In [1]:
print("hello world")

hello world


## Discrete Logarithm Problem

The discrete logarithm problem can be summarized as finding $x$ such as $g^x = y$ given $g$ .
In our case $g$ is a generator of a subgroup of order $q$ a prime divisor of $(p-1)$.

The tuple $(p,q,g)$ is public, $x$ ,*the private key*, is an integer sampled at random from $<g>$ the subgroup generated by $g$.
The public key is simply $y$.


## Discrete Logarithm Parameter Generation

Our goal is to generate public parameters for our system based on the DLP.
The ingredients required are a large prime $p$ (1024-bit...) a prime divisor of $p-1$ and a generator.
Finding the generator is the only *costly* operation using **Fermat Last Theorem** we will be able to compute it easily.


- Input : Security parameter l,t
- Output : DL Domain parameters (p,q,g)

1. Select a t-bit prime $q$ and an l-bit prime $p$ such as $q | p-1$.
2. Finding an element g of order q (finding the generator):

    2.1. Select an arbitrary $h \in [1,p-1]$ and compute $g = h^{((p-1)/q)} \mod p$
    
    2.2. If g = 1 then go to step 2.1 $(Pr(g=1) = 1/p)$
3. Return (p,q,g)

In [6]:
def dlp_param_gen(l,t):
    p = random_prime(2^l,lbound=2^(l-1))
    q = prime_divisors(p-1)[-1] # get the largest prime divisor of p-1
    h = randint(1,p-1)
    y = Integer((p-1)/q)
    g = power_mod(h,y,p)
    if g == 1 :
        g = power_mod(h,Integer((p-1)//q),p)
    return (p,q,g)

In [15]:
p,q,g = dlp_param_gen(256,128)

In [16]:
is_prime(q)

True

In [17]:
is_prime(p)


True

## Keypair generation

Since we're doing public key crypto we need to generate a keypair composed of our secret private key and a public key.
The algorithm to do so is as follows :

- Input : Domain parameters $(p,q,g)$
- Output : public key $y$ and private key $x$
1. Sample $x \in [1,q-1]$
2. Compute $y = g^x \mod p$
3. Return $(y,x)$

In [20]:
def dlp_keygen(p,q,g):
    x = randint(1,q-1)
    y = power_mod(g,x,p)
    return (y,x)

In [21]:
(y,x) = dlp_keygen(p,q,g)

## Encryption and Decryption

You can refer to [this answer](https://stackoverflow.com/questions/45617188/converting-elgamal-encryption-from-encrypting-numbers-to-strings) from stack overflow for more details.

Since you're encrypting using numbers doing so for a *plaintext* such as a credit card number or a **short message** is trivial you simple take your *text or binary data* turn it into a bytes then encode the bytes into a *big integer*.

Doing so for bytes is obvious since a string is just an array of bytes, encoding into big integers depends on your language (whether it supports arbitrary precision integers or needs a library).

When I say **short message** I point to the fact that your message needs to be smaller than the $p$ parameter since it needs to be inside the *group we're working on* in this case $\mathbb{Z_p}$ .

## Signature and DSA

The principle behind signing is authenticating the source of the data.
In our case Alice signs a message to prove to Bob the message's content and authenticity.

A great example is [ethereum](https://ethereum.org), to send some *ether* to Bob,Alice constructs a transaction
saying *send 10ether to Bob from this account* here's a signature $s$ proving *I did authorize the transaction*.

Ethereum of course uses a better construction based on Elliptic Curves (the subject of the next set of notes).

Here we'll see **DSA**, the Digital Signature Algorithm was proposed by NIST in 1991.
You have to know the difference between the signature algorithm and the math itself, the algorithm only does 
some computation to build hard to solve and easy to verify problems.

There can be many algorithms in fact we'll see another one designed by **Schnorr** that was pattented until 2008.
The algorithm can remain the same (require slight modifications) and we can instead change the *math*, that's in a sense how this thing works the math provides us with security guarrentees that *this equation is difficult to solve here are some big numbers to use for doing equation stuff*.

The DSA algorithm works as follows :

- Input : Domain parameters : $(p,q,g)$,private key $x$,message $m$

- Output : a signature $(r,s)$

    1.Sample a random $k \in [1,q-1]$.

    2.Compute $T = g^k \mod p$.
    
    3.Compute $r = T \mod q$ if $r=0$ recompute go to 1.
    
    4.Compute $h = H(m)$ , $H$ is a hash function.
    
    5.Compute $s = k^{-1} ( h + xr) \mod q$ if $s=0$ go to 1.
    
    6.Return (r,s)
    
    
The DSA signature verification algorithm works as follows :

- Input :  Domain parameters : $(p,q,g)$,public key $y$,message $m$ ,signature $(r,s)$
- Output : Boolean 

    1. Verify that r,s are in the interval $[1,q-1]$ reject if not
    2. Compute $h = H(m)$
    3. Compute $w = s^{-1} \mod q$
    4. Compute $u_1 = hw \mod q$
    5. Compute $u_2 = rw \mod q$
    6. Compute $T = g^{u_1}y^{u_2} \mod p$
    7. Compute $r' = T \mod q$
    8. If $r = r'$ then the signature is valid otherwise reject it. 

In [22]:
from hashlib import sha256

def h(x):
    hash = sha256()
    hash.update(x)
    return hash.digest()

In [23]:
b = b"Nobody inspects"
h(b)

'\xe7\xa3\xf8\x08\xcb\x06\x87\xfd6`\xe9V\xa5\xdf\x0f\x00\xe2>\xda\xc5e\x07i\xec5N\xe6p\xb6X\x85\x8c'

Because sagemath doesn't support bytes to integer conversion I did that in python and pasted the number here.
h(b)=63559401733551349337704679248512602984947374998675114433015782914039590986727

In [24]:
# Let's check that h is less than our p i.e is inside Zp
h = 63559401733551349337704679248512602984947374998675114433015782914039590986727
h < (p-1)

True

In [25]:
def dlp_dsa_sign(p,q,g,y,m):
    k = randint(1,q-1)
    T = power_mod(g,k,p)
    r = mod(T,q)
    if r == 0 :
        print("r=0 repeat")
    h = 63559401733551349337704679248512602984947374998675114433015782914039590986727
    invk = inverse_mod(k,q)
    s1 = invk*(Integer(h)+(y*r))
    s = s1 % q
    if s == 0 :
        print("s=0 repeat")
    return (r,s)

In [26]:
r,s = dlp_dsa_sign(p,q,g,x,b)

In [27]:
print(r < (q-1))
print(s < (q-1))
print(p,q,g,y,r,s)


True
True
(104116694597093556388258477325882371225424429632523019990173022300713386500073, 362139158459728960513971474916731095377, 1953481512989517349830463270950424582837833895114092601119358879143227469542, 80122107292756902200579454089856062921509161717082990519030243630852977095017, 339846853237835977816144818670279379797, 280672864958921241162029585029789708142)


In [29]:
def dlp_dsa_verify(p,q,g,y,r,s,h):
    # if r or s isn't in [1,q-1] reject the signature
    w = inverse_mod(Integer(s),q)
    u1 = mod(h*w,q)
    u2 = mod(r*w,q)
    T1 = power_mod(g,Integer(u1),p)
    T2 = power_mod(y,Integer(u2),p)
    T = mod((T1*T2),p) 
    rp = mod(T,q)
    if r == rp:
        return True
    else :
        return False

In [30]:
dlp_dsa_verify(p,q,g,y,r,s,h)

True