Homework 4: Computing discrete logs

Update October 6: Homework deadline extended; assignment extended.

The Pretty Bad Privacy encryption tool can be used to insecurely encrypt files to a 530-bit ElGamal public key using 256-bit AES.

The pdf file for your next homework assignment has been encrypted using PBP to the following ElGamal public key:

```
-----BEGIN PRETTY BAD PUBLIC KEY BLOCK-----
QwAAAAb5nmEtsHx7JuAjGz7dEdznka4XRTBdYZkcD0KoVs0//x+LEzHjPcZjJw3ohRe/N7OaIEQ2
BZuPQN0XTZ8+LxAwJncBAAAAC0MAAAAEiZTbZBTQkq/FD8sHAEQJiqBuMBP/zA4J5XXJ00bzsP20
K1R5u0UuEauJLjOmphik61fCRI+sjf4b0icqcHzF2EZL
-----END PRETTY BAD PUBLIC KEY BLOCK-----
```

The encrypted file is available here. Your task is to compute the discrete log of the public key and use it to decrypt the homework so you can do the rest of the problems.

You may use any programming language you like. Please implement your own discrete log algorithm. You do not need to implement your own factoring algorithm. The code used to encrypt the homework is here. It uses Sage for mathematical calculations and PyCrypto for symmetric encryption. I recommend you use a library with fast arithmetic; Sage uses GMP for its integer types.

Please submit your code and a short description of how you solved
the problem along with a PDF of your LaTeXed solutions to the other
problems to Canvas before class on October ~~13~~ 20. You may discuss
this assignment in small groups with classmates, but please code and
write up your solutions yourself. Please credit any collaborators
you discussed with and any references you used.

For reference, we give some excerpts from the OpenPBP RFC, inspired by the OpenPGP RFC.

3.2. Multiprecision Integers

Multiprecision integers (also called MPIs) are unsigned integers used to hold large integers such as the ones used in cryptographic calculations.

An MPI consists of two pieces: a four-octet scalar that is the length of the MPI in bits followed by a string of octets that contain the actual integer.

5.5.2. Public-Key Formats

A public key contains:

- MPI of Elgamal prime p;
- MPI of Elgamal group generator g;
- MPI of Elgamal public key value y (= g**x mod p where x is secret).

5.1. Public-Key Encrypted Messages

The body of the message consists of a string of octets that is the encrypted session key, followed by the symmetrically encrypted data. The symmetric session key is derived from m by interpreting m as an appropriate length string of octets.

- MPI of Elgamal (Diffie-Hellman) value g**k mod p.
- MPI of Elgamal (Diffie-Hellman) value m * y**k mod p.
- Encrypted data, the output of the AES symmetric-key cipher operating in CBC mode, with PKCS 7 padding.

6.2. Forming ASCII Armor

When PBP encodes data into ASCII Armor, it puts specific headers around the Radix-64 encoded data, so PBP can reconstruct the data later. A PBP implementation MAY use ASCII armor to protect raw binary data. PBP informs the user what kind of data is encoded in the ASCII armor through the use of the headers.

Concatenating the following data creates ASCII Armor:

- An Armor Header Line, appropriate for the type of data
- The ASCII-Armored data
- The Armor Tail, which depends on the Armor Header Line

An Armor Header Line consists of the appropriate header line text surrounded by five (5) dashes ('-', 0x2D) on either side of the header line text. The header line text is chosen based upon the type of data that is being encoded in Armor, and how it is being encoded. Header line texts include the following strings:

- BEGIN PRETTY BAD ENCRYPTED MESSAGE: Used for encrypted files.
- BEGIN PRETTY BAD PUBLIC KEY BLOCK: Used for armoring public keys.

Note that all these Armor Header Lines are to consist of a complete line. That is to say, there is always a line ending preceding the starting five dashes, and following the ending five dashes. The header lines, therefore, MUST start at the beginning of a line, and MUST NOT have text other than whitespace following them on the same line. These line endings are considered a part of the Armor Header Line for the purposes of determining the content they delimit.
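An added example, not part of the assignment or of the PBP code: a Python parser for the armored public key above, following sections 6.2, 3.2 and 5.5.2, together with the recovery of m from section 5.1 checked on constructed toy secrets. It assumes, from the key block's own bytes (which begin 43 00 00 00 ahead of a 67-octet prime), that the four-octet scalar is a little-endian octet count and that the integer octets are big-endian; all function names are illustrative.

```python
import base64
import struct

# Public key block copied from the assignment text above.
ARMORED_KEY = """\
-----BEGIN PRETTY BAD PUBLIC KEY BLOCK-----
QwAAAAb5nmEtsHx7JuAjGz7dEdznka4XRTBdYZkcD0KoVs0//x+LEzHjPcZjJw3ohRe/N7OaIEQ2
BZuPQN0XTZ8+LxAwJncBAAAAC0MAAAAEiZTbZBTQkq/FD8sHAEQJiqBuMBP/zA4J5XXJ00bzsP20
K1R5u0UuEauJLjOmphik61fCRI+sjf4b0icqcHzF2EZL
-----END PRETTY BAD PUBLIC KEY BLOCK-----
"""

def dearmor(text):
    """Return the octets between the Armor Header Line and the Armor Tail."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor header or tail")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def read_mpi(buf, off):
    """Read one MPI at off and return (value, next offset)."""
    # Assumed from this key's bytes: little-endian octet count, big-endian value.
    if off + 4 > len(buf):
        raise ValueError("truncated MPI length")
    (n,) = struct.unpack_from("<I", buf, off)
    body = buf[off + 4 : off + 4 + n]
    if len(body) != n:
        raise ValueError("truncated MPI body")
    return int.from_bytes(body, "big"), off + 4 + n

def parse_public_key(text):
    """Return (p, g, y), the order given in section 5.5.2."""
    raw = dearmor(text)
    p, off = read_mpi(raw, 0)
    g, off = read_mpi(raw, off)
    y, off = read_mpi(raw, off)
    if off != len(raw):
        raise ValueError("trailing octets after y")
    return p, g, y

def recover_m(c1, c2, x, p):
    """Section 5.1: c1 = g**k and c2 = m * y**k, so m = c2 * c1**(-x) mod p."""
    return c2 * pow(c1, -x, p) % p

def demo():
    p, g, _ = parse_public_key(ARMORED_KEY)
    x, k, m = 0x1234567, 0x7654321, 0xC0FFEE  # constructed toy secrets and message
    y_toy = pow(g, x, p)  # toy public value, not the assignment's y
    return recover_m(pow(g, k, p), m * pow(y_toy, k, p) % p, x, p) == m
```

The round trip in `demo()` uses the assignment's p and g with a made-up x; finding the x that matches the assignment's y is the discrete log the homework asks for and is not shown.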