# IT Security - Sheet 3 "Asymmetric Crypography"

**Total achievable points: 20**

**Released: 14.11.2024**

**Submission Deadline: 21.11.2023**

---
Group: 128

Names and matriculation numbers of **ALL** team members: Samuel Rode (445160), Nils Maasch (445796), Pau Azpeita Bergos (443428), Gereon Geuchen (445328), Ben-Jay Huckebrink (445219)

Format: John Doe (999999)

---

**Important Information**

The assignments have to be submitted by groups of 5 students. Even if you are registered in RWTHmoodle to a submission group, **please include the group number as well as the name and matriculation number of every group member in this notebook**. In case you are not part of a submission group and want to hand in assignments, please contact `ba-itsec@itsec.rwth-aachen.de`. We will then assign you to a submission group.

Enter your solutions for the tasks in the respective cells of this notebook. These cells are either marked by "YOUR ANSWER HERE" or `#YOUR CODE HERE`. In code cells, you have to remove `raise NotImplementedError()`. Please do not add any new cells or remove existing ones, especially do not copy cells. Cells marked with `###PLAYGROUND` can be used to test your implementation and generate output (see example for the first tasks). Please do not add any other output or tests in the cell of the task, just implement the function with the header provided. If you want to test your implementation, use the `###PLAYGROUND` cells. They will be ignored during grading. **Do not change any other cells or add new ones.**

Please **do not import any further Python packages** except the default Python ones and the ones that are explicitly given by us.

## Content of this Assignment

This week, everything is about RSA. You learned in the lecture about asymmetric ciphers and now it's your turn to show what you learned.

## 1. RSA (8.5 points)

Before we can use any asymmetric ciphers, we need to generate keying material. As you learned from the lecture, for asymmetric ciphers you need two different keys. In this task, you create functions to generate valid RSA key pairs.
A valid RSA key pair consists of the private key $d$ and the public key $(N,e)$ where $N$ is called the RSA-modulus. The process of key generation also involves the usage of two prime numbers called $p$ and $q$.
The RSA-modulus can be computed using $N = pq$. In a later step, we will also need Eurler's phi function of the RSA-modulus $\phi(N)$ which can be computed using $\phi(N) = (p-1)(q-1)$.
In the following, you will use all of these components to build the RSA key generation on your own.

### Task 1.1 (1 point)

The first step is to find a public key $e$. A valid $e$ fulfills a specific property: $gcd(\phi(N), e) = 1$.

Your first task is to implement the function `gcd(x: int, y: int) -> int`. The arguments of this function (`x` and `y`) are both integers and the output is an integer as well. The function has to return the greatest common divisor of `x` and `y`. An example of this could be `gcd(6,9) = 3`.

In [1]:
def gcd(x: int, y: int) -> int:
    # YOUR CODE HERE
    if x == 0:
        return y
    if y == 0:
        return x
    if y > x:
        return gcd(y, x)
    return gcd(y, x % y)

In [2]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

print(gcd(6,9))

3


In [3]:
# This test just checks the output format of your solution

div = gcd(6,9)
assert type(div) == int
assert div == 3

In [4]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 1.2  (2 point)

Now, we turn to the actual key generation. We want to find an $e$ that fulfills the property $gcd(\phi(N),e) = 1$.

Implement the function `get_e(phi_N: int) -> int`. This function gets $\phi(N)$ as `phi_N` as an argument and returns the first valid value for $e$ as an integer. Please make sure that $e$ is the smallest possible value with $1 < e < \phi(N)$ (this is a strict relation). Note that it still needs to hold that $gcd(e, \phi(N) = 1$. 

In [5]:
def get_e(phi_N: int) -> int:
    # YOUR CODE HERE
    e = 2
    while gcd(e, phi_N) != 1:
        e += 1
        if e == phi_N:
            print("No e found between 2 and phi_N")
            return None
    if (gcd(phi_N, e) != 1):
        print("gcd(phi_N, e) != 1")
        return None
    return e

In [6]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

print(get_e(24))

5


In [7]:
# This test just checks the output format of your solution

e = get_e(24)
assert type(e) == int

In [8]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 1.3  (2 points)

As we have the public key $(N,e)$ now, we need to find the corresponding private key $d$. In general, $d$ has to be the multiplicative inverse of $e mod \phi(N)$.

