# Extra week #8

### Q1: Implementing Authenticated Encryption

For this, go to subdirectory **answers_extra** and run the following commands:

```bash
python3 gen.py
python3 bob.py
python3 alice.py
```

### Q2: Signing with RSA
#### Question - P1

Basically, if we define M = $\sigma^{e}$ mod $N$

This tells you what message would a verifier think this signature belongs to.


Then, the verifier will check if $\sigma^{e}$ mod $N$ = M. Since we literally defined it as that, the check **always succeeds**

In [3]:
from sage.all import power_mod
p = 7
q = 17
N = p * q #119

e = 5
sigma = 7 #arbitraty value chose for this example

# Let's compute M 
M = power_mod(sigma, e, N)

# The attacker then submits (Message: M, Signature: sigma)
print(f"Submission by the attacker:\n{(M, sigma)}")

# Let's compute M'

M_check = power_mod(sigma, e, N)

# Let's check if M' == M

if M == M_check:
    print("Valid signature without even knowing d!!!")


Submission by the attacker:
(28, 7)
Valid signature without even knowing d!!!


#### Question - P2

FDH relies on three security properties of the hash functions:

##### *1. Preimage resistance*

It must be *computationally impossible* to find any input $x$ such that:

$H(x) = y$

The attacker would need to compute $h' = \sigma^{e}$. To forge a message/signature pair, the attacker must find $M$ such that:

$H(M) = h'$

This is exactly inverting the hash, which **preimage resistance** stops.

##### *2. Second Preimage resistance*

Given a message $M$, it should be infeasible to find a different message $M'$ such that:

$H(M') = H(M)$

The attacker could find another message with the same hash or reuse a signature for a different message, if it wasn't for **second preimage resistance**.

##### *3. Collision Resistance*

It should be infeasible to find any two messages $M_1$, $M_2$ such that:

$H(M_1) = H(M_2)$

Without this property, the attacker could forge signatures by forcing hash collisiones. It also prevents advanced attacks like multiplicative RSA tricks.