(archived) Applied Cryptography Notes

Abbreviated as "Big Network Security and Data".

Overview of Cryptography

The four properties of modern cryptography: confidentiality, integrity, authentication, and non-repudiation.

Three periods: classical cryptography (algorithm secrecy), modern cryptography (key secrecy), and contemporary cryptography.

Attacks on cryptographic systems: ciphertext-only attack, known-plaintext attack, chosen-plaintext attack, chosen-ciphertext attack.

Kerckhoffs' principle: Security depends only on the secrecy of the key, not the algorithm. Otherwise, it is a "restricted cryptographic algorithm."

Security classifications: unconditional security, computational security, provable security.

Functions of cryptographic algorithms: encryption, hashing, digital signatures, identity authentication, key agreement.

Private keys are used for signing, public keys are used for verification.

Homework (p14):

1-1, 1-2, 1-4, 1-6, 1-7

Classical Cryptography

Monoalphabetic Substitution Cipher

Caesar

$c = m + k$

$m = c - k$

Affine Cipher

$k = (k_{1}, k_{2})$

$c = k_{1} m + k_{2}$

$m = (c - k_{2}) k_{1}^{- 1} (\mod 26)$

Key Phrase Cipher

Place the key at the beginning, and arrange the remaining letters after the key to form the substitution table.

Disadvantages

Word frequency analysis.

Polyalphabetic Substitution Cipher

Vigenère

$c_{i} = m_{i} + k_{i}$

$m_{i} = c_{i} - k_{i}$

Hill Cipher

$C = K \cdot M$

$M = K^{- 1} \cdot C (\mod 26)$

where $C$ and $M$ are column vectors, and $K_{n}$ is the encryption matrix.

Advantages and Disadvantages:

Resistant to ciphertext-only attacks; large key space.
Vulnerable to known-plaintext attacks and chosen-plaintext attacks.

OTP (Vernam)

$c_{i} = m_{i} \oplus k_{i}$

$m_{i} = c_{i} \oplus k_{i}$

The key must not be reused, and it is theoretically unbreakable.

Playfair

Remove duplicate letters from the key, place them at the beginning, and append the remaining letters. Treat "i" and "j" as occupying the same cell. Arrange them into a 5×5 matrix.

Group the plaintext into pairs (denoted as p1, p2). Then:

If they are in the same row, the ciphertext is the letter to the right of each plaintext letter (the rightmost wraps around to the first in the row).
If they are in the same column, the ciphertext is the letter below each plaintext letter (the bottommost wraps around to the top in the column).
If neither, take the opposite diagonal as the ciphertext, where each ciphertext letter shares the same row as its corresponding plaintext letter.
If the two letters are the same (or only one remains), insert a predetermined letter (e.g., "x") in the middle (to the right).

Chained Cipher Algorithm

Uses the result of encrypting one plaintext as the encryption key for the next plaintext.

Disadvantage: Error propagation.

Substitution Cipher

Cyclic Permutation

The key specifies the permutation of positions.

It is a special case of the Hill cipher, belonging to the category of linear transformation ciphers.

Columnar Transposition Cipher

Fill the plaintext into a matrix row by row, and the key specifies the order in which columns are read.

Rotor Machine Cipher

Not tested.

Homework:

2.1 2.4 2.5 2.7 2.8 2.10 2.11 2.13 2.14 2.15

Block Cipher

Design Principles

Diffusion Principle: Each bit of the plaintext should affect as many bits of the ciphertext as possible, and each bit of the ciphertext should be influenced by as many bits of the plaintext as possible.
Confusion Principle: Even if an adversary obtains both the plaintext and the ciphertext, they should not be able to deduce any information about the key.
Software Design: Use sub-blocks and simple operations.
Hardware Implementation: Strive to use regular structures.

If $S^{2} = S$ , it is an idempotent cryptosystem, such as affine ciphers, permutation ciphers, etc.

Iterative cryptosystems must be non-idempotent.

