# COM402: Crypto Basics Demo

In [1]:
import random
import math
import secrets

For running Jupyter notebook in VSCode, you can check out this page: [Jupyter Notebooks in VS Code](https://code.visualstudio.com/docs/datascience/jupyter-notebooks)

We first introduce some utility functions:

- `is_prime(n, k = 128)`: a randomized method that tests whether *n* is a prime efficiently. When parameter $k$ is picked large enough, it will be able to do that with high probability. The idea of this method is as following:
    -   First write $n-1$ as $r\cdot 2^s$ (such that $r$ ends with 1 and $s$ counts the number of zeros at the end of $n-1$.) 
    - Then picking a random $a$ between $2$ and $n-1$, we check using Fermat's little theorem:
        - The idea is the order of $a$ should be exactly $p-1$ in the group $\mathbb{Z}_p$
        - Check that $a^{r\cdot 2^j}$ does not become 1 for all j < s
        - Check that when $j = s-1$, $a^{r\cdot 2^j} = -1 \mod n$

- `generate_prime(bits)`: return primes with *bits* number of bits generated using the **is_prime** method.

In [10]:
def is_prime(n, k=128):
    if n == 2 or n == 3:
        return True
    if n <= 1 or n % 2 == 0:
        return False
    
    s = 0
    r = n - 1
    '''
    '&' is the bitwise and operator, the while loop terminates when r ends with 1
    s equals the number of zeros at the end of r (n-1)
    remove all zeros at the end of r
    '''
    while r & 1 == 0:
        s += 1
        r //= 2
        # n-1 = r* (2^s)

    for _ in range(k):
        a = random.randrange(2, n - 1)
        x = pow(a, r, n) # x= a^r mod n
        
        if x != 1 and x != n - 1:
            j = 1
            '''
            Checked using Fermat's little theorem
            The idea is the order of 'a' should be exactly p-1 in the group $\mathbb{Z}_p$
            we check that a^{r*2^j} does not become 1 for all j < s
            '''
            while j < s and x != n - 1:
                x = pow(x, 2, n) # x= x^2 mod n
                if x == 1:
                    return False
                j += 1
            # and check that when j = s-1, a^{r*2^j} = -1 mod n
            if x != n - 1:
                return False
    return True



In [11]:
def generate_prime(bits):
    while True:
        p = random.randrange(2**(bits-1), 2**bits)
        if is_prime(p):
            return p

In [12]:
# Generates a RSA keypair
def generate_keypair():
    e = 65537
    while True:
        p = generate_prime(1024)
        q = generate_prime(1024)
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            break
        
    n = p * q
    d = pow(e, -1, phi)

    assert (e * d) % phi == 1
    # public key, secret key
    return ((n, e), (n, d))


---

## Don't use textbook RSA I
In the slides, and probably previously, you might have seen the `textbook RSA` encryption scheme. I have been told I cannot explicitly threaten you if I find you using it, so I will not say ðŸ˜œ

This exercise models a fundamental security notion in cryptography: indistinguishability under chosen plaintext attack (IND-CPA). 
Informally, this models the fact that an adversary which does not have access to the secret key should not be able to tell anything about the plaintext from an encrypted message.

![IND-CPA game](IND-CPA%20game.png)

The game is defined as follows:
1. The challenger samples a public private key pair $(\mathsf{pk}, \mathsf{sk})$ and a bit $b$ at random. $\mathsf{pk}$ is sent to the adversary.
2. The adversary can submit many pairs of messages $m[0], m[1]$ of the same length to the challenger, and receives the encryption of one of them, $c := \mathsf{Enc}(\mathsf{pk}, m[b])$.
3. The adversary outputs a bit $b'$, and wins if $b = b'$.

Intuitively, if an adversary is able to guess the bit $b$ with high probability (more than random chance, i.e. 1/2), it means that the encryption leaks some information about the message encrypted.

You task is to design an adversary that wins this game with probability 1, against a textbook RSA scheme. 


In the python script, you will find a `Challenger` struct. This models the challenger of the IND-CPA game. When running `challenger = Challenger()`, it will execute step 1 as described above, generating an RSA keypair and sampling a bit `b`, which is kept hidden.

