# Homework 9

## Problem 1: Index Calculus

We will do an incomplete implementation of the index calculus algorithm, [described in the book](https://luisfinotti.org/pcimc/14-Quad_Sieve_Index_Calc.html#index-calculus).

### 1(a): Using Sage to Compute Logs of Primes

In this part we will do the whole algorithm: given $g$ a primitive element of $\mathbb{F}_p^{\times}$ and $h \in \mathbb{F}_p^{\times}$, as well as upper bounds $B$ and $M$, we will find $x$ such that $g^x = h$ (i.e., $x = \log_g(h)$).

**But we will cheat:** part of the problem is to find $\log_g(\ell)$ for all primes $\ell \leq B$.  You will compute those using Sage's own `discrete_log` function.  (On part 3(b) we will take the first steps in computing those without cheating.)  Of course, you can only use `discrete_log` in this part.

Here the argument $M$ is simply an upper bound for $k$, when computing $h \cdot g^{-k}$ (so, we compute it only for $k=0,1,2, \ldots, M$ at most).

Your output should be an *integer* in $\{0, 1, 2, \ldots, p-2\}$.

If our algorithm fails to find the discrete log (which means that $B$ or $M$ were too small), return $-1$.

**Remember:** To find what is the highest power of `l` dividing `n` we use `valuation(n, l)`.

In [None]:
def indcalc(g, h, B, M):
    """
    Index Calculus computation of log_g(h), using B-smooth numbers.

    INPUTS:
    g, h: units of a Zmod(p) for some prime p;
    B: upper bound for the prime factors to be used;
    M: upper bound for k in h * g^(-k) to be used.

    OUTPUT:
    Either the discrete log of h base g, or -1 if it failed to compute it.
    """
    ...

Let's test it:

In [None]:
number_of_tests = 30

min_p = 1000
max_p = 2000

min_B = 100
max_B = 200

for _ in range(number_of_tests):
    p = random_prime(max_p, lbound=min_p)
    B = randint(min_B, max_B)
    M = ceil(sqrt(p))
    F = GF(p)
    h = F(randint(2, p - 1))
    g = F.multiplicative_generator()
    result = indcalc(g, h, B, M)
    expected = discrete_log(h, g)
    if result != expected:
        print(f"Failed.  The answer should be {expected}, not {result}.")
        break
else:
    print("It works!")

### 1(b): Computing Logs of Primes (First Steps)

Now, given $g \in \mathbb{F}_p^{\times}$ a primitive root and an upper bound $B$, we will take the first step in computing $\log_g(\ell)$ for all primes $\ell \leq B$.

Your output should be a square matrix $M$ with $\pi(B)$ lines and columns (remember that $\pi(B)$ denotes the number of primes less than or equal to $B$) and a vector $\vec{a}$ of length $\pi(B)$, all of which have entries in $\{0,1,2, \ldots, p-2\}$ (don't forget to reduce modulo $p-1$!), such that a solution $\vec{x}$ of $M \cdot \vec{x} = \vec{a}$ would contain the desired logs.  (See the [corresponding section of the book](https://luisfinotti.org/pcimc/14-Quad_Sieve_Index_Calc.html#discrete-logs-of-small-primes) for more detail.)

(The last step, which we will skip, would be to find this solution.  It's a bit more involved than simple linear algebra since $\mathbb{Z}/(p-1)\mathbb{Z}$ is not a field.)

**Hint:** Most of the work is done in [the example in the book](https://luisfinotti.org/pcimc/14-Quad_Sieve_Index_Calc.html#id2).  You just need to adapt it to the function.

The "matrix" you will output is a list containing the rows as lists.  (No need to use Sage's `matrix` function.)  Similarly, the vector is simply a list.  (No need to use Sage's `vector` function.)

In [None]:
def dll(g, B):
    """
    Given g, a unit in Zmod(p), computes the matrix and vector that can be used
    to compute the discrete logs of all primes less than or equal to B.

