# Cryptography (CC4017) -- Week 8

## Exercice 1

In a public-key system using RSA, you intercept the ciphertext C = 20 sent to a user whose
public key is e = 13, n = 77. What is the plaintext M ?

To decrypt the message, we need to compute the private key d. For that we can use the public key key components e and n. The private key is the modular multiplicative inverse of $e \ mod \ \phi (n)$, where $\phi (n)$ is the Euler's totient function of n.

1. Factorize n : n = 77 then can be factorized as $n = 7 \times 11$

2. Compute $\phi (n) = (p-1)(q-1)$ where p and q are the prime factors of n. In this case, $\phi (n) = 6 \times 10 = 60$

3. Compute the modular multiplicative inverse of e mod $\phi (n)$, i.e. $d = e^{-1} \ mod \ \phi (n)$ 

4. Decrypt the message using the formula $M = C^