Typical Structures

SPN Structure: Faster diffusion, but encryption and decryption are not similar.
Feistel Structure: Encryption and decryption are similar, with slower diffusion (at least two rounds are required to change every bit of the input).

$L_{i + 1} = R_{i}$

$R_{i + 1} = L_{i} \oplus F (R_{i}, K_{i})$

DES (Key Points)

Security entirely depends on the confidentiality of the key.
Key length is 64 bits (8 bits used for parity check).

Steps:

Initial Permutation (IP) of the plaintext.
$E$ expansion of $R_{0}$ to obtain $R_{0} (32 \to 48)$ : Divide $R_{0}$ into 8 blocks, denoted as $B_{1}$ to $B_{4}$ , then prepend the last $B_{4}$ of the previous block to $B_{1}$ , and append the first $B_{1}$ of the next block to $B_{4}$ .
Add parity bits to $K_{0}$ (multiple of 8), obtain C[0] and D[0] via $PC-1$ , left-shift once to get C[1] and D[1], and obtain the 48-bit $K_{1}$ via PC-2.
$R_{0} \oplus K_{1}$
$S$ -box transformation $(48 \to 32)$ : Different blocks use different $S$ -boxes. Take $B_{2}$ to $B_{5}$ as the row of the $S$ -box, and $B_{1} B_{6}$ as the column of the $S$ -box (big-endian). The value obtained from the lookup table serves as the key block. (Key Point)
$P$ -box transformation.
XOR with $L_{0}$ to obtain $R_{1}$ , completing one round of iteration.
After 16 rounds of iteration, perform an inverse IP permutation.

Advantages:

Encryption and decryption structures are identical.
High strength.

Proof of complement symmetry:

For the $F$ function, $F (k, R) = P S (k \oplus E (R)) = P S (\overset{―}{k} \oplus E (\overset{―}{R})) = F (\overset{―}{k}, \overset{―}{R})$

Thus, the round function $Q_{k} (L, R) = (R, L \oplus F (k, R)) = (R, L \oplus F (\overset{―}{k}, \overset{―}{R}))$ , and further $\overset{―}{Q_{k} (L, R)} = (\overset{―}{R}, \overset{―}{L} \oplus F (\overset{―}{k}, \overset{―}{R})) = Q_{\overset{―}{k}} (\overset{―}{L}, \overset{―}{R})$

Let $D$ be the swap of left and right blocks, and $x = (L, R)$ . Then the encryption function $E_{\overset{―}{k}} (\overset{―}{x}) = D \cdot Q_{k_{16}} Q_{k_{15}} . . . Q_{k_{1}} (\overset{―}{x}) = D \cdot \overset{―}{Q_{k_{16}} Q_{k_{15}} . . . Q_{k_{1}} (x)} = \overset{―}{D \cdot Q_{k_{16}} Q_{k_{15}} . . . Q_{k_{1}} (x)} = \overset{―}{E_{k} (x)}$

Improvement: Triple DES.

Block Cipher Modes of Operation

ECB: Each block of plaintext is encrypted into the corresponding ciphertext block. The last incomplete block (less than 64 bits) is padded with a random string. (Essentially a large monoalphabetic substitution.)
CBC (Commonly Used): The current plaintext block is XORed with the previous ciphertext block before encryption. The initial vector must be kept strictly confidential.
CFB: Encryption is performed in units much smaller than the block size. The ciphertext depends on all previous plaintext.
OFB: Feedback occurs within the block. (Vulnerable to tampering.)
CTR: Allows parallel processing and precomputation, and can generate a good pseudorandom number sequence.

How to Choose:

Security
Efficiency
Functionality

AES (Key Points)

Mathematical Foundations

Multiplication in the finite field $GF (2^{8})$ : omitted.

x-multiplication: Since the modulus chosen for AES is 0x11b, i.e., $x^{8} + x^{4} + x^{3} + x + 1$ , when the high bit of the multiplier is 0, it is equivalent to a left shift; otherwise, it is equivalent to a left shift followed by an XOR with 0x1b.

