# DS 653 -- Homework 6

**Due:** Friday, March 28 at 10pm on [Gradescope](https://www.gradescope.com/courses/959425).

_You must follow the Academic Code of Conduct and Collaboration Policy stated in the course syllabus at all times while working on this assignment._

This assignment contains 8 questions worth a total of 20 points. You will earn:
- 1 course learning credit for earning at least 10 points, or
- 2 course learning credits for earning all 20 points on this homework.

_If you write code that attempts to fool the tests rather than solving the actual question, then you will receive a 0 on the assignment and it will be considered a violation of the Academic Code of Conduct._

This homework is configured to run either on Google Colab or locally on your computer. If you run it locally, please make sure that this Jupyter notebook is the only file in its directory.

To begin, please execute the code block below. It will download this week's auto-grading tests, install and configure otter-grader, and import the crypto and bytestring libraries that we use in this course.

In [1]:
url = "https://crypto-ds.github.io/hw06.zip"

!pip install -q otter-grader && pip install pycryptodomex

# Download zip file containing tests
import os
import urllib.request

zip_file_name = url.split("/")[-1]  # Extract filename from URL
zip_path = os.path.join(os.curdir,zip_file_name)

if not os.path.exists(zip_path):
    print(f"Downloading {url} to {zip_path}...")
    urllib.request.urlretrieve(url, zip_path)
    print("Download complete.")
else:
    print(f"File {zip_path} already exists. Skipping download.")

# Extract test files from zip
import zipfile

extract_dir = os.path.join(os.curdir, "tests") # Where to extract the files
if not os.path.exists(extract_dir):            # Ensure extraction directory exists
    os.makedirs(extract_dir)

print(f"Extracting {zip_path} to {extract_dir}...")
with zipfile.ZipFile(zip_path, 'r') as zip_ref:
    zip_ref.extractall(extract_dir)

print(f"Unzipped {zip_path} to {extract_dir}")

# Initialize otter-grader
import otter
grader = otter.Notebook()

# Import crypto libraries
import Cryptodome
from binascii import hexlify, unhexlify
from hashlib import sha256
from os import urandom
from Cryptodome.Util.strxor import strxor
from Cryptodome.Cipher import AES

/bin/bash: line 1: /home/annaandmandy/ds653/DS653_crypto/.venv/bin/pip: cannot execute: required file not found
Downloading https://crypto-ds.github.io/hw06.zip to ./hw06.zip...
Download complete.
Extracting ./hw06.zip to ./tests...
Unzipped ./hw06.zip to ./tests


### Reading Questions (2 points each)

These multiple-choice questions are based on the week 8-9 reading assignments: [Boneh-Shoup pages 4-18](https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_6.pdf), [AMPH pages 9-19](https://rd-springer-com.ezproxy.bu.edu/book/10.1007/978-3-662-44757-4), and [Aumasson pages 7-12](https://nostarch.com/download/SeriousCryptography_Chapter4_sample.pdf).

To answer a question, please uncomment the correct response.

**Question 1 (Variable length OTP).** In a variable length one-time pad, which of the following is **not** allowed?

1. Plaintext message is shorter than the symmetric key.
2. Plaintext message is the same length as the symmetric key.
3. Plaintext message is longer than the symmetric key.

In [2]:
def hw6_q1() -> int:
    # return 1
    # return 2
    return 3

In [3]:
grader.check("q1")

**Question 2 (Breaking OTP confidentiality).** How much work does an attacker Mallory have to perform in order to break the confidentiality of a one-time pad?

1. A small amount of work that is easy to perform on a laptop.
2. A large but possible amount of work (similar to mining a block).
3. A gigantic and infeasible amount of work (similar to forging a signature).
4. It is impossible, no matter how powerful Mallory is.

In [10]:
def hw6_q2() -> int:
    # return 1
    # return 2
    # return 3
    return 4

In [11]:
grader.check("q2")

**Question 3 (MACs versus signatures).** Both message authenication codes (MACs) and digital signatures provide data integrity, but they have some differences. Which of the following statements is true?

1. Both MACs and digital signatures allow the whole world to verify the sender's identity.
2. Both MACs and digital signatures satisfy the security guarantee of "existential unforgeability under a chosen message attack" (EU-CMA).
3. Both MACs and digital signatures require a public/secret key pair.

In [14]:
def hw6_q3() -> int:
    # return 1
    return 2
    # return 3

In [15]:
grader.check("q3")

**Question 4 (Password hashing).** Let $H$ be an ordinary hash function like SHA-2 or SHA-3, and let $P$ be a password hashing function like PBKDF2. What is the main difference between $H$ and $P$?