    INPUTS:
    g: a unit of Zmod(p);
    B: an upper bound for the primes we want to compute the discrete logs base
       g of.

    OUTPUTS:
    A matrix M, meaning a list containg the rows (as a list) and list, and a vector
    a such that the solution of M * x = a in Zmod(p - 1) would give all the discrete
    logs base g of primes less than or equal to B.
    """
    ...

Let's test it:

In [None]:
number_of_tests = 30

min_p = 1000
max_p = 2000

min_B = 100
max_B = 200

for _ in range(number_of_tests):
    p = random_prime(max_p, lbound=min_p)
    B = randint(min_B, max_B)
    F = FiniteField(p)
    g = F.multiplicative_generator()
    M, a = dll(g, B)
    v = [discrete_log(l, g) for l in primes(B + 1)]
    MM = matrix(Zmod(p - 1), M)
    vv = vector(Zmod(p - 1), v)
    aa = vector(Zmod(p - 1), a)
    if MM*vv != aa:
        print("Your matrix and vector do not have the logs as solution.")
        break
else:
    print("It works!")

## Problem 2: RSA Digital Signature

In this problem we implement the RSA Digital Signature, [as described in the book](https://luisfinotti.org/pcimc/15-Digital_Signatures.html#rsa-digital-signature).

### 2(a): Sign

Given a modulus $N$ (with $N=pq$), the signing exponent $d$, and a "document" $D$ (i.e., a number in $\{2, \ldots, N-1\}$), the function below should produce the pair $(D,S)$ where $S$ is the signature for the document $D$ (which was given as input).

**Note:** The signature $S$ should be in $\mathbb{Z}/N \mathbb{Z}$.  We will assume $D$ is given in $\mathbb{Z}$.

In [None]:
def RSA_sign(N, d, D):
    """
    Use RSA to sign document D with signing key d.

    INPUTS:
    N: the modulus, a product of two distinct primes;
    d: the signing key;
    D: the document to be signed.

    OUTPUTS:
    A pair with D itseld and the signature.
    """
    ...

### 2(b): Verify

Given a modulus $N$, a verifictation exponent $e$, a document $D$ (in $\{2, \ldots , N-1\}$) and a signature $S$ (in $\mathbb{Z}/N\mathbb{Z}$), the function should return `True` if the singnature $S$ is valid, and `False` otherwise.

In [None]:
def RSA_ver(N, e, D, S):
    """
    Verifies if the S is a valid signature for the document D with verification
    key e.

    INPUTS:
    N: the modulus, a product of two distinct primes;
    e: the verification key;
    D: the document that was signed;
    S: the signature for D.

    OUTPUT:
    True if the signature is valid, False if not.
    """
    ...

### 2(c): Key Generation

I will not ask you to do the key generation here since it is exactly the same as for the RSA cryptosystem.

My own key generation function appears in the test below.

So, let's test it.  (Note that if one of the functions is correct, but the other isn't, the test will not know.)

In [None]:
def rsa_keys(b):
    """
    Generates b-bits RSA keys.

    INPUT:
    b: number of bits for the primes.

    OUTPUTS:
    A private key [p, q, d] and a public key [p * q, e], with p and q distinct
    b-bit primes and e * d congruent to 1 modulo (p-1)*(q-1).  So, p * q is the
    modulus, d is the signing key and e the verification key.
    """
    e = 2^16 + 1
    p = random_prime(2^b, lbound=2^(b - 1))
    while (p - 1) % e == 0:
        p = random_prime(2^b, lbound=2^(b - 1))
    q = p
    while q == p or (q - 1) % e == 0:
        q = random_prime(2^b, lbound=2^(b - 1))
    g, d, _ = xgcd(e, (p - 1) * (q - 1))
    return [p, q, d], [p * q, e]