Cross multiplication: Refers to the multiplication of two degree-4 polynomials in $GF (2^{8})$ modulo $x^{4} + 1$ . The process can be simplified using matrix multiplication. Specifically, for polynomials $\overset{―}{a_{3} a_{2} a_{1} a_{0}}$ and $\overset{―}{b_{3} b_{2} b_{1} b_{0}}$ , the product $\overset{―}{d_{3} d_{2} d_{1} d_{0}}$ is given by:

[\begin{matrix} d_{0} \\ d_{1} \\ d_{2} \\ d_{3} \end{matrix}] = [\begin{matrix} a_{0} & a_{3} & a_{2} & a_{1} \\ a_{1} & a_{0} & a_{3} & a_{2} \\ a_{2} & a_{1} & a_{0} & a_{3} \\ a_{3} & a_{2} & a_{1} & a_{0} \end{matrix}] \cdot [\begin{matrix} b_{0} \\ b_{1} \\ b_{2} \\ b_{3} \end{matrix}]

Here, the dot product between terms corresponds to multiplication in $GF (2^{8})$ (using x-multiplication), and addition corresponds to XOR.

Steps

Key length: 128 bits.

SubBytes: Lookup table substitution.
ShiftRows: Cyclically shift the $i$ -th row left by $i$ bytes.
MixColumns (Key step): For each column, perform a cross multiplication, where $\overset{―}{a_{3} a_{2} a_{1} a_{0}}$ is fixed as 3112H.
AddRoundKey: XOR with the round key column by column.

Overall process:

AddRoundKey()

for i from 1 to 9:
  SubBytes()
  ShiftRows()
  MixColumns()
  AddRoundKey()

SubBytes()
ShiftRows()
MixColumns()

Other Symmetric Encryption Algorithms

IDEA (Block size 64bit, Key length 128bit, Non-Feistel structure)
RC6 (Block size 128bit, Key length 128, 192, 256bit, Feistel structure)
SM4 (Block size 128bit, Key length 128bit, Asymmetric Feistel structure)

Asymmetric Encryption

Disadvantages of Symmetric Cryptography

Poor system openness (how to transmit the key)
Difficult key management: $n$ devices require $\frac{n (n - 1)}{2}$ keys.
Issues with digital signatures.

Characteristics of Public Keys

Convenient key management with high openness
High computational cost for encryption and decryption

Functions of a Public Key

Conventional key distribution and negotiation
Digital signatures
Encryption and decryption (less efficient and not recommended for direct use)

RSA

Specific process: Omitted

Using the Chinese Remainder Theorem (CRT) to achieve fast computation in RSA

Example: Compute $m^{d} (\mod n)$ , where $n = p q$ , $p$ and $q$ are distinct primes, and $d$ is the private key.

Solution: Use Euler's theorem to compute $m^{d} (\mod p)$ and $m^{d} (\mod q)$ separately, then apply CRT to compute $m^{d} (\mod n)$ .

Miller-Rabin

Fermat's Little Theorem is a necessary condition for a modulus to be prime.

Quadratic Residue Theorem: If $p$ is an odd prime, then the solutions to $x^{2} \equiv 1 (\mod p)$ are only $x \equiv 1$ or $x \equiv - 1$ .

Pseudocode:

# false rate: 1 - 4^(-s)
def WITNESS(a, n):
  if pow(a, n-1, n) != 1:
    return FALSE
  else while n % 2 == 0:
    n /= 2
    if pow(a, n-1, n) != 1 or -1:
      return FALSE
  return TRUE

for i from 1 to s:
  if WITNESS(integers[i], n) == FALSE
    return NOT_PRIME
return PRIME

ElGamal

Description

System parameters: $p, α \in Z_{p}^{*}$ .

Select a private key $x_{A}$ , and the public key is $y_{A} = α^{x_{A}} (\mod p)$ .

Encryption:

Choose a random number $k \in [2, p - 2]$ .
$c_{1} = α^{k} (\mod p)$
$c_{2} = m \cdot y_{A}^{k} (\mod p)$

Decryption:

$m = c_{2} \cdot (c_{1}^{x_{A}})^{- 1} (\mod p)$

Features

Non-deterministic (dependent on k)
Ciphertext space is larger than the plaintext space

ECC

SM2 also employs the elliptic curve cryptography system.