You will be playing as the adversary in this game, and write after the `Write your code here` comment. The challenger exposes two methods: `lor` and `submit`.

- `lor` takes as input two messages `m0` and `m1`, and returns a ciphertext `c` which is the encryption of `m0` if `b == 0` or `m1` otherwise.
- `submit` is used to submit your guess of what `b` is. You only get to call this method once.

Your adversary should win the game (and make `Challenger` output `Correct!`) with probability 1. Good luck!

In [13]:

"""
The challenger of the IND-CPA game.
You are not supposed to modify this class, nor to access its private members.
"""
class Challenger:
    def __init__(self):
        pk = generate_keypair()[0]
        self._b = random.randint(0, 1)
        self.pk = pk
    
    """
    Given two messages m0 and m1, return the encryption of m0 if b = 0, or the encryption of m1 if b = 1.
    """
    def lor(self, m0, m1):
        n, e = self.pk
        return pow(m1 if self._b else m0, e, n)

    """
    Once you are convinced, use this to submit your answer.
    """
    def submit(self, b):
        if b == self._b:
            print('Correct!')
        else:
            print('Nah!')
            exit(-1)
    
    

In [14]:
challenger = Challenger()
challenger.submit(0 if challenger.lor(0, 1) == 0 else 1)

Correct!


## Don't use textbook RSA II
In this exercise you will explore yet-another reason not to use textbook RSA.
The `Challenger` struct samples a RSA keypair, samples a random secret and encrypts it using textbook RSA.
Your task will be to recover this secret.
The challenger exposes two methods:

- `decrypt` takes as input a ciphertext, and returns its decryption.
- `submit` is used to submit your guess of what `secret` is. You only get to call this method once.

Your adversary should win the game (and make `Challenger` output `Correct!`) with probability 1. Of course, you are not allowed to use the `decrypt` method with the secret ciphertext, or are you?.
Good luck!

In [15]:
"""
The challenger of this game.
You are not supposed to modify this class, nor to access its private members.
"""
class Challenger:
    def __init__(self):
        pk, sk = generate_keypair()
        n, e = pk
        _, d = sk
        self.n = n
        self.e = e
        self._secret = secrets.randbelow(n)
        self.d = d
        # Encryption of the secret under RSA
        self.ciphertext = pow(self._secret, e, n)
    
    """
    Given a message, returns its decryption.
    """
    def decrypt(self, m):
        m = m % self.n
        if m == self.ciphertext:
            return 'Nice try...'
        return pow(m, self.d, self.n)

    """
    Once you are convinced, use this to submit your answer.
    """
    def submit(self, secret):
        if secret == self._secret:
            print('Correct!')
        else:
            print('Nah!')
            exit(-1)


In [16]:
challenger = Challenger()
# Write your code here
new = (challenger.ciphertext * pow(2, challenger.e, challenger.n)) % challenger.n
dec = challenger.decrypt(new)
challenger.submit((dec * pow(2, -1, challenger.n)) % challenger.n)


Correct!


## Don't use textbook RSA III
In this exercise you will explore a reason to not use RSA with an exponent $e$ that is very small.
The challenger exposes two methods:
 - `encrypt`, which generate a new public/private keys pair, with $e=3$
 - `submit` is used to submit your guess of what `secret` is. You only get to call this method once.

In [17]:
# Uncomment the following line to install PyCryptodome and gmpy2
#!pip install pycryptodome gmpy2

In [18]:
from Crypto.Util.number import getPrime
from math import gcd
import gmpy2
gmpy2.get_context().precision = 1024 # use gmpy2 for proper precision

def generate_keypair_small_e():
    #e = 65537
    e = 3
    while True:
        p = getPrime(1024)
        q = getPrime(1024)
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            break
        
    n = p * q
    d = pow(e, -1, phi)

    assert (e * d) % phi == 1
    # public key, secret key
    return ((n, e), (n, d))

class Challenger:
    def __init__(self):
        self._secret = secrets.randbelow(2 ** 1023)

    """
    Generate a new public key, private key pair, encrypt plaintext.
    Return: n, ciphertext
    """
    def encrypt(self):
        n = 0
        pk, sk = generate_keypair_small_e()
        n, e = pk
        
        return (n, pow(self._secret, e, n))

