_for_collision(512,0.5)))
print('SHA512, p = 0.8:  ' + str(number_hashes_for_collision(512,0.8)))
print('SHA3, p = 0.5:  ' + str(number_hashes_for_collision(512,0.5)))
print('SHA3, p = 0.8:  ' + str(number_hashes_for_collision(512,0.8)))

MD5, p = 0.5:  2.171938135516356e+19
MD5, p = 0.8:  3.30957200331212e+19
SHA1, p = 0.5:  1.4234013764919992e+24
SHA1, p = 0.8:  2.1689611080906308e+24
SHA256, p = 0.5:  4.006518692980012e+38
SHA256, p = 0.8:  6.1050827738612895e+38
SHA512, p = 0.5:  1.3633476639602231e+77
SHA512, p = 0.8:  2.077452016537768e+77
SHA3, p = 0.5:  1.3633476639602231e+77
SHA3, p = 0.8:  2.077452016537768e+77


Data from the [Secure Hash Standard - FIPS.180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf):

| Hash function | Message Digest size | Block size | n Hashes p(Collision) > 50% | n Hashes p(Collision) > 90% |
|:--- |:--- |:--- |:--- |:--- |
| MD5 | $128$ | $512$ | $ 2.18\cdot 10^{19} $ | $ 3.31\cdot 10^{19} $ |
| SHA1 | $160$ | $512$ | $ 1.42\cdot 10^{24} $ | $ 2.17\cdot 10^{24} $ |
| SHA256 | $256$ | $512$ | $ 4.01\cdot 10^{38} $ | $ 6.11\cdot 10^{38} $ |
| SHA512 | $512$ | $1024$ | $ 1.37\cdot 10^{77} $ | $ 2.08\cdot 10^{77} $ |
| SHA3_512 | $512$ | $576$ | $ 1.36\cdot 10^{77} $ | $ 2.08\cdot 10^{77} $ |

## Exercise 2: True random number generator

Check if Your computer can generate true random numbers, possibly through some special device? Find out the underlying physical principle (thermal noise, etc.). How can You use the random number generator in the power shell (Windows) or some shell (bash, sh, etc.) on Linux or MAC OS X?
How are true random numbers generated on smart cards? Do some research on the internet!

#### True random numbers:
- The /dev/random device on Linux: Generates random numbers, “blocks” and doesn’t return a result until it gathers enough entropy to return a truly random number.
- Intel chips include a hardware-based random number generator known as RdRand. This chip uses an entropy source on the processor and provides random numbers to software when the software requests them. The problem here is that the random number generator is essentially a black box and we don’t know what’s going on inside it.
- Sources of randomness from the environment include 
 - inter-keyboard timings, 
 - inter-interrupt timings from some interrupts, 
 - and other events which are both 
   - (a) non-deterministic and 
   - (b) hard for an outside observer to measure.  
- Randomness from these sources are added to an "entropy pool", which is mixed using a CRC-like function.

#### PowerShell
- Get-Random sets a default seed for each session based on the system time clock when the session starts.

#### Smart Cards
Current random numbergenerators in the smart card micro-controllers are generallybased on Linear Feedback Shift Registers (LFSR) driven byvoltage-controlled oscillators.

Source: http://www.academia.edu/2519923/Pseudorandom_Number_Generation_in_Smart_Cards_An_Implementation_Performance_and_Randomness_Analysis

## Exercise 3: Linear congruential random number generator

Compute the period of a **linear congruential number** generator if $m = 11$, $b = 5$, $a = 3$ and $x_0 = 7$ is used. Write down the sequence of random number! What is the maximal size of the period? Adapt the parameters, such that the period is maximal!

In [86]:
def lcp(m, a, b, x):
    periodsize = 0
    numbers = []
    def lcp_inner(m, a, b, x):
        nonlocal periodsize
        nonlocal numbers
        random = (a*x+b)%m
        if random not in numbers:
            numbers.append(random)
            periodsize += 1
            lcp_inner(m, a, b, random)
        else:
            print("size of period: " + str(periodsize))
            print("randomnumbers: " + str(numbers))
    lcp_inner(m, a, b, x)

In [91]:

## with parameters
lcp(11,3,5,7)


print("\nwith maximal size of period")
## a must be 1 and b between 2 and 10
lcp(11,1,5,7)

size of period: 5
randomnumbers: [4, 6, 1, 8, 7]

with maximal size of period
size of period: 11
randomnumbers: [1, 6, 0, 5, 10, 4, 9, 3, 8, 2, 7]


## Exercise 4a: LFSR

Construct an LFSR of length $5$ which produces the sequence of bits $(1, 0, 1, 1, 0, 0, 1, 0, 1, 0,...)$. What is the period of this LFSR? What is the maximal period? Try to improve this LFSR such that it has maximum period!

