# Cryptography

## Key Exchange
In cryptography, especially key exchange, we have 3 main characters:
* Party **A** aka **Alice**
* Party **B** aka **Bob**
* Evesdropper **E** aka **Eve**

The idea behind key exchange is for **Alice** and **Bob** to communicate over an insecure public channel, which is monitored by **Eve**, but still be able to exchange a **shared private key** which **Eve** is unable to figure out.

How can this be accomplished?

## Diffie-Hellman symmetric key exchange
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

#### Step 1
**Alice** and **Bob** publicly agree upon:
* $p$: The **public modulus** which is a large prime number
* $g$: The **public base** which is a primitive root of $p$

Specifically, $g$ being a primitive root of $p$ means:
$$ 	\forall n \quad \exists k \in \mathbb{Z} \quad g^{k}= n \bmod p $$
Which means that we now have a **shared private key-space** of size $p-1$. 

In [None]:
# Public
p = 23
g = 5
print("Shared public modulus: %s" %p)
print("Shared public base: %s" %g)

#### Step 2
**Alice** and **Bob** privately select their **private keys**:
* $a$: **A's private key** which is an integer that only **Alice** will know
* $b$: **B's private key** which is an integer that only **Bob** will know

These numbers can take on the values of any integer. Specifically:
$$ 	a,b \in \mathbb{Z} $$
But only $p-1$ choices lead to unique public keys. The idea is that $a$ and $b$ from a **private key-space** that is large, so as to make it infeasible to brute-force guess it.

In [None]:
# Private for A
a = 4
# Private for B
b = 3

print("A's private key: %s" % a)
print("B's private key: %s" % b)

#### Step 3
**Alice** and **Bob** privately calculate their **shared public keys** as follows:
* $A = g^{a} \bmod p$: **A's public key**
* $B = g^{b} \bmod p$: **B's public key**

These numbers can take on the values of an integer between $0$ and $p-1$.

In [None]:
# Private for A
A = pow(g, a, p)
print("A's public key: %s" % A)
# Private for B
B = pow(g, b, p)
print("B's public key: %s" % B)

#### Step 4
**Alice** and **Bob** publicly exchange their **shared public keys** $A$ and $B$  
Note that **Eve** is able to see this information, but is unable to deduce neither of the **private keys** $a$ nor $b$ from these **public keys** $A$ and $B$, due to the complexity of the discrete-logarithm problem.

#### Step 5
**Alice** and **Bob** privately calculate their **shared private key** as follows:
$$\begin{aligned} s &= B^{a} \bmod p \\ &=  (g^{b})^{a} \bmod p \\ &= (g^{a})^{b} \bmod p \\ &= A^{b} \bmod p \end{aligned}$$

Note in the above equation how **Alice** and **Bob** arrive at the same **shared private key**. Thus **Alice** and **Bob** have successfully shared information that both know, but **Eve** cannot deduce, despite having witnessed all communication between the two.

This is the fundamental basis for modern cryptography.

In [None]:
# Private for A
s = pow(B, a, p)
print("A's shared private key: %s" % s)
# Private for B
s = pow(A, b, p)
print("B's shared private key: %s" % s)

### Evaluation of computational time

Given the **private key-space** has $p-1$ possibilities, it takes on the order of that many trials to brute force the key.  
Therefore if $p$ is a $256$ bit number it would take on the order of $2^{256} \approx 10^{77}$ trials to brute force the key.  

#### How Large Is This?  
Today all supercomputers combined can bearly break $1$ exaFLOPS = $10^{18}$ FLOPS.  
Therefore even if we assumed 1 modular exponentiation trial $\approx$ 1 FLOP  
We'd still be on the order of $10^{59}$s  
One year is approx $10^{7}$s, so we're still on the order of $10^{52}$ years.  
The age of the universe itself is on the order of $10^{11}$ years.

#### Bremermann's Limit
https://en.wikipedia.org/wiki/Bremermann%27s_limit  
https://en.wikipedia.org/wiki/Transcomputational_problem  
There are physical limits of computation in our universe.  
In particular Bremermann's limit gives the maximum rate of computation for a computer of a given mass. This limit's value is derived from the maximum information contents, by the Heisenberg uncertainty principle, and rate of information propagation by the speed of light.  
The result is:  
$$ \dot{I}_{\mathrm{max}} = \frac{c^2}{h} \approx 1.36 \times 10^{50} \frac{\mathrm{bits}}{\mathrm{s} \cdot \mathrm{kg}} $$  
Where:  
- $\dot{I}_{\mathrm{max}}$ is the maxium rate of computation
- $c$ is the speed of ligth
- $h$ is Planck's constant

Therefore, if we had a perfectly build computer with the mass of the earth ($ m_e = 5.972 \times 10^{24} \mathrm{kg} $), it would still take 2 full minutes to crack a $256$ bit key, but $10^{77}$ years to crack a $512$ bit key.