    """
    Once you are convinced, use this to submit your answer.
    """
    def submit(self, secret):
        if secret == self._secret:
            print('Correct!')
        else:
            print('Nah!')
            exit(-1)
            
        

In [19]:
def ext_euclid(a,b):
    """Extended Euclid algorithm"""
    # https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm
    assert a != 0 and b != 0
    
    r = a
    s = 1
    t = 0
    
    r_next = b
    s_next = 0
    t_next = 1

    while r_next != 0:
        r_tmp = r_next
        s_tmp = s_next
        t_tmp = t_next

        q = r // r_next
        
        r_next = r % r_next
        s_next = s - q * s_next
        t_next = t - q * t_next
        
        r = r_tmp
        s = s_tmp
        t = t_tmp
        
    return (r,s,t)


def crt(a1,n1,a2,n2):
    """return solution for chinese remainder theorem"""
    r, m1, m2 = ext_euclid(n1,n2)
    s = (a1 * m2 * n2 + a2 * m1 * n1) % (n1 * n2)
    assert s % n1 == a1 and s % n2 == a2
    return s

In [20]:
# Hastad's broadcast attack: https://en.wikipedia.org/wiki/Coppersmith%27s_attack
C = Challenger()
n1, c1 = C.encrypt()
n2, c2 = C.encrypt()
n3, c3 = C.encrypt() # in general, need e (pk,ciphertext) pairs

assert gcd(n1,n2) == 1 and gcd(n1,n3) == 1 and gcd(n2,n3) == 1

c1_2 = crt(c1,n1,c2,n2)
m_3 = crt(c1_2,n1 * n2,c3,n3)
secret = int(gmpy2.cbrt(m_3))

C.submit(secret)

Correct!


---

## Mallory attacks Diffie-Hellman (bonus)

Suppose that two students, Alice and Bob, decide they want to communicate over an unsafe channel. In class, they have heard of amazing symmetric cryptography algorithms that allow them to do so, but to use them, they would need to share a key between each other.

Luckily for them, they just read up on Diffie-Hellman and decide to use it as a key exchange method.

The typical exchange would go as follows (figures are adapted from "Information Security Principles and Practice" by Mark Stamp):

![Typical DH exchange](DH_Normal.png)

where $g$ and $p$ are publically known. As explained in the slides, Alice and Bob will then use $(g^a)^b \mod p \equiv (g^b)^a \mod p$ as a shared key `K_shared`.

In [21]:
# Uncomment the next line to install cryptography, needed for convenicence for the exercice
# !pip install cryptography

In [22]:
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from functools import cached_property
import sys

The `Student` class implements Alice/Bob. The `compute_full_key` function derives `K_shared` as described above. `partial_key` is the public key ($(g^a) \mod p$ or $(g^b) \mod p$)
`encrypt_message` and `decrypt_message` use `K_shared` to encrypt/decrypt messages. 

In [23]:
class Student:
    def __init__(self,name,g,p) -> None:
        self.g = g
        self.p = p
        self.name = name

        self.__secret = secrets.randbits(2048)

        self._shared_key : int = None

    def _key_check(self,k: int):
        if not k:
            raise ValueError(f"{self.name}: the provided key is None, have you called `compute_full_key`?")
        
    
    def _convert_key(self,k:int) -> bytes:
        """
        Helpful function to convert an integer key to 32 bytes (256 bit) bytes key (used in AES256 for example), by using only the first bytes of the key 
        """
        self._key_check(k)
        truncated = k.to_bytes(k.bit_length()//8+1,byteorder=sys.byteorder)[:256//8]
        return truncated

    @cached_property
    def partial_key(self):
        return pow(self.g,self.__secret,self.p)
    
    def compute_full_key(self,received_partial_key):
        self._shared_key = pow(received_partial_key,self.__secret,self.p)

    def print_key(self):
        self._key_check(self._shared_key)
        print(f"{self.name} computed key k={self._shared_key}")

    def encrypt_message(self,msg : str, key=None) -> bytes:
        # Provided for convenience : encryption using AES-256 GCM
        if key is None :
            key = self._shared_key
        self._key_check(key)
        nonce = secrets.token_bytes(12)  # GCM mode needs 12 fresh bytes every time
        ciphertext = nonce + AESGCM(self._convert_key(key)).encrypt(nonce, msg.encode("utf-8"), b"")
        return ciphertext
    
    def decrypt_message(self, encrypted_payload: bytes, key=None) -> str:
        # Provided for convenience
        if key is None :
            key = self._shared_key
        self._key_check(key)
        nonce,encrypted = encrypted_payload[:12],encrypted_payload[12:]
        decrypted = AESGCM(self._convert_key(key)).decrypt(nonce,encrypted, b"").decode("utf-8")
        return decrypted

