<h1><b>Homework III</b></h1>

<i>Introduction to Cryptography &ndash; Loyola University Chicago - Spring 2024</i>

<div style="margin-top:32px;">
<font style="font-size: large;">
    <b>Name:</b> 
    Alina Zacaria
</font>
</div>

## **P0:** Self-Assessment

`Undergraduate Students & Graduate Students:`

- Please give resources used (and to what extent) on this homework assignment.

 - Name one problem that:

    + you are sure about; P3

    + you would like feedback on; P4

 - Look back at the definitions, theorems, concepts, and questions-of-the-week from the past two weeks. Place them into one of three columns.

| happy: | :need review: | :unhappy |
| --- | --- | --- |
| prime number | rings | el gamal |
| crt | rabin's encryption | gcdex |


 - **Agree** 
 Next week, I should seek more help from my group members or Piazza, or [Drop in](https://appt.link/lauve-meetings) for a visit with my professor.

# Math/Comp 331

``Undergraduate Students:`` submit solutions to all exercises in this collection, plus the **Self Assessment** above.

**Important Notes.** 

- On problems that require some mathematical calculations, you may use markdown cells with $\LaTeX{}$ or upload a PDF or PNG file. 
<br>
(Be sure to indicate the file name if you don't import your solution directly beneath the problem statement.)

- All functions you code in this class as part of your solutions should include a doc string (within triple-quotes). 
<br>(Additionally, particularly lengthy blocks of code should include a comment or two for the reader.)

## **P1:** Python Checkup, I

We need to talk about **encoding(\*) and decoding.** (See Hoffstein, Section 1.7.2.) 

 - Let us use Unicode UTF-8 encoding. ([See here](https://www.utf8-chartable.de/unicode-utf8-table.pl?number=128&names=2&utf8=string-literal) for a dictionary of printable and nonprintable characters.)

 - Converting these to decimal numbers, they are all less than 128, so let's pick a bigger prime (say $p=131$)
For all unassigned numbers (not appearing in the Unicode encoding scheme), let us associate them with "$*_i$" for the $i$-th non-specified character. By the same token, let us write $x_i$ for the UTF-8 literals that are non-printable characters. (Again, see [the dictionary](https://www.utf8-chartable.de/unicode-utf8-table.pl?number=128&names=2&utf8=string-literal).)

To see its use in practice, let us use an Affine cipher, with $e(m) = 3m+70$. What does the process look like? (_Warning:_ below I'm using an incorrect/completely-made-up encoding, just for illustrative purposes.) In practice there are four steps: encode, encrypt, decrypt, decode, which I show as four rows: input letter (*plaintext*), input number ("plaintext"), output number ("ciphertext"), output letter (*ciphertext*).

```
  a  b   c  d  e ...
 -------------------
  1  2  20  4 22 ...
 73 76 130 82  5 ...
 -------------------
  p  X  *1  4 x5 ...
```

So, if Bob sends "badcab", then Eve and Alice both see `(76, 73, 82, 130, 73, 76)` and both decode/read it as the message "X p 4 *1 p X". Of course, Alice knows how to first apply a decryption function before trying to decode/read it. So she will correctly see "badcab" when done.

#### Your Tasks:

1. Write "let sleeping dogs lie", including the spaces, as a string of Unicode numbers. (Use code to help you; learn about `ord` and `chr`.)


2. Show me the (correct) encryption table for the full lowercase alphabet. (I don't need to see all four rows, as fake-shown above, just the first and last.)


3. Encrypt the message in Part 1.

---

(\*) The "proper" way to encode text is to assign characters to numbers in a such way that they are "far apart" when written in binary notation. E.g., the letter `A` might be encoded as `011000` while `B` might be encoded as `000101`. This allows for error detection during transmission. (_E.g._, suppose Bob sends `A`, but static in the transmission line causes the third digit to blip from `1` to `0`, so Alice receives `010000`. "Hmm. that string is not in my lookup table,"" says Alice's computer. The computer tries to repair it... the received message is **three errors away** from `B` but only **one error away** from `A`. Assumig a not-very-noisy channel, Bob must have sent `A`.) But we won't worry about that for now.