## Data Encryption
https://en.wikipedia.org/wiki/Encryption  
https://en.wikipedia.org/wiki/Substitution%E2%80%93permutation_network  
https://en.wikipedia.org/wiki/S-box  
Basic idea is to use the key to scramble the text in a high-entropy way that isn't reversible unless you know the key.  
Modern techniques involve breaking the **plaintext** down into fixed size **blocks** (adding **padding** as nessary).  

### Substitution Ciphers
https://en.wikipedia.org/wiki/Classical_cipher  
Classical encryption was done by simply substituting letters with a reversible rule, this is known as a **cipher**.  
Examples include:
- **Transpositon ciphers**: substitutions by simply rotating the alphabet, as with a codewheel
   - **The Caesar cipher**: Letters are replaced by the letter 3 before them
   - **ROT13**: Letters are replace by the furthest letter in the circular alphabet
- **General substitution ciphers**: defined by any permutation of letters.

#### Code Breaking
Transposition ciphers have $26$ choices (including the identity), which is trivial to **brute force**.  
However substitution ciphers have $26! \approx 4.039 \times 10^{26}$ choices, which is not impossible to brute force, but still not doable on home computers.  

So, how can we do better?  

The answer is to be clever, and look at the structure of the cipher text and look for patterns.  
Indeed humans are easily capable of cracking substitution ciphers, and they are often given as puzzles in magazines, where they are called **cryptogram**.  

The simplest approach, however, is **frequency analysis**.  
By analysing the frequency of letters appearing in the ciphertext and comparing to the distribution of letters in the english langage, one can get a pretty good guess as to which letters are which.  

#### Example

In [None]:
import pandas as pd
import random

First we shall construct a substritution cipher by shuffling an ordered list of the alphabet

In [None]:
letter_frequencies = {"a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228, "g": 2.015, "h": 6.094, "i": 6.966, 
     "j": 0.153, "k": 0.772, "l": 4.025, "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987, 
     "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.36, "x": 0.15, "y": 1.974, "z": 0.074}
letters = list(letter_frequencies.keys())

cipher = list(letter_frequencies.keys())
random.shuffle(cipher)
cipher = dict(zip(letters,cipher))

print(cipher)

Next use the cipher to encrypt our plaintext

In [None]:
plaintext = """So, how can we do better?
The answer is to be clever, and look at the structure of the cipher text and look for patterns.
Indeed humans are easily capable of cracking substitution ciphers, and they are often given
as puzzles in magazines, where they are called **cryptogram**.
The simplest approach, however, is **frequency analysis**.
By analysing the frequency of letters appearing in the ciphertext and comparing to the distribution of letters
in the english langage, one can get a pretty good guess as to which letters are which. """.lower()

ciphertext = ''.join(map(lambda c: cipher.get(c,c), plaintext))
print(ciphertext)

In [None]:
freqs = {c:0 for c in letters}
for c in ciphertext:
    if c in freqs: freqs[c] += 1
print(freqs)

In [None]:
df = pd.DataFrame({'plaintext': sorted(letter_frequencies.keys(), key=lambda c: letter_frequencies[c], reverse=True),
                   'predicted_cipher': sorted(freqs.keys(), key=lambda c: freqs[c], reverse=True),
                   'true_cipher': list(map(lambda k: cipher[k], sorted(letter_frequencies.keys(), key=lambda c: letter_frequencies[c], reverse=True))),
                   'global_freq': sorted(letter_frequencies.values(), reverse=True),
                   'cipher_freq': sorted(freqs.values(), reverse=True)
                  })
df['cipher_freq'] /= len(plaintext)/100
print(df)

In [None]:
predicted_cipher = dict(zip(df['predicted_cipher'],df['plaintext']))

predicted_plaintext = ''.join(map(lambda c: predicted_cipher.get(c,c), ciphertext))
print(predicted_plaintext)

### Advanced Encryption Standard (AES)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard  
https://en.wikipedia.org/wiki/Data_Encryption_Standard  
AES was developped after it was alleged that the original DES (Data Encryption Standard) had been purposefully designed with a short key so as to allow the NSA to crack it with brute force.  
There was also concern that some of the parameters (S-boxes) were chosen so as to construct a backdoor, however this hasn't been proven, and analysis shows the S-boxes were chosen to as to increase resistance against differential cyptography attacks, which had been discovered independently by several research groups (the NSA and IBM included) but was classified at the time out of security concerns.  
In 1998 a practical attack against DES was demonstrated that was able to completed decrypt cypher text in under 24hrs.  

