# Extra week #8

### Q1: Implementing Authenticated Encryption

For this, go to subdirectory **answers_extra** and run the following commands:

```bash
python3 gen.py
python3 bob.py
python3 alice.py
```

### Q2: Signing with RSA
#### Question - P1

### Vulnerability of the naive RSA signature scheme

The naive RSA signature scheme is defined as follows:

- **Sign:** $\sigma = M^{d} \mod N$
- **Verify:** accept if $M' = \sigma^{e} \mod N = M$

This scheme is vulnerable to forgery because it is possible to produce valid signatures for certain messages without knowing the private key \(d\).

For example, for trivial messages:

- $M = 0$, the signature is $\sigma = 0^{d} \mod N = 0$, which is trivial to forge.  
- $M = 1$, the signature is $\sigma = 1^d \mod N = 1$, also trivial.  
- $M = N-1$, the signature is $\sigma = (N-1)^d \mod N = N-1$, again easy to produce.

Furthermore, due to the mathematical properties of RSA, an attacker can select any arbitrary value $\sigma \in [0, N-1]$, then compute the corresponding message $M = \sigma^e \mod N$. This pair $(M, \sigma)$ will pass verification despite the attacker not having access to the private key.

Therefore, this naive signature scheme does not provide unforgeability, as an adversary can create valid signature-message pairs without the private key.

In [None]:
from sage.all import power_mod
p = 7
q = 17
N = p * q #119

e = 5
sigma = 7 #arbitraty value chose for this example

# Let's compute M 
M = power_mod(sigma, e, N)

#g The attacker then submits (Message: M, Signature: sigma)
print(f"Submission by the attacker:\n{(M, sigma)}")

# Let's compute M'

M_check = power_mod(sigma, e, N)

# Let's check if M' == M

if M == M_check:
    print("Valid signature without even knowing d!!!")


Submission by the attacker:
(28, 7)
Valid signature without even knowing d!!!


#### Question - P2

FDH relies on three security properties of the hash functions:

##### *1. Preimage resistance*

It must be *computationally impossible* to find any input $x$ such that:

$H(x) = y$

The attacker would need to compute $h' = \sigma^{e}$. To forge a message/signature pair, the attacker must find $M$ such that:

$H(M) = h'$

This is exactly inverting the hash, which **preimage resistance** stops.

##### *2. Collision Resistance*

It should be infeasible to find any two messages $M_1$, $M_2$ such that:

$H(M_1) = H(M_2)$

Without this property, the attacker could forge signatures by forcing hash collisiones. It also prevents advanced attacks like multiplicative RSA tricks.

##### *3. Uniform output distribution:*

The hash function maps messages uniformly over the domain $[0, N-1]$, preventing predictable patterns in signatures.


Because of these properties, an attacker cannot simply pick a random signature $\sigma$ and compute a corresponding message $M$ that satisfies $H(M) = \sigma^e \mod N$ without the private key. This restores the unforgeability property, making FDH a secure digital signature scheme.