Elliptic Curves over the Real Number Field

The equation $y^{2} = x^{3} + a x + b$ can be denoted as $E (a, b)$ , or simply $E$ .

If points $P$ , $Q$ , and $R$ are collinear, the additive identity $O$ is defined as $O = P + Q + R$ . For any point $P$ on the curve, $P + O = P$ .

It follows that the additive inverse of a point has the same $x$ -coordinate but opposite $y$ -coordinate.

Thus, the addition operation is defined as follows: draw the line through $P$ and $Q$ , which intersects $E$ at $R$ ; then $- R$ is the result of $P + Q$ . The doubling operation can be defined analogously (omitted here). It can be shown that this addition satisfies the commutative and associative laws.

From an algebraic perspective, $P + Q = (x_{3}, y_{3}) = (λ^{2} - x_{1} - x_{2}, λ (x_{1} - x_{3}) - y_{1})$ , where $λ$ is the slope of the line. If $P$ and $Q$ coincide, then $λ = \frac{3 x^{2} + a}{2 y}$ .

Elliptic Curves over Finite Fields

Focus on $GF (p)$ ; $GF (2^{n})$ is not included in the exam.

$y^{2} = x^{3} + a x + b (\mod p)$ can be denoted as $E_{p} (a, b)$ , abbreviated as $E_{p}$ .

It can be proven that an elliptic curve over a finite field forms a cyclic group under the + operation.

The definition of addition involves taking the corresponding coordinates modulo $p$ , and doubling is similar.

Example: Find the number of points in $E_{11} (1, 6)$ :
Answer: There are 13 points in total (don't forget the point at infinity $O$ !).

ElGamal on Elliptic Curves

Let $ord (P)$ be the smallest integer $n$ such that $n P = O$ .

ECDLP: Given $α$ and $β$ , finding $k \in [0, ord (α) - 1]$ such that $k α = β$ is computationally hard.

Similar to the Discrete Logarithm Problem (DLP), point addition can be analogized to modular multiplication, and point doubling to exponentiation.

System parameters: $E (a, b)$ , base point $G$ (with order $n$ ).

Key generation: Select a private key $d_{A}$ , and compute the public key $P_{A} = d_{A} G$ .

Encryption:

Map the plaintext message $m$ to a point $P_{m}$ .
Select a random number $k \in [2, n - 1]$ .
$c_{1} = k G$
$c_{2} = P_{m} + k P_{A}$

Decryption:

$P_{m} = c_{2} - d_{A} c_{1}$
Apply the inverse mapping to $P_{m}$ to recover $m$ .

Menezes-Vanstone

Primarily addresses the problem of mapping plaintext $m$ to $P_{m}$ .

System parameters: $E (a, b)$ , base point $G$ (with order $n$ ).

Key generation: Select private key $d_{A}$ , public key is $P_{A} = d_{A} G$ .

Encryption:

$m = (m_{1}, m_{2})$
Select a random number $k \in [2, n - 1]$
$c_{1} = k G$
$Y = (y_{1}, y_{2}) = k P_{A}$
$c_{2} = y_{1} m_{1} (\mod p)$
$c_{3} = y_{2} m_{2} (\mod p)$

Decryption:

$d_{A} c_{1} = (z_{1}, z_{2})$ (Note that $d_{A} c_{1} = k P_{A}$ , so $y_{1} = z_{1}, y_{2} = z_{2}$ )
$m_{1} = c_{2} z_{1}^{- 1} (\mod p)$
$m_{2} = c_{3} z_{2}^{- 1} (\mod p)$
Obtain $m$ from $(m_{1}, m_{2})$

Example: Let base point $G$ in $E_{11} (1, 6)$ be $(2, 7)$ , key $d = 7$ , plaintext be $(9, 1)$ , random number $k = 6$ , compute the ciphertext.