number_of_tests = 30
min_b = 30
max_b = 40

for _ in range(number_of_tests):
    b = randint(min_b, max_b)
    v, w = rsa_keys(b)
    d = v[2]
    N = w[0]
    e = w[1]
    D = randint(2, N - 1)
    signv = RSA_sign(N, d, D)
    if not RSA_ver(N, e, signv[0], signv[1]):
        print("The signature was valid, but you couldn't verify.")
        break
    DD = randint(2, N - 1)
    while D == DD:
        DD = randint(2, N - 1)
    if RSA_ver(N, e, DD, signv[1]):
        print("The document was altered, but you verified it.")
        break
    SS = mod(randint(2, N - 1), N)
    while SS == signv[1]:
        SS = Mod(randint(2, N - 1), N)
    if RSA_ver(N, e, signv[0], SS):
        print("The signature is false, but you verified it.")
        break
else:
    print("It works!")

## Problem 3: ElGamal Digital Signature

In this problem we implement the ElGamal Digita Signature, as [described in the book](https://luisfinotti.org/pcimc/15-Digital_Signatures.html#elgamal-digital-signature).

### 3(a): Sign

Here given a prime $p$, a primitive root $g$ of $\mathbb{F}_p$, a secret exponent $a$ (in $\{2, \ldots , p-1\}$), and a document $D$ (an integer in $\{2, \ldots, p-1\}$), it should return $(D,S_1,S_2)$, where $D$ is the original document (an integer), and $S_1 \in \mathbb{F}_p$, $S_2 \in \mathbb{Z}/(p-1)\mathbb{Z}$ are the ElGamal signature for $D$.

In [None]:
def elgamal_sign(p, g, a, D):
    """
    Use Elgamal to sign document D with signing key a.

    INPUTS:
    p: a prime (the modulus);
    g: a primitive root in Zmop(p);
    a: the signing key;
    D: the document to be signed.

    OUTPUTS:
    The original document D, plus the two items of the signature.
    """
    ...

### 3(b): Verify

Now, given $p$, $g$ and $D$ as above, plus $A = g^a$ (public) and $S_1$ (in $\mathbb{F}_p$) and $S_2$ (in $\mathbb{Z}/(p-1)\mathbb{Z}$), the function below should return `True` if the signature $(S_1,S_2)$ is a valid signature for the document $D$ and `False` otherwise.

**Note:** When using elements of $\mathbb{Z}/m\mathbb{Z}$ (for some $m$) as exponent, you probably want to convert it to an integer, for instance, using `ZZ`, like `ZZ(<your exponent>)`.

In [None]:
def elgamal_ver(p, g, A, D, S1, S2):
    """
    Verifies if the (S1, S2) is a valid signature for the document D with
    verification key A.

    INPUTS:
    p: a prime (the modulus);
    g: a primitive root in Zmop(p);
    A: the verification key;
    D: the document that was signed;
    S1, S2: the supposed signature for D.

    OUTPUT:
    True if the signature is valid, False if not.
    """
    ...

### 3(c): Key Generation

Given $b$, you function should return two vectors: $v_{\mathrm{priv}} = (p,g,a)$ and $v_{\mathrm{pub}} = (p,g,g^a)$, where $p$ is a random prime with $b$-bits, $g$ is a primitive unit modulo $p$, and $a$ is a secret exponent in $\{2, \ldots, p-2\}$.

**You *can* use Sage's own functions for all the steps.**

**Note:** In practice you would most likely just copy the $p$ (large enough) and $g$ from someone and choose your $a$. 

In [None]:
def elgamal_keys(b):
    """
    Find a b-bit prime, a primitive element, and a random signing key.

    INPUTS:
    b: the number of bits for the the prime modulus.

    OUTPUTS:
    (p, g, a) and (p, g, g^a), where p is a b-bit prime, g a primitive
    root in Zmod(p), and a is random element between 2 and p-2.
    """
    ...

OK, so let's test them.