In [1]:
input_text = "let sleeping dogs lie" # text
unicode_nums = [] # accumulation -> list

for c in input_text: # conversion
    unicode_nums.append(ord(c))
    
print(unicode_nums) # output

[108, 101, 116, 32, 115, 108, 101, 101, 112, 105, 110, 103, 32, 100, 111, 103, 115, 32, 108, 105, 101]


In [2]:
encryption_table = {} # format: 'letter' -> 'encryption number'

for letter in range(ord('a'), ord('z') + 1):
    encrypted_char = (3 * (letter - ord('a')) + 70) % 131 # formula to convert to encryption number
    encryption_key = chr(letter)
    encryption_table[encryption_key] = encrypted_char

print(encryption_table) # encryption table

{'a': 70, 'b': 73, 'c': 76, 'd': 79, 'e': 82, 'f': 85, 'g': 88, 'h': 91, 'i': 94, 'j': 97, 'k': 100, 'l': 103, 'm': 106, 'n': 109, 'o': 112, 'p': 115, 'q': 118, 'r': 121, 's': 124, 't': 127, 'u': 130, 'v': 2, 'w': 5, 'x': 8, 'y': 11, 'z': 14}


## **P2:** The ElGamal PKC

Alice and Bob agree to use the prime $p = 1373$ and the base $g = 2$ for communications using the ElGamal public key cryptosystem.


In [3]:
# elgamal

for a in range(1, 23):
    xx = set([pow(a,k,23) for k in range(23)])
    print(a, len(xx), xx)

1 1 {1}
2 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
3 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
4 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
5 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
6 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
7 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
8 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
9 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
10 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
11 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
12 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
13 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
14 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
15 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
16 11 {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
17 22 {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22}
18

**a)** Alice chooses $a = 947$ as her private key. What is the value of her public key $A$?

In [4]:
import math

a = 947 # private key
g = 2 # base
p = 1373 # prime modolus

A = int(math.pow(g, a) % p) # g ^ a mod p
print("Alice's public key:", A) # public key

Alice's public key: 177


 **b)** Bob chooses $b = 716$ as his private key, so his public key is $B = 2716 = 469 \pmod{1373}$
 Alice encrypts the message $m = 583$ for Bob using the random element $k = 877$. What is the ciphertext $(c_1,c_2)$ that Alice sends to Bob?

In [5]:
import math

g = 2
p = 1373
b = 716

B = math.pow(g, b) % p # Bob's public key: g ^ a mod p

m = 583 # encrypted message
k = 877 # random k

c1 = int(math.pow(g, k) % p) # first component c1 - ciphertext
c2 = (m * pow(int(B), k, p)) % p # second component c2 - ciphertext

ciphertext = (c1, c2)
print("Ciphertext (c1, c2):", ciphertext) # complete ciphertext

Ciphertext (c1, c2): (719, 623)


 **c)** New month, new keys. Alice now uses private key $a = 299$ with public key $A$ being $2^{299} = 34 \pmod{1373}$. Bob encrypts a message using Alice’s public key and sends her the ciphertext $(c_1,c_2) = (661,1325)$. Decrypt the message.

In [6]:
r_c1 = 661 # first component - ciphertext
r_c2 = 1325 # second component - ciphertext

p = 1373
a = 299

S = pow(r_c1, a, p) # secret
S_inv = pow(S, -1, p) # invert the secret
m = (r_c2 * S_inv) % p # plaintext

print("Decrypted message (m):", m) # message


Decrypted message (m): 332


**d)** Eve notices that Alice and Bob have not used a particularly large $p$ and that $g$ does not have a particularly large order in $\mathbb F_p^*$. What DLP should she solve to in order to eavesdrop (and crack) all communications from Bob to Alice?