Solution: Compute public key $P_{A} = d G = 7 (2, 7) = (7, 2)$

$c_{1} = 6 G = (7, 9)$

$Y = k P_{A} = k d G = 42 G = 3 G = (8, 3)$

$c_{2} = 8 \times 9 = 6 (\mod p)$

$c_{3} = 3 \times 1 = 3 (\mod p)$

Therefore, the ciphertext is $((7, 9), 6, 3)$

Code implementation (done while working on homework at night)

# ECC en&decrypt in GF(p)
# 4/24/2023 junyu33
import gmpy2
a = 1
b = 6
p = 11
G = [2, 7]
d_A = 5
def Add(A: list, B: list) -> list:
    lamb = 0
    if A == B:
        lamb = (3*A[0]*A[0]+a)*gmpy2.invert(2*A[1], p) % p
    else:
        lamb = (B[1]-A[1])*gmpy2.invert(B[0]-A[0], p) % p
    s = (lamb**2 - A[0] - B[0]) % p
    t = (lamb*(A[0]-s) - A[1]) % p
    return [s,t]

def Mult(X: list, t: int) -> list:
    R = X
    t = t - 1
    while t:
        if t & 1:
            R = Add(R, X)
        X = Add(X, X)
        t >>= 1
    return R

def enc(M: list, G: list, k: int):
    c_1 = Mult(G, k)
    P_A = Mult(G, d_A)
    Y = Mult(P_A, k)
    c_2 = Y[0] * M[0] % p
    c_3 = Y[1] * M[1] % p
    print(c_1, c_2, c_3)

def dec(c_1: list, c_2: int, c_3: int):
    Y = Mult(c_1, d_A)
    z_1 = Y[0]
    z_2 = Y[1]
    m_1 = c_2 * gmpy2.invert(z_1, p) % p
    m_2 = c_3 * gmpy2.invert(z_2, p) % p
    print(m_1, m_2)

enc([7,9],G,3)

Hash

SHA-1 (Cracked)

big-endian

2**64-1 -> 160 bit

Steps

Padding: origin + 1000...000 (length 448 - len % 512) + len
Initial MD buffer: A = 67452301, B = EFCDAB89, C = 98BADCFE, D = 10325476, E = C3D2E1F0
Process the message in 512-bit blocks:
A, B, C, D, E ← [(A << 5) + f_t(B, C, D) + E + W_t + K_t], A, (B << 30), C, D
A total of 80 rounds are performed, where:
- $f_{t}$ is the logical function, defined as:
  (B & C) | (~B & D), B ^ C ^ D, (B & C) | (B & D) | (C & D), B ^ C ^ D for rounds 1–20, 21–40, 41–60, and 61–80, respectively.
- $W_{t}$ is the 32-bit sub-message block W[t]. The first 16 entries correspond directly to the 512-bit input block. Subsequent entries (for t = 16 to 79) are computed as:
  W[t] = (W[t-16] ^ W[t-14] ^ W[t-8] ^ W[t-3]) << 1
- $K_{t}$ is a fixed constant (for $1 \leq t \leq 4$ ):
  5A827999, 6ED9EBA1, 8F1BBCDC, CA62C1D6
- The first 20 rounds use $t = 1$ , the next 20 use $t = 2$ , and so on.
The initial A, B, C, D, E values are added to the final A', B', C', D', E' values to form the new buffer. After processing all blocks, the resulting buffer is the SHA-1 hash.

Birthday Attack

If the size of the message space is $N$ , then approximately $\sqrt{N}$ randomly selected messages are required to have a 50% probability of producing a collision.

SM3

A domestic commercial cryptographic hash function.

Operates on 512-bit blocks and produces a 256-bit output.

Used in smart electricity meters and TPM 2.0.

Message Authentication

Classification of Message Authentication Code (MAC):

Encryption Techniques
Hash Functions
HMAC Algorithm (Keyed One-Way Hash Function)

Digital Signature

RSA

The sender uses $s_{A} = m^{d} (\mod n)$ to sign.