#### Algorithm Description
1. The **plaintext** is broken down into **blocks** and **padded** as necessary.
2. The **private key** is expanded to via a **key schedule** so as to increase its entropy on each round.
3. Several rounds of the following operations are applied:
   1. **Substitute** pairs of bytes via **S-Boxes** (lookup tables).
   2. Cirularly **Shift** the bytes as though they were in a $4 \times 4$ box, with each row shifted more than the last.
   3. **Mix** the columns via an invertible linear transformation.
   4. Add (xor) the scheduled key to the block

![title](https://imgs.xkcd.com/comics/cryptography.png)

#### Example

In [None]:
from Crypto.Cipher import AES
import base64

First define the key and create the encrypting object

In [None]:
key = b'Sixteen byte key'
AES_cipher = AES.new(key, AES.MODE_ECB)

Create the plaintext, and pad it match the required 16 byte block length

In [None]:
plaintext = b'What that?'
plaintext += b' '*(-len(plaintext)%16)
print(plaintext)
print(list(plaintext))

Encrypt the text to ciphertext

In [None]:
ciphertext = AES_cipher.encrypt(plaintext)
print(ciphertext)
print(list(ciphertext))

Decrypt the ciphertext

In [None]:
recovered_plaintext = AES_cipher.decrypt(ciphertext)
print(recovered_plaintext)
print(list(recovered_plaintext))

## Hashing and Digital Signatures

Hashing is a technique in computer science used to encode data of any length into a fixed length string with high entropy.  
One of the primary purposes of doing this is cryptography (which uses so-called "cyrptographic hash functions").
The idea is that given a hash function and an example output, it is infeasbile to determine what the original input was. Furthermore a small change in the original data leads to a large change in the hash-value (also called hash-digest)  

How is this useful to digital signatures?  
Imagine you take your **claims data**, pad it with **secret key** then take the **hash digest** and give to a user. They, and anyone else will be unable to calculate your **secret key**, but the user may later present their **claims data** along with the **hash digest** to you in order to prove you signed their **claims data**.

### JWTs

https://en.wikipedia.org/wiki/JSON_Web_Token  
Javascript Webt Tokens (JWTs) use hashing to sign a payload. This is used by a client to make access claims to a server without having to pass their login credentials with every call.  
Here's a demo on how it works:  

#### Step 1

Select a **JWT secret**. This is generally a large number (byte string) so as to make it infeasible to brute-force.

In [None]:
import base64
import json
import random
JWT_secret = bytearray(random.getrandbits(8) for _ in range(256))
print(base64.b64encode(JWT_secret))

#### Step 2
Define your header which contains a detription of the type of token.  
Has fields:  
* **alg**: The hashing algorithm used
* **type**: The type of token (usually 'JWT')

In [None]:
header = {
    "alg": "HS256",  # This states it is using the standard 256 bit Hashed-Based Message Authentication Code 
    "typ": "JWT"  # This confirms it is a JWT
}
byte_string = bytearray(json.dumps(header), 'utf8')
header_string = base64.encodestring(byte_string)
print(header_string)

#### Step 3
Define your token's payload. This contains the authentication claims made with the token.  
Has optional field:  
* **exp**: The expiration timestamp of the token as a Unix Timestamp. This is used to make temporary login sessions that expire after inactivity. It also ensures that if the JWT is compromised an attacker has a limited window in which to exploit the JWT.
* **username**: The username claimed by the bearer of the token.  

There are many other standard optional fields

In [None]:
payload = {
    "exp": 1606925710,
    "username": "user@domain.com"
}
byte_string = bytearray(json.dumps(payload), 'utf8')
payload_string = base64.encodestring(byte_string)
print(payload_string)

#### Step 4
Create the hash signature using the HMAC algorithm:

In [None]:
import hmac
body_string = header_string+b'.'+payload_string
body_string = b'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9'+b'.'+b'eyJleHAiOiAxNjA2OTI1NzEwLCAidXNlcm5hbWUiOiAibnlsYXN0ZXN0QHViaWNvLmlvIn0'
hash_digest = hmac.new(body_string, JWT_secret).digest()
base64.b64encode(hash_digest).decode()


In [None]:
import jwt
JWT_token = jwt.encode(payload, str(JWT_secret))
print(JWT_token)

In [None]:
print(jwt.decode(JWT_token, str(JWT_secret)))