# Basic principles of Cryptography

## 1. Objectives of adversary:

   - The objective of the attacker/adversary is to attack an encryption scheme and to recover plaintext from ciphertext which was intended for someone else(say A).
   - An encryption scheme is said to be formally broken when the attacker can successfully intercept the ciphertext and recover plain text from it. 
   - A more lucrative objective for the adversary is to recover the private key of A. If the adversary recovers A's private key, then the adversary has the ability to decrypt all ciphertext sent to A. In such a case the encryption scheme is said to be informally broken. 
   
## 2. Types of attacks:

Since the encryption schemes are public in nature , an attacker can either do one of the following:
1. In the first case, the attacker may mount a chosen-plaintext attack (plain text chosen by the adversary) on a public-key encryption scheme i.e., the attacker may encrypt arbitrary messages to obtain the corresponding cipher-texts. 
2. In the second case, often referred to as chosen cipher-text attack, the attacker chooses the ciphertext before hand and obtains by some means the corresponding plain-text i.e., the attacker may encrypt as well as decrypt arbitrary messages.<br><br>
Chosen ciphertext attacks are further classified into two:  
- Indifferent chosen-ciphertext attack:
Before the adversary is provided with the decryption of target ciphertext $c$ ,that it actually wishes to decrypt, it is provided with decryptions of any ciphertexts of their choice.
- Adaptive chosen-ciphertext attack:
In this attack, the adversary does not have access to the private key of A and may have access to the decryption machine of A. The adversary can  request decryptions of ciphertext which may be related to both the target ciphertext, and to the decryptions obtained from previous queries but cannot request decryption of the target ciphertext $c$.

Chosen-ciphertext attacks are of concern only if the attacks can be mounted on the encryption scheme, if not then the existence of a chosen-ciphertext attack is typically viewed as a certificational weakness against a particular scheme.
## 3. Distributing public keys

- The puclic key encryption schemes are not bothered about the distribution of the public keys but rather assumes that a mechanism for the transportation of the public key exists. In the absence of such a mechanism, the encryption scheme is susceptible to an impersonation attack.
- There are many techniques in practice by which authentic public keys can be distributed. A few of them are listed below:
    1. Exchanging keys over a trusted channel
    2. Using a trusted public file
    3. Using an on-line trusted server
    4. Using an off-line server and certificates.   
    <br>
    
## 4. Message blocking

- Some Public key encryption schems assume that the message to be encrypted is of a fixed size or fixed length(bit length). 
- Plaintext messages which are longer than this maximum must be broken into blocks, each of the appropriate size. This is called as message blocking. The blocks of the message can then be encrypted independently adn hence must be decrypted the same as well. 
- To avoid re-ordering of the broken blocks, Cipher Block Chaining (CBC) must be used .Public key encryption schemes do not support message blocking and CBC mode .

# RSA public-key encryption
- The RSA cryptosystem is the most used public key cryptosystem and was named after its inventors R. Rivest, A. Shamir, and L. Adleman.
- It's Security is based on the difficulty of Integer Factorization problem. 
- If an algorithm is discovered which can factor an arbitrary number , then it would render the RSA method insecure.

### Algorithm: Key generation for RSA public-key encryption

 #### SUMMARY: Each entity creates an RSA public key and a corresponding private key.
 
 Each entity A should do the following:
 1. Generate two large random (and distinct) primes $p$ and $q$, each roughly the same size.
 2. Compute $n = pq$ and $φ = (p − 1)(q − 1)$.
 3. Select a random integer $e, 1 <e<φ$, such that $\gcd(e, φ)=1$.
 4. Use the extended Euclidean algorithm to compute the unique integer $d, 1 <d<φ$, such that $ed ≡ 1\pmod{φ}$.
 5. A’s public key is $(n, e)$; A’s private key is $d$
 

### Definition 
The integers $e$ and $d$ in RSA key generation are called the encryption exponent and the decryption exponent, respectively, while $n$ is called the modulus.

### Algorithm RSA public-key 
 
 #### SUMMARY: B encrypts a message $m$ for A, which A decrypts.

1. Encryption. B should do the following:
    1. Obtain A’s authentic public key $(n, e)$.
    2. Represent the message as an integer $m$ in the interval $[0, n − 1]$.
    3. Compute $c = m^e \bmod{n}$ (e.g., using repeated squaring).
    4. Send the ciphertext $c$ to A.

2. Decryption. To recover plaintext m from c, A should do the following:
 (a) Use the private key d to recover $m = c^d \bmod{n}$.

# Proof that decryption works. 
Since $ed ≡ 1 \pmod {φ}$, there exists an integer $k$ such that $ed =1+ kφ$. Now, if $\gcd(m, p)=1$ then by Fermat’s theorem,   
$$m^{p−1} ≡ 1 \pmod {p}$$  
Raising both sides of this congruence to the power $k(q−1)$ and then multiplying both sides by $m$ yields  
$$m^{1+k(p−1)(q−1)} ≡ m \pmod {p}$$  
On the other hand, if $\gcd(m, p) = p$, then this last congruence is again valid since each side is congruent to $\bmod {p}$.  Hence, in all cases  
$$m^{ed} ≡ m \pmod {p}$$  
By the same argument,    
$$m^{ed} ≡ m \pmod {q})$$  
Finally, since  $p$ and $q$ are distinct primes, it follows that  
$$m^{ed} ≡ m \pmod {n})$$  
and hence,
$$c^d ≡ (m^e)^d ≡ m \pmod {n})$$