**Solution**: Connection (or feedback) polynomial $C(D) = 1 + D + D^3 + D^5$; recursive formula
$$ s_j =
\sum_{k=1}^5{
c_k s_{j−k}} \text{mod}\ 2= s_{j−1}+s_{j−3}+s_{j−5}\text{mod}\ 2, j ≥ 5.$$ 
Period is $15$ which can be improved to $31$ by adding $c_2 = 1$ as an example! To make computations easy, use the following python code
```python
def lfsr5(seed, taps):
	sr, xor = seed, 0
	while 1:
		for t in taps:
			xor += int(sr[t − 1])
		xor %= 2
		sr, xor = str(xor) + sr[: − 1], 0
		yield sr
		if sr == seed:
			break

a = lfsr5(’10110’, (5,3,2,1))
[next(a) for j in range(31)]
```

![Diagram of LFSR](img\LinearFeedbackShiftRegister.png)

To crack this LFSR we make ourself a table, where we know the length is five, and we know the output, and thus the state of each register:

| Clock cycle | $S_4$ | $S_3$ | $S_2$ | $S_1$ | $S_0$ | Out |
| :--- | :--- | :--- | :--- | :--- | :--- |
| 0 | | | | | | - |
| 1 | | | | | | 1 |
| 2 | | | | | | 0 |
| 3 | | | | | | 1 |
| 4 | | | | | | 1 |
| 5 | | | | | | 0 |
| 6 | | | | | | 0 |
| 7 | | | | | | 1 |
| 8 | | | | | | 0 |
| 9 | | | | | | 1 |
| 10 | | | | | | 0 |

Now we can use backwards induction to fill in the preceding registers:

| Clock cycle | $S_4$ | $S_3$ | $S_2$ | $S_1$ | $S_0$ | Out |
| :--- | :--- | :--- | :--- | :--- | :--- |
| 0  | 0 | 1 | 1 | 0 | 1 | - |
| 1  | 0 | 0 | 1 | 1 | 0 | 1 |
| 2  | 1 | 0 | 0 | 1 | 1 | 0 |
| 3  | 0 | 1 | 0 | 0 | 1 | 1 |
| 4  | 1 | 0 | 1 | 0 | 0 | 1 |
| 5  | 0 | 1 | 0 | 1 | 0 | 0 |
| 6  |   | 0 | 1 | 0 | 1 | 0 |
| 7  |   |   | 0 | 1 | 0 | 1 |
| 8  |   |   |   | 0 | 1 | 0 |
| 9  |   |   |   |   | 0 | 1 |
| 10 |   |   |   |   |   | 0 |

Now we _only_ have to induce the values $c_i$ of the AND-Gates:

![Our LFSR](img\LFSR5.png)

We can calculate these values with the following equations:

$$
0 = (c_1 \cdot 0 + c_2 \cdot 1 + c_3 \cdot 1 + c_4 \cdot 0 + c_5 \cdot 1) \mod 2 \\
1 = (c_1 \cdot 0 + c_2 \cdot 0 + c_3 \cdot 1 + c_4 \cdot 1 + c_5 \cdot 0) \mod 2 \\
0 = (c_1 \cdot 1 + c_2 \cdot 0 + c_3 \cdot 0 + c_4 \cdot 1 + c_5 \cdot 1) \mod 2 \\
1 = (c_1 \cdot 0 + c_2 \cdot 1 + c_3 \cdot 0 + c_4 \cdot 0 + c_5 \cdot 1) \mod 2 \\
0 = (c_1 \cdot 1 + c_2 \cdot 0 + c_3 \cdot 1 + c_4 \cdot 0 + c_5 \cdot 0) \mod 2 \\
$$

This is of course nothing different than this matrix problem:

$$ 
\begin{bmatrix}
0& 1& 1& 0& 1 \\
0& 0& 1& 1& 0 \\
1& 0& 0& 1& 1 \\
0& 1& 0& 0& 1 \\
1& 0& 1& 0& 0 \\
\end{bmatrix}
\cdot
\begin{bmatrix}
c_1 \\
c_2 \\
c_3 \\
c_4 \\
c_5 \\
\end{bmatrix}
\equiv
\begin{bmatrix}
0 \\
1 \\
0 \\
1 \\
0 \\
\end{bmatrix}
\mod 2
$$

Hence our $c_{1...5}$ are $1,0,1,0,1$

In [24]:
import numpy
import math
from numpy import matrix
from numpy import linalg

