# Public Key Cryptography I

## 1 Shamir’s three-pass protocol

Alice and Bob want to implement Shamir's three-pass protocol using the Vernam cipher, i.e. the one-time pad, which on its own provides perfect secrecy. Is the resulting protocol secure?

![Vernam ciphers (otp) commute!](img/VernamCiphers.png)

__Your Task__: Can you, as an eavesdropper who sees all three transmissions, compute the message? Work through an example with $M = 010110111101$, $K_A = 101101110100$, and $K_B = 001011011011$.
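Worked through in Python as an added example (this code is not part of the original exercise sheet): the three transmissions with the pads given above, Bob's decryption, and what an eavesdropper who only sees the wire can do. The bit strings are the ones from the task; the function names are my own.

```python
def xor_bits(x: str, y: str) -> str:
    """Bitwise XOR of two equal-length bit strings (one-time-pad encryption)."""
    if len(x) != len(y):
        raise ValueError("one-time pad requires key and message of equal length")
    return "".join("1" if a != b else "0" for a, b in zip(x, y))


def three_pass(m: str, k_a: str, k_b: str):
    """Shamir's three-pass protocol with XOR as the 'lock'.

    Returns the three transmissions exactly as an eavesdropper sees them.
    """
    t1 = xor_bits(m, k_a)      # Alice -> Bob : M xor K_A
    t2 = xor_bits(t1, k_b)     # Bob -> Alice : M xor K_A xor K_B
    t3 = xor_bits(t2, k_a)     # Alice -> Bob : M xor K_B  (Alice removed K_A)
    return t1, t2, t3


def bob_recovers(t3: str, k_b: str) -> str:
    """Bob removes his own pad from the last transmission."""
    return xor_bits(t3, k_b)


def eve_recovers(t1: str, t2: str, t3: str) -> str:
    """Eve needs no key: t1 xor t2 = K_B, and (t1 xor t2) xor t3 = M.

    Each pad occurs an even number of times across the three transmissions,
    so XOR-ing all of them cancels both keys and leaves the message.
    """
    return xor_bits(xor_bits(t1, t2), t3)


# Values from the exercise
M = "010110111101"
K_A = "101101110100"
K_B = "001011011011"

if __name__ == "__main__":
    t1, t2, t3 = three_pass(M, K_A, K_B)
    print("Alice -> Bob :", t1)
    print("Bob -> Alice :", t2)
    print("Alice -> Bob :", t3)
    print("Bob decrypts :", bob_recovers(t3, K_B))
    print("Eve recovers :", eve_recovers(t1, t2, t3))
```

The pads commute (which is what the three-pass idea needs), but XOR is also its own inverse, so the three ciphertexts together cancel both keys. Shamir's actual proposal uses a commutative lock that does not cancel this way, exponentiation modulo a prime, for which the attacker would have to solve a discrete logarithm instead of an XOR.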

## 2 Diffie Hellman

_Alice_ and _Bob_ agree to use $n = 13$ and $e = 11$. Alice chooses her secret number $a = 5$, whereas Bob chooses $b = 7$.

__Your Task__: What are the requirements for $n$ and $e$? Are they fulfilled here? Describe the key agreement protocol step by step using the above values of $a$ and $b$. What is the common secret key?

## 3 Discrete Logarithm Problem

Assume Mallory intercepts the message $A = 9$ from Alice to Bob and $B = 3$ from Bob to Alice. He also knows $n = 13$ and $g = 11$.

__Your Task__: Suppose Mallory wants to know the common key. Describe his steps to find this key!

He would need to find $a$ such that $A \equiv g^a \pmod n$, i.e. solve the discrete logarithm problem. Then he could calculate $K = B^a \bmod n$.

$9 \equiv 11^a \pmod{13}$

Exhaustive search over the powers of $11$ modulo $13$:

$11^1 \equiv 11$

$11^2 = 121 \equiv 4$

$11^3 \equiv 5$

$11^4 \equiv 3$

$11^5 \equiv 7$

$11^6 \equiv 12$

$11^7 \equiv 2$

$11^8 \equiv 9$, hence $a = 8$ and $K = B^a = 3^8 \bmod 13 = 9$.

(As a check, $11^4 \equiv 3 = B$ gives Bob's exponent $b = 4$, and $A^b = 9^4 \bmod 13 = 9$ as well. Continuing the table to $11^{12} \equiv 1$ shows that $11$ has order $12$, i.e. it really is a generator.)

For numbers of the size used in practice this exhaustive search is infeasible, and so are the best known generic algorithms (baby-step giant-step, Pollard's rho), which still need about $\sqrt{n}$ group operations.
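The key agreement from Section 2 and Mallory's attack from Section 3 together, as an added Python example that is not part of the sheet. It uses the sheet's values ($n = 13$, generator $e = g = 11$, $a = 5$, $b = 7$, and the intercepted $A = 9$, $B = 3$). Two things go beyond the table above: the generator requirement is checked with the criterion $g^{(p-1)/q} \ne 1$ for every prime $q \mid p-1$, and the discrete logarithm is found with baby-step giant-step, which needs only about $\sqrt{p}$ multiplications instead of up to $p$. The function names are mine.

```python
import math


def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division (fine for exercise-sized n)."""
    factors, q = [], 2
    while q * q <= n:
        if n % q == 0:
            factors.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p^* (p prime) iff g^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_exchange(p: int, g: int, a: int, b: int):
    """Diffie-Hellman over Z_p^*: returns (A, B, K) for secrets a (Alice), b (Bob)."""
    A = pow(g, a, p)            # Alice -> Bob
    B = pow(g, b, p)            # Bob -> Alice
    k_alice = pow(B, a, p)      # (g^b)^a
    k_bob = pow(A, b, p)        # (g^a)^b
    assert k_alice == k_bob
    return A, B, k_alice


def bsgs(g: int, h: int, p: int):
    """Baby-step giant-step: smallest x >= 0 with g^x == h (mod p), or None.

    Write x = i*m + j with m = ceil(sqrt(p-1)). Baby steps tabulate g^j for
    j < m; giant steps walk h * g^(-m*i) for i < m until a table entry is hit.
    """
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)              # keep the smallest j per residue
        cur = cur * g % p
    giant_step = pow(pow(g, m, p), p - 2, p)  # g^(-m) via Fermat (p prime)
    gamma = h % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None


def mallory(p: int, g: int, A: int, B: int):
    """Passive attacker: recover Alice's a from A = g^a, then K = B^a."""
    a = bsgs(g, A, p)
    if a is None:
        raise ValueError("A is not in the subgroup generated by g")
    return a, pow(B, a, p)


if __name__ == "__main__":
    p, g = 13, 11
    print("11 generates Z_13*:", is_generator(g, p), "| 3 does:", is_generator(3, p))
    print("exchange (A, B, K):", dh_exchange(p, g, 5, 7))
    print("Mallory from A=9, B=3 -> (a, K):", mallory(p, g, 9, 3))
```

With $p = 13$ the baby table has only four entries and Mallory is done after three giant steps; the point of the exercise is that the same $\sqrt{p}$ cost is astronomically large for the 2048-bit primes used in practice.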

## 4 Attack on textbook RSA

The public key $(n,e) = (2537,13)$ was used to encrypt the plaintext $M$. Eve intercepts the ciphertext $C = 2081$.

__Your Task__: Show how Eve computes the plaintext $M$!
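Eve's attack worked in Python, as an added example rather than part of the sheet: because $n = 2537$ is tiny, she factors it by trial division, computes $\varphi(n)$ and the private exponent $d = e^{-1} \bmod \varphi(n)$, and decrypts with it. Function names are my own; the numbers are those of the task.

```python
import math


def factor_by_trial_division(n: int):
    """Return (p, q) with p * q == n for a small two-prime modulus, or None."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


def recover_private_exponent(n: int, e: int) -> int:
    """Eve's attack: factor n, compute phi(n) = (p-1)(q-1), invert e modulo phi(n)."""
    factors = factor_by_trial_division(n)
    if factors is None:
        raise ValueError("n is prime or too large to factor this way")
    p, q = factors
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n); not a valid RSA key")
    return pow(e, -1, phi)       # modular inverse of e, i.e. the private key d


def decrypt(n: int, e: int, c: int) -> int:
    """Textbook RSA decryption using the recovered d."""
    d = recover_private_exponent(n, e)
    return pow(c, d, n)


if __name__ == "__main__":
    n, e, c = 2537, 13, 2081
    print("n factors as", factor_by_trial_division(n))
    print("d =", recover_private_exponent(n, e))
    print("M =", decrypt(n, e, c))
    print("re-encrypting M gives c:", pow(decrypt(n, e, c), e, n) == c)
```

The final line re-encrypts the result with the public key, which is the check Eve can always perform to confirm she found the right plaintext.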

## 5 Attack on textbook RSA — small exponent e

Frequently, the exponent $e$ in the public key $(n,e)$ is chosen very small, say $e = 3$, because modular exponentiation with a small exponent is fast. Encryption of $m$ is then

$$ c = m^3 \bmod n .$$

Unfortunately, this is bad if a small message $m < n^{\frac{1}{3}}$ is encrypted: then $m^3 < n$, no modular reduction takes place, $c = m^3$ holds over the integers, and the attacker only has to compute the integer cube root of $c$.

In the sequel we construct an attack which works for arbitrary messages $m$ (with $1 < m < n_i$ for every modulus $n_i$ used). To this end, we assume $e = 3$ and that the same message is sent to three people with public keys $(n_1, e)$, $(n_2, e)$, and $(n_3, e)$:

$$ c_1 = m^3 \mod n_1,\ c_2 = m^3 \mod n_2,\ c_3 = m^3 \mod n_3 .$$

Furthermore we assume that the moduli $n_1, n_2$, and $n_3$ are pairwise co-prime, i.e. $\gcd(n_i, n_j) = 1$ for $i \neq j$. (For RSA moduli this fails only if two of them share a prime factor, in which case $\gcd(n_i, n_j)$ already reveals that factor and the attack is not even needed.)

According to the Chinese remainder theorem (CRT), the system of three linear congruences

$$ x \equiv c_1 \pmod{n_1},\ x \equiv c_2 \pmod{n_2},\ x \equiv c_3 \pmod{n_3} $$

has a solution $x$ that is unique modulo $n_1 n_2 n_3$, and $x = m^3$ is such a solution.

First let $n = n_1 \cdot n_2 \cdot n_3$ and

$$ N_1 =\frac{n}{n_1}=n_2n_3,\ \ N_2 =\frac{n}{n_2}=n_1n_3, \ \  N_3 =\frac{n}{n_3}=n_1n_2$$

Because $n_i$ and $n_j$ are co-prime if $i \neq j$, it follows that $\gcd(n_i,N_i) = 1$. Consequently, we can compute the (multiplicative) inverse $y_i$ of $N_i$ modulo $n_i$ such that

$$ N_1 y_1 \equiv 1\ (\text{mod}\ n_1 ),\ N_2 y_2 \equiv 1\ (\text{mod}\ n_2 ),\ N_3 y_3 \equiv 1\ (\text{mod}\ n_3 ) .$$

Then the simultaneous solution of the system of linear congruences is

$$ m^3 \equiv \sum_{i=1}^{3} c_i N_i y_i = c_1 N_1 y_1 + c_2 N_2 y_2 + c_3 N_3 y_3 \pmod{n} .$$

This determines $m^3$ uniquely up to a multiple of $n = n_1 n_2 n_3$. Because $m < n_i$ for each $i$, we have $m^3 < n_1 n_2 n_3$, so reducing the sum modulo $n$ yields the integer $m^3$ itself, and the integer cube root of that value is $m$.


__Your Task__: Assume the message $m$ is sent to 3 different people using textbook RSA, with moduli $n_1 = 377,\ n_2 = 391$, and $n_3 = 589$. You get hold of the corresponding ciphertexts

$$330 = m^3 \mod 377$$
$$34 = m^3 \mod 391$$
$$419 = m^3 \mod 589$$

Compute $m =\sqrt[3]{x}$ using the CRT, where $x = m^3$ satisfies the system of linear congruences

$$ x \equiv 330 \mod 377 $$
$$ x \equiv 34  \mod 391 $$
$$ x \equiv 419 \mod 589 $$

Use Python in a Jupyter notebook. Use the (extended) Euclidean algorithm to compute the inverses $y_i$, and find or write Python code that implements the CRT.
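The CRT attack of this section in Python, as an added example (not the sheet's code). `crt` follows the $N_i$, $y_i$ construction above with the pairwise-coprimality check built in, `integer_cube_root` avoids floating point so it stays exact for real key sizes, and `hastad_e3` puts the two together for the task's moduli and ciphertexts. Function names are my own.

```python
from math import gcd


def crt(residues, moduli):
    """Solve x = c_i (mod n_i) for pairwise coprime moduli.

    Returns (x, n) with n = n_1 * ... * n_k and 0 <= x < n, built exactly as
    in the text: N_i = n / n_i, y_i = N_i^{-1} mod n_i, x = sum(c_i N_i y_i).
    """
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError(f"moduli {a} and {b} share the factor {gcd(a, b)}")
    n = 1
    for ni in moduli:
        n *= ni
    x = 0
    for ci, ni in zip(residues, moduli):
        Ni = n // ni
        yi = pow(Ni, -1, ni)      # inverse exists since gcd(N_i, n_i) = 1
        x += ci * Ni * yi
    return x % n, n


def integer_cube_root(x: int):
    """Exact integer cube root of x >= 0, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)   # hi^3 > x
    while lo < hi:                                     # smallest r with r^3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def hastad_e3(ciphertexts, moduli):
    """Recover m from three e = 3 encryptions of the same m under coprime moduli."""
    m_cubed, n = crt(ciphertexts, moduli)
    m = integer_cube_root(m_cubed)
    if m is None:
        raise ValueError("CRT value is not a perfect cube: is m^3 < n1*n2*n3?")
    return m


if __name__ == "__main__":
    moduli = [377, 391, 589]
    cts = [330, 34, 419]
    m = hastad_e3(cts, moduli)
    print("m^3 =", crt(cts, moduli)[0], " m =", m)
    print("verified against all three ciphertexts:",
          all(pow(m, 3, n) == c for c, n in zip(cts, moduli)))
```

The same code works unchanged for three 2048-bit moduli, which is why textbook RSA with $e = 3$ and no randomized padding is broken in practice, not just for toy numbers.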

## 6 Attack on textbook RSA — common modulus n

Suppose the CTO of a company wants all employees to use the same modulus $n$. The individual employees have pairwise different key pairs $(e_i, d_i)$. Suppose two employees $A$ and $B$ have the public keys $(n, e_A)$ and $(n, e_B)$ where $\gcd(e_A, e_B) = 1$.

Now the administration sends the encrypted message $m$ to the two employees

$$c_A = m^{e_A} \mod n $$
$$ c_B = m^{e_B} \mod n$$

We will now show that Eve is able to compute $m$ if she knows the two ciphertexts $c_A$ and $c_B$ (and the public keys). She first computes integers $a$ and $b$ such that

$$ a e_A + b e_B = 1 .$$

She does this using the extended Euclidean algorithm, which works because $\gcd(e_A, e_B) = 1$. Since $e_A, e_B > 1$, one of $a$, $b$ is negative; a negative exponent below denotes the corresponding power of the modular inverse of that ciphertext, which exists as long as $\gcd(c, n) = 1$ (and if it does not, $\gcd(c, n)$ is a prime factor of $n$, which is even worse for the company). Then she computes

$$ c_A^{a} c_B^{b} \equiv (m^{e_A})^a (m^{e_B})^b \equiv m^{a e_A + b e_B} \equiv m^1 \equiv m \pmod n .$$

Hence, as promised, she can compute $m$ without knowing any private key.

__Your Task__: Design an example with small numbers which demonstrates this attack! Assume $n = 11 \cdot 13 = 143$, i.e. $p = 11$ and $q = 13$.

$m = 12$

$e_A = 13$, $e_B = 7$ (both coprime to $\varphi(n) = 10 \cdot 12 = 120$, and $\gcd(13, 7) = 1$)

$c_A = 12^{13} \bmod 143 = 12$

$c_B = 12^{7} \bmod 143 = 12$

(Both ciphertexts equal the plaintext because $12 \equiv 1 \pmod{11}$ and $12 \equiv -1 \pmod{13}$, so $12^e \equiv 12 \pmod{143}$ for every odd $e$. The attack works regardless, but a message that is not such a fixed point makes a more convincing demonstration.)

Solve $a \cdot 13 + b \cdot 7 = 1$ with the extended Euclidean algorithm. Each row keeps the remainder $r_i$ as the combination $r_i = 13\,x_i + 7\,y_i$, with $q_i = \lfloor r_{i-1} / r_i \rfloor$, $r_{i+1} = r_{i-1} - q_i r_i$, $x_{i+1} = x_{i-1} - q_i x_i$ and likewise for $y$:

| $r_i$ | $q_i$ | $x_i$ (coefficient of 13) | $y_i$ (coefficient of 7) |
|:---|:---|:---|:---|
| 13 | - | 1 | 0 |
| 7 | 1 | 0 | 1 |
| 6 | 1 | 1 | -1 |
| 1 | 6 | -1 | 2 |
| 0 | - | - | - |

$a = -1$, $b = 2$ (check: $-13 + 14 = 1$)

$c_A^{a} c_B^{b} \equiv 12^{-1} \cdot 12^{2} \equiv 12^{-1+2} \equiv 12 \pmod{143}$, where $12^{-1}$ is the inverse of $12$ modulo $143$ (here $12 \cdot 12 = 144 \equiv 1$, so $12^{-1} \equiv 12$).
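The common-modulus attack in Python, as an added example that is not part of the sheet. `egcd` computes the same Bezout coefficients as the table above, and `common_modulus_attack` handles the negative coefficient via a modular inverse. It is run on the sheet's $m = 12$ and, because that value is a fixed point of exponentiation modulo $143$, additionally on $m = 42$ (my choice), where the two ciphertexts differ from the plaintext. Function names are mine.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b).

    Same recurrence as the table in the text: every remainder is carried
    along as a combination of the two starting values.
    """
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def common_modulus_attack(n: int, e_a: int, e_b: int, c_a: int, c_b: int) -> int:
    """Eve recovers m from c_a = m^e_a and c_b = m^e_b (mod n) when gcd(e_a, e_b) = 1."""
    g, a, b = egcd(e_a, e_b)
    if g != 1:
        raise ValueError("public exponents are not coprime; attack does not apply")

    def modpow(c: int, k: int) -> int:
        # A negative Bezout coefficient means a power of the inverse ciphertext.
        # pow(c, -1, n) raises ValueError if gcd(c, n) > 1; that gcd is then a
        # prime factor of n, so the key is broken outright in that case.
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return modpow(c_a, a) * modpow(c_b, b) % n


if __name__ == "__main__":
    n, e_a, e_b = 11 * 13, 13, 7
    print("Bezout coefficients (g, a, b) for 13, 7:", egcd(e_a, e_b))
    for m in (12, 42):          # 12 is the sheet's choice, 42 is a non-fixed-point message
        c_a, c_b = pow(m, e_a, n), pow(m, e_b, n)
        print(f"m={m}: c_A={c_a}, c_B={c_b}, "
              f"recovered={common_modulus_attack(n, e_a, e_b, c_a, c_b)}")
```

For $m = 42$ the ciphertexts are $c_A = 3$ and $c_B = 81$, and Eve computes $3^{-1} \cdot 81^{2} \bmod 143 = 42$, which shows the attack doing real work rather than reproducing a fixed point.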

## 7 Elgamal

The prime number $p = 13$ and the generator $g = 3$ were used. Check whether $3$ really is a generator of $\mathbb{Z}_{13}^*$; otherwise use the next larger number that is. Bob chooses the secret key $sk_B = j = 3$ and Alice $sk_A = i = 4$.

__Your Task__: Compute all intermediate results if Alice wants to securely send the message $m = 12$ to Bob.

## 8 Elgamal 2nd

Alice uses the private key $a = 1751$ and computes the public key $(p = 2357,\ \alpha = 2,\ \alpha^a \bmod p = 1185)$.
Now Bob wants to encrypt the message $m = 2035$. He uses the random exponent $k = 1520$.

__Your Task__: Compute the encrypted message and show how Alice decrypts the message.
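ElGamal key generation, encryption and decryption for Sections 7 and 8, as an added Python example (not part of the sheet). For Section 7 it first checks whether $3$ generates $\mathbb{Z}_{13}^*$ by computing its multiplicative order, moving on to the next candidate otherwise, and uses Alice's $i$ as the per-message exponent; for Section 8 it uses the given $p$, $\alpha$, $a$, $m$ and $k$. Function names are my own.

```python
def multiplicative_order(g: int, p: int) -> int:
    """Order of g in Z_p^* by repeated multiplication (fine for exercise-sized p)."""
    k, x = 1, g % p
    while x != 1:
        x = x * g % p
        k += 1
    return k


def smallest_generator_from(p: int, start: int) -> int:
    """First g >= start that generates Z_p^*, i.e. whose order is p - 1."""
    for g in range(start, p):
        if multiplicative_order(g, p) == p - 1:
            return g
    raise ValueError("no generator found")


def elgamal_keygen(p: int, g: int, sk: int) -> int:
    """Public key is g^sk mod p."""
    return pow(g, sk, p)


def elgamal_encrypt(p: int, g: int, pk: int, m: int, k: int):
    """(c1, c2) = (g^k, m * pk^k) mod p; k must be fresh and random per message."""
    return pow(g, k, p), m * pow(pk, k, p) % p


def elgamal_decrypt(p: int, sk: int, c1: int, c2: int) -> int:
    """m = c2 * (c1^sk)^-1 mod p; by Fermat, (c1^sk)^-1 = c1^(p-1-sk)."""
    return c2 * pow(c1, p - 1 - sk, p) % p


def section7():
    """p = 13, g = first generator >= 3, Bob's j = 3, Alice's i = 4, m = 12."""
    p, j, i, m = 13, 3, 4, 12
    g = smallest_generator_from(p, 3)
    pk_b = elgamal_keygen(p, g, j)
    c1, c2 = elgamal_encrypt(p, g, pk_b, m, i)
    return g, pk_b, (c1, c2), elgamal_decrypt(p, j, c1, c2)


def section8():
    """p = 2357, alpha = 2, a = 1751, m = 2035, k = 1520."""
    p, alpha, a = 2357, 2, 1751
    pk = elgamal_keygen(p, alpha, a)
    c1, c2 = elgamal_encrypt(p, alpha, pk, 2035, 1520)
    return pk, (c1, c2), elgamal_decrypt(p, a, c1, c2)


if __name__ == "__main__":
    print("order of 3 mod 13:", multiplicative_order(3, 13))
    print("section 7 (g, pk_B, (c1, c2), decrypted):", section7())
    print("section 8 (pk, (c1, c2), decrypted):", section8())
```

With the Section 7 parameters $i \cdot j = 12 = p - 1$, so the masking factor $pk_B^{\,i} = g^{ij} \equiv 1$ and the second ciphertext component equals $m$ in the clear; that is an artifact of these toy numbers, and in practice $k$ must be fresh and uniformly random for every message (reusing $k$ across two messages leaks their ratio).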