In [7]:
p = 1373
g = 2
B = pow(g, b, p) # Bob's public key

def discrete_log(g, B, p):
    '''
    Input:
    -------
    g: int
        generator
    B: int
        Bob's public key
    p: int
        prime modulos

    Output:
    -------
    int or None
        The private key corresponding to the public key B if found, otherwise None.

    Comments:
    ---------
    Brute-force solution to find b in ElGamal encryption scheme. 
    '''

    for b in range(1, p):  # Iterate through all possible private keys
        if pow(g, b, p) == B:  # Check if g^b mod p equals Bob's public key B
            return b
    return None  # If no solution is found

found_b = discrete_log(g, B, p)

if found_b is not None:
    print("Found private key (b):", found_b)
else:
    print("No private key (b) found.")


Found private key (b): 716


 **e)** Bob accidentally used the same ephemeral key 100 times in a row, and Eve intercepts $(2, x_1), (2, x_2), \ldots, (2, x_{100})$. How might she use frequency analysis to decrypt all 100 of these messages?


By looking at the distribution of the intercepted x x-values, ve can take use of the fact that Bob unintentionally used the same ephemeral key more than once. It indicates that the same plaintext message was encrypted with the same ephemeral key if there are any recurring x x-values within the ciphertexts (2, x 1 ), (2, x 2 ), …, (2, x 100 ) (2,x 1 ​~ ), (2,x 2 ​~ ),…,(2,x 100 ​~ ). The associated plaintext messages may subsequently be discovered by Eve if she is successful in decrypting these ciphertexts using the repeated ephemeral key. This strategy depends on Eve's capacity to spot trends in the ciphertexts and take advantage of the predictability brought about by Bob's repeated use of the ephemeral key.




## **P3:** Near-Perfect Security?

Consider the following private-key cryptosystem.

 - Bob and Alice agree on a prime modulus $p=17$ (public knowledge)

 - Bob and Alice agree that the key space $\mathbb K$ should be a subset of $\{1, 3, 5, 7, 9, 11, 13, 15\}$, and the plaintext space $\mathbb P$ should be a subset of $\{2, 3, 4, 5, \ldots, 13, 14, 15\}$. 
 
- Once they agree on a particular key $k$ (privately), encryption proceeds as $e_k(m) = m^k \pmod{17}$.
 
Below is the full range of possibilities.

In [8]:
p = 17
K_space = [1, 3, 5, 7, 9, 11, 13, 15]
P_space = [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]

header = "k\\m | " + " ".join("{:>2}".format(str(m)) for m in P_space) + " | e: m -> m^k (mod p)"
print(header)
print("-"*(1+len(header)))

C_space = set()
for k in K_space:
    # build and print the encryption output, for a given key
    # and extend the cipherspace set, as needed
    row = [pow(m, k, p) for m in P_space]
    C_space.update(row) 
    prow = "{:>3} | ".format(str(k)) + " ".join("{:>2}".format(str(mk)) for mk in row) + " |"
    print(prow)
C_space

k\m |  2  3  4  5  6  7  8  9 10 11 12 13 14 15 | e: m -> m^k (mod p)
----------------------------------------------------------------------
  1 |  2  3  4  5  6  7  8  9 10 11 12 13 14 15 |
  3 |  8 10 13  6 12  3  2 15 14  5 11  4  7  9 |
  5 | 15  5  4 14  7 11  9  8  6 10  3 13 12  2 |
  7 |  9 11 13 10 14 12 15  2  5  3  7  4  6  8 |
  9 |  2 14  4 12 11 10  8  9  7  6  5 13  3 15 |
 11 |  8  7 13 11  5 14  2 15  3 12  6  4 10  9 |
 13 | 15 12  4  3 10  6  9  8 11  7 14 13  5  2 |
 15 |  9  6 13  7  3  5 15  2 12 14 10  4 11  8 |


{2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}

#### Final Encryption Scheme Details

- Suppose Bob and Alice agree to use each key with equal probability. 
- Also suppose the probability of messages `2` or `8` occuring is twice as likely as any other message. (But otherwise all probabilities are equal.)

