Implementing cryptographic algorithms in SageMath

This worksheet contains

• Diffie-Hellman(-Merkle) Key Exchange (1976)

• RSA Cryptosystem (Rivest, Shamir, Adleman, 1977)

Homework exercises

• ElGamal Cryptosystem (Unlike RSA, ElGamal offers randomized encryption) (1985)

• Naor-Pinkas Oblivious Transfer (standard model version, 1999)

Diffie-Hellman-Merkle Key Exchange

Key Exchange protocols allow two parties (Alice and Bob) to establish a shared secret key over a public channel. The shared key is typically used later to encrypt communications using a symmetric cipher. DH key exchange was published in 1977, and it used even today, see for example the SSL/TLS protocol.

Please note that we use $G$ a subgroup of the multiplicative group mod p in this example, but the protocol is generic and works with any cyclic group $G$. Today, it is more typical to use the group of points on an elliptic curve. For example, see Dan Bernstein's paper Curve25519: new Diffie-Hellman speed records (2006).

1. Find a cyclic group $G = \lt g \gt$ where discrete logarithm is difficult. In this example, we will use a $384$-bit safe prime $p = 2q + 1$ and work in the subgroup generated by an element $g \in \mathbb{Z}_p^\times$ of order $q$. These parameters can be re-used for multiple key exchanges; however, in this case please consider Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice by Adrian et al. (2015).

2. Alice picks a random $a \in \mathbb{Z}_q$ and sends $x = g^a$ to Bob.

3. Bob picks a random $b \in \mathbb{Z}_q$ and sends $y = g^b$ to Alice.

4. Both Alice and Bob can compute the shared key $g^{ab} = x^b = y^a$.

RSA Cryptosystem

RSA is (one of?) the first asymetric encryption algorithm.

The public key is a product of two large primes $n = pq$ and a small prime exponent, typically $e = 2^{16}+1 = 65537$.

Private key $d \equiv e^{(-1)} \pmod{\varphi(n)}$, where $\varphi(n) = (p-1)(q-1)$ is the order of multiplicative group mod $n$. It is easy to compute the inverse, when factorization of $n$ is known, using the extended euclidean algorithm.

Encryption and decryption

To encrypt a message $M \in \{1, \ldots, n-1\}$, you compute hte e-th power of M (mod n).

$C \equiv M^e \pmod{n}$.

So, to decrypt a cryptotext $C$, you have to compute its $e$-th root. $M' \equiv C^d \pmod{n}$.

$M' \equiv C^d \equiv M^{ed} \equiv M^{k \varphi(n) + 1} \equiv M . M^{\varphi(n)k} \equiv M \pmod{n}$