1. Determinism: $H$ is a deterministic function whereas $P$ is randomized.
2. Keying: $H$ is an unkeyed function whereas $P$ requires a symmetric key.
3. Security: $H$ satisfies collision resistance whereas $P$ only satisfies preimage resistance.
4. Speed: $H$ is fast whereas $P$ is slow.

In [22]:
def hw6_q4() -> int:
    # return 1
    # return 2
    # return 3
    return 4

In [23]:
grader.check("q4")

**Question 5 (Key lengths).** The Advanced Encryption Standard (AES) is a family of pseudorandom permutations -- also known as a block cipher. It supports a few different key lengths. Which of the following is **not** a supported key length?

1. 56 bits
2. 128 bits
3. 192 bits
4. 256 bits

In [26]:
def hw6_q5() -> int:
    return 1
    # return 2
    # return 3
    # return 4

In [27]:
grader.check("q5")

**Question 6 (Software vs hardware).** The Advanced Encryption Standard (AES) can be implemented in either software or hardware. There are many advantages when using the dedicated hardware AES instruction within Intel/AMD processors rather than implementing it yourself in software. Which of the following statements is **not** an advantage of hardware?

1. Determinism: The hardware instruction is deterministic whereas the software implementations are randomized.
2. Security: The hardware instruction stops some side channel attacks that exist with software implementations.
3. Speed: The hardware instruction is faster.

In [28]:
def hw6_q6() -> int:
    return 1
    # return 2
    # return 3

In [29]:
grader.check("q6")

### Programming Questions (4 points each)

These questions require you to write code in `Python`. This week's homework explores one-time pads and the sponge function design.

**Question 7 (Two-time pad attack).** In this question, you will see why it is important never to re-use the key in a one-time pad.

To begin, execute the code block below. It executes a one-time pad for 3-byte messages.

In [30]:
## Execute, but DO NOT MODIFY this code block ##

from Cryptodome.Util.strxor import strxor
from os import urandom
from binascii import hexlify, unhexlify

def OTP_encrypt(pt, key):
    """ Given pt and key in byte, return ciphertext c = (pt xor key).
    """
    assert len(pt)   == 3
    assert len(key)  == 3
    assert type(pt)  == bytes
    assert type(key) == bytes
    return strxor(pt, key)

# common 3-letter English words
# source: https://en.wikipedia.org/wiki/Most_common_words_in_English
common_words = [b"all", b"and", b"any", b"but", b"can", b"day", b"for",
                b"get", b"her", b"him", b"his", b"how", b"its", b"new",
                b"not", b"now", b"one", b"our", b"out", b"say", b"see",
                b"she", b"the", b"two", b"use", b"way", b"who", b"you"]

A one-time pad performs the bitwise logical XOR of the plaintext and key. We provide an example below. (Note that each time you execute this code block, a new key is randomly sampled and as a result the ciphertext changes.)

In [31]:
from os import urandom
from binascii import hexlify, unhexlify

pt  = b"all"
print("plaintext: ", hexlify(pt))

key = urandom(3)
print("key:       ", hexlify(key))
print("ciphertext:", hexlify(OTP_encrypt(pt, key))) # ciphertext length: 3 bytes

plaintext:  b'616c6c'
key:        b'f8a175'
ciphertext: b'99cd19'


**Your task:** Given two ciphertexts that correspond to the one time pad of (potentially different) `common_words` with the *same key*, find the two underlying plaintexts and return them as a Python set.

In [35]:
def q7_two_time_pad_attack(ct1: bytes, ct2: bytes) -> set:
    # use this variable for your eventual solution
    plaintexts = set()
    
    xor_ct = strxor(ct1, ct2)

    for i in range(len(common_words)):
        for j in range(i+1, len(common_words)):
            pt1 = strxor(xor_ct, common_words[i])
            pt2 = strxor(xor_ct, common_words[j])
            if pt1 in common_words and pt2 in common_words:
                plaintexts.add(pt1)
                plaintexts.add(pt2)
        

    assert type(plaintexts) == set
    return plaintexts

Our test for this question samples two plaintexts at random from `common_words` and a single key as a random bytestring of length 3. It provides the two corresponding ciphertexts as inputs to your function.

In [36]:
grader.check("q7")

**Question 8 (Sponge function).** The *sponge function* forms the basis of the SHA-3 hash function (aka Keccak). See the following Wikipedia page for a reminder of the design: [[link]](https://en.wikipedia.org/wiki/Sponge_function).

