## 2 Diffie-Hellman
**Alice and Bob agree to use n = 13 and e = 11. Alice chooses her secret number a = 5, whereas Bob chooses b = 7.**

**What are the requirements for n and e? Are they fullfilled? **



Alle Bedingungen sind erfüllt
* n = 13 ist eine (grosse) Primzahl
* a, b $< n -2$
* a, b $\in$ $\mathbb{Z}_{13}^*$
* e muss ein Generator von $\mathbb{Z}_{13}^*$ sein 

In [34]:
n = 13
e = 11
zns = range(1, n)
g = [e**n%13 for n in zns]
print("e ist Generator: ", len(set(g)) == len(zns))

e ist Generator:  True


---
Describe the key agree-
ment protocol step by step using the above assumptions about a and b. What is the common
secret key?


1) Alice schickt A = $e^a$ mod $p = 11^5$ mod $13 = 7$ an Bob

2) Bob schickt B = $e^b$ mod p$ = 11^7$ mod $13 = 2$ an Alice

3) Alice und Bob berechnen Geheimschlüssel k = $B^a $ mod $ p =  7^7$ mod $13 = A^b$ mod $ 13 =  2^5$ mod $ 13 = e^{a*b}$ mod $13 =  11^{5\cdot 7}$ mod $13 = 6 $



## 3 Discrete Logarithm Problem
Assume Mallory intercepts the message A = 9 from Alice to Bob and B = 3 from Bob to Alice.
He also knows n = 13 and g = 11

----
Mallory müsste a oder b finden: ${A = g^a}$ mod $n = 11^a$ mod $13$, B = g^b$ mod $ n $

Diese Art der Berechnung ist nur mit Brute-Force möglich: 

$11^8$ mod $13 = 9$. Also ist a = 8.

$11^4$ mod $13 = 3$. Also ist b = 4. 

K = $3^8$ mod $13 = 4^8$ mod $13 = 9^4$ mod $13 = 9$


## 4 Attack on textbook RSA

The public key (n, e) = (2537, 13) was used to encrypt the plaintext M. Eve intercepts the
ciphertext C = 2081.

----

Your Task: Show how Eve computes the plaintext M!

1) $c = m^e$ mod $n = 2081 = m^{13}$ mod $2537$ 

In [25]:
def find_m(n, e, c):
    m=1
    c_i=1
    while  c_i != 2081:
        m+=1
        c_i=m**e%n
    return m

print("m: ", find_m(2537, 13, 2081))



m:  1819


## 5 Attack on textbook RSA - small exponent


In [35]:
def ExtendedGCD(a,b):
	# initialization
	s1 = a; s2 = b
	u1 = 1; u2 = 0
	v1 = 0; v2 = 1
	while s2 > 0: # loop if not finished
		q = s1 // s2
		r = s1 % s2
		s1 = s2; s2 = r
		t = u2; u2 = u1 - q * u2; u1 = t
		t = v2; v2 = v1 - q * v2; v1 = t
	return u1, v2, s1

def crt(m1, m2, m3):
    r1, mod1 = m1
    r2, mod2 = m2
    r3, mod3 = m3
    m = mod1 * mod2 * mod3
    M1 = m/mod1
    M2 = m/mod2
    M3 = m/mod3
    x,y,mi1 = ExtendedGCD(mod1, M1)
    x,y,mi2 = ExtendedGCD(mod2, M2)
    x,y,mi3 = ExtendedGCD(mod3, M3)
    return r1*M1*mi1 + r2*M2*mi2 + r3*M3*mi3


m3 = crt((330, 377), (34, 391), (419, 589))
print(m3 % 377)
print(m3 % 391)
print(m3 % 589)
print(m3 ** (1. /3))


371.0
374.0
404.0
525.7353324000089