The `DH` class implements the key exchange between Alice and Bob.

In [24]:
class DH:
    def __init__(self) -> None:
        # Publicly known constants
        # group id 14 from RFC 3526
        self.g = 2
        self.p = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF

        self.alice = Student("Alice",self.g,self.p)
        self.bob = Student("Bob",self.g,self.p)


    def key_exchange(self):
        self.bob.compute_full_key(self.alice.partial_key)
        self.bob.print_key()

        self.alice.compute_full_key(self.bob.partial_key)
        self.alice.print_key()

    def communicate(self):
        msg = "Test message"
        alice_encrypted = self.alice.encrypt_message(msg)
        print(f"Alice sends K(\"{msg}\") to Bob = {alice_encrypted}")
        bob_decrypted = self.bob.decrypt_message(alice_encrypted)
        print(f"Bob decrypted \"{bob_decrypted}\"")

In [25]:
dh = DH()
dh.key_exchange()

Bob computed key k=1748372751790191483143348868959493744877807810025074142695797181623352734403468199776104834143864637327522892324349515753587611745191525848275443308631903327391847532386637703968797574350983625825567447286406001724905623946363460048820499389898140253269625572725136350167023466164790136347536675052740091537236881022092281579053017613740676447289323923147644847636129490617856434559880833487800213366711005901178140300580693540649748528177721436351793255768535836
Alice computed key k=1748372751790191483143348868959493744877807810025074142695797181623352734403468199776104834143864637327522892324349515753587611745191525848275443308631903327391847532386637703968797574350983625825567447286406001724905623946363460048820499389898140253269625572725136350167023466164790136347536675052740091537236881022092281579053017613740676447289323923147644847636129490617856434559880833487800213366711005901178140300580693540649748528177721436351793255768535836


After having established a shared key, Alice and Bob can send each other encrypted messages.

In [26]:
dh.communicate()

Alice sends K("Test message") to Bob = b'\x91\x05_\xca\xdcsb\xf8\\\xfd\x8agk\xf9\xd1^\xc6Z\xfe\xb8F\x14\xeb\xce!<4REy\xa6\xc7\x84\xbb\xabr\xf4o\xd3M'
Bob decrypted "Test message"


We can see that the keys match and secure communication can be achieved, DH worked as expected! 

Now suppose you are Mallory, a malicious actor that has managed to place itself on the channel between Alice and Bob. 

![DH exchange with a MITM](DH_MITM.png)

For this exercise your goal is to finish implementing a MITM attack by mallory.

The `Mallory` class simulates a MITM attacker. `alice_k` and `bob_k` are the keys Mallory agreed on with Bob and Alice respectively. To implement the MITM attack you'll need to complete the key exchange protocol - fill in the functions marked with `#TODO`.

In [30]:
class Mallory(Student):
    # Modify as needed
    def __init__(self, name, g, p) -> None:
        super().__init__(name, g, p)
        self.__previously_saved = None

        self.alice_k = None
        self.bob_k = None
        

    def receive_from_alice(self,alice_partial):
        self.compute_full_key(alice_partial) # compute_full_key updates self._shared_key
        self.alice_k = self._shared_key
        print(f"{self.name} shares with Alice K_AM={self.alice_k}")
    
    def send_to_bob(self):
        #TODO
        return self.partial_key
    
    def receive_from_bob(self,bob_partial_key):
        #TODO
        self.compute_full_key(bob_partial_key)
        self.bob_k = self._shared_key
        print(f"{self.name} shares with Bob K_MB={self.bob_k}")
    
    def send_to_alice(self):
        #TODO
        return self.partial_key

    def message_from_alice(self,encrypted_payload:bytes,save_decrypted=True):
        self._key_check(self.alice_k)
        decrypted = self.decrypt_message(encrypted_payload,self.alice_k)
        if save_decrypted:
            self.__previously_saved = decrypted
        print(f"Mallory intercepts a message from Alice and decrypts it to \"{decrypted}\"")

    def message_to_bob(self):
        self._key_check(self.bob_k)
        if not self.__previously_saved:
            raise ValueError("Mallory receive_from_alice without saving the message")
        return self.encrypt_message(self.__previously_saved,self.bob_k)

