# Cryptography

## Secure Multiparty Computation - part 1

# Intro

**A Pragmatic Introduction to Secure Multi-Party Computation** by David Evans, Vladimir Kolesnikov, Mike Rosulek

To see the notebook as a slide-show, use [RISE](https://rise.readthedocs.io/en/stable/)

## Agenda

### Motivation

* Auctions
* Procurement
* Benchmarking
* Data Mining
* Voting
* Any computable function/functionality

### Tools

* (verifiable) secret sharing
* oblivious transfer
* (homomorphic) commitments
* zero-knowledge proofs 


![oblivious transfer](img/ot.png)

In [10]:
import math
import random
from sympy import randprime, isprime, Mod

In [12]:
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

In [13]:
from sympy import primefactors

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [14]:
def GenModulus(w):
    n = len(w)
    p = randprime(2 ** n, 2 ** (n+1))
    q = randprime(2 ** n, 2 ** (n+1))
    N = p * q
    return N, p, q

In [15]:
def Factor(n):
    N, p, q = GenModulus("1" * n)
    pp, qq = A(N)
    if pp > 1 and qq > 1 and pp * qq == N:
        return 1
    else:
        return 0

In [16]:
def A(N):
    factors = primefactors(N)
    return factors[0], factors[1]

In [None]:
%%time
sec_param = 52
num_of_succ = 0
tries = 100

for i in range(tries):
    num_of_succ = num_of_succ + Factor(sec_param // 2)

num_of_succ/tries

In [17]:
def GenRSA(w):
    n = len(w)
    N, p, q = GenModulus(w)
    m = (p-1) * (q-1)
    e = 2 ** 16 + 1
    d = modinv(e, m)
    return N, e, d, p, q
# N, e - public key
# N, d - private key

def enc(x, N, e):
    return x ** e % N

def dec(c, N, d):
    return c ** d % N

N, e, d, p, q = GenRSA("111111111")
#print("private key: ", d)
#print("public key: ", N, e)

xx  = 120 * p % N #random.randint(2, N)

y = enc(xx, N, e)
x = dec(y, N, d)
print(N, e, y)

512893 65537 467343


**The RSA experiment** $\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n)$
1. $(N, e, d) := GenRSA(1^n)$

2. choose $y \leftarrow Z_N^*$

2. $x = \mathcal{A}(N, e, y)$

3. Output: 1 if $x^e = y \bmod N$

**Definition 7.46** We say that RSA problem is hard relative to **GenRSA** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n) = 1] \leq negl(n)$$

In [18]:
def randomZnElement(N):
    g = N
    while math.gcd(g, N) != 1:
        g = random.randint(2, N)
    return g

# Naive Identification Scheme

## Password Scheme

Peggy $(x, f(x))$, Vic $f(x)$
1. Peggy:
    * sends $x$ to Vic
2. Vic:
    * checks if $f(x)$ is correct
  

## Identification based on Public-Key Encryption

Peggys $(x, f(x))$, Vic: $f(x)$

1. Vic:
    * selects $m$
    * encrypts $c = Enc(f(x), m)$
    * sends $c$ to Peggy
2. Peggy:
    * decrypts $m' = Dec(x, c)$
    * sends $m'$ to Vic
3. Vic:
    * accepts the identity of Peggy iff $m=m'$
    
Dishonest Vic :
1. captures an encryption $c$ that was sent to Peggy and then Vic can sent $c$ as a challenge
2. Peggy decrypts $m' = Dec(x, c)$
3. Vic learns the value of $m' = m$

Before the protocol:
- f(x)
- c

After the protocol:
- he knows that $$m = Dec(x, c)$$

![Naive authentication scheme](img/auth-enc.png)

A (Peggy) has:
    - secret key $x$
    - public key $f(x)$, for one-way function $f$
    
B (Vic) has:
    - public key $f(x)$
    
    
A's input: x
$$F_A = 0$$


B's input: $f(x) = y$
$$F_B(x, y) = (y = f(x)) ? 1:0$$


**Completenes**: If Peggy knows the prover's secret, then Vic will always accept Peggy's proof.

**Soundness**: If Peggy can convince Vic with reasonable probability, then she know the prover's secret.

If Peggy does not know the secret then with high probability Vic will detect that

**Zero-knowledge** (intuition): whatever the verifier can efficiently compute after interacting with the prover, can be efficiently simulated without interaction.

