In [11]:
import math

# SW05 Exercises
## Exercise 01: Shamir's three-pass protocol

**Alice and Bob want the implement Shamir’s three-pass protocol using the Vernam cipher, i.e.
one-time pad. This is supposed to provide perfect secrecy. Is the following protocol secure? 
Can You compute the message? Make an example with M = 010110111101,
KA = 101101110100, and KB = 001011011011.**

<img src="SW05_01_g.png" alt="Grafik" width="600"/>

**M** : *010110111101*

**K(a)** : *101101110100*

**K(b)** : *001011011011*

<img src="SW05_01_a.png" alt="Wahrheitstabelle Verschlüsselung" width="700"/>

Mit der Wahrheitstabelle lässt sich die Nachricht bis zum Punkt verfolgen, an dem sie mit beiden Schlüsseln verschlüsselt wurde.

Die **verschlüsselte Nachricht** lautet nun *110000010010*.

Zur Entschlüsselung werden die beiden Schlüssel wieder entfernt, wobei die ursprüngliche Nachricht lesbar wird.

## Exercise 2: Diffie-Hellman
**Alice and Bob agree to use n = 13 and e = 11. Alice chooses her secret number a = 5, whereas Bob chooses b = 7.**

**What are the requirements for n and e? Are they fullfilled?**

Alle Bedingungen sind erfüllt
* n = 13 ist eine (grosse) Primzahl
* a, b $< n -2$
* a, b $\in$ $\mathbb{Z}_{13}^*$
* e muss ein Generator von $\mathbb{Z}_{13}^*$ sein 

In [35]:
n = 13
e = 11
zns = range(1, n)
g = [e**i%n for i in zns]
print("e ist Generator: ", len(set(g)) == len(zns))

e ist Generator:  True


---
Describe the key agreement protocol step by step using the above assumptions about a and b. What is the common
secret key?


1) Alice schickt A = $e^a$ mod $p = 11^5$ mod $13 = 7$ an Bob

2) Bob schickt B = $e^b$ mod p$ = 11^7$ mod $13 = 2$ an Alice

3) Alice und Bob berechnen Geheimschlüssel k = $B^a $ mod $ p =  7^7$ mod $13 = A^b$ mod $ 13 =  2^5$ mod $ 13 = e^{a*b}$ mod $13 =  11^{5\cdot 7}$ mod $13 = 6 $

## Exercise 3: Discrete Logarithm Problem
Assume Mallory intercepts the message A = 9 from Alice to Bob and B = 3 from Bob to Alice.
He also knows n = 13 and g = 11

----
Mallory müsste a oder b finden: ${A = g^a}$ mod $n = 11^a$ mod $13, B = g^b$ mod $ n $

Diese Art der Berechnung ist nur mit Brute-Force möglich: 

$11^8$ mod $13 = 9$. Also ist a = 8.

$11^4$ mod $13 = 3$. Also ist b = 4. 

K = $3^8$ mod $13 = 4^8$ mod $13 = 9^4$ mod $13 = 9$


## Exercise 4: Attack on textbook RSA

**The public key (n, e) = (2537, 13) was used to encrypt the plaintext M. Eve intercepts the
ciphertext C = 2081.**

----

**Your Task: Show how Eve computes the plaintext M!**

1) $c = m^e$ mod $n = 2081 = m^{13}$ mod $2537$ 

In [12]:
n = 2537
e = 13
C = 2081

c = math.floor(math.sqrt(2537))

for i in range(c - 1, 0, -2):
    if n % i == 0:
        p = i
        break
        
q = int(n / p)
phi = (p - 1) * (q - 1)

def ExtendedGCD(a,b):
    # initialization
    s1 = a; s2 = b
    u1 = 1; u2 = 0
    v1 = 0; v2 = 1
    while s2 > 0: # loop if not finished
        q = s1 // s2
        r = s1 % s2
        s1 = s2; s2 = r
        t = u2; u2 = u1 - q*u2; u1 = t
        t = v2; v2 = v1 - q*v2; v1 = t
    return u1, v1, s1

d, v1, s1 = ExtendedGCD(e, phi)

M = pow(C, d, n)
print("Plaintext:", M)
C = pow(M, e, n)
print("Ciphertext:", C)

Plaintext: 1819
Ciphertext: 2081


## Exercise 5: Attack on textbook RSA - small exponent


**Use python in a Jupyter notebook. Use the (extended) Euklidean algorithm to compute the
inverses and find or invent a python code, which implements the CRT.**

In [18]:
n = [377, 391, 589]
c = [330, 34, 419]

In [17]:
n = [3, 5, 7]
c = [2, 3, 2]

In [14]:
import functools

def mul_inv(a, b):
    return ExtendedGCD(a, b)[0] % b

def chinese_remainder(n, a):
    s = 0
    prod = functools.reduce(lambda a, b: a*b, n)
 
    for n_i, a_i in zip(n, a):
        p = prod / n_i
        s += a_i * mul_inv(p, n_i) * p
    return s % prod

## https://rosettacode.org/wiki/Chinese_remainder_theorem

In [19]:
print("Message m:", chinese_remainder(n, c))

