In [11]:
print("hello world")

hello world


In [12]:
load('utils.py')

## Discrete Logarithm Problem

The discrete logarithm problem can be summarized as finding $x$ such as $g^x = y$ given $g$ .
In our case $g$ is a generator of a subgroup of order $q$ a prime divisor of $(p-1)$.

The tuple $(p,q,g)$ is public, $x$ ,*the private key*, is an integer sampled at random from $<g>$ the subgroup generated by $g$.
The public key is simply $y$.


## Discrete Logarithm Parameter Generation

Our goal is to generate public parameters for our system based on the DLP.
The ingredients required are a large prime $p$ (1024-bit...) a prime divisor of $p-1$ and a generator.
Finding the generator is the only *costly* operation using **Fermat Last Theorem** we will be able to compute it easily.


- Input : Security parameter l,t
- Output : DL Domain parameters (p,q,g)

1. Select a t-bit prime $q$ and an l-bit prime $p$ such as $q | p-1$.
2. Finding an element g of order q (finding the generator):

    2.1. Select an arbitrary $h \in [1,p-1]$ and compute $g = h^{((p-1)/q)} \mod p$
    
    2.2. If g = 1 then go to step 2.1 $(Pr(g=1) = 1/p)$
3. Return (p,q,g)

In [13]:
def dlp_param_gen(l,t):
    p = random_prime(2^l,lbound=2^(l-1))
    q = prime_divisors(p-1)[-1] # get the largest prime divisor of p-1
    h = randint(1,p-1)
    y = Integer((p-1)/q)
    g = power_mod(h,y,p)
    if g == 1 :
        g = power_mod(h,Integer((p-1)//q),p)
    return (p,q,g)

In [14]:
p,q,g = dlp_param_gen(256,128)

In [15]:
is_prime(q)

True

In [16]:
is_prime(p)


True

## Keypair generation

Since we're doing public key crypto we need to generate a keypair composed of our secret private key and a public key.
The algorithm to do so is as follows :

- Input : Domain parameters $(p,q,g)$
- Output : public key $y$ and private key $x$
1. Sample $x \in [1,q-1]$
2. Compute $y = g^x \mod p$
3. Return $(y,x)$

In [17]:
def dlp_keygen(p,q,g):
    x = randint(1,q-1)
    y = power_mod(g,x,p)
    return (y,x)

In [18]:
(y,x) = dlp_keygen(p,q,g)

## Encryption and Decryption

You can refer to [this answer](https://stackoverflow.com/questions/45617188/converting-elgamal-encryption-from-encrypting-numbers-to-strings) from stack overflow for more details.

Since you're encrypting using numbers doing so for a *plaintext* such as a credit card number or a **short message** is trivial you simple take your *text or binary data* turn it into a bytes then encode the bytes into a *big integer*.

Doing so for bytes is obvious since a string is just an array of bytes, encoding into big integers depends on your language (whether it supports arbitrary precision integers or needs a library).

When I say **short message** I point to the fact that your message needs to be smaller than the $p$ parameter since it needs to be inside the *group we're working on* in this case $\mathbb{Z_p}$ .

## Signature and DSA

The principle behind signing is authenticating the source of the data.
In our case Alice signs a message to prove to Bob the message's content and authenticity.

A great example is [ethereum](https://ethereum.org), to send some *ether* to Bob,Alice constructs a transaction
saying *send 10ether to Bob from this account* here's a signature $s$ proving *I did authorize the transaction*.

Ethereum of course uses a better construction based on Elliptic Curves (the subject of the next set of notes).

Here we'll see **DSA**, the Digital Signature Algorithm was proposed by NIST in 1991.
You have to know the difference between the signature algorithm and the math itself, the algorithm only does 
some computation to build hard to solve and easy to verify problems.

There can be many algorithms in fact we'll see another one designed by **Schnorr** that was pattented until 2008.
The algorithm can remain the same (require slight modifications) and we can instead change the *math*, that's in a sense how this thing works the math provides us with security guarrentees that *this equation is difficult to solve here are some big numbers to use for doing equation stuff*.