Implement the function `extended_gcd(a: int, b: int) -> tuple[int, int]`. This function should implement the extended Euclidean algorithm. The given arguments `a` and `b` represent the integer inputs $a$ and $b$ of the algorithm. The function returns a tuple of two integers $x$ and $y$. The function should return values for $x$ and $y$ such that $a \cdot x + b \cdot y = 1$. The values $x$ and $y$ must be ordered in the tuple the following way: `(x,y)` whereas `x`represents $x$ and `y` represents $y$. If the function is called as `extended_gcc(phi_N, e)` then $\phi(N) \cdot x + e \cdot y = 1$ has to hold for the returned values `(x, y)`.

**Hint: Mind the order of the returned values!**

In [9]:
def extended_gcd(a: int, b: int) -> tuple[int, int]:
    # YOUR CODE HERE
    if (b > a):
        (_, x, y) = extended_gcd_recursive(b, a)
        return (x, y)
    elif b == 0:
        # gcd of (a, 0) is a for any a
        return (1, 0)
    else:
        (_, x, y) = extended_gcd_recursive(a, b)
        return (x, y)
        
def extended_gcd_recursive(a: int, b: int) -> tuple[int, int, int]:
    if b == 0:
        # gcd(a, 0) has coefficients (1, 0) with a = 1*a + 0*b
        return (a, 1, 0)
    else:
        gcd, x, y = extended_gcd_recursive(b, a % b)
        # gcd(a, b) = gcd(b, a % b) = b*x + (a % b)*y
        return (gcd, y, x - (a // b) * y)   
    

In [10]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

print(extended_gcd(240, 46))
print(extended_gcd(240, 59))
print(extended_gcd(131,41))

(-9, 47)
(15, -61)
(-5, 16)


In [11]:
# This test just checks the output format of your solution

res = extended_gcd(240, 46)
assert type(res) == tuple
assert len(res) == 2
assert type(res[0] == int)
assert type(res[1] == int)

In [12]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 1.4  (2.5 points)

To streamline the process of key generation, we want to put it all together. For this we want a single function that takes two primes $p$ and $q$ and outputs the public and private key as a tuple $(e,d,N)$.

Implement the function `generate_rsa_key(p: int, q:int) -> tuple[int, int, int]`. The arguments `x` and `y` are the two primes. The function has to return a valid RSA key generated using the two arguments as the primes $x$ and $y$. The output format has to be a tuple of the format `(e,d,N)`.

**Hint: You need to take care of the fact that `d`, as a result of the extended Euclidean algorithm, may be negative.**

In [13]:
def generate_rsa_key(p: int, q: int) -> tuple[int, int, int]:
    n = p * q
    phi_n = (p-1) * (q-1)
    e = get_e(phi_n)
    (_, d) = extended_gcd(phi_n, e)
    if d < 0:
        d += phi_n
    return (e, d, n)
    

In [14]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

print(generate_rsa_key(7, 11))

(7, 43, 77)


In [15]:
# This test just checks the output format of your solution

res = generate_rsa_key(7, 11)
assert type(res) == tuple
assert len(res) == 3
assert type(res[0] == int)
assert type(res[1] == int)
assert type(res[2] == int)

In [16]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 1.5  (1 point)

As we have valid key pairs, it is now time to test them out. For this, we have to implement the encryption and decryption first.

So implement the functions `rsa_enc(message: int, e: int, N: int) -> int` and `rsa_dec(cipher: int, d: int, N: int) -> int`.

Regarding the encryption, the arguments `e` and `N` of the function `rsa_enc(message: int, e: int, N: int) -> int` represent the public key, as multiple times discussed in the previous tasks. The argument `message` represents the message to be encrypted using the given key. This message is in an integer format and is not a human-readable string. Just assume it to be some message as an integer and process it as discussed in the lecture. Further, it always holds that $message < N$. This function has to encrypt the given `message` with the given public key `e` and `N`.

The function `rsa_dec(cipher: int, d: int, N: int) -> int` works similarly, but has to decrypt the message against using the private key. The private key is represented by `d` and `N`. The encrypted message is delivered as the argument `cipher`.

