In [1]:
# Initialize Otter
import otter
grader = otter.Notebook("assignment6.ipynb")

# DS 453 / 653: Programming Assignment 6

**Due date**: Sunday, March 31 at 8pm on [Gradescope](https://www.gradescope.com/courses/710247).

_You must follow the Academic Code of Conduct and Collaboration Policy stated in the course syllabus at all times while working on this assignment._

This assignment contains 3 questions worth a total of 5 points. You must receive at least 4 points to pass the assignment.

To begin, please execute the code block below:

In [2]:
# Execute this block only if you are using Google Colab.
# If you are running the notebook file locally, install pycryptodome yourself but do NOT install the package pycrypto.

!pip install pycryptodome

[33mDEPRECATION: Loading egg at /Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/luxai2021-0.1.0-py3.12.egg is deprecated. pip 24.3 will enforce this behaviour change. A possible replacement is to use pip for package installation.. Discussion can be found at https://github.com/pypa/pip/issues/12330[0m[33m


## Assignment Overview



#### Helper functions

In [3]:
from Crypto.Util.strxor import strxor
from binascii import hexlify, unhexlify
import string
import os

# the one-time pad operation, applied to bytestrings for the message and key
def one_time_pad(bytesMessage, bytesKey):
    """ If both the message and key are of type string and have the same length,
        then takes their strxor and returns the corresponding ciphertext.
    """
    assert(type(bytesMessage) == bytes)
    assert(type(bytesKey)     == bytes)
    assert(len(bytesMessage)  == len(bytesKey))
    return strxor(bytesMessage, bytesKey)

# list of the top 100 words, in all lowercase letters
words_lower = [b'a', b'about', b'after', b'all', b'also', b'an', b'and', b'any', b'as',
               b'at', b'back', b'be', b'because', b'but', b'by', b'can', b'come',
               b'could', b'day', b'do', b'even', b'first', b'for', b'from', b'get',
               b'give', b'go', b'good', b'have', b'he', b'her', b'him', b'his', b'how',
               b'i', b'if', b'in', b'into', b'it', b'its', b'just', b'know', b'like',
               b'look', b'make', b'me', b'most', b'my', b'new', b'no', b'not', b'now',
               b'of', b'on', b'one', b'only', b'or', b'other', b'our', b'out', b'over',
               b'people', b'say', b'see', b'she', b'so', b'some', b'take', b'than',
               b'that', b'the', b'their', b'them', b'then', b'there', b'these', b'they',
               b'think', b'this', b'time', b'to', b'two', b'up', b'us', b'use', b'want',
               b'way', b'we', b'well', b'what', b'when', b'which', b'who', b'will',
               b'with', b'work', b'would', b'year', b'you', b'your']

# top 100 words, this time with a capitalized first letter
words_upper = [(word.decode('ascii')[0].upper() + word.decode('ascii')[1:]).encode('ascii') for word in words_lower]

# subset of the above list that happens to be three-letter words
three_letter_words_lower = [b'all', b'and', b'any', b'but', b'can', b'day', b'for',
                           b'get', b'her', b'him', b'his', b'how', b'its', b'new',
                           b'not', b'now', b'one', b'our', b'out', b'say', b'see',
                           b'she', b'the', b'two', b'use', b'way', b'who', b'you']

# the capitalized version of the three letter words list
three_letter_words_upper = [(word.decode('ascii')[0].upper() + word.decode('ascii')[1:]).encode('ascii') for word in three_letter_words_lower]

### Question 1: Two-time pad attack on three-character lowercase ciphertexts (2 points)

A one-time pad simply involves the xor of a message with a key to produce a ciphertext: `c = m ^ k`, where `^` denotes the XOR operation. It is essential that the key be as long as the message, or in other words that the key not be repeated for two distinct message blocks.

In this problem, you'll see why the key must only be used once. Your goal is to break small two-time-pad examples. The input ciphertexts are created by:

- Choosing two plaintexts at random from the list `three_letter_words_lower`. (This list contains the 3-letter words from the set of the 100 most common English words listed on [Wikipedia](https://en.wikipedia.org/wiki/Most_common_words_in_English), in lowercase format.)

- Applying the `one_time_pad()` function to both words, using the same 3-letter `bytesKey` (which is *not* provided!).

__Your task__: Even though you don't know the secret key, your job is to recover the two inital messages and return them as a set. (Hint: the messages are short enough that a brute-force attack can work here.)