## Example

In [3]:
# basic RSA
p=random_prime(100)
q=random_prime(100)
e=3
φ =(p-1)*(q-1)
while((gcd(e, φ)!=1)):
    p=random_prime(100)
    q=random_prime(100)
    φ =(p-1)*(q-1)
n=p*q
φ =(p-1)*(q-1)
show("p=",p)
show("q=",q)
show("n= p*q =",n)
show("φ = (p-1)*(q-1) =",φ)
show("gcd(e,φ)= ",gcd(e, φ))
d=e^-1 %φ
show("Public Key of A :(n,e) =({},{})".format(n,e))
me=random_prime(100)
show("message=",me)
c=me^e %n
show("Private Key of A :d =",d)
show("Message before Encryption=",me)
show("Encrypted Message c1=",c)
de=c^d % n
show("decrypted Message =",de)

In [15]:
# Blinding Attack
def invmod(a, n): 
    b=0
    while(b<n):
        if(a*b==1%n):
            return b
        else:
            b+=1;
p=random_prime(100)
q=random_prime(100)
e=3
φ =(p-1)*(q-1)
while((gcd(e, φ)!=1)):
    p=random_prime(100)
    q=random_prime(100)
    φ =(p-1)*(q-1)
n=p*q
φ =(p-1)*(q-1)
show("p=",p)
show("q=",q)
show("n= p*q =",n)
show("φ = (p-1)*(q-1) =",φ)
show("gcd(e,φ)= ",gcd(e, φ))
d=e^-1 %φ
show("Public Key of A :(n,e) =({},{})".format(n,e))
me=random_prime(100)
x=random_prime(10)
show("x=",x)
show("me=",me)
m=me*x
cm=me^e %n
cx=x^e%n
R = IntegerModRing(n)
xinv=R(x)
show("inv=",xinv)
show("cm=",cm)
show("cx=",cx)
c=cm*cx%n
show("Private Key of A :d =",d)
show("Message before Encryption=",m)
show("Encrypted Message c1=",c)
de=c^d % n
show("decrypted Message =",de)
show(de*xinv)

In [None]:
# Hastad's Broadcast Attack
# step 1: take 2 prime numbers
p=random_prime(100)
q=random_prime(100)
p2=random_prime(100)
q2=random_prime(100)
p3=random_prime(100)
q3=random_prime(100)
e=3
φ =(p-1)*(q-1)
φ2 =(p2-1)*(q2-1)
φ3 =(p3-1)*(q3-1)
n=p*q
n2=p2*q2
n3=p3*q3
while((gcd(e, φ)!=1)):
    p=random_prime(100)
    q=random_prime(100)
    n=p*q
    φ =(p-1)*(q-1)
while((gcd(e, φ2)!=1)):
    p2=random_prime(100)
    q2=random_prime(100)
    n2=p2*q2
    φ2 =(p2-1)*(q2-1)
while((gcd(e, φ3)!=1)):
    p3=random_prime(100)
    q3=random_prime(100)
    n3=p3*q3
    φ3 =(p3-1)*(q3-1)

show("p=",p)
show("q=",q)
show("p2=",p2)
show("q2=",q2)
show("p3=",p3)
show("q3=",q3)
# step 2: compute n and φ


show("n= p*q =",n)
show("φ = (p-1)*(q-1) =",φ)


show("n2= p2*q2 =",n2)
show("φ2 = (p2-1)*(q2-1) =",φ2)


show("n3= p3*q3 =",n3)
show("φ3 = (p3-1)*(q3-1) =",φ3)
# step 3: Choose e such that gcd(e,φ)
#e=random_prime(10000)

e=3
show("gcd(e,φ)= ",gcd(e, φ))
show("gcd(e,φ)= ",gcd(e, φ2))
show("gcd(e,φ)= ",gcd(e, φ3))
# step 4: Compute d such that de=1 modφ
#d=e^-1 %φ
##d2=e^-1 %φ2
#d3=e^-1 %φ3
#show("d =",d)
#show("d2 =",d2)
#show("d3 =",d3)
# step 5: declare the public and private keys
show("Public Key of A :(n,e) =({},{})".format(n,e))
#show("Private Key of A :d =",d)
# step 6: perform encryption of the message m to get ciphertext c
m=random_prime(100)
c=m^e %n
c2=m^e %n2
c3=m^e %n3
show("N=",n*n2*n3)
show((m^3)<(n*n2*n3))
show("Message before Encryption=",m)
show("Encrypted Message c1=",c)
show("Encrypted Message c2=",c2)
show("Encrypted Message c3=",c3)
# step 7: perform decryption on the ciphertext to get the plaintext de
z = CRT_list([c,c2,c3],[n,n2,n3])
show("solution= ",z)
AB=z^(1/3)
show("fifth root=",AB)
#de=c^d % n
#show("Decrypted message =",de)

In [None]:
# Franklin-Reiter Related Message Attack
p =433 
q = 953
show("p=",p)
show("q=",q)
n = p * q # 1024-bit modulus
show("n=",n)
m = 133075 # some message we want to recover
show("m=",m)
r = 217827 # random padding
show("r=",r)

c1 = pow(m + 0, 3, n)
show("c1=",c1)
c2 = pow(m + r, 3, n)
show("c2=",c2)
R.<X> = Zmod(n)[]
show(X)
f1 = X^3 - c1
show("f1=",f1)
f2 = (X + r)^3 - c2
show("f2=",f2)
# GCD is not implemented for rings over composite modulus in Sage
# so we'll do it ourselves. Might fail in rare cases, but we
# don't care.
def my_gcd(a, b): 
    return a.monic() if b == 0 else my_gcd(b, a % b)

show(m)
show(my_gcd(f1,f2))
show(my_gcd(f1, f2).coefficients())
show(-my_gcd(f1, f2).coefficients()[0]) # coefficient 0 = -m
show(my_gcd(f1, f2).coefficients()[0])