The receiver uses $m = s_{A}^{e} (\mod n)$ for verification.

ElGamal

Initialization: $e_{A} = α^{d_{A}} (\mod p)$

Signature Transformation:

Select a random number $k$ that is coprime with $p - 1$ .
Signature:
- $r = α^{k} (\mod p)$
- $s = (H (M) - d_{A} r) k^{- 1} (\mod p - 1)$ , where $H$ is a one-way hash function.
- Send $(r, s)$ .
Verification:
- Compute $H (M)$ .
- Compute $e_{A}^{r} r^{s} (\mod p)$ and $α^{H (M)} (\mod p)$ . If they are equal, the signature is valid.

Note: $k$ must not be leaked. The same applies to the encryption part.

DSA

$p$ , $q$ , and $g$ are public, where $q$ is a prime factor of $p - 1$ , and $g = h^{(p - 1) / q} (\mod p)$ .

A random $x$ is selected as the private key, and the public key is $y = g^{x} (\mod p)$ .

Signature transformation:

Signing:
- Select $k \in (0, q)$ .
- $r = (g^{k} (\mod p)) (\mod q)$ .
- $s = k^{- 1} (H (m) + x r) (\mod q)$ .
- Send $(r, s)$ .
Verification:
- $w = s^{- 1} (\mod q)$ .
- $u_{1} = H (m) w (\mod q)$ .
- $u_{2} = r w (\mod q)$ .
- $v = (g^{u_{1}} y^{u_{2}} (\mod p)) (\mod q)$ . If $v = r$ , the signature is valid.

ECDSA

$E (F_{p}), G, n$ are the system parameters.

Randomly select $d \in (1, n)$ as the private key, and $Q = d G$ as the public key.

Signing:
- Choose a random number $k \in (1, n - 1)$
- $k G = (x_{1}, y_{1})$
- $r = x_{1} (\mod n)$
- $s = k^{- 1} (h (M) + d r) (\mod n)$
- Send $(r, s)$
Verification:
- $u_{1} = h (M) s^{- 1} (\mod n)$
- $u_{2} = r s^{- 1} (\mod n)$
- $X (x_{2}, y_{2}) = u_{1} G + u_{2} Q$
- $v = x_{2} (\mod n)$ ; if $v = r$ , accept the signature.

Special Signatures

Undeniable Signatures
Blind Digital Signatures
Group Signatures

Key Management Technologies

Diffie-Hellman (Asymmetric, only used for key exchange between two users)

System parameters: $p, α$

Alice selects a private $r_{a}$ and computes $s_{a} = α^{r_{a}} (\mod p)$
Bob selects a private $r_{b}$ and computes $s_{b} = α^{r_{b}} (\mod p)$
Both parties exchange $s_{a}$ and $s_{b}$
Alice computes $s_{b}^{r_{a}} (\mod p)$
Bob computes $s_{a}^{r_{b}} (\mod p)$

Clearly, the two computed values are equal, and the key agreement is completed.

Vulnerable to man-in-the-middle attacks.

Shamir's Threshold Scheme

System parameters: $k, n, q$

Secret: $s, a_{1}, a_{2}, \dots, a_{k - 1}$

A secret polynomial can be constructed as follows:

f (x) = s + a_{1} x + a_{2} x^{2} + \dots + a_{k - 1} x^{k - 1}

The key distributor calculates $f (x_{i})$ for each participant based on their key $x_{i}$ and distributes the corresponding value to them.

Using Lagrange interpolation, the secret polynomial can only be reconstructed by any subset of $\geq k$ participants. The process is as follows:

f (x) = \sum_{i = 1}^{k} f (x_{i}) \prod_{j = 1, j \neq i}^{k} \frac{x - x_{j}}{x_{i} - x_{j}} (\mod q)

Specifically, when $x = 0$ , the secret $s$ can be computed:

s = f (0) = (- 1)^{k - 1} \sum_{i = 1}^{k} f (x_{i}) \prod_{j = 1, j \neq i}^{k} \frac{x_{j}}{x_{i} - x_{j}} (\mod q)

Shortcomings:

Fixed threshold value
The secret distributor knows the participants' shadows
Unable to prevent fraud by the secret distributor or participants

Identity Authentication Technology

Concepts, Threats, and Attack Methods

Challenge–Response Authentication:

Additional communication overhead
Prevents replay attacks by the claimant but not by the verifier: requires mutual authentication and timestamps.