In [None]:
number_of_tests = 30
min_b = 30
max_b = 40

for _ in range(number_of_tests):
    b = randint(min_b, max_b)
    v, w = elgamal_keys(b)
    p, g, a = v
    pp, gg, AA = w
    if (pp != p) or (gg != g) or (AA != g^a):
        print("The private and public keys are not matching!")
        if pp != p:
            print(f"Different p's: {p} and {pp}.")
        if gg != g:
            print(f"Different g's: {g} and {gg}.")
        if AA != g^a:
            print(f"{AA = } but g^a = {g^a}.")
        break
    D = randint(2, p - 1)
    signv = elgamal_sign(p, g, a, D)
    DD = signv[0]
    S1 = signv[1]
    S2 = signv[2]
    if not elgamal_ver(pp, gg, AA, DD, S1, S2):
        print("The signature was valid (from your function), but you couldn't verify.")
        break
    DDD = randint(2, p - 1)
    while D == DDD:
        DDD = randint(2, p - 1)
    if elgamal_ver(pp, gg, AA, DDD, S1, S2):
        print("The document was altered, but you verified it.")
        break
    SS1 = Mod(randint(2, p - 1), p)
    SS2 = Mod(randint(2, p - 2), p - 1)
    while (S1, S2) == (SS1, SS2):
        SS1 = Mod(randint(2, p - 1), p)
        SS2 = Mod(randint(2, p - 2), p - 1)
    if elgamal_ver(pp, gg, AA, DD, SS1, SS2):
        print("The signature is false, but you verified it.")
        break
else:
    print("It works!")

## Problem 4: DSA

In this problem we implement the Digital Signature Algorithm (DSA), as [described in the book](https://luisfinotti.org/pcimc/15-Digital_Signatures.html#digital-signature-algorithm).

### 4(a): Sign

Given a prime $p$, a prime $q$ such that $q \mid (p-1)$, and element $g \in \mathbb{F}_p$ with $|g| = q$, a signing exponent $a$, and a document $D \in \{2, \ldots, q-1\}$, your function should return $D$, $S_1$, $S_2$ (with $S_1, S_2 \in \mathbb{F}_q$), where $(S_1, S_2)$ is the DSA signature for $D$.

<hr />

**Note:** It seems that you can directly convert an element of $\mathbb{Z}/p\mathbb{Z}$ to an element of $\mathbb{Z}/q\mathbb{Z}$ and vice-versa:

In [None]:
p, q = 23, 11
R, S = Zmod(p), Zmod(q)
a, b = R.random_element(), S.random_element()
a, b

Now convert:

In [None]:
aa, bb = S(a), R(b)
aa, aa.parent(), bb, bb.parent()

On the other hand, I remember having trouble with this in the past.  You can always first convert to an integer and then convert to the other, like: 

In [None]:
aa, bb = S(ZZ(a)), R(ZZ(b))
aa, aa.parent(), bb, bb.parent()

But, since it seems to work, you can do it either way.

<hr />

In [None]:
def DSA_sign(p, q, g, a, D):
    """
    Use DSA to sign document D with signing key a.

    INPUTS:
    p: a prime (the modulus);
    q: another prime dividing (p-1), the order of g;
    g: an element of order g in Zmod(p);
    a: the signing key;
    D: the document to be signed.

    OUTPUTS:
    The original document D, plus the two items of the signature.
    """
    ...

### 4(b): Verify

Given a prime $p$, a prime $q$ such that $q \mid (p-1)$, and element $g \in \mathbb{F}_p^{\times}$ with $|g| = q$, a public key $A$ in $\mathbb{F}_p^{\times}$, a document $D \in \{2, \ldots, q-1\}$, and a signature $(S_1, S_2)$ (with $S_1, S_2 \in \mathbb{F}_q$), your function should return  `True` if the signature $(S_1,S_2)$ is a valid signature for the document $D$ and `False` otherwise.

In [None]:
def DSA_ver(p, q, g, A, D, S1, S2):
    """
    Verifies if the (S1, S2) is a valid signature for the document D with
    verification key alpha.

    INPUTS:
    p: a prime (the modulus);
    q: another prime dividing (p-1), the order of g;
    g: an element of order g in Zmod(p);
    A: the verification key;
    D: the document to be signed;
    S1, S2: the supposed signature for D.

    OUTPUTS:
    True if the signature is valid, False if not.
    """
    ...

### 4(c): Key generation

Again, in practice we would just copy the parameters from someone else, but let's do it here for the sake of practice.  This can take a long time to generate, and so using someone else's parameter is a much better idea, but we will stick with small sizes for testing.

Given $B$ and $b$, you function should return two vectors: $v_{\mathrm{priv}} = (p,q,g,a)$ and $v_{\mathrm{pub}} = (p,q,g,g^a)$, where $p$ and $q$ are random primes with $B$-bits and $b$-bits respectively, with $q \mid (p-1)$ (so $B>b$), $g \in \mathbb{F}_p$ with $|g| = q$, and $a$ is a secret exponent in $\{2, \ldots, q-1\}$.

You *can* use Sage's own functions for all the steps.

**Hints:** 

1) I think the most efficient way to find $p$ and $q$ (primes with $q \mid (p - 1)$) is to find $q$ first and then loop:
    ```python
    for k in range(ceil(2^(B - 1) / q), floor(2^B / q)):
        p = q * k + 1
        if is_prime(p):
            break  # this p-works
    ```
    If this loop finishes without finding $p$, then try another $q$ and repeat.
2) To find $g$ of order $q$, we could use a primitive root in $\mathbb{F}_p^{\times}$, but Problem 4 from Homework 3 gives an efficient method!

In [None]:
def DSA_keys(b, B):
    """
    Find a B-bit prime p, a b-bit prime q dividing p-1,
    an element g of order q, and a random signing key.
    """
    ...

Let's first just test the key generation (this might take a minute, especially if your implementation is not efficient):

In [None]:
number_of_tests = 15

min_b = 25
max_b = 50

for _ in range(number_of_tests):
    b = randint(min_b, max_b)
    B = 3 * b
    v, w = DSA_keys(b, B)
    p, q, g, a = v
    if (v[:-1] != w[:-1]) or (g ^ a != w[3]):
        print(
            f"The lists {v} and {w} do not match the necessary structure."
        )
        break
    if not is_prime(p):
        print(f"{p = } is not prime.")
        break
    if not is_prime(q):
        print(f"{q = } is not prime.")
        break
    BB = len(p.bits())
    # if (BB > B + 1) or (BB < B):
    if BB != B:
        print(f"Prime {p = } does not have {B} bits.  It has {BB} bits.")
        break
    bb = len(q.bits())
    # if (bb > b + 1) or (bb < b):
    if bb != b:
        print(f"Prime {q = } does not have {b} bits.  It has {bb} bits.")
        break
    if g.multiplicative_order() != q:
        print(f"The element {g = } (module {p}) does not have order {q}.")
        break
else:
    print("It works!")

Now let's test them all:

In [None]:
number_of_tests = 15
min_b = 25
max_b = 50

for _ in range(number_of_tests):
    b = randint(min_b, max_b)
    B = 3 * b
    v, w = DSA_keys(b, B)
    p, q, g, a = v
    A = w[3]
    D = randint(2, q - 1)
    signv = DSA_sign(p, q, g, a, D)
    DD, S1, S2 = signv
    if not DSA_ver(p, q, g, A, DD, S1, S2):
        print("The signature was valid, but you couldn't verify.")
        break
    DDD = randint(2, q - 1)
    while D == DDD:
        DDD = randint(2, q - 1)
    if DSA_ver(p, q, g, A, DDD, S1, S2):
        print("The document was altered, but you verified it.")
        break
    SS1 = Mod(randint(2, q - 1), q)
    SS2 = Mod(randint(2, q - 2), q)
    while (S1, S2) == (SS1, SS2):
        SS1 = Mod(randint(2, q - 1), q)
        SS2 = Mod(randint(2, q - 2), q)
    if DSA_ver(p, q, g, A, DD, SS1, SS2):
        print("The signature is false, but you verified it.")
        break
else:
    print("It works!")