**Show all your work for full credit. Each source code you submit should include detailed comments and instructions on how to run it in order to confirm that it works as expected. If the program that does not run or throws runtime errors, it cannot be graded. You can refer to the programming guidelines from the TAs here: https://tinyurl.com/CPEG-472-672-Programming-Guide/**

**This is an individual assignment and each student should work on their own. Ensure you don't share any code online or with others (note, using Replit, GitHub and similar online platforms can make your code accessible to others).**

**To submit the assignment, you need to use Jupyter Notebook with the provided cell blocks and follow the naming conventions and instructions posted here: https://tinyurl.com/CPEG-472-672-Programming-Guide/**

Before you turn this problem in, make sure everything runs as expected. First, **restart the kernel** (in the menubar, select Kernel $\rightarrow$ Restart) and then **run all cells** (in the menubar, select Cell $\rightarrow$ Run All).

Make sure you fill in any place that says `YOUR CODE HERE` or "YOUR ANSWER HERE", as well as your name and section below:

In [None]:
NAME = "Shruthilaya Arun"
#SECTION = "472"
SECTION = "672"

---

## <font color='blue'> (optional) Question 3 [35 points total extra credit] </font>
In this question you will implement a software-oriented counter-based stream cipher called babySalsa, which resembles a scaled-down version of Salsa20 stream cipher (see https://cr.yp.to/snuffle/spec.pdf to an external site.). Our babySalsa stream cipher receives a key K, nonce N, counter Ctr and plaintext P and returns a ciphertext C, similar to Salsa20 presented in the lecture and the reading. The main part of babySalsa is the core, which transforms its internal state based on inputs K, N and Ctr (each one of these inputs is 32 bits).

The babySalsa core internal state is a 3x3 array A of 16-bit values and is initialized as follows: The array diagonal A[1,1] to A[3,3] are initialized with the bytes of string 'bSalsa', A[1,2] and A[1,3] are initialized with the most significant and least significant bytes of K respectively, A[2,1] and A[2,3] are initialized with the most significant and least significant bytes of N respectively, and A[3,1] and A[3,2] are initialized with the most significant and least significant bytes of Ctr respectively.

The Third-Round (TR) function of babySalsa transforms three 16-bit input values (y0,y1,y2) into three 16-bit output values as follows:

(z0, z1, z2) = TR (y0,y1,y2), where:
z1 = y1 xor ((y0+y2) <<< 5),
z2 = y2 xor ((z1+y0) <<< 7),
z0 = y0 xor ((z2+z1) <<< 11),
so that <<< denotes bitwise rotation by the given number of bit positions within a 16-bit value, and + denotes addition modulo 0x10000.

The Column-Round (CR) function of babySalsa transforms the three columns of the internal state array as follows: For the leftmost column of the state array, TR is applied to the three values in the column starting with the value in the top row as y0 towards the bottom. For the middle column of state array, TR is applied to the three values starting from the value in the middle row as y0 and continuing to the bottom and then the top row. For the rightmost column of state array, TR is applied to the three values starting from the value at the bottom row as y0 and continuing to the top and then the middle row.

The Row-Round (RR) function of babySalsa transforms the three rows of the internal state array as follows: For the top row of the state array, TR is applied to the three row values starting from the value on the left as y0 towards the right. For the middle row of the state array, TR is applied to the three row values starting from the middle value as y0 and continuing to the right value and then the leftmost value. For the bottom row of the state array, TR is applied to the row values starting from the rightmost value as y0 and continuing to the leftmost and then the middle value.

We define as a Double-Round (DR) the sequence of applying one CR followed by one RR to the state array.

To transform the initial 3x3 state array, the babySalsa core applies DR four times. At the DR step, the original matrix A is added to the permated matrix A'. The resulting matrix is flattened to become the keystream output for encryption. 

