## Exercise 4 ~ Bat-Crypt, Diffie-Helman Over The Linear Group

In [1]:
import utils
params = utils.get_parameters()

In [2]:
p = params.Q4_p
generator = params.Q4_generator
public_key = params.Q4_public_key
ciphertext = params.Q4_ciphertext

In [3]:
# We create the $Z_p$ ring
ring = IntegerModRing(p)

### What we know

- $S_a$ : random in $Z_{p-1}$
- $r$ : $generator^{S_a}$
- $s$ : $PK^{S_a}$
- $c$ : $(r, sm)$

In [4]:
r = Matrix(ZZ.quo(p * ZZ), ciphertext[0])
C = Matrix(ZZ.quo(p * ZZ), ciphertext[1])

In [5]:
gen = Matrix(ZZ.quo(p * ZZ), generator)

In [6]:
PK = Matrix(ZZ.quo(p * ZZ), public_key)

### What we can see

$C=sm=PK^{S_a}m=\begin{pmatrix}1 & x \\ 0 & 1\end{pmatrix}\begin{pmatrix}a & b \\ c & d\end{pmatrix}=\begin{pmatrix}a+xc & b+xd \\ c & d\end{pmatrix}$

This means we know $c$ and $d$ !

In this formula, we have $x=PK_{0,1}^{S_a}$

In [7]:
c = C[1][0].lift()
d = C[1][1].lift()

### Oh no batman, what have you done ?

It looks like $r = g^{S_a} = \begin{pmatrix}1 & g_{0,1}\\ 0 & 1\end{pmatrix}^{S_a} = \begin{pmatrix}1 & S_a\times g_{0,1} \\ 0 & 1\end{pmatrix}$

This means we can more than easily compute $S_a$, to the great shock of both Batman and Alfred :

In [8]:
Sa = ring(r[0, 1]) / ring(gen[0, 1]) 

Now that we know $S_a$, Batman cannot hide his secrets from us anymore.

In [9]:
x = PK[0, 1] * Sa

In [10]:
a = ring(C[0, 0].lift() - x * c)
b = ring(C[0, 1].lift() - x * d)

In [11]:
print a
print b
print c
print d

72183823406034509235986586944502383596377699130816560539868646933200483877969
95718758738497920252346111702638870293528859908622092482544148559048233181545
64967421248684864379889327593325353110390216977711986294038512996956299557015
7339505830888704565540323351330274914845452103920341534257862753661522891484