In [17]:
def rsa_enc(message: int, e: int, N: int) -> int:
    return pow(message, e) % N

In [18]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

In [19]:
# This test just checks the output format of your solution

res = rsa_enc(51, 7, 77)
assert type(res) == int
print(res)

72


In [20]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

In [21]:
def rsa_dec(cipher: int, d: int, N: int) -> int:
    # YOUR CODE HERE
    return pow(cipher, d) % N

In [22]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

In [23]:
# This test just checks the output format of your solution

res = rsa_dec(72, 43, 77)
assert type(res) == int
print(res)

51


In [24]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

## 2. Efficient RSA (2.5 points)

As we have implemented an RSA key generation and the respective encryption and decryption, we now turn towards an RSA implementation that is way more efficient in handling large prime numbers. In this task, we will use the right-to-left binary method that was introduced in the lecture to allow for more efficient binary exponentiation. If you can't remember the details, take a look at the lecture slides again.

### Task 2.1 (2 points)

Implement the function `binary_exp(b: int, e: int, m: int) -> int` that implements the more efficient binary exponentiation. The argument `b` denotes the base, `e` the exponent, and `m` the modulus. The function has to return the result of the computation as an int.

In [25]:
def binary_exp(b: int, e: int, m: int) -> int:
    binary_e = bin(e)[2:]
    res = 1
    for i in binary_e:
        res = (res * res) % m
        if i == '1':
            res = (res * b) % m
    return res

In [26]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.
print(binary_exp(2, 5, 13))

6


In [27]:
# This test just checks the output format of your solution

res = binary_exp(72, 43, 77)
assert type(res) == int
assert res == 51

In [28]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 2.2 (0.5 points)

Now, we want to use this more efficient implementation within our RSA encryption and decryption. So you have to reimplement the encryption and decryption using this more efficient approach.

Implement the functions `rsa_enc_eff(message: int, e: int, N: int) -> int` and `rsa_dec_eff(cipher:int, d: int, N: int) -> int`. These functions have the same arguments and returns as in Task 1.5. However, you have to use the more efficient implementation `binary_exp(b: int, e: int, m: int) -> int` of the previous task.

In [29]:
def rsa_enc_eff(m, e, N):
    # YOUR CODE HERE
    return binary_exp(m, e, N)

In [30]:
def rsa_dec_eff(m, d, N):
    # YOUR CODE HERE
    return binary_exp(m, d, N)

In [31]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

In [32]:
# This test just checks your solution

res = rsa_enc_eff(155, 5, 73827113627)
assert type(res) == int
reres = rsa_enc_eff(res, 59061256109, 73827113627)
assert reres == 155

In [33]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

## 3. Backdoors on RSA (3 points)

### Task 3.1 (2 points)

As we took care about encrypting and decrypting stuff, now it is time to do some more interesting and fun stuff. What would an assignment be without breaking something? While RSA today is considered secure, one thing that we can still do is: backdoors! In the following task, we will take a look at RSA backdoor construction. 

The backdoor is part of the RSA key pair generation by fixing one of the two prime numbers needed to generate the RSA key. Your task now is to exploit an RSA key that was created with a naive backdoor. 

Implement the function `decrypt_naive_backdoor(cipher: int, p: int, e: int, N: int) -> int` which decrypts a cipher text with the help of a fixed prime number, as described in the lecture. The arguments are:
- `cipher`: cipher text to be attacked
- `p`: the fixed prime that was used during the key generation
- `e`, `N`: the public key

The function has to return the decrypted plain text as an int.

You can use the functions previously implemented by you in task 2 and disregard anything about padding. Use the `### PLAYGROUND` cell to debug your own implementation and the provided format check cell to test its proper functioning.

*Hint: Remember that the public key `(e, N)` is known by potentially anyone!*

In [61]:
def decrypt_naive_backdoor(cipher: int, p: int, e: int, N: int) -> int:
    q = N // p  
    phi = (p - 1) * (q - 1)
    d = compute_d(e, phi)
    decrypted = binary_exp(cipher, d, N)
    return decrypted

#e*d mod N = 1
def compute_d(e, phi):
    _, x = extended_gcd(e, phi)
    return x % phi

In [62]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.
p = 3
q = 5
N = p*q
message = 7
phi = 8
e = 3
d = 3
encrypted_message = rsa_enc(message, e, N)
print(decrypt_naive_backdoor(encrypted_message, p, e, N))

7


In [63]:
# This test just checks your solution

some_prime_numbers = [92119, 92143, 92153, 92173, 92177, 92179, 92189, 92203, 92219, 92221]
fixed_prime = 92227 # Set by the manufacturer

my_message = 123

for q in some_prime_numbers:
    (e, d, N) = generate_rsa_key(fixed_prime, q)
    c = rsa_enc_eff(my_message, e, N)
    plain_mess = decrypt_naive_backdoor(c, fixed_prime, e, N)
    assert type(plain_mess) == int
    assert plain_mess == 123
    print(plain_mess)

123
123
123
123
123
123
123
123
123
123


In [None]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.

