# Introduction to blockchain HW 1

## Problem 1 (10 points)

Assume that at the end of the term an instructor uses an RSA Public Key Cryptosystem to sign the grades sent to students and to the Education Office. He signs each grade with his private key and transmits both the grade and the signature in a secure manner encrypted with a public key. After you decrypt the message you use his public key to decipher the signature and verify the grade. Assume the cryptosystem has the following features: n=55, e=33 and that the grading system features integer grades from 0 to 10. You have received the grade-signature pairs 8||13 and 6||41

1.Verify that the grades you received are indeed originating from the instructor showing just intermediate results of your calculation (2 points)

Open key {e,n} = {33,55}, received messages: {$m_1,s_1$} = {8,13}, {$m_2,s_2$} = {6,41}. To prove grades we need to calculate $m' = s^e mod(n)$ and check with m.
Let's do it: $m'_1 = s_1^e mod(n) = 13^{33} mod(55) = 8, m'_2 = s_2^e mod(n) = 41^{33} mod(55) = 6$
That means, that $m_1' = m_1, m_2' = m_2$, grades are correct and come from instructor.

2.Given the information above only can you fabricate the instructors’ signature for another grade? If yes, for which grade and how? (3 points)

We can use multiplicative property of RSA, let's create new message as a product of 2 messages received $m_{new} = m*m mod(n)$, it will have $s_{new} = s*smod(n)$, because we have grades from 0 to 10, the only variant is to create $m_{new} = 8*8 mod(55) = 9 $, signature $s_{new} = 13*13 mod(55) = 4$. 

Let's prove, that attack is correct:
new message {$m_{new},s_{new}$} = {9,4}, 

then signature proof: $m'_{new} = s_{new}^e mod(n) = 4^{33} mod(55) = 9$, so we corrupted the message and received grade 9.

3.What would you advise the instructor to do so as to prevent such fabrication? (2 points)

use bigger n = 11*13 for example????

4.Discuss what can go wrong in case the instructor sends a grade secretly by first enciphering it with a student’s public key, then signing it with his private key. Provide an example (3 points) 

We can currupt the grade and signature by discovering private key. Private key to be calculated the following: $d = e^{-1} mod \varphi(n)$ , so for {e,n} = {33,55}, we have d = 17. After that, we can create any grade and signature {c,s} we like by following: $c = m^e mod(n), s = m^d mod(n)$ So fake grade, for example 9: $c = 10^{33} mod(55) = 14, s = 9^{17} mod(55) = 4$.

So the received fake will be {14,4}. 


## Problem 2 (10 points)

El-Gamal is videly used cryptographic standart. In this task you will implement El-Gamal encryption scheme using Python

1.Implement function for generating keys. The function must generate big random prime number (problem of generating big prime numbers was discussed during seminar after lecture 3). (2 points)

In [95]:
from random import randint
import math

def is_prime(num, test_count):
    if num == 1:
        return False
    if test_count >= num:
        test_count = num - 1
    for x in range(test_count):
        val = randint(1, num - 1)
        if pow(val, num-1, num) != 1:
            return False
    return True

def generate_big_prime(n, test_count=1000):
    found_prime = False
    while not found_prime:
        p = randint(2**(n-1), 2**n)
        if is_prime(p, test_count):
            return p
def roots(n):
    ans = 0
    x = set(j for j in range (1, n) if math.gcd(j, n) == 1)
    for i in range(1, n):
        y = set((i**k) % n for k in range (1, n))
        if x == y:
            ans = i 
    return ans

def gen_key(n):
    p = generate_big_prime(n)
    x = randint(1,p-1)
    g = roots(p)
    y = (g**x)%p
    return p,g,x,y



2.Implement functions that realize the encryption and decryption functions. (2 points)

In [96]:
def encrypt(m,n):
    p,g,x,y = gen_key(n)
    if m > p:
        return 0
    else:
        k = randint(1,p-1)
        a = (g**k)%p
        b = ((y**k)*m)%p
    return a,b,p,x

def decrypt(a,b,p,x):
    m = (b*a**(p-1-x))%p
    return m

3.Test your functions on random values and show that your realization works correctly (1 point)

In [97]:
def test(n):
    number =  randint(1,2**(n-1))
    print('Message:', number)
    a,b,p,x = encrypt(number,n)
    print('Encrypcted: (a,b) = ',a,b)
    d = decrypt(a,b,p,x)
    print('Decrypted, message:', d)


In [98]:
test(10)

Message: 248
Encrypcted: (a,b) =  317 490
Decrypted, message: 248


4.Implement functions that realize creation and verification of digital signature (2 points)

In [99]:
def egcd(n1, n2):
    if n1 == 0:
        return (n2, 0, 1)
    else:
        g, y, x = egcd(n2 % n1, n1)
        return (g, x - (n2 // n1) * y, y)

def inv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('Inv does not exist')
    else:
        return x % m
    
def hashed(m):
    return m%199

In [100]:
def sig_create(m,n):
    p,g,x,y = gen_key(n)
    m1 = hashed(m)
    k = randint(1,p-1)
    while math.gcd(k,p-1) != 1:
        k += 1 
    r = (g**k)%p
    s = ((m1 - x*r)*inv(k,p-1))%(p-1)
    return m,r,s,p,g,y
    
def sig_verify(m,r,s,p,g,y):
    if  0 < r < p  or 0 < s < p-1:
        m1 = hashed(m)
        left = (y**r)*(r**s)%p
        right = (g**m1)%p
        if left == right:
            print('Signature right:', left,'=',right)
        else:
             raise Exception('Wrong signature!')
    else: 
        raise Exception('Wrong signature!')

5.Test your functions on random values and show that your algorithm works correctly (1 point)

In [101]:
def test1(n):
    number =  randint(1,2**(n-1))
    print('Message:', number)
    m,r,s,p,g,y = sig_create(number,n)
    print('Signatured message: (m,r,s)= ',m,r,s)
    sig_verify(m,r,s,p,g,y)

In [102]:
test1(10)

Message: 330
Signatured message: (m,r,s)=  330 125 553
Signature right: 798 = 798


## Problem 3 (15 points)

1.Implement SHA256 (https://en.wikipedia.org/wiki/SHA-2) hashing algorithm using the pseudo-code below. Note the great increase in mixing between bits of the w[16..63] words compared to SHA-1 (10 points)

2.Calculate hashes of the texts below (1 point)

In [None]:
string_small = 'This is a very small string with a few characters.'
string_larger = 'This is a larger string that contains more characters.'
string_big = 'This is a larger string that contains more characters. This demonstrates that no matter how big the input stream is, the generated hash is the same size (but of course, not the same value). If two files have a different hash, they surely contain different data.'
string_empty = ''

3.What is a bit length of each hash? (1 point)

4.What is the bitwise distance between them? What is bitwise distance between their hashes? (1 point)

5.Typically use apply hash function to our passwords and texts that we want to digitally sign. Implement digital signature of hashed string using El-Gamal digital signature. Compare the digital signature of pain text and hashed text. (2 points)

## Problem 4 (15 points)

Merkle hash trees play an important role in forming transaction blocks in blockchain. In this assignment we ask you to plot your own Merkle hash tree and check its' properties. Below we provide you with some code fragment what you can use in your assignment

In [None]:
import matplotlib
import networkx as nx
%matplotlib qt5
from networkx import balanced_tree, draw_networkx, draw

Let us plot graph basis for Merkle hash tree

In [None]:
G = nx.Graph()
positions = {}
coordinates = [
    [0, 4],
    [-2, 3],
    [2, 3],
    [-3, 2],
    [-1, 2],
    [1, 2],
    [3, 2],
    [-3, 1],
    [-1, 1],
    [1, 1],
    [3, 1]
]
parents = [0, 0, 0, 1, 1, 2, 2, 3, 4, 5, 6]
for index in range(11):
    G.add_node(index)
    G.add_edge(index, parents[index])
    positions[index] = coordinates[index]
nx.draw(G, positions, node_size = 1000)
labels = {
    0: '0',
    1: '1',
    2: '2',
    3: '3',
    4: '4',
    5: '5',
    6: '6',
    7: 'tx1',
    8: 'tx2',
    9: 'tx3',
    10: 'tx4',
}
nx.draw_networkx_labels(G, positions, labels = labels)

In Bitcoin double sha256 hash scheme is used. Here is an example.

In [None]:
import hashlib


first_hash = hashlib.sha256(b"hello") # "b" stands for binary representation
second_hash = hashlib.sha256()
print('First hash represented as a hexadecimal number:', first_hash.hexdigest())
second_hash.update(first_hash.digest())
print('Second hash represented as a hexadecimal number:', second_hash.hexdigest()

Now we can easily change vertices' labels to hashes of corresponding messages and plot new graph

In [None]:
labels[3] = hashlib.sha256(hashlib.sha256(b"tx1").digest()).hexdigest()

# and plot the graph again

nx.draw(G, positions, node_size = 1000)
nx.draw_networkx_labels(G, positions, labels = labels, font_size = 8)
print(labels[3])

1.Construct Merkle hash tree using previously constructed graph by finding corresponding SHA256 hashes on vertices (2 points). Plot obtained Merkle hash tree (1 point)

2.Provide a proof of correctness of leaf tx2 (2 points). 

3.Provide a proof of correctness for set of leafs (tx3-tx4) (2 points)

4.Change the value on leaf tx1 and recompute corresponding hashes. Plot newly obtained Merkle hash tree (2 points)

5.Nodes in Merkle hash trees may have arbitrary fanout. In previouse items we consider the case of fanout equals to two. But what will change if we set a fanout equals to three? Construct Merkle hash trees with fanout 3 to sign 9 values? Construct the hash tree with fanout 2 to sign the same set of values? Plot obtained trees (4 points) 

6.What is the optimum tree fanout for signing first 4 values in the set up of previouse item? (2 points)