_Remember:_ $1 = \sum_{m\in \mathbb P} \mathrm{prob}(P=m)$.

#### Your Tasks

For each of the options below,
 - if you are sure **it is** a perfectly secure system, explain why.
 - if you are sure **it is not** a perfectly secure system, explain why.
 - **otherwise** find, if possible, some plaintext $m\in \mathbb P$ satisfying $\mathrm{prob}(C=c | P=m) \neq \mathrm{prob}(C=c).$

Explore the case when:

1.  `K_space = [5, 7, 9, 11]; P_space = [2, 8, 9]`

2. `K_space = [5, 7, 9, 13]; P_space = [2, 8, 9]`

3. `K_space = [3, 5, 7, 11]; P_space = [2, 4, 8, 9]`

4. `K_space = [5, 7, 9, 11]; P_space = [2, 8, 9, 15]`


In [9]:
import math

space_cases = [
    ({5, 7, 9, 11}, {2, 8, 9}),
    ({5, 7, 9, 13}, {2, 8, 9}),
    ({3, 5, 7, 11}, {2, 4, 8, 9}),
    ({5, 7, 9, 11}, {2, 8, 9, 15})
]

def perfect_secure_sys(space_cases):
    '''
    Input: 
    ------
    space_cases : list of tuples of sets of space numbers
        A list of tuples where each tuple contains two sets: 
        the first set represents the key space (K_space), 
        and the second set represents the plaintext space (P_space).

    Output: 
    -------
    None

    Comments:
    ---------
    Computes ciphertext space (C_space) by different key spaces (K_space) 
    and plaintext spaces (P_space) specified in the input list `space_cases`
    '''
    for case_num, (K_space, P_space) in enumerate(space_cases, start=1):
        C_space = set()

        for k in K_space:
            for m in P_space:
                c = int(math.pow(m, k) % 17)
                C_space.add(c)
        
        print(f"Case {case_num}, C_space: {C_space}")

perfect_secure_sys(space_cases)


Case 1, C_space: {8, 9, 2, 15}
Case 2, C_space: {8, 9, 2, 15}
Case 3, C_space: {2, 4, 8, 9, 13, 15}
Case 4, C_space: {8, 9, 2, 15}


## **P4:** CRT

Work Hoffstein Exercise 2.18(b,c,d,e). 

*Remark.* Do (d) by hand. You are welcome to hunt for (and use) a Python package with a `CRT` function to help with the other parts.

Please see attached pdf for [2.18.d](P4-CRT.pdf)

In [10]:
import sympy

def fast_modular_congruences(c):
    '''

    Input 
    -------------
    c: tuple of modular congruence tuples with (r_i, m_i) representing remainders and moduli 
       ((r_0, m_0), (r_1, m_2), ..., (r_i, m_i)) where i is the total number of congruence equations.

    Output
    -------------
    int: The solution to the system of modular congruences.

    Comments
    -------------
    Computes the solution to a system of modular congruences.
    '''
    large_mod = 1
    for i in range(len(c)):
        large_mod *= c[i][1]

    x = 0
    
    for a_i, n_i in c:
        m_i = large_mod // n_i
        _, M_i_inv, _ = sympy.gcdex(m_i, n_i)
        x += M_i_inv * m_i * a_i

    x = x % large_mod
    return x

congruences_b = ((137, 423), (87, 191))
congruences_c = ((133, 451), (237, 697))
congruences_e = ((37, 43), (22, 49), (18, 71))

res_b = fast_modular_congruences(congruences_b)
res_c = fast_modular_congruences(congruences_c)
res_e = fast_modular_congruences(congruences_e)

print("RESULT B:", res_b)
print("RESULT C:", res_c)
print("RESULT E:", res_e)

RESULT B: 33437
RESULT C: 250018
RESULT E: 43419