S/Key One-Time Password Authentication:

Prevents replay attacks
Vulnerable to small number attacks (intercepting the server's seed and iteration value, modifying it to a smaller iteration value sent to the user, intercepting the user's password, and computing a larger iteration value)
Lacks integrity protection mechanisms

Zero-Knowledge Proof Protocol

Let $n = p \times q$ , and assume that Alice knows the factors of $n$ . If Alice wants to convince Bob that she knows the factors without revealing them, she can perform the following steps:

Bob randomly selects $x$ , computes $y = x^{4} (\mod n)$ , and sends $y$ to Alice.
Alice computes $z = \sqrt{y} (\mod n)$ and sends $z$ to Bob.
Bob verifies whether $z = x^{2} (\mod n)$ holds.
If the verification succeeds multiple times in repetition, it proves that Alice indeed knows the factors of $n$ .

The theoretical foundation lies in the fact that the difficulty of computing $\sqrt{y} (\mod n)$ is equivalent to factorizing $n$ .

Kerberos Authentication

Uses a symmetric key system, with authentication services provided by a trusted third party.

Distributes shared keys to communicating parties through tickets.

Secure Communication

Pseudocode:

Sender:

# send.py
# Example usage:
with open("public_key_B.pem", "rb") as f:
  public_key_B = RSA.import_key(f.read())

with open('data', 'rb') as f:
  data = f.read()

# Party A encrypts the data and signs it
ciphertext = encrypt(data, key)
signature = sign(data, private_key_A)

# Party A encrypts the key using the public key of party B
encrypted_key = encrypt_key(key, public_key_B)

with open('encrypted_key', 'wb') as f:
  f.write(encrypted_key)

with open('ciphertext', 'wb') as f:
  f.write(ciphertext)

with open('signature', 'wb') as f:
  f.write(signature)

with open('public_key_A.pem', 'wb') as f:
  f.write(public_key_A.export_key('PEM'))

Receiver:

# receive.py
with open('public_key_A.pem', 'rb') as f:
  public_key_A = RSA.import_key(f.read())
with open('encrypted_key', 'rb') as f:
  encrypted_key = f.read()

with open('signature', 'rb') as f:
  signature = f.read()

with open('ciphertext', 'rb') as f:
  ciphertext = f.read()

# Party B decrypts the key and uses it to decrypt the data
key = decrypt_key(encrypted_key, private_key_B)
decrypted_data = decrypt(ciphertext, key)
with open('decrypted_data', 'wb') as f:
  f.write(decrypted_data)

# Party B verifies the signature of party A
is_valid = verify_signature(decrypted_data, signature, public_key_A)

if is_valid:
  print("The signature is valid")
else:
  print("The signature is not valid")

Stream Cipher Fundamentals

Also known as stream ciphers, they belong to the symmetric cryptosystem and are suitable for hardware implementation.

Classification

Synchronous Stream Ciphers: The state of the memory element is independent of the plaintext or ciphertext, with no error propagation but requiring synchronization.
Self-Synchronizing Stream Ciphers: The keystream generation is related to the ciphertext, featuring limited error propagation and self-synchronization.

LFSR

Note that the shift direction is from high-order bits to low-order bits, where $x_{1}$ is the output, and the value of $f$ becomes the next $x_{n}$ .

The properties are entirely determined by the feedback function. The period $T$ of an $n$ -stage LFSR satisfies $T \leq 2^{n} - 1$ .

Stream cipher generators based on LFSR include:

Geffe generator
Clock-controlled generator
Alternating step generator

RC4

Two algorithms: Key Scheduling Algorithm (KSA) and Pseudo-Random Generation Algorithm (PRGA).