In [16]:
# helper functions
def xor(x,y):
    if type(x) == str:
        return "".join([chr(ord(a) ^ ord(b)) for a,b in zip(x,y)])
    elif type(x) == bytes:
        return "".join([chr(a ^ b) for a,b in zip(x,y)]).encode('iso-8859-1')

### <font color='blue'> (a) [10 extra credit points] Implement the TR function of babySalsa core as described above. </font>

In [17]:
def rotate(val:int, pos:int) -> int:
    """ Rotate (left) val by pos bits """
    rotated=0
    # YOUR CODE HERE
    rotated=((val<<pos)& 0xFFFF) | (val >> (16-pos)) # rotating by pos bits
    #raise NotImplementedError()
    return rotated
    
def TR(y0:int, y1:int, y2:int) -> (int, int, int):
    """ Implement the TR function """
    z0=0
    z1=0
    z2=0
    # YOUR CODE HERE
    z1=y1^rotate((y0+y2)%0x10000,5) # z1 equation
    z2=y2^rotate((z1+y0)%0x10000,7) # z2 equation
    z0=y0^rotate((z2+z1)%0x10000,11) # z0 equation
    #raise NotImplementedError()
    return z0, z1, z2


In [18]:
# YOUR CODE HERE
#raise NotImplementedError()

In [19]:
# EMPTY CELL FOR GRADING - PLEASE DO NOT EDIT

In [20]:
assert TR(8, 16, 10) == (55674, 592, 11275)
assert TR(1, 2, 3) == (10769, 130, 16771)

In [21]:
# EMPTY CELL FOR GRADING - PLEASE DO NOT EDIT

### <font color='blue'> (b) [10 extra credit points] Implement the DR function of babySalsa core as described above, comprising one transformation of the state implemented using CR followed by one transformation of the state implemented using RR. </font>

In [22]:
def init_state(k:int, n:int, ctr:int) -> [int, int]:
    """ Implement the inialization function of babySalsa, using the key, nonce and block counter. """
    # YOUR CODE HERE
    A=[[0,0,0],[0,0,0],[0,0,0]] # initialise 3x3 array
    A[0][0],A[1][1],A[2][2]=25171,24940,29537 # ascii values for bSalsa
    A[0][1],A[0][2]=(k>>16)&0xFFFF,k&0xFFFF #split key by most and lest significant byte
    A[1][0],A[1][2]=(n>>16)&0xFFFF,n&0xFFFF#split nonce by most and lest significant byte
    A[2][0],A[2][1]=(ctr>>16)&0xFFFF,ctr&0xFFFF#split counter by most and lest significant byte
    return A

In [23]:
# YOUR CODE HERE
#raise NotImplementedError()

In [24]:
key = int("0x54e2f185",0)
nonce = int("0x06b41a39",0)
ctr = 1
A_i = init_state(key, nonce, ctr)
print(A_i)
assert A_i == [[25171, 21730, 61829], [1716, 24940, 6713], [0, 1, 29537]]

[[25171, 21730, 61829], [1716, 24940, 6713], [0, 1, 29537]]


In [27]:
def CR(A: [int, int]) -> [int, int]:
    """ Implement the Column-Round function of babySalsa."""
    res = [[0, 0, 0], [0, 0, 0], [0, 0, 0]]
    
    # YOUR CODE HERE
    res[0][0],res[1][0],res[2][0]=TR(A[0][0],A[1][0],A[2][0]) #leftmost column tranformation
    res[0][1],res[1][1],res[2][1]=TR(A[1][1],A[2][1],A[0][1]) #middle coulumn transformation
    res[0][2],res[1][2],res[2][2]=TR(A[2][2],A[0][2],A[1][2]) #rightmost column transformation
    
    #raise NotImplementedError()
    return res


In [28]:
A = [[25171, 21730, 61829], [1716, 24940, 6713], [0, 1, 29537]]
A_i = CR(A)
assert A_i == [[7494, 5270, 49532], [19672, 51671, 17108], [38359, 62839, 226]]


A = [[28271, 65278, 61829], [65204, 30561, 6713], [0, 0, 121]]
A_i = CR(A)
assert A_i == [[9938, 7755, 40212], [13145, 52206, 42950], [58448, 22879, 1517]]



In [31]:
def RR(A: [int, int]) -> [int, int]:
    """ Implement the Row-Round function of babySalsa."""
    res = [[0, 0, 0], [0, 0, 0], [0, 0, 0]]
    
    # YOUR CODE HERE
    res[0][0],res[0][1],res[0][2]=TR(A[0][0],A[0][1],A[0][2]) # top row transformation
    res[1][0],res[1][1],res[1][2]=TR(A[1][1],A[1][2],A[1][0]) # middle row transformation
    res[2][0],res[2][1],res[2][2]=TR(A[2][2],A[2][0],A[2][1]) # bottom row transformation
    
    
    return res

In [32]:
A = [[25171, 21730, 61829], [1716, 24940, 6713], [0, 1, 29537]]
A_i = RR(A)
assert A_i == [[49842, 12264, 60492], [40649, 7732, 54923], [37184, 27726, 55278]]

A = [[28271, 65278, 61829], [65204, 30561, 6713], [0, 0, 121]]
A_i = RR(A)
assert A_i == [[21070, 117, 33714], [8632, 55447, 659], [16036, 3872, 52359]]


In [35]:
def DR(arr):
    """ Implement the Double-Round function of babySalsa."""
    res = [[0, 0, 0], [0, 0, 0], [0, 0, 0]]
    
    # YOUR CODE HERE
    col_round=CR(A) # apply column round
    res=RR(col_round) #apply row round
    #raise NotImplementedError()
    return res

In [36]:
A = [[25171, 21730, 61829], [1716, 24940, 6713], [0, 1, 29537]]
A_i = DR(A)
assert A_i == [[43500, 52429, 51337], [15067, 38710, 51816], [2972, 24297, 4312]]

A = [[28271, 65278, 61829], [65204, 30561, 6713], [0, 0, 121]]
A_i = DR(A)
assert A_i == [[14913, 25235, 12240], [42094, 20281, 41172], [35764, 3547, 48470]]


### <font color='blue'> (c) [15 extra credit points] Implement the encryption function of the babySalsa stream cipher for plaintexts of arbitrary bitsize. Clearly describe what are the inputs to the cipher, and what are the additional operations required in addition to the transformations using the core. Demonstrate correct operation by encrypting the message "Stream ciphers generate pseudorandom bits from a key and a nonce and encrypt the plaintext by XORing it with these pseudorandom bits, similar to the one time pad".</font>

In [None]:
def babySalsa_encrypt(ptxt: bytes, key: int, nonce: int, ctr: int) -> bytes:
    """ Implement the encryption function of the babySalsa stream cipher for plaintexts of arbitrary bitsize. """
    ctxt = b''
    
    # YOUR CODE HERE
    raise NotImplementedError()
    return ctxt

In [None]:
# YOUR CODE HERE
raise NotImplementedError()

In [None]:
key = int("0x54e2f185",0)
nonce = int("0x06b41a39",0)
ctr = 1
ptxt = b'HelloHelloHelloHi!'
ctxt = babySalsa_encrypt(ptxt, key, nonce, ctr)

assert ctxt == b'\x17b,D#u\x87n\xed\xf2\x11h\xf8\xb8\xd2w\xa6\x1f'

key = int("0x54e2f185",0)
nonce = int("0x06b41a39",0)
ctr = 1
ptxt = b'Stream ciphers generate pseudorandom bits from a key and a nonce and encrypt the plaintext by XORing it with these pseudorandom bits, similar to the one time pad'
ctxt = babySalsa_encrypt(ptxt, key, nonce, ctr)

assert ctxt == b'\x0cs2M-P\xc2a\xe8\xed1h\xe6\xa7\x9dX\xaaP\xc7\x8f\xa8\xf1Uq\xa7\x15,\xd1\x97\x89\x84\r\'\xc6\xadR\xfe{Rkf\xf4\xc4\x08\xbf\xe6\x95 <\xd8\x1ca\xb0,\x80\xd9a\xda\x15e\x8e\xd3\x96jA\x0f\x145z\x06\xe4k\xecou$\xb9\xc4\xc5\xfd\xe77\x80\xd7L\xf2\x8b1\xddpLO\x13\xd6(\x08\xbc\x85V\x93\xef\xfd\x8c\xc6DO\x90V\xdfB`\x0f\xa4\xca(\xba\x8d"I\x96\x88\x98\x97\xd0\x85\x1cIM5\xfa\x9c\x11\x15\x03l\xcd\x17n\x10\xd9\xbc/\xbe\xcc\xf3\x9bw9\xb1\xf8q4\xf3/&tj\x8e\x11 M'