### Task 3.2 (1 point)

We now take a look at the same backdoor construction, but this time we do not have any knowledge about the fixed prime. However, we were able to intercept two messages encrypted with two different public keys, both generated with the same backdoor with the same fixed prime. Your task is now to break the backdoor and find the correct plain texts.

The two intercepted public keys are `(e1, N1)` and `(e2, N2)`. The two intercepted cipher texts are `c1` and `c2` which are encrypted with `(e1, N1)` and `(e2, N2)` respectively.

Implement the function `break_naive_backdoor(e1: int, N1: int, c1: int, e2: int, N2: int, c2: int) -> int`. The arguments of the function are:
- `e1`, `N1`: first public key
- `c1`: first cipher text
- `e1`, `N1`: first public key
- `c1`: first cipher text
  
The function has to return the decryption of both cipher texts `c1` and `c2` as a tuple `(plain1, plain2)` whereas `plain1` is the plain text corresponding to the decryption of `c1` and `plain2` the plain text corresponding to the decryption of `c2`.

Use the `### PLAYGROUND` cell to debug and play with your implementation, and the provided test cell to actually test the proper function of your implementation.

In [64]:
def break_naive_backdoor(e1: int, N1: int, c1: int, e2: int, N2: int, c2: int) -> tuple[int, int]:
    # YOUR CODE HERE
    backdoor_prime = gcd(N1, N2)
    plain1 = decrypt_naive_backdoor(c1, backdoor_prime, e1, N1)
    plain2 = decrypt_naive_backdoor(c2, backdoor_prime, e2, N2)
    return (plain1, plain2)

In [None]:
### PLAYGROUND
# You can use this cell to test out your implementation. Everything in this cell will be ignored during grading.

In [65]:
# This test just checks your solution

some_prime_numbers = [92119, 92143, 92153, 92173, 92177, 92179, 92189, 92203, 92219, 92221]
fixed_prime = 92227 # Set by the manufacturer

my_message = 1024
my_message2 = 999

test_cases = len(some_prime_numbers)//2
for q1, q2 in zip(some_prime_numbers[:test_cases], some_prime_numbers[test_cases:]):
    # The two public keys
    (e1, _, N1) = generate_rsa_key(fixed_prime, q1)
    (e2, _, N2) = generate_rsa_key(fixed_prime, q2)
    # The two cipher texts
    c1 = rsa_enc_eff(my_message, e1, N1)
    c2 = rsa_enc_eff(my_message2, e2, N2)
    res = break_naive_backdoor(e1, N1, c1, e2, N2, c2)
    assert type(res) == tuple
    assert len(res) == 2
    assert type(res[0]) == int
    assert res[0] == 1024
    assert type(res[1]) == int
    assert res[1] == 999
    print(res)

(1024, 999)
(1024, 999)
(1024, 999)
(1024, 999)
(1024, 999)


In [69]:
# Even this cell seems empty, it contains automatic tests. Please do not remove this cell and just ignore it.
extended_gcd(72, 29)
#rsa_dec_eff(5, 22, 91)

(-2, 5)

## 4. General Questions

This task is now focused on written answers regarding RSA and asymmetric cryptography.

### Task 4.1 - Advantages and Disadvantages of Asymmetric Cryptography (1 Points)

Think about asymmetric cryptography in general. There are quite a lot of differences in comparison to symmetric cryptography. However, both are being used for encryption and integrity protection.

**Name** at least one advantage and one disadvantage of asymmetric cryptography in regard to encrypting messages and authenticating them.

Advantage: An arbitrary amount of entites can communicate with the receiver using the same key without making the communication available to other public key holders. In symmetric encryption, everyone who knows the key can use it to decrypt messages that were encrypted with this key.

Disadvanatage: The private key holder cannot communicate securely with a public key holder because the public key holder does not know how to decrypt the message. In a symmetric key setting, both sides can communicate equally.

### Task 4.2 - Digital Signatures and Forgery (2 Points)

Asymmetric cryptography is often used to create signatures on messages or other important information. However, these signatures can also be attacked. There are different kinds of results of attacks.