- Input: `c1`, `c2` (byte objects): Ciphertexts created by xor-ing a 3-letter word with some random 3-letter key

- Return: `{m1, m2}`: A set of two different `three_letter_words` corresponding to the original plaintext messages


__Your response:__

In [4]:
def q1_short_lower_twotimepad(c1, c2) -> set:

    for i in three_letter_words_lower:
        for j in three_letter_words_lower:
            if strxor(i,c1) == strxor(j,c2):
                return {i, j}

Here is a particular test you can use to check whether your code works. Given the ciphertexts:
```
c1 = b'\x1e\x1b\x03'
c2 = b'\x0f\t\x1f'
```

the corresponding two plaintexts should be `{b'day', b'use'}`, with the key `k = b'zzz'`.

_Points:_ 2

In [5]:
one_time_pad(b'\x1e\x1b\x03',  b'zzz')

b'day'

In [6]:
q1_short_lower_twotimepad(c1 = b'\x1e\x1b\x03', c2 = b'\x0f\t\x1f')

{b'day', b'use'}

In [7]:
grader.check("q1")

### Question 2: Two-time pad attack with capitalized and lowercase words (1 point)

Now, we make a small change to the previous question. This time, we guarantee that:
- the first message `m1` is a capitalized word from the list `three_letter_words_upper` (e.g., the word `New`).
- the second message `m2` is a lowercase word from the list `three_letter_words_lower` (e.g., the word `day`).

As a result, when you recover the two messages, you should also know their order. So, you can concatenate the two words together and put a space between them (e.g., `New day`). The one downside is that this function might return multiple possible outputs. Consider the following example:

In [8]:
print(one_time_pad(b'New', b'abc'), one_time_pad(b'day', b'abc'))
print(one_time_pad(b'Day', b'kfm'), one_time_pad(b'new', b'kfm'))

b'/\x07\x14' b'\x05\x03\x1a'
b'/\x07\x14' b'\x05\x03\x1a'


Hence, from the two ciphertexts `c1 = b'/\x07\x14'` and `c2 = b'\x05\x03\x1a'`, it might be the case that the original message was `New day` or `Day new`; you cannot distinguish between the two. Still though, this attack is deemed to be successful if we can narrow down the set of possible messages to just a small number of possible options.

__Your task__: Once again, recover the two initial messages. This time, you are allowed to output a set of possible concatenated bytestrings, as long as this set is not too large.

- Input: `c1`, `c2` (byte objects): Ciphertexts created by xor-ing a 3-letter word with some random 3-letter key. It is guaranteed that message `m1` has a capitalized first letter, whereas message `m2` does not.

- Return: A set of up to 10 possible `m1 + b' ' + m2` combinations of possible two-word plaintext messages. (Note that each individual string should be 7 bytes long, with the space in between the two 3-letter words.)

__Your response:__

_Points:_ 1

In [9]:
def q2_short_twotimepad(c1, c2) -> set:
    messages = set()
    for i in three_letter_words_upper:
        for j in three_letter_words_lower:
            if strxor(i,c1) == strxor(j,c2):
                messages.add(i + b' ' + j)
    return messages

In [10]:
grader.check("q2")

### Question 3: Two-time pad attack on longer messages (2 points)

__Your task:__ In this problem you will again break a cipher when the one-time pad is re-used. This time though, we have encrypted two long bytestrings that contain __multiple words__, with spaces in between the words. You are given two _hex-encoded_ ciphertexts `c1_hex` and `c2_hex` that have the same length as each other (note that the particular length is not fixed). They were formed by applying a “one-time pad” to two different messages _with the same key_. You must find the two corresponding messages `m_1` and `m_2`.

_Note: Do not try a brute-force attack on the key! That will quickly turn into "energy of the sun" type of work; in particular, you won't be able to complete the homework assignment by the deadline._

To make your search for the plaintext messages simpler, let me lay out a few ground rules:

1. Each message consists of English words in ASCII separated by spaces. No punctuation appears in the messages. 

2. Every character in the text is either a lowercase letter or a space, except that the first character of `m_1` is capitalized. The remaining words of `m_1` are lowercase, and all words in `m_2` are lowercase.

3. The second message m_2 starts with a space.

4. All of the words within each message is guaranteed to come from the set `words_lower` of the [100 most common English words](https://en.wikipedia.org/wiki/Most_common_words_in_English), except that the first message starts with a word in `words_upper`.

There are two ways that you can solve this question:

1. Write code yourself.
2. Use the interactive two-time pad cracking tool at https://www.tausquared.net/pages/ctf/twotimepad.html

__Test vector:__ To help you understand the question, here is a test vector:

```
q3_fulltwo_time_pad(b'3e21aa44d5319f099129e1859562eaeb26f558846e7dccbef7dd1a46e94d', b'5033b844dc318d4cd732fbc0d463e9b822b05892226c84bfeb8a4e4ce546')
```

should return `{'New day for all people how can we make the most of this time'}`.  In this test vector, note that:
- message 1 is 'New day for all people how can',
- message 2 is ' we make the most of this time',
- each message is 30 bytes long, and
- the first message starts with an uppercase letter, and the second message starts with a space.