### Shamelessly 'borrowed' from https://stackoverflow.com/questions/4287721/easiest-way-to-perform-modular-matrix-inversion-with-python
# Finds the inverse of matrix A mod p
def modMatInv(A,p):
    n=len(A)
    A=matrix(A)
    adj=numpy.zeros(shape=(n,n))
    for i in range(0,n):
        for j in range(0,n):
            adj[i][j]=((-1)**(i+j)*int(round(linalg.det(minor(A,j,i)))))%p
    return (modInv(int(round(linalg.det(A))),p)*adj)%p

# Finds the inverse of a mod p, if it exists
def modInv(a,p):
    for i in range(1,p):
        if (i*a)%p==1:
            return i
    raise ValueError(str(a)+" has no inverse mod "+str(p))

# Return matrix A with the ith row and jth column deleted
def minor(A,i,j):
    A=numpy.array(A)
    minor=numpy.zeros(shape=(len(A)-1,len(A)-1))
    p=0
    for s in range(0,len(minor)):
        if p==i:
            p=p+1
        q=0
        for t in range(0,len(minor)):
            if q==j:
                q=q+1
            minor[s][t]=A[p][q]
            q=q+1
        p=p+1
    return minor

S = np.matrix('0 1 1 0 1; 0 0 1 1 0; 1 0 0 1 1; 0 1 0 0 1; 1 0 1 0 0')
o = np.matrix('0;1;0;1;0')
c = (modMatInv(S,2).dot(o)%2)
print(c)

[[1.]
 [0.]
 [1.]
 [0.]
 [1.]]


Which in turn enables us to complete the table:

| Clock cycle | $S_4$ | $S_3$ | $S_2$ | $S_1$ | $S_0$ | Out |
| :--- | :--- | :--- | :--- | :--- | :--- |
| 0  | 0 | 1 | 1 | 0 | 1 | - |
| 1  | 0 | 0 | 1 | 1 | 0 | 1 |
| 2  | 1 | 0 | 0 | 1 | 1 | 0 |
| 3  | 0 | 1 | 0 | 0 | 1 | 1 |
| 4  | 1 | 0 | 1 | 0 | 0 | 1 |
| 5  | 0 | 1 | 0 | 1 | 0 | 0 |
| 6  | 0 | 0 | 1 | 0 | 1 | 0 |
| 7  | 0 | 0 | 0 | 1 | 0 | 1 |
| 8  | 0 | 0 | 0 | 0 | 1 | 0 |
| 9  | 1 | 0 | 0 | 0 | 0 | 1 |
| 10 | 1 | 1 | 0 | 0 | 0 | 0 |

The maximum period for a LFSR is $2^{L}-1$, four our LFSR this value would be $2^5-1=31$, but our feedback (/connection) polynomial is $C(D) = 1 + D + D^3 + D^5$, as the number of tabs is uneven (3) this polynomial is not primitive, ie. does not have the maximum period.

We can calculate the period m, by finding the smallest m for which $C(D)$ divides $x^m+1$ [link](http://www-math.ucdenver.edu/~wcherowi/courses/m5410/m5410fsr.html) .

Starting from the factorization over the GF(2) of $x^{31}+1$:

| m | Factorization over GF(2) |
| :--- | :--- |
| 31 | $(x + 1)(x^5 + x^2 + 1)(x^5 + x^3 + 1)(x^5 + x^3 + x^2 + x + 1)(x^5 + x^4 + x^2 + x + 1)(x^5 + x^4 + x^3 + x + 1)(x^5 + x^4 + x^3 + x^2 + 1)$ |
| 30 | $(x + 1)^2 (x^2 + x + 1)^2 (x^4 + x + 1)^2 (x^4 + x^3 + 1)^2 (x^4 + x^3 + x^2 + x + 1)^2$ |
| 29 | $(x + 1) (x^{28} + x^{27} + x^{26} + x^{25} + x^{24} + x^{23} + x^{22} + x^{21} + x^{20} + x^{19} + x^{18} + x^{17} + x^{16} + x^{15} + x^{14} + x^{13} + x^{12} + x^{11} + x^{10} + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)$ |
| 28 | $(x + 1)^4 (x^3 + x + 1)^4 (x^3 + x^2 + 1)^4$ |
| 27 | $(x + 1) (x^2 + x + 1) (x^6 + x^3 + 1) (x^{18} + x^9 + 1)$ |
| 26 | $(x + 1)^2 (x^{12} + x^11 + x^10 + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)^2$ |
| 25 | $(x + 1) (x^4 + x^3 + x^2 + x + 1) (x^{20} + x^{15} + x^{10} + x^5 + 1)$ |
| 24 | $(x + 1)^8 (x^2 + x + 1)^8$ |
| 23 | $(x + 1) (x^{11} + x^9 + x^7 + x^6 + x^5 + x + 1) (x^{11} + x^{10} + x^6 + x^5 + x^4 + x^2 + 1)$ |
| 22 | $(x + 1)^2 (x^{10} + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)^2$ |
| 21 | $(x + 1) (x^2 + x + 1) (x^3 + x + 1) (x^3 + x^2 + 1) (x^6 + x^4 + x^2 + x + 1) (x^6 + x^5 + x^4 + x^2 + 1)$ |
| 20 | $(x + 1)^4 (x^4 + x^3 + x^2 + x + 1)^4$ |
| 19 | $(x + 1) (x^{18} + x^{17} + x^{16} + x^{15} + x^{14} + x^{13} + x^{12} + x^{11} + x^{10} + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)$ |
| 18 | $(x + 1)^2 (x^2 + x + 1)^2 (x^6 + x^3 + 1)^2$ |
| 17 | $(x + 1) (x^8 + x^5 + x^4 + x^3 + 1) (x^8 + x^7 + x^6 + x^4 + x^2 + x + 1)$ |
| 16 | $(x + 1)^{16}$ |
| 15 | $(x + 1) (x^2 + x + 1) (x^4 + x + 1) (x^4 + x^3 + 1) (x^4 + x^3 + x^2 + x + 1)$ |
| 14 | $(x + 1)^2 (x^3 + x + 1)^2 (x^3 + x^2 + 1)^2$ |
| 13 | $(x + 1) (x^{12} + x^{11} + x^{10} + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)$ |
| 12 | $(x + 1)^4 (x^2 + x + 1)^4$ |
| 11 | $(x + 1) (x^10 + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)$ |
| 10 | $(x + 1)^2 (x^4 + x^3 + x^2 + x + 1)^2$ |
| 9 | $(x + 1) (x^2 + x + 1) (x^6 + x^3 + 1)$ |
| 8 | $(x + 1)^8$ |
| 7 | $(x + 1) (x^3 + x + 1) (x^3 + x^2 + 1)$ |
| 6 | $(x + 1)^2 (x^2 + x + 1)^2$ |
| 5 | $(x^4 + x^3 + x^2 + x + 1)$ |
| 4 | $(x + 1)^4$ |
| 3 | $(x + 1) (x^2 + x + 1)$ |
| 2 | $(x + 1)^2$ |
| 1 | $(x + 1)$ |

At which point we did not find our polynomial, be sad, and conclude that polynomials are just sad losers and leave them galoising around =(.

## Exercise 4b: Is random really random (optional)
Read section 5.4.4 in the _Handbook of Applied Cryptography_ by A. Menezes, P. van Oorschot and S. Vanstone (p 181, 182, 183). Here we will only look at the monobit and the two-bit test of example 5.31 in the same book.
Consider the (probably non-random) sequence $s$ of length $n = 160$ obtained by replicating the following sequence four times

$$11100\ 01100\ 01000\ 10100\ 11101\ 11100\ 10010\ 01001$$

Apply the monobit and two-bit test. Based on these two tests, would you say, the sequence random?


**Solution**: monobit test passed because: $X_1 = 0.4 < 3.8415$; two-bit test passed because: $X_2 = 0.6252 <3.8415$; sequence would also pass poker test, but not runs and autocorrelation test.

## Exercise 5: Probability for a collision
There are 40 people in a room. You bet, that there are at least 2 people with the same birthday. What is the probability, that You win? Use the exact formula as well as the approximation!

**Solution**: Probility of having two people with the same birthday is $0.882$ or $88.2\%$. Use symbolic python for the exact answer:
```python
from sympy import *
i = symbols(’i’,integer=True)
p = 1 − product((365 − i)/365,(i,1,39))
p.evalf()
```

Probability of at least 2 people having the same birthday = 1 - probability of all people having different birthdays

probability of all people having different birthdays = $\frac{\prod_{n=0}^{39}(365-n)}{365^{40}} = 0.1088$

Probability of at least 2 people having the same birthday = $1 - 0.1088 = 0.8912$

## Exercise 6: Probability of a collision

Suppose You use a hash function of length $128$ bits. How many hash values would you have to compute in order to find a collision with probability at least 90%? Use the approximate forumula from Slide 14/58:

$$n \approx 2^{(m+1)/2}\sqrt{\ln\left(\frac{1}{1−p}\right)}$$

where $m = 128$ and $p = 0.9$. How much storage would you need, if you need $16$ bytes for each hash?

**Solution**: $n \approx 3.95861\cdot10^{19}$ ; $633'377'600$ terabytes storage.