# Public key cryptography

## Your name goes here. \(Double\-click on this cell to edit it.\)

Remember to hit Ctrl-Enter after editing any cell.

## Commands in python (re)introduced in this module

---

> pow()

---

### Recall commands/functions written for these modules

---

- convert_letter_to_number("a letter goes here"), 
- convert_number_to_letter(a number goes here), 
- affine_encrypt_letter("a plaintext letter goes here", key=a key goes here, m=a multiplier goes here), 
- affine_encrypt("a plaintext message goes here", key=a key goes here, m=a multiplier goes here), 
- affine_decrypt("a ciphertext goes here", key=a key goes here, m=a multiplier goes here)

---



## Math topics used in this module

- Modular exponentiation \(pg 73 in our Coursepack\)
- Commutativity



## Objectives

In this activity we will use Python to explore public key cryptography.

## Preliminaries
Before working on the questions below, be sure to click in the code cell below and use Ctrl-Enter to run it.

In [3]:
##### Import libraries #####


import math



##### Helper functions #####


### convert_letter_to_number(letter)
### Converts a lowercase number to its value between 0 and 25
### letter: string (a single lowercase letter)

def convert_letter_to_number(letter):
    # Define constant that will allow us to move the letter codes by 97
    MOVE_NUMBER = 97
    # Convert input to ASCII (97 to 122)
    number_ascii = ord(letter)
    # Move number to lie in the range 0 to 25
    number = number_ascii - MOVE_NUMBER
    return number


### convert_number_to_letter(number)
### Converts a number between 0 and 25 to its corresponding letter
### number: integer (should be between 0 and 25)

def convert_number_to_letter(number):
    # Define constant that will allow us to move the letter codes by 97
    MOVE_NUMBER = 97
    # Move number to lie in the ASCII range 97 to 122
    number_ascii = number + MOVE_NUMBER
    # Convert number to letter
    letter = chr(number_ascii)
    return letter


### affine_encrypt_letter(plaintext_letter, key, m)
### Applies affine encrytpion to a plaintext letter p to produce ciphertext letter
###     c = m*p + k mod 26
### plaintext_letter: string (can be any character, but should be only a single character)
### key: integer (between 1 and 25)
### m: integer (relatively prime to 26)

def affine_encrypt_letter(plaintext_letter, key, m = 1):
    # Replace uppercase with lowercase
    plaintext_letter = plaintext_letter.lower()
    # Check if plaintext_letter is a lowercase letter
    if ord(plaintext_letter) >= 97 and ord(plaintext_letter) <= 122:
        plaintext_number = convert_letter_to_number(plaintext_letter)
        ciphertext_number = (m* plaintext_number + key) % 26
        ciphertext_letter = convert_number_to_letter(ciphertext_number)
        return ciphertext_letter.upper()
    else:
        # If we get to this spot, we know we don't have a letter at all,
        # so just return the character as is
        return plaintext_letter



##### Affine encryption/decryption functions #####


### affine_encrypt(plaintext, key, m = 1)
### Encrypts ciphertext using c = m*p + k mod 26.
### plaintext: string
### key: integer (the value of k in the linear congruence above, from 1 to 25)
### m: integer (default value 1 results in shift encryption--should be relatively prime to 26)

def affine_encrypt(plaintext, key, m = 1):
    # Stop if m is not chosen appropriately
    if math.gcd(m, 26) != 1:
        print("The value of m must be relatively prime to 26!")
    else:
        ciphertext = ""
        for letter in plaintext:
            ciphertext_letter = affine_encrypt_letter(letter, key, m)
            ciphertext = ciphertext + ciphertext_letter
        return ciphertext


### affine_decrypt(ciphertext, key, m = 1)
### Decrypts ciphertext encrypted using c = m*p + k mod 26.
### ciphertext: string
### key: integer (the value of k in the linear congruence above, from 1 to 25)
### m: integer (default value 1 results in shift decryption--should be relatively prime to 26)

def affine_decrypt(ciphertext, key, m = 1):
    # Stop if m is not chosen appropriately
    if math.gcd(m, 26) != 1:
        print("The value of m must be relatively prime to 26!")
    else:
        m_inv = pow(m, -1, mod = 26)
        plaintext = affine_encrypt(ciphertext, -m_inv*key, m_inv)
        return plaintext.lower()


## The key distribution problem

A major security flaw in any cryptographical scheme is the problem of making sure both parties have the same key. After all, if keys could be distributed securely, there would not be much need for encrypted messages, which could be distributed with the same level of security. Any risk of message interception is the exact same risk of key interception.

