Diffie-Hellman Key Exchange + ElGamal Encryption

In [None]:
import math
import random
from sympy import randprime, isprime, Mod
import hashlib

Let a,b be positive integers. Then there exists integers X,Y such that Xa+Yb=gcd(a,b).

Furthermore, gcd(a,b) is the smallest positive integer that can be expressed in this way

In [None]:
def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

In [None]:
a = 10
b = 21

gcd, x, y = egcd(a, b)

In [None]:
print(a, "*", x, "+", b, "*", y, "=", math.gcd(a,b))
a * x + b * y

If for b there exists an integer b−1 such that bb−1=1modN then we call:

b invertible

b−1 modular inverse of b modulo N

Proposition 7.7 Let a,N be integers, with N>1. Then a is invertible modulo N if and only if gcd(a,N)=1.

A group is a set G along with a binary operation ⊕ for which the following conditions hold:

(Closure:) For all g,h∈G, g⊕h∈G

(Existance of an Identity:) There exists an identity e∈G such that for all g∈G, e⊕g=g=g⊕e.

(Existence of Inverses:) For all g∈G there exists an element h∈G such that g⊕h=e

(Associativity:) For all g1,g2,g3∈G, (g1⊕g2)⊕g3=g1⊕(g2⊕g3).

If G has finite number of elements →G is a finite group

|G| - order of the group - number of elements in G

G is abelian if for all g,h∈G,g⊕h=h⊕g

Z+n=(Zn,+)=({0,1,…,n−1},+modn) for n≥2 is an abelian group of order |Z+n|=n

Z∗n=({a:gcd(a,n)=1},⋅modn). If n is prime: Z∗p=(Zp,⋅)=({1,…,p−1},⋅modp) for p prime is an abelian group of order |Z∗p|=p−1

Z∗n=({a:gcd(a,n)=1},⋅modn).

Let n=p⋅q, p,q are primes -- an abelian group of order |Z∗pq|=(p−1)(q−1)

Let G be a finite group of order m.

Let g∈G, consider the set:
⟨g⟩={g0,g1,…}

From Theorem 7.14 we have gm=1.

Let i≤m be the smallest positive integer for which gi=1.

Then the sequence repeats after i terms, so:
⟨g⟩={g0,…,gi−1}

The set contains exactly i elements since:

if gj=gk with 0≤j<k<i

then gk−j=1 and 0<k−j<i (contradicting choice of i).

G=Z∗11

⟨2⟩=⟨6⟩=⟨7⟩=⟨8⟩=G

Def: A primitive root of G is such a g∈G that ⟨g⟩=G

⟨g⟩ is a subgroup of G

inverse of gx is gi−x

Z∗n=({a:gcd(a,n)=1},⋅modn)

In [None]:
def group(n):
    G = []
    m = 0
    for a in range(n):
        if math.gcd(a, n) == 1:
            G.append(a)
            m = m + 1
    return G, m

n = 11
group(n)

In [None]:
def subgroup(g, n, m):
    H = {}
    for i in range(m):
        H[(g ** i % n)] = 1
    return H

p = 11
gs = subgroup(2, p, p-1)

print(gs.keys(), len(gs))

In [None]:
p, q = 11, 13
n, m = p * q, (p-1)*(q-1)
#n = 11
#m = n - 1
print("Group Z",n,"* order: ", m)
#pint(group(n))
for i in range(n):
    if math.gcd(i, n) == 1:
        w = subgroup(i, n, m)
        print("Element ", i, "order:", len(w))
        #print(w.keys())

Let  G  be a finite group and  g∈G . The order of  g  is the smallest positive integer  i  with  gi=1

In [None]:
def order(g, n):
    o = 1
    while g ** o % n != 1:
        o = o + 1
    return o

order(10, 11)

In [None]:
x = random.randint(2, 2*q - 1)
q = 11
p = 2 * q  + 1
g = x ** 2 % p
print(x, g)
#groupOrder = p - 1
#subgroup orders: divisors of p - 1 = 2q -> 1, 2, q, 2q
print(group(p))
print(order(g, p))
print(list(subgroup(g, p, p-1).keys()))

In [None]:
for g in [3, 9, 4, 12, 13, 16, 2, 6, 18, 8]:
    print(list(subgroup(g, p, p - 1).keys()))
    

 Let G be a finite group of order m, and say g∈G has order i then i|m.

