# Q1. MITM

## Our solution
We implement a Man-in-the-Middle (MITM) attack on the Diffie-Hellman key exchange between Alice and Bob.

Our attack script, mitm.py, acts as a transparent proxy with malicious intent:
1.  Interception: It listens on two specific ports to intercept connections intended for Alice and Bob.
2.  Key Replacement:
    - When Bob connects, mitm.py intercepts his public key ($g^y$) and sends him a fake public key ($g^z$).
    - When Alice connects, mitm.py sends her the fake public key ($g^z$) and intercepts her real public key ($g^x$).
3.  Result: Alice and Bob believe they have a secure connection with each other, but they have actually established separate shared secrets with the attacker.

## The Execution Instructions
The code can be found in the Q1 folder.

Please execute the files in separate terminals in the following order.

### Run the Scripts
Open your terminal and run the scripts in this specific order to ensure listeners are active before connections are attempted:

1.  Start Alice: (Alice waits for a connection, so she must start first)
    ```bash
    python3 alice.py
    ```
2.  Start the Attacker:
    ```bash
    python3 mitm.py
    ```
3.  Start Bob: (Bob initiates the connection cycle)
    ```bash
    python3 bob.py
    ```

### Expected Output
In the mitm.py terminal window, you will see:
* Interception of GY from Bob.
* Interception of GX from Alice.
* Success Message: Displaying the two compromised shared secrets (one shared with Alice, one shared with Bob).

# Q2. ECC

### P1

**Proof:**
The verification algorithm checks if m = σ + k · pkA. We can prove this is always true for a valid signature by substituting the definitions of σ and pkA from the signing process into the verification equation.

1.  Start with the right-hand side of the verification formula:
    σ + k · pkA

2.  Substitute σ = m - k · skA · G and pkA = skA · G:
    = (m - k · skA · G) + k · (skA · G)

3.  The terms (- k · skA · G) and (+ k · skA · G) are additive inverses and cancel out, leaving:
    = m

Since the expression simplifies to m, the verification check m = m is always true. Thus, the scheme is correct for validly signed messages.

### P2

**Forgery Technique:**
The scheme is insecure because an attacker can forge a signature for any arbitrary message m' without the private key skA.

An attacker performs the following steps:
1.  **Choose any message m'** they want to forge.
2.  **Choose any random scalar k'**. For instance, let k' = 1.
3.  **Calculate the forged signature σ'** by rearranging the public verification formula m' = σ' + k' · pkA to solve for σ':
    σ' = m' - k' · pkA

This calculation only requires the desired message m', the chosen k', and the public key pkA, all of which are known to the attacker. The private key skA is not needed.

The resulting tuple (m', k', σ') will always pass verification, as (m' - k' · pkA) + k' · pkA simplifies to m', thus satisfying the check.

# Q3. ElGamal

### Question - P1:
In the decryption function, the shared key $s$ is computed, and since the ciphertext is $c = m \cdot s$, when we evaluate:
$$
m = c \cdot s^{-1} = m \cdot s \cdot s^{-1} = m \cdot 1 = m
$$
we recover the original message.

### Question - P2:
To recover the message as $m \leftarrow c \cdot s^{-1}$, we need to know the value of $s$, where:
$$
s = g^{xy}
$$
To break the confidentiality of ElGamal, an attacker would have to recover the shared key $s$ from $X = g^{x}$ (the public key) and $Y = g^{y}$ (the random value sent in the ciphertext).
Computing $s = g^{xy}$ from $g^{x}$ and $g^{y}$ alone is exactly the Diffie-Hellman problem. If the attacker could solve the discrete logarithm, that is, find the exponent $x$ such that $X = g^{x}$, then they could simply compute $s = Y^{x}$ and recover the original message, destroying its confidentiality.

The practical security of ElGamal, in the sense of guaranteeing confidentiality, depends on the hardness of the CDH (Computational Diffie-Hellman) and DDH (Decisional Diffie-Hellman) problems.
If CDH is hard, then an attacker cannot compute $g^{xy}$ from $g^{x}$ and $g^{y}$.
Moreover, if DDH is also hard, an attacker cannot distinguish $g^{xy}$ from a random group element, given $g^{x}$ and $g^{y}$.
Hence $c = m \cdot g^{xy}$ reveals no useful information about the message.
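As an added illustration of P1 and P2 (example code written here, not part of the original answer), the following toy ElGamal implementation over a constructed 23-element group shows the decryption identity $m = c \cdot s^{-1}$ and that the shared key $s = g^{xy}$ is the same whether computed as $Y^{x}$ or $X^{y}$; the group, the parameter names and the brute-force discrete-log helper are assumptions chosen for the example.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime with q = 11, and
# g = 4 generates the order-q subgroup of Z_p^*. Far too small for real use;
# chosen only so the arithmetic can be checked by hand.
P = 23
Q = 11
G = 4


def keygen(x=None):
    """Return (x, X): private exponent x and public key X = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(X, m, y=None):
    """Encrypt m (1 <= m < p) under public key X.
    Returns (Y, c) with Y = g^y and c = m * s, where s = X^y = g^{xy}."""
    if y is None:
        y = secrets.randbelow(Q - 1) + 1
    s = pow(X, y, P)
    return pow(G, y, P), (m * s) % P


def decrypt(x, Y, c):
    """P1: recover m as c * s^{-1}, with s = Y^x = g^{xy}."""
    s = pow(Y, x, P)
    s_inv = pow(s, -1, P)  # modular inverse; exists since s != 0 mod p
    return (c * s_inv) % P


def shared_secret_views(x, y):
    """P2: the decryptor's Y^x, the sender's X^y and g^{xy} all coincide."""
    X, Y = pow(G, x, P), pow(G, y, P)
    return pow(Y, x, P), pow(X, y, P), pow(G, (x * y) % Q, P)


def brute_force_dlog(X):
    """P2: an attacker who can solve the discrete log x = log_g(X) gets s = Y^x.
    Exhaustive search is only feasible because this toy group has 11 elements."""
    for x in range(1, Q + 1):
        if pow(G, x, P) == X:
            return x
    return None
```

With private exponent 3 and sender randomness 5 the shared key is 3, so a ciphertext of message 9 is (12, 4) and decrypts back to 9.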

### Question - P3: