**Show all your work for full credit. Each source code you submit should include detailed comments and instructions on how to run it in order to confirm that it works as expected. If the program that does not run or throws runtime errors, it cannot be graded. You can refer to the programming guidelines from the TAs here: https://tinyurl.com/CPEG-472-672-Programming-Guide/**

**This is an individual assignment and each student should work on their own. Ensure you don't share any code online or with others (note, using Replit, GitHub and similar online platforms can make your code accessible to others).**

**To submit the assignment, you need to use Jupyter Notebook with the provided cell blocks and follow the naming conventions and instructions posted here: https://tinyurl.com/CPEG-472-672-Programming-Guide/**

Before you turn this problem in, make sure everything runs as expected. First, **restart the kernel** (in the menubar, select Kernel $\rightarrow$ Restart) and then **run all cells** (in the menubar, select Cell $\rightarrow$ Run All).

Make sure you fill in any place that says `YOUR CODE HERE` or "YOUR ANSWER HERE", as well as your name and section below:

<font color='red' size="4">Import any additional libraries you need in the same code block that you use it.</font>

In [None]:
NAME = "Shruthilaya Arun"
#SECTION = "472"
SECTION = "672"

---

### Question 1 [45 points total - answer all parts]

### Bob knows that the ElGamal cryptosystem is similar to Diffie-Hellman. To generate the ElGamal keys, Bob selects the cyclic group Z\*_p with prime p=20876441 and generator g=5 as the public parameters (in decimal). Bob also selects his secret key X between 1 and p-1. The public parameters are p, g, and the value h=g^X mod p, while the private parameter is X. Bob’s ElGamal encryption uses a random nonce Y between 1 and p-1 and for a given message M between 1 and p-1, and it outputs a pair of values (C1,C2), so that C1=g^Y mod p, and C2=M*(h^Y) mod p. This pair of values is the ciphertext for M with nonce Y (i.e., the ciphertext is a tuple). Also, the value “h^Y mod p” is called the “shared secret” of Bob.

### Bob’s ElGamal decryption receives ciphertext (C1,C2) and his secret key X as input and multiplies C2 with the modular multiplicative inverse of the shared secret. Specifically, if “D=C1^X=g^(X\*Y) mod p” is the shared secret, and “E=D^(-1) mod p” is the modular multiplicative inverse of the shared secret, the plaintext is “M=E\*C2 mod p”.

In [3]:
from math import ceil , sqrt

In [4]:
def ShanksAlgorithm(alpha, beta, n):
    '''
    solve for x s.t. beta = alpha^(x) (mod n)
    Used to solve the discrete log problem for non-composite moduli
    '''
    m = int(ceil(sqrt(n - 1)))
    a = pow(alpha, m, n)
    b = ExtendedGCD(alpha, n)[1]
    L1 = [(j, pow(a, j, n)) for j in range(0, m)]
    L2 = [(i, beta * pow(b,i,n) % n) for i in range(0, m)]
    L1.sort(key = lambda tup: tup[1])
    L2.sort(key = lambda tup: tup[1])
    i, j, Found = 0, 0, False
    while (not Found) and (i < m) and (j < m):
        if L1[j][1] == L2[i][1]:
            return m * L1[j][0] + L2[i][0] % n
        elif abs(L1[j][1]) > abs(L2[i][1]):
            i = i + 1
        else:
            j = j + 1
def ExtendedGCD(a, b):
    '''
    Extended Euclidian algorithm for finding GCD

    Compute gcd(a, b) and the coefficients of Bezout's identity:
    a*x + b*y = gcd(a, b)
    '''
    a2, a1 = 1, 0
    b2, b1 = 0, 1
    while b:
        q, r = divmod(a, b) # return quotient and remainder
        a1, a2 = a2 - q * a1, a1
        b1, b2 = b2 - q * b1, b1
        a, b = b, r
    return a, a2, b2

### Question 1a [20 points] Bob posts on the Internet the encryption of M=20192834 as (C1,C2)=(9916780, 5260862) using nonce Y1. Can you find Bob’s “shared secret” value? Show all you work.

In [9]:
def part_a () -> int:
    """
    find Bob's shared secret and return it.
    """
    
    p = 20876441
    g = 5
    m = 20192834
    c1 = 9916780
    c2 = 5260862

    shared_secret = 0
    # YOUR CODE HERE
    a,m_inv,b=ExtendedGCD(m, p) #mod inverse of m and p
    shared_secret=(c2 * m_inv)%p #compute shared secret
    return shared_secret
    

In [10]:
p = 20876441
m = 20192834
c2 = 5260862

shared_secret = part_a()
assert type(shared_secret) == int
assert (shared_secret * m) % p == c2

# hidden tests

### Question 1b [15 points] Bob posts another ciphertext (C1,C2)= (7350174, 13786334) for a different message M2 using nonce Y2. What is Bob’s message M2? Implement a program that recovers Bob’s message M2.

In [15]:
from sympy import mod_inverse
def part_b(shared_secret: int) -> int:
    """
    Given shared_secret, Find message M2 and return it.
    (hint): you need to find secret key X first.
    """
    p = 20876441
    g = 5
    c1 = 7350174
    c2 = 13786334

    m2 = 0
    # YOUR CODE HERE
    inv_shared_secret=mod_inverse(shared_secret, p) # compute mod inverse of shared secret
    m2=(c2 * inv_shared_secret)%p # compute m2
    return m2


In [16]:
p = 20876441
g = 5
c1 = 7350174
c2 = 13786334

m2 = part_b(part_a())
assert type(m2) == int
assert (part_a() * m2) % p == c2

# hidden tests

### Question 1c [10 points] Bob notices that ElGamal encryption is malleable. If the encryption of M3=12345 is (C1,C2)= (8698838, 17288353), what is the encryption of M4=382695 (all numbers are decimal)? Show all your work.

In [17]:
from sympy import mod_inverse
def part_c() -> (int,int):
    """
    return encryption of M4.
    """
    p = 20876441
    m3 = 12345
    c1 = 8698838
    c2 = 17288353
    m4 = 382695

    c4 = (0,0)
    # YOUR CODE HERE
    #compute m4/m3 mod p
    inv_m3=mod_inverse(m3, p)  # compute mod inverse of m3 mod p
    a=(m4 * inv_m3)%p #m4/m3 mod p
    c2_new=(a * c2)%p # compute c2
    c4=(c1,c2_new) # c4=c1,c2'
    return c4



In [18]:
c1 = 8698838
p = 20876441
c4 = part_c()
assert type(c4) == tuple
assert type(c4[0]) == type(c4[1]) == int

b = 9784370109832758631
assert pow(b,c4[0],p) == 15050662
assert pow(b,c4[1],p) == 15021330


# hidden tests