Sure, sometimes keys can be shared one time in a secure space allowing for future communications to be encrypted. But what about situations where keys also have to be transmitted to faraway recipients?

## The "padlock" analogy

Imagine a physical key that fits a padlock that secures a physical box. If Alicia wants to send a secret object to Beto in that box, both Alicia and Beto will need copies of the key. If Alicia and Beto are lucky enough to have a secure way to obtain the same key initially, things will be okay for a while, at least until a new key is required. But what happens if Alicia and Beto are far away from each other and have no ability to meet to get a common key?

One possible solution looks like the following. Suppose that both Alicia and Beto have their own padlocks with their own private keys. Then they can execute the following procedure:

- Alicia puts the secret object in a box, locks it, and sends it to Beto.
- Beto locks the box again with his lock and sends the box back to Alicia.
- Alicia removes her lock and sends the box back to Beto.
- Beto removes the final lock and accesses the secret object.

This is called a "double" lock. What does this look like for encrypting a message?



## Double lock with a cipher?

Let's try out this double lock idea with a type of crypotgraphic protocol we've already studied, say an affine cipher.

### Question 1

Encrypt a short message of your choice using the affine cipher
$$
C \equiv 3P + 1 \mod 26.
$$
Recall that you'll use the `affine_encrypt` function (see the code cell above).

We'll call this "Lock A". Assign the result of this encryption to the variable `textA`.

In [4]:
# Add code here to encrypt a message using an affine cipher with key = 1 and m = 3.
# Be sure to store the result in the variable textA

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textA

### Question 2

Encrypt `textA` using another affine cipher:
$$
C \equiv 7P + 6 \mod 26.
$$

We'll call this "Lock B". Assign the result of this encryption to the variable `textAB` (since we applied Lock A first, followed by Lock B).

In [15]:
# Add code here to encrypt textA using an affine cipher with key = 6 and m = 7.
# Be sure to store the result in the variable textAB

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textAB

1

*****

Now we'll decrypt `textAB` by reversing the procedure. We'll need to apply `affine_decrypt` twice, once by unlocking Lock A (using Key A) and then by unlocking Lock B (using Key B). Does the order matter?

### Question 3

Start by decrypting `textAB` using Key B. Assign the result of this decryption to the variable `textABB`.

In [6]:
# Add code here to decrypt textAB using Key B.
# Be sure to store the result in the variable textABB

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textABB

Do you recognize the output `textABB`? What is it the same as?

<span style='color:#9c27b0'>_Please write up your answer here._</span>


### Question 4

Now decrypt `textABB` using Key A. Assign the result of this decryption to the variable `textABBA`.

In [7]:
# Add code here to decrypt textABB using Key A.
# Be sure to store the result in the variable textABBA

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textABBA

Do you recognize the output `textABBA`? What is it the same as?

<span style='color:#9c27b0'>_Please write up your answer here._</span>


*****

Now let's try decrypting using the other possible order.

### Question 5

Decrypt `textAB`, but this time starting with Key A. Assign the result of this decryption to the variable `textABA`.

In [8]:
# Add code here to decrypt textAB using Key A.
# Be sure to store the result in the variable textABA

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textABA

### Question 6

Finally, decrypt `textABA` using Key B. Assign the result of this decryption to the variable `textABAB`.

In [9]:
# Add code here to decrypt textABA using Key B.
# Be sure to store the result in the variable textABAB

# When you have created your code above, uncomment the line below (remove the hashtag) to print the result

# textABAB

### Question 7

Did the order in which we "unlocked" the locks matter with the affine cipher? (The reason why this happens is a little technical, but give it a little thought. Why might the order matter?)

<span style='color:#9c27b0'>_Please write up your answer here._</span>


### Question 8

Following the "double lock" strategy described above, would we obtain `textABAB` or `textABBA`? Why is that a problem for using the affine cipher as a double lock?

<span style='color:#9c27b0'>_Please write up your answer here._</span>


*****

The problem described above is often called the "socks and shoes" problem. You put on your socks first and then your shoes. To remove these items of clothing, the only way to do it is to work backward, taking off the shoes first and then the socks.

Well into the 20th century, all known cryptographic schemes followed the "socks and shoes" principle (except for very simple ones like a shift cipher, which, of course, are not suitable for secure crytography). They all had to be undone by reversing the steps. This made the "double lock" idea unfeasible.