Def. Let G be a group of order m, if there exists an element g∈G such that order of g is equal m then we call g a group generator and we call G a cyclic group.

Corollary 7.52 If G is a group of prime order p, then G is cyclic.

Furthermore, all elements of G except the identity are generators of G.

Theorem 7.53 If p is prime then Z∗p is cyclic.

n=p, p prime; the group order m=p−1

what if we find g such that ord(g) is prime?

"recipe":

q - prime
p=2q+1 be sure that is prime
then go with Z∗p

In [None]:
q = 11
p = 2 * q + 1
m = 2 * q
print(q, p)
g = 2
#print(group(p))
print(subgroup(g, p, p-1).keys())
print(order(g, p))

In [None]:
for g in [2, 4, 8, 16, 9, 18, 13, 3, 6, 12]:
    print(list(subgroup(g, p, p-1).keys()), len(subgroup(g, p, p-1)))

In [None]:
p = 23
for a in range(2,p-1):
    aa = a ** 2 % p
    print(a, "->", aa, "<",aa,"> = ", list(subgroup(aa, p, p-1)) )

QR∗p={a:(∃g∈Z∗p)a=g2modp}

DLOGA,G(n):

Run G(1n) to obtain (G,q,g):
G - cyclic group
q - group order
g - generator
Choose h←G
x←A(G,q,g,h)
Output is 1 if gx=h

 We say that the discrete logarithm problem is hard relative to G if for all PPT algorithms A there exists a negligible function negl such that
P[DLOGA,G(n)=1]≤negl.

Fix a cyclic group G and a generator g∈G. Given h1,h2, define
DHg(h1,h2)=gloggh1⋅loggh2

If X=gx and Y=gy then
DHg(X,Y)=gx⋅y=Xy=Yx.

 We say that DDH problem is hard relative to G if for all PPT algorithms A there exists a negligible function negl such that
|P[A(G,q,g,gx,gy,gz)=1]−P[A(G,q,g,gx,gy,gxy)=1|≤negl,
where in each case the probabilities are taken over the experiment in which G(1n) outputs (G,q,g), and then random x,y,z∈Zq are chosen.

Prime-Order Groups
Cyclic groups:

prime order
non-prime order
Pohling-Hellman algorithm for Discrete Log

group of order q=q1⋅q2→ Discrete Log Problem in q1 and q2

Generator generation

In [None]:
def genSecurePrime(a, b):
    a = False
    while a is False:
        p = randprime(a, b)
        q = 2 * p  + 1
        a = isprime(q)
    return p, q

p, q = genSecurePrime(30, 200)
print(p, q)

In [None]:
print("Group: ", group(q))

x = random.randint(2, 2 * p - 1)
print("Random: ", x)
g = x ** 2 % q
print("Random generator: ", g, "?")

S = subgroup(g, q, q -1)
print("Generated subgroup: ", S.keys())
print("(sub)group order: ", len(S))
print(order(g, q))

Diffie-Hellman Key Exchange
Diffie Hellman Key Exchange G - cyclic group of order p g - a group generator

Pascal:
x←R1,…,p
X=gx
Pascal−→XAllan
Allan:
y←R1,…,p
Y=gy
Pascal←YAllan
Pascal:
za=Yx=(gy)x=gyx
Allan:
zb=Xy=(gx)y=gxy
Computational Diffie-Hellman (CDH)

Fix a cyclic group G and a generator g∈G. Given h1,h2, define
DHg(h1,h2)=gloggh1⋅loggh2

If X=gx and Y=gy then
DHg(X,Y)=gx⋅y=Xy=Yx.

Shared key:

ka=h(za)
kb=h(zb)
"Magic":

ka=kb

In [None]:
def genGen(q):
    x = random.randint(2, q - 2)
    return x ** 2 % q

In [None]:
g = genGen(q)
print(g)
print(order(g, q))

In [None]:
def DH_Key_Gen(g, q):
        x = random.randint(1, (q - 1) // 2)
        return x, g ** x % q

In [None]:
x, X = DH_Key_Gen(g, q) # Alice

y, Y = DH_Key_Gen(g, q) # Bob

za = Y ** x % q # Alice computes

zb = X ** y % q # Bob computes

print(g, q) # Eve knows
print(X, Y) # Eve knows

A passive adversary's view:

G,g,X,Y
Security:

Can an adversary compute k?

In [None]:
ha = hashlib.new('sha3_256')
hb = hashlib.new('sha3_256')

ha.update(za.to_bytes(2, 'big'))
hb.update(zb.to_bytes(2, 'big'))

print(ha.hexdigest())
print(hb.hexdigest())

ElGamal encryption

KeyGen(1n):

p←RPrimes(n)
x←R{1,…,p−2}
g←PrimitiveRoots(p)
X←gxmodp privKey = x / pubKey = p,g,X

In [None]:
def gen(sec):
    n = len(sec)
    pp, p = genSecurePrime(2 ** n, 2 ** (n+1) - 1)
    g = 3
    while order(g, p) < (p-2)//2:
        g = random.randint(2, p-1)
    x = random.randint(1, p - 2)
    X = (g ** x) % p
    return g, X, p, x
    
def genP(sec, p):
    g = 3
    while order(g, p) < (p-2)//2:
        g = random.randint(2, p-1)
    x = random.randint(1, p - 2)
    X = (g ** x) % p
    return g, X, p, x    
    
    
    

Enc(m,pubKey):

y←R{1,…,p−2}
return (gy,mXy)

In [None]:
def enc(m, pub_key):
    g, X, p = pub_key
    y = random.randint(1, p-2)
    Y = g ** y % p
    return Y, m * (X ** y % p) % p




Dec(α,β), privKey, pubKey):

a = p - 1 - x
return αaβmodp
αaβ=YamXy=mgyagxy=mg−yxgxy=m

In [None]:
def dec(c, priv_key):
    g, X, p, x = priv_key
    alpha, beta = c
    a = 2 * p - 2 - x
    return (((alpha ** a) % p) * beta) % p

In [None]:
g, X, p, x = gen("111111")

print(g, X, p, x)

In [None]:
p = 107
g, X, p, x = genP("asd", p)
print(g, X, p, x)

#plaintext = random.randint(1, p-1)
#print(plaintext)
plaintext = 73

In [None]:
ct = enc(plaintext, [g, X, p])
print(ct)


In [None]:
decrypted = dec(ct, [g, X, p, x])
print(decrypted)

In [None]:
x, y = [], []
t = 2000
for i in range(t):
    ct = enc(plaintext, [g, X, p])
    xa, ya = ct
    x.append(xa)
    y.append(ya)
    
    
    
    


In [None]:
import matplotlib.pyplot as plt
fig = plt.figure()
#plt.plot(x, y, '.r')
plt.hist2d(x, y, bins=(p, p))
cbar = plt.colorbar()
cbar.ax.set_ylabel('Counts')

In [None]:
import matplotlib.pyplot as plt
fig = plt.figure()
#plt.plot(x, y, '.r')
plt.hist2d(x, y, bins=(p, p))
cbar = plt.colorbar()
cbar.ax.set_ylabel('Counts')

Generalized ElGamal
multiplicative group Z∗p
multiplicative group F∗2m of the finite field F2m of characteristic two
group of points on an elliptic curve over a finite field
multiplicative group F∗q of the finite field Fq where q=pm, p is a prime
the group of units Z∗n where n is a composite integer
the jacobian of a hyperelliptic curve defined over a finite field
the class group of an imaginary quadratic number field

Cryptographic commitments

## Example

### Coin tossing over the internet

Participants:

* $\mathcal{A}$
* $\mathcal{B}$

Goal:

* select uniformly at random a bit $b \leftarrow_R \{0, 1\}$

Naive apprach (does not work):

1. $\mathcal{A}(b_{\mathcal{A}}) \xrightarrow{b_{\mathcal{A}}} \mathcal{B}$
2. $\mathcal{A} \xleftarrow{b_{\mathcal{B}}} \mathcal{B}(b_{\mathcal{B}})$
3. both compute $b = b_{\mathcal{A}} \oplus b_{\mathcal{B}}$



Why it is not secure? 

What does secure mean in this context?






1. $\mathcal{A}:$ commits to $b_{\mathcal{A}}$, sends $c =$ Comm($b_{\mathcal{A}}, r$) to $\mathcal{B}$

$\mathcal{A} \xrightarrow{c} \mathcal{B}$