Performing the protocol with the Prover (Peggy) should not give any new information to Verifier (Vic)

# Simplified Fiat-Shamir Identification Scheme

**Signature scheme (12.1)** a signature scheme is a tuple of three probabilistic polynomial-time algorithms $(Gen, Sign, Vrfy)$ satisfying the following:


1. $(pk, sk) \leftarrow Gen(1^n)$
2. $\sigma \leftarrow Sign_{sk}(m)$, $m \in \{0, 1\}^*$ ($Sign$ is probabilistic)
3. $$b  = Vrfy(pk, m, \sigma)$$
    * $b = 1$ valid 
    * $b = 0$ invalid

Signature experiment $SigForge_{\mathcal{A}, \Pi}(n)$:

1. $(pk, sk) \leftarrow Gen(1^n)$
2. 
    * $\mathcal{A}$ is given $pk$ and oracle access to $Sign_{sk}(\cdot)$
    * $\mathcal{A}$ outputs $(m, \sigma)$
    * $Q$ - the set of messages whose signature were requested by $\mathcal{A}$ during its execution
3. The output of the experiment is defined to be $1$ if and only if:
    1. $Vrfy_{pk}(m, \sigma) = 1$
    2. $m \not \in Q$

**Definition 12.2** A signature scheme $\Pi = (Gen, Sign, Vrfy)$ is **existentially unforgeable under an adaptive chosen-message attack** if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function **negl** such that
$$P\left[SigForge_{\mathcal{A}, \Pi}(n) = 1\right] \leq \textsf{negl}(n).$$

**Textbook RSA signature**

**Gen** $(N, e, d) \leftarrow GenRSA(1^n)$

* the public key $(N, e)$
* the private key $(N, d)$

**Sign**$([N, d], m)$, $m \in Z_N^*$:

* return $\sigma = [m^d \bmod N]$

**Vrfy**$([N, e], m, \sigma)$, output 1 if and only if

$$ m = [\sigma^e \bmod N]$$

In [None]:
def GenRSA(w):
    n = len(w)
    N, p, q = GenModulus(w)
    m = (p-1) * (q-1)
    e = 2 ** 16 + 1
    gcd, d, y = egcd(e, m)
    if d < 0:
        d = m + d
    return N, e, d, p, q

def sign(x, N, d):
    return x ** d % N

def vrfy(m, sigma, N, e):
    return m == sigma ** e % N

**Example 1** A no-message attack

Goal: forge a signature under a random message

$\mathcal{A}([N, e])$:
1. select $\sigma \leftarrow Z_N^*$
2. compute $m = \sigma^e \bmod N$
3. return $(m, \sigma)$

In [None]:
N, e, d, p, q = GenRSA("11111")

def A(N, e):
    sigma = randomZnElement(N)
    m = sigma ** e % N
    return m, sigma

In [None]:
m, sigma = A(N, e)
print(m, sigma)

In [None]:
vrfy(m, sigma, N, e)

Signature experiment $SigForge_{\mathcal{A}, \Pi}(n)$:

1. $(pk, sk) \leftarrow Gen(1^n)$
2. 
    * $\mathcal{A}$ is given $pk$ and oracle access to $Sign_{sk}(\cdot)$
    * $\mathcal{A}$ outputs $(m, \sigma)$
    * $Q$ - the set of messages whose signature were requested by $\mathcal{A}$ during its execution
3. The output of the experiment is defined to be $1$ if and only if:
    1. $Vrfy_{pk}(m, \sigma) = 1$
    2. $m \not \in Q$

## Textbook RSA signature

**Gen** $(N, e, d) \leftarrow GenRSA(1^n)$

* the public key $(N, e)$
* the private key $(N, d)$

**Sign**$([N, d], m)$, $m \in Z_N^*$:

* return $\sigma = [m^d \bmod N]$

**Vrfy**$([N, e], m, \sigma)$, output 1 if and only if

$$ m = [\sigma^e \bmod N]$$

**Example 2** Forging a signature on an arbitrary message

![forge](img/forge.png)

In [None]:
m = randomZnElement(N)
m1 = randomZnElement(N)
m2 = m * modinv(m1, N) % N

s1 = sign(m1, N, d)
s2 = sign(m2, N, d)

print(m, m1, m2)

print(s1, s2)


vrfy(m, (s1 * s2) % N, N, e)


# Factoring - Fermat

In [None]:
p = randprime(2000, 10000)
q = randprime(2000, 10000)

n = p * q

print(p, q, n)


In [None]:
gcdPlus = 1
gcdMinus = 1

step = 1

while gcdPlus == 1 and gcdMinus == 1:
    x = random.randint(2, n)
    y = random.randint(2, n)
    gcdPlus = math.gcd((x+y) % n, n)
    gcdMinus = math.gcd((x-y) % n, n)
    print(step, gcdPlus, gcdMinus)
    step = step + 1
    
if gcdPlus > 1:
    print(gcdPlus,"*", n // gcdPlus, "=", n)
else:
    print(gcdMinus,"*", n // gcdMinus, "=", n)
    

In [None]:
def P_gen(w):
    N, e, d, p, q = GenRSA(w)