## Diffie-Hellman-Merkle key exchange

Be sure to watch the video here first:

[Public key cryptography - Diffie-Hellman Key Exchange (full version)](https://youtu.be/YEBfamv-_do)

The analogy with color mixing is a very helpful way of understanding the process. Let's explore how the math works.

First, Alicia and Beto need to choose a prime number $p$. This number will be publicly known; it is not a secret. For purposes of exposition, suppose $p = 17$. \(In reality, this prime will be much, much larger.\) Next, Alicia and Beto need to decide on $g$ which will need to be a _unit_ mod 17, in other words, a number that is relatively prime to 17. \(Of course, if we start with a prime number $p$, all possible choices of $g$ will be relatively prime to 17 as long as we don't pick 0 or 1.\) Let's suppose $g = 3$. This number is also publicly known.

Now, both Alicia and Beto need to choose their own separate private keys. These can be any numbers whatsoever. Say Alicia's private key is $a = 15$ and Beto's private key is $b = 13$.

The important expression is

$$
g^{x} \mod p
$$

where $g = 3$ and $p = 17$. We'll see how to use the exponent $x$ in a moment.

Using the numbers in this example, we have

$$
3^{x} \mod 17.
$$

Again, just as a reminder, every part of the above expression is public knowledge.

Here's where the secret private keys play their part. Alicia uses her private key as the exponent first:

$$
3^{15} \mod 17.
$$

In symbols,

$$
g^{a} \mod p
$$

We can use Python to compute this easily:



In [10]:
pow(3, 15, mod = 17)

6

Alicia posts the answer 6 publicly.

It's worth noting here that the following congruence is now entirely public:

$$
3^{a} \equiv 6 \mod 17.
$$

If you could solve this equation for $a$, then you would know Alicia's secret key. For this simple example, it's not too hard to find $a$, but with much larger numbers, this is a very challenging problem called the _discrete logarithm problem_. Modular exponentiation is an example of a _one\-way function_, which is a function that is easy to compute one direction, but hard to compute in reverse. This is similar to mixing paint: it's easy to mix the paint, but pretty much impossible to go backwards and separate the paint into its original colors.

Beto now takes Alicia's public answer 6 and applies his own private key:

$$
6^{13} \mod 17.
$$



### Question 9

Do this calculation in Python.

In [11]:
# Add code here to compute 6^13 mod 17

*****

Mathematically, this is what has happened up to this point:

$$
6^{13} \equiv (3^{15})^{13}  \equiv 10 \mod 17.
$$

In symbols, this is

$$
(g^{a})^b \mod p.
$$

The answer, 10, is the secret key. And Beto now knows it.

Now we can start with Beto and run through the same procedure again. Beto applies his private key $b = 13$ in the public expression

$$
3^{13} \mod 17.
$$



### Question 10

Do this calculation in Python.

In [12]:
# Add code here to compute 3^13 mod 17

*****

Now Beto posts his answer 12 publicly. Let's see what happens when Alicia applies her private key to 12:

$$
12^{15} \mod 17.
$$



### Question 11

Do this calculation in Python.

In [13]:
# Add code here to compute 12^15 mod 17

*****

Mathematically, this is what happened:

$$
12^{15} \equiv (3^{13})^{15}  \equiv 10 \mod 17.
$$

In symbols, this is

$$
(g^{b})^a \mod p.
$$

The answer, 10, is the secret key. And Alicia now knows it. Both Beto and Alice know the secret key 10, but 10 was not one of the numbers that was publicly shared. And because it's an example of the discrete logarithm problem, it is very challenging to figure out the secret key 10 by anyone who only knows the information that has been shared publicly. \(Well, again, it would be relatively simple in this case where we have small numbers, but in the real world, where much larger numbers are used, it would be computationally impractical.\)


### Question 12

Explain mathematically why Alicia and Beto got the same final answer, 10. Hint: look at the results of their calculations in symbols. Why do these give the same number?


<span style='color:#9c27b0'>_Please write up your answer here._</span>


*****

At this point, the secret key 10 can now be used as a shared key for any cryptographic scheme that Alicia and Beto wish to use. For example, they can now use 10 as their Caesar shift. Or 10 in their Vigenère cipher.

**Side note**: to be secure with current computational resources, it is recommended to use a prime number $p$ that has at least 2048 digits when expressed in binary \(0s and 1s\). That's at least a 617\-digit number.



## Conclusion

### Question 13

What do you conclude from this reading and activity?

<span style='color:#673ab7'>Put your thoughts here. </span>