Before writing any code, try using the interactive two-time pad cracking tool to find this message. Copy/paste the two hex ciphertexts, then guess "New" for the start of the first message and " we" for the start of the second message. Note how the cracking tool shows that they match. As you add a new word to each message, it shows possible candidates for the word on the other message.

__Your response:__

I tried to code the answer to Q3, but I found it too hard and finally decided to hardcode the response. This is how I did it: I chose a capitalized word from the list to start deciphering m1, selecting one that might uncover more letters in m2 due to its length. For m2, which I knew started with a space, I began with the word "you." After applying "After," it became evident there wasn't a subsequent word in the list beginning with "c," simplifying the guesswork for the next word in m2, "can." This technique, step by step, assisted in putting together the phrases "After all this time" for m1 and "you can see me now" for m2.

In [40]:
def q3_full_two_time_pad(c1_hex, c2_hex) -> set:
    ''' Input: Two hex-encoded ciphertexts c1_hex and c2_hex
        Return: Up to 100 possible m1 + m2 combinations of possible plaintext messages.
                Since m2 already starts with a space in this question,
                do *not* add an additional space in between m1 and m2.
    '''

    c1 = unhexlify(c1_hex)
    c2 = unhexlify(c2_hex)
    c = strxor(c1, c2)
    
    return {b'After all this time you can see me now'}

In [29]:
'''from binascii import unhexlify
from itertools import product

# Helper functions
def is_valid_string(byte_str):
    segments = byte_str.strip().split(b' ')
    if byte_str[0:1] == b' ':
        return all(any(word.startswith(seg) for word in words_lower) for seg in segments)
    else:
        return segments[0] in words_upper and all(any(word.startswith(seg) for word in words_lower) for seg in segments[1:])

def filter_valid_strings(byte_str_list):
    return [byte_str for byte_str in byte_str_list if is_valid_string(byte_str)]

def q3_full_two_time_pad(hex_c1, hex_c2):
    bytes_c1 = unhexlify(hex_c1)
    bytes_c2 = unhexlify(hex_c2)
    candidate_first_word = []
    potential_decryptions_c1 = []
    potential_decryptions_c2 = []
    xor_result = bytes(b1 ^ b2 for b1, b2 in zip(bytes_c1, bytes_c2))
    
    # Identify potential starting words
    initial_c1_letter = xor_result[0] ^ ord(' ')
    for possible_word in words_upper:
        if possible_word.startswith(bytes([initial_c1_letter])):
            candidate_first_word.append(possible_word)
    
    # Attempt to decode the beginning of c2
    for word in candidate_first_word:
        word_plus_space = word + b' '
        xor_with_candidate_word = xor_result[:len(word_plus_space)]
        start_of_c2 = bytes([x ^ y for x, y in zip(xor_with_candidate_word, word_plus_space)])
        if all(chr(c).isalpha() or chr(c).isspace() for c in start_of_c2):
            potential_decryptions_c2.append(start_of_c2)
            potential_decryptions_c1.append(word)
    
    # Process each candidate decryption pair
    for index, (decryption_c1, start_c2) in enumerate(zip(potential_decryptions_c1, potential_decryptions_c2)):
        if chr(start_c2[-1]).isalpha():
            trailing_char = chr(start_c2[-1])
            possible_following_words = [word for word in words_lower if word.startswith(bytes(trailing_char, 'ascii'))]
            for word in possible_following_words:
                combined_c2 = start_c2[:-1] + word + b' '
                combined_xor = xor_result[:len(combined_c2)]
                resultant_c1 = bytes([b1 ^ b2 for b1, b2 in zip(combined_xor, combined_c2)])
                if resultant_c1.startswith(decryption_c1) and all(chr(c).isalpha() or chr(c).isspace() for c in resultant_c1):
                    potential_decryptions_c1[index] = resultant_c1
                    potential_decryptions_c2[index] = combined_c2
        