**Name** two different results on attacks on digital signatures and **explain** what the attacker is able to do.

Two possible attacks against digital signatures are:
+ An **existential forgery** attack, where we use the design of a digital signature scheme to forge a valid message-signature pair based on previously observed/obtained message-signature pairs\
  In comparison to some other attack types (like below), the attacker _cannot_ construct valid signatures for _arbitrary_ messages of their choice, but can just construct a valid message-signature pair based on some message-signature pairs they observed previously, _not regarding_ whether the forged message "makes any sense"
+ A **total break** of a signature scheme; such an attack is the worst-case scenario for any signature scheme, as here, the attacker can (partially) recover the _private (!)_ signature key, meaning they can forge valid signatures for messages _at will_, thereby impersonating the "original communication party" the private key belonged to\
  Such an attack is most often a result of a _very poor implementation_ of an otherwise secure digital signature scheme, like e.g. _reusing_ the same $k$ in the DSA signature scheme

### Task 4.3 - RSA Signatures (2 Points)

Now, we consider RSA signatures in general. 
Why is the hash of the message instead of the message itself signed? **Name** two reasons.

+ Signing _just the message_ itself (instead of the hash) **would be insecure**, as it leaves the door open for an **existential forgery attack** (as explored in the lecture): If the attacker (via eavesdropping) has observed some message-signature pair $(m, s)$ (where $s = m^d mod N$ for some private key $(d, N)$), he can forge the _valid (!)_ message-signature pair $(m', s)$ where $m' = s^e mod N$ (which they just need the _public key_ $(e, N)$ for)\
  A (cryptographic) hash function makes this not possible, as a cryptographic hash function is _pre-image resistant_, meaning that given a signature $s$, we can _not feasibly guess_ a message $m$ that will pass the verification (i.e. $h(m)^e = s$)
+ As RSA has a modulus $N$, all messages $m$ wanting to be signed with RSA need to satisfy $m < N$, meaning **especially longer messages** are fully barred from being signed this way; a hash function in this context can be used to "shorten the message"/guarantee that the range of the hash function are values $< N$, thereby allowing for messages of arbitrary length to be signed

## 5. Exam Example Tasks (0.5 points)

> Note: This task is awarded with 0.5 points only if it has been seriously addressed, regardless of whether the answer is correct.

### Task 5.1

Assume the following public RSA key: The public modulus is $N := 91 = 7 \cdot 13$ and the public exponent is $e := 29$.
Decrypt the cipher text $c = 5$ and show your steps.


Let p be the plaintext. We know that p = e^d mode N. We also know that phi(N) = 6 * 12 = 72. We can determine d by using the extended euclidian algorithm, calculating the gcd of 72 and 29. The extended euclidian algorithm yiels d = 5. Thus, p = 5^5 mod 91 = 17.

### Task 5.2

Assume the following scenario, where RSA is used for encryption: The attacker is given two messages $m_1$ and $m_2$ and the encryption $c$ of one of the two messages, i.e., either $E(m_1) = c$ or $E(m_2) = c$. **Decide** for the following scenarios whether the attacker can determine with a probability greater than $\frac{1}{2}$ which message $m_i$ corresponds to the cipher text $c$ (this property is called *semantic security*). Justify your answer.

#### a)

Plain RSA: We use $E(m) := m^e mod N$ without OAEP.

Because we do not use OAEP, the attacker can determine the right plain text with a probability greater than $\frac{1}{2}$. Since e and N are part of the public key, the attacker can simply calculate E(m1) and E(m2) and check which encryption matches.

#### b)

What happens if the *seed* is replaced by $h(m)$ where $h$ is a hash function?

If the hash function is known, this does not make a difference again, because the attacker can simply calculate $h(m)$.

#### c)

What happens if we use OAEP but replace seed with the current (unix) time stamp (in seconds)?

This is probably better than the other two approaches, because the attacker might not know the exact time at which the message was send, however, since we use seconds and we might be able to assume that the message was created not too long ago, there are only so many possible values that the attacker could just try out. Thus, this is not a great encyption.

## 6. Feedback (0.5 points)

> Note: This task is awarded with 0.5 points only if there is feedback in any form to this exercise. It is also okay to state what was especially nice or rewarding. Literally just writing "anything" is not enough. Any feedback will improve the assignments.

And yet another assignment done by you, great! Since we want to know how it went and how we might improve the exercises, we include the following task. Here, you can write constructive feedback! You even get 0.5 points for it if you write anything. But don't worry, we do not grade the content itself!

This exercise was really nice: We especially enjoyed the exercises regarding the backdoors, but also the "theoretical"/text-based tasks in contrast to "just programming". 