The DSA algorithm works as follows :

- Input : Domain parameters : $(p,q,g)$,private key $x$,message $m$

- Output : a signature $(r,s)$

    1.Sample a random $k \in [1,q-1]$.

    2.Compute $T = g^k \mod p$.
    
    3.Compute $r = T \mod q$ if $r=0$ recompute go to 1.
    
    4.Compute $h = H(m)$ , $H$ is a hash function.
    
    5.Compute $s = k^{-1} ( h + xr) \mod q$ if $s=0$ go to 1.
    
    6.Return (r,s)
    
    
The DSA signature verification algorithm works as follows :

- Input :  Domain parameters : $(p,q,g)$,public key $y$,message $m$ ,signature $(r,s)$
- Output : Boolean 

    1. Verify that r,s are in the interval $[1,q-1]$ reject if not
    2. Compute $h = H(m)$
    3. Compute $w = s^{-1} \mod q$
    4. Compute $u_1 = hw \mod q$
    5. Compute $u_2 = rw \mod q$
    6. Compute $T = g^{u_1}y^{u_2} \mod p$
    7. Compute $r' = T \mod q$
    8. If $r = r'$ then the signature is valid otherwise reject it. 

In [21]:
message = b"Nobody inspects"
messageHash = sha256py(b)
msgHashBytes = bytearray(h)

In [25]:

def int_from_bytes(b):
    n = 0
    for byte in msgHashBytes:
        n = n<<8 | byte
    return n

In [26]:
msgPoint = int_from_bytes(msgHashBytes)

msgPoint < (p-1)


True

In [44]:
def dlp_dsa_sign(p,q,g,x,h):
    k = randint(1,q-1)
    T = power_mod(g,k,p)
    r = mod(T,q)
    if r == 0 :
        print("r=0 repeat")
    invk = inverse_mod(k,q)
    secpart = (Integer(h) + (x*r) % q) %q
    s1 = invk*secpart
    s = s1 % q
    if s == 0 :
        print("s=0 repeat")
    return (r,s)

In [45]:
r,s = dlp_dsa_sign(p,q,g,x,msgPoint)

In [46]:
print(r < (q-1))
print(s < (q-1))
print(p,q,g,y,r,s)


True
True
(113377137750698992514901559591257981535085762510979630262220173300076725844389, 145781614272749218536927089054294369, 13743192433586752580922535577223971295725355363763292863497585116126565241744, 52805610933121568656382851904751315685369793561473300368000311375497674784972, 28900507199467140063486050821381627, 123908120214468337562239144391336313)


In [47]:
def dlp_dsa_verify(p,q,g,y,r,s,h):
    # if r or s isn't in [1,q-1] reject the signature
    w = inverse_mod(Integer(s),q)
    u1 = mod(h*w,q)
    u2 = mod(r*w,q)
    T1 = power_mod(g,Integer(u1),p)
    T2 = power_mod(y,Integer(u2),p)
    T = mod((T1*T2),p) 
    rp = mod(T,q)
    if r == rp:
        return True
    else :
        return False

In [48]:
dlp_dsa_verify(p,q,g,y,r,s,msgPoint)

True

To wrap up this let's write a proof that the signature validation algorithm is correct

$Proof$ :

- Let $k$ a random element we have $T = g^k \mod p$

- let $r = T \mod q$ and $s = k^{-1} (h+xr) \mod q$

- Verifier doesn't know x nor k but using algebra we can see that $k = s^{-1} (h+xr) \mod q$

- We raise both sides to $g$ $ g^k = g^{hs^{-1} + xr{s^{-1}}} \mod q$

- We decompose the right hand side $g^k = g^{hs^{-1}} . g^{xrs^{-1}} \mod q$

- $g^x = y$ thus $g^k = g^{hs^{-1}} . y^{rs^{-1}} \mod q$

- The verifier now computes $T = (g^{hs^{-1}} . y^{rs^{-1}} \mod q)$ and verifies $r' = T \mod q$ is equal to $r$ $\square$


## Schnorr Signature Algorithm

So a signature is a *proof of knowledge of y* and we can describe a *signature algorithms* ase a sequence of computations used to generate a **proof** and **verify** a proof.