        if chr(start_c2[-1]).isspace():
            # Consider possible letters that can extend the current partial decryption of c2
            for next_char in (bytes([i]) for i in range(ord('a'), ord('z') + 1)):
                # Check the next character in the XOR result to potentially extend c1
                next_xor_char = xor_result[len(start_c2)]
                next_c1_char = next_xor_char ^ next_char[0]
                if chr(next_c1_char).isalpha():
                    # Check for words that begin with this letter
                    for possible_word in words_lower:
                        if possible_word.startswith(next_char):
                            # Construct a possible continuation of c2 and its corresponding c1
                            extended_c2 = start_c2 + possible_word + b' '
                            # XOR with the current guess to get the next part of c1
                            extended_xor_with_word = xor_result[:len(extended_c2)]
                            next_part_c1 = bytes([b ^ w for b, w in zip(extended_xor_with_word, extended_c2)])
                            # Check if the new part of c1 forms a valid word or prefix
                            if next_part_c1.startswith(decryption_c1) and is_valid_string(next_part_c1):
                                potential_decryptions_c1[index] = next_part_c1
                                potential_decryptions_c2[index] = extended_c2

    
    # Combine the valid decryptions and return
    valid_c1_decryptions = filter_valid_strings(potential_decryptions_c1)
    valid_c2_decryptions = filter_valid_strings(potential_decryptions_c2)
    combined_valid_decryptions = set()
    for decrypt_c1, decrypt_c2 in zip(valid_c1_decryptions, valid_c2_decryptions):
        combined_valid_decryptions.add(decrypt_c1 + decrypt_c2)

    return combined_valid_decryptions'''

In [41]:
q3_full_two_time_pad(b'3e21aa44d5319f099129e1859562eaeb26f558846e7dccbef7dd1a46e94d',
                                                b'5033b844dc318d4cd732fbc0d463e9b822b05892226c84bfeb8a4e4ce546')

{b'After all this time you can see me now'}

You can try to test out your code on the test vector that we provided above.

In [42]:
def test3_0():
    answerstring = b'New day for all people how can we make the most of this time'
    return answerstring in q3_full_two_time_pad(b'3e21aa44d5319f099129e1859562eaeb26f558846e7dccbef7dd1a46e94d',
                                                b'5033b844dc318d4cd732fbc0d463e9b822b05892226c84bfeb8a4e4ce546')
test3_0()

False

We provide two tests for this question, each one of which is worth 1 point.

- You will earn one point for solving the following two-time-pad challenge.
    - `m1 = b'5a2e8da8d55eb6b738139bda26471b26f5fa4f'`
    - `m2 = b'3b3196b8871db6b574408ad76f595e72f2f85d'`
- You will earn another point if your code works on arbitrary ciphertext pairs.

You can hardcode the answer in the function `q3_full_two_time_pad` if you want to receive only one point for this question. Even if you choose this option, make sure to show your work and explain how you found the answer!

_Points:_ 2

In [43]:
grader.check("q3")

## Submitting the Assignment

Please follow these instructions to complete the assignment and submit it for credit.

**Documenting collaborators, sources, and AI tools:** In accordance with the collaboration policy, use the space below to report if you used any resources to complete this homework assignment, aside from the lecture notes and the course textbooks/videos. Specifically, please report:

1. Names of all classmates you worked with, and a short description of the work that you performed together.
2. All written materials that you used, such as books or websites (besides the lecture notes or textbooks). Please include links to any web-based resources, or citations to any physical works.
3. All code that you used from other sources. In particular, if you used an AI tool, then you must include the entire exchange with the AI tool, as per the [CDS Generative AI Assistance Policy](https://www.bu.edu/cds-faculty/culture-community/gaia-policy/).

Remember that if we discover any undocumented collaborators, sources, or AI tools then this is grounds for a grade penalty and referral to BU's Academic Conduct Committee (as described in the syllabus).

_Your response:_

1. I went to office hours and got help from the TA to get started with Q3, and also got ideas from other classmates that were there. I tried to then code Q3 myself but it was too confusing, so I used the help of GenAI to formulate it. I finally managed to make it partially work but it was not enough to pass the test, so I eventually decided to hard code it.

2. N/A

3. N/A

**Sending to Gradescope:** After completing the assignment:
- if you did the assignment on Colab, download it in `.ipynb` format.
- if you did the assignment locally on your machine, all you need to do is to find it in your directory.

Then, submit only the `.ipynb` file to this week's programming assignment on Gradescope. It may take a few seconds or a minute for the auto-grading system to check your work.

Remember that you can submit as many times as you want until the deadline for the assignment; only your last score counts.

## Submission

Make sure you have run all cells in your notebook in order before running the cell below, so that all images/graphs appear in the output. The cell below will generate a zip file for you to submit. **Please save before exporting!**

Submit your assignment on Gradescope once you have passed enough tests to receive at least 4 of the 5 available points.

In [19]:
# Save your notebook first, then run this cell to export your submission.
grader.export(run_tests=True)



AttributeError: module 'nbconvert' has no attribute 'pdf'