The `DH_MITM` implements the MITM attack. In `key_exchange` mallory intercepts the DH messages and replaces them with her own messages. If you implemented the functions above correctly you should be able to decrypt the message sent from Alice to Bob.

In [31]:
class DH_MITM(DH):
    def __init__(self) -> None:
        super().__init__()
        self.mallory = Mallory("Mallory",self.g,self.p)

    def key_exchange(self):
        # Alice initiates the key exchange with Mallory
        self.mallory.receive_from_alice(self.alice.partial_key)
        # Mallory can then either first finish the key exhcange with Alice, or create the key exchange with Bob
        # We chose the latter
        self.bob.compute_full_key(self.mallory.send_to_bob())
        self.bob.print_key()
        self.mallory.receive_from_bob(self.bob.partial_key)
        # And then Mallory simply computes the key exchange with Alice
        self.alice.compute_full_key(self.mallory.send_to_alice())
        self.alice.print_key()

    def communicate(self):
        msg = "Test message"
        alice_encrypted = self.alice.encrypt_message(msg)
        print(f"Alice sends K_AM(\"{msg}\") in Bob's direction : {alice_encrypted}")
        self.mallory.message_from_alice(alice_encrypted)
        
        mallory_encrypted = self.mallory.message_to_bob()
        print(f"Mallory then forwards the message to Bob using K_MB(\"{msg}\") = {mallory_encrypted}")
        
        bob_decrypted = self.bob.decrypt_message(mallory_encrypted)
        print(f"Bob decrypted the message to \"{bob_decrypted}\"")

In [32]:
dh = DH_MITM()
dh.key_exchange()

Mallory shares with Alice K_AM=837580143368389996718707787166192249847957125651854479741937374568041981672668225605948586524209061454587172727467471949588919684477958292866566442438066479605379417033601956093918088687300461039672555142062324840827761647366050141777541449365552883282947348517909508915904705342690614336297419154078013441204038368729098720037055116134921919504777626862429174691874554204078564414978498777817242034763162631557815071633596672485443009555111062827029267786384621
Bob computed key k=2327750940456086048517437834282899014339213384295656128803078866531356432172665202324856469322911844383775152483613633013680951843954730016620961579801354820260690869608308756777934568829986073117753131287405643526263545959974098380448434737217647216455421737370184805235137838343648091935195908199794488758826734808444045711555795676800053480926135803120989252813749539431625088283559015927960175345416389419022158405294180485044095862469346990660921945296613365
Mallory shares with Bob

We can see that now Bob and Alice do not have the same keys! Indeed, they each share a key with Mallory, that is in between them. 

![Full MITM DH key exchange diagram](DH_MITM_solved.png)

However, communication between the two parties is still possible when Mallory acts as a proxy, at the cost of her being able to decrypt everything:

In [33]:
dh.communicate()

Alice sends K_AM("Test message") in Bob's direction : b'%\x04\x1a\x0f\x86\x03a\xe4\x13=\x8f\x16\xb3C\xe1\x99E\xaf\x81S\xdeX{\xc3\xc2\x91\x9b\xcc\t\x91l\x10\xbd\x04?V\xbc@\xcb\xa4'
Mallory intercepts a message from Alice and decrypts it to "Test message"
Mallory then forwards the message to Bob using K_MB("Test message") = b'"\x8a\x05TR?r\xe1I\xd3\xf0=\xe4_?\x82\xe6\xc3\x0b\xfb\xc8\xa8s\xc4G+@Fe\xaa\xbf\xc7\xe6\xa5\x1f\x01\xde\xfb\xa0\x83'
Bob decrypted the message to "Test message"