The Schnorr signature algorithm is actually an *interactive zero knowledge proof of logarithm* you can read the [paper](https://pdfs.semanticscholar.org/8d69/c06d48b618a090dd19185aea7a13def894a5.pdf) there's a nice construction in cryptography called the [fiat-shamir heuristic](https://pdfs.semanticscholar.org/b904/6d002da153a6fe9b06d469da4efffdfcb9c6.pdf) that can turn any *interactive proof* to a *non-interactive one*.

> **Say I want to let you know that I know $x$ such as $g*x = y$ and I want to prove it to you without disclosing $x$.**

Well *Schnorr* thought hard and said well we can use randomness and hash functions to build a solid protocol that is sound and complete (Basically Verifier can't be cheated such as Prover proves a false statement)

The protocol works like this :

- **(Commitment)** : Verifier samples a random $v \in \mathbb{Z_q}$ and asks Prover for $t = g^v$

-  $t$ is called a commitment it's a way to force the Prover to commit to $g$.

- **Challenge** : Verifier sends a challenge $c = H(g,y,t)$

- **Response** : Prover computes $r = v -cx \mod q$

- The **zero knowledge proof of x is $(c,r)$**

To verify this the verifier can go trough the following steps :

- $t' = g^r.y^c$

- $t' = g^{(v-cx)}.y^c$

- $t' = g^{(v-cx)}.g^xc$

- $t' = g^{(v-cx + cx)} = g^v = t$

Thus if x was indeed the correct answer we'd have $H(g,y,t') = t$ 

The signature algorithm and verification is no different than this process.

Schnorr Signature Algorithm goes as follows:

- Input : (p,g,q), x,m
- Output : (s,e)
     
     1.Sample a random $k \in [1,q-1]$.
     
     2.Compute $r = g^k \mod q$
     
     3.Compute $e = H(r||m)$ || is the concatenation symbol as r is represented as bytes
     
     4.Compute $s = k - xe$
     
     5.return $(s,e)$
     
Verifying schnorr signatures is easier the algorithm proceeds as follows

- Input : (p,q,g),y,(s,e),h
- Output : True or Flase

    1. Let $rv = g^s * y^e$
    2. Let $ev = H(rv||h)
    3. If $ev = e$ return True otherwise return False
    
### Notes :

- For ease I basically work with hashes and verify the signatures over the hashes themselves in a public environment you 
should ask for the message itself and compute the hashes by yourself (ROM).

Verifying the signature is as easy as compute $ev = H(g^s.y^e||M)$ I leave to you the implementation details.

In [49]:
from Crypto.Util.number import long_to_bytes


In [52]:
k = randint(1,q-1)
r = power_mod(g,k,q)
rb = long_to_bytes(r)
rb.

'\t\x91\xf0t\x80\xc7\xb9rJL\xa5\xa5\xf7c\xbb'

In [53]:
def schnorr_sign(p,g,q,x,h):
    k = randint(1,q-1)
    r = power_mod(g,k,q)
    rBytes = long_to_bytes(r)
    rm = rb + h
    eBytes = sha256py(rm)
    e = int_from_bytes(eBytes)
    s = (k - (x*e) % q) % q
    return (s,e)

In [54]:
(s,e) = schnorr_sign(p,q,g,x,msgHashBytes)

In [57]:
def schnorr_verify(p,q,g,y,s,e,h):
    gs = power_mod(g,s,q)
    ye = power_mod(y,e,q)
    rv = gs * ye
    rvBytes = long_to_bytes(rv)
    rm = rvBytes + h
    evBytes = sha256py(rm)
    ev = int_from_bytes(evBytes)
    if ev == e :
        return True
    return False
    

In [58]:
schnorr_verify(p,q,g,x,s,e,msgHashBytes)

True