Message m: 1061208.0


## Exercise 6: Attack on textbook RSA — common module *n*

**Your Task: Design a example with small numbers which demonstrates, this attack! Assume
n = 11  13, i.e. p = 11 and q = 13.**

In [20]:
p = 11
q = 13
n = p * q

# Random values for eA and eB
e_A = 5
e_B = 11

math.gcd(e_A, e_B)

1

In [21]:
# Messages
m1 = 58
m2 = 58

# Ciphers
c1 = pow(m1, e_A, n)
c2 = pow(m2, e_B, n)

In [22]:
def calculate_comm_mod_n(e_A, e_B, c1, c2, n):
    x, y, temp = ExtendedGCD(e_A, e_B)
    C1, C2 = c1, c2
    
    if x < 0:
        C1 = ExtendedGCD(c1, n)[0]
        x = -x
    elif y < 0:
        C2 = ExtendedGCD(c2, n)[0]
        y = -y
        
    M1 = pow(C1, x)
    M2 = pow(C2, y)
    
    M = M1 * M2 % n
    
    return M

In [23]:
print("Plaintext m1:", m1)
print("Plaintext m2:", m2)
print("Ciphertext c1:", c1)
print("Ciphertext c2:", c2)
print("Decrypted ciphertext M:", calculate_comm_mod_n(e_A, e_B, c1, c2, n))

Plaintext m1: 58
Plaintext m2: 58
Ciphertext c1: 67
Ciphertext c2: 102
Decrypted ciphertext M: 58


## Exercise 7: Elgamal

**The prime number p=13 and the generator g=3 was used. Check if 3 is a genarator: otherwise
use the next larger number after 3. Bob chooses the secret key skB = j =3 and Alice skA =i=4.**

***Your Task: Compute all intermediate results if Alice wants to securely send the message m =
12 to Bob.***

<img src="SW05_07.png" alt="ElGamalEx7" width="1100"/>

## Exercise 8: Elgamal

**Alice uses the private key a=1751 and computes the public key (p=2357;a =2;a^a =1185).
Now Bob wants to encrypt the message m = 2035. He uses the random k = 1520.**

***Your Task: Compute the encrypted message and show how Alice decrypts the message.***

<img src="SW05_08.png" alt="ElGamalEx8" width="950"/>

## Exercise 7: Elgamal (in Python)

In [27]:
for i in range(0, g + 1):
    print(pow(g, i, p))

1
11
4
5
3
7
12
2
9
8
10
6


In [26]:
p = 13
g = 11


a = 4 # Alice's secret key
b = 3 # Bob's secret key

m = 12

In [28]:
# Bob calculates part of his public key (p, g, pk_B)
pk_B = pow(g, b, p)
print("Bob's public key:", p, g, pk_B)

Bob's public key: 13 11 5


In [29]:
# Alice selects random k (1 ≤ k ≤ p − 2)
k = 7
# Alice calulates temporary key and ciphertext
pk_A = pow(g, k, p)
y = m * pow(pk_B, k)
print("Temporary key:", pk_B)
print("Ciphertext:", y)

Temporary key: 5
Ciphertext: 937500


In [30]:
z = pow(pk_A, p - 1 - b, p) # pk_B
M = z * y % p
z

5

In [31]:
print("Plaintext x:", m)
print("Decrypted ciphertext M:", M)

Plaintext x: 12
Decrypted ciphertext M: 12


http://wwwmayr.in.tum.de/konferenzen/Jass05/courses/1/presentations/Meier%20Andreas%20The%20ElGamal%20Cryptosystem.pdf

## Exercise 8: Elgamal (in Python)

In [32]:
p = 2357
g = 2
a = 1751 # Alice's secret key
pk_A = 1185

m = 2035
k = 1520

In [33]:
# Bob calculates temp key and ciphertext
pk_B = pow(g, k, p)
y = m * pow(pk_A, k)
print("Temporary key:", pk_A)
print("Ciphertext:", y)

Temporary key: 1185
Ciphertext: 22932792403564589667959594096630853365622493513514878135542945887805226172536820259039753922604208754553838123562540011792779155477175662385208782341438288009678191010803316853145067431369966714750828946808477010721897196035639758211717000672704619914068460897222182669183485698464009726021777421316843095400423570986080358681029893312739038144477384687164118287543309070313320609693454520622209835589681719177731518563520077894071759169556090772479755807438140863912358002926558608226396415665473328369859205069493432363276422018404942543677129752024209434479387462945380585508990606803700921240012272029346381905613853643112423033712684876327128234889811597278311634921277749007063632785703223599559084620791806164615009568687873194540068922737387715071169720271361210791114399907081021091270520373325511874334964358427267568908867357030944845038239065123695770231434994710401237759937212844148255974218625327539694380213325345288370037209250132560630970322890430589

In [34]:
z = pow(pk_B, p - 1 - a, p) # pk_A
M = z * y % p
print("Plaintext x:", m)
print("Decrypted ciphertext M:", M)

Plaintext x: 2035
Decrypted ciphertext M: 2035