The sponge construction requires a public, fixed-length, random-looking permutation `f`. Since we haven't yet discussed in class how the actual Keccak-`f` function works, in this problem let's instead use a toy 32-byte permutation that is provided below.

In [37]:
## Execute, but DO NOT MODIFY this code block ##

from Cryptodome.Cipher import AES
from Cryptodome.Util.strxor import strxor

def toy_f(input_bytes):
    """
    Toy example of a pseudorandom permutation. While it is **NOT** secure and
    should not be used in practice, we will use it in this homework for learning purposes.

    The input and output length of this permutation is 32 bytes. Note that toy_f
    is invertible, but you do not need the inverse function to copmlete the HW question.
    """
    assert len(input_bytes) == 32, "incorrect length" # input length must be 32
    prp1 = AES.new(b"AES with key one", AES.MODE_ECB) # run AES twice with fixed keys
    prp2 = AES.new(b"AES with key two", AES.MODE_ECB)
    return prp1.encrypt(input_bytes[:16]) + prp2.encrypt(input_bytes[-16:])

**Your task**: Design a sponge function that *absorbs* an arbitrary-length input bytestring using the specified `rate`, and then *squeezes* an output that contains `outputLen` bytes of data.
        
Notes:
- Don't worry about padding; that is, you may assume that inputs are always a multiple of `rate` bytes in length.
- Keep in mind that `rate + capacity = 32`, so the capacity size is determined by the rate size.

In [86]:
def q8_sponge_function(inputBytes: bytes, outputLen: int, rate: int) -> bytes:
    assert(len(inputBytes) % rate == 0), "invalid input length"
    state = bytearray(32)
    
    for i in range(0, len(inputBytes), rate):
        block = inputBytes[i:i + rate]
        if len(block)<rate:
            block = block + bytearray(rate - len(block))
        state = strxor(state, block+bytearray(32-rate))
        state = toy_f(state)

    output = bytearray()

    while len(output) < outputLen:
        output.extend(state[:min(rate, outputLen - len(output))])
        if outputLen - len(output) > 0:
            state = toy_f(state)

    return bytes(output[:outputLen])


Here are a few test cases that you can use in this question.

In [87]:
from binascii import hexlify, unhexlify

def q8_test_cases():
    assert q8_sponge_function(unhexlify(b'9654'), 1, 2) == unhexlify(b'13')
    assert q8_sponge_function(unhexlify(b'1a2b'), 2, 2) == unhexlify(b'e7fe')
    assert q8_sponge_function(unhexlify(b'd0c91003bfabab35fa'), 3, 3) == unhexlify(b'eff815')
    assert q8_sponge_function(unhexlify(b'b57bf48ce793c55f98027ec7'), 3, 3) == unhexlify(b'd5d0c8')
    assert q8_sponge_function(unhexlify(b'e8757bd4dfefd2bda87a5ac7'), 5, 3) == unhexlify(b'266a0c920f')
    assert q8_sponge_function(unhexlify(b'eb65fe6c985e56f26d76812b42d18e0b6872ba61a3024e5188'), 6, 5) == unhexlify(b'328a1be2d287')
    assert q8_sponge_function(unhexlify(b'1866a4fddb2449a9aa6705579e4856ba486bf6ae0d38cc3dbbdc20f3'), 18, 7) == unhexlify(b'419633435409c71a8b9655bf278e05ea1015')

q8_test_cases()

In [88]:
grader.check("q8")

### Collaboration Policy

Congratulations on completing the homework! Before you submit the assignment: list all collaborators, sources, and AI tools in accordance with the collaboration policy. Doing so is to your advantage: this is your opportunity to document and explain any external information used and why you believe it adheres to the code of conduct and collaboration policy. If I discover an undocumented violation of the collaboration policy, then this will be considered academic misconduct.

A. Write the names of all classmates you worked with, along with a short description of the work that you performed together.

**Your response:** 

B. List all written materials that you used, such as books or websites (besides the lecture notes and course textbooks). Provide links to any web-based resources, or citations to any physical works.

**Your response:** 

C. State all code that you used from other sources. In particular, if you used an AI tool, then you must include the entire exchange with the AI tool, as per the [CDS Generative AI Assistance Policy](https://www.bu.edu/cds-faculty/culture-community/gaia-policy/).

**Your response:** 

### Sending to Gradescope

After completing the assignment, submit only the `.ipynb` file to Gradescope. It takes a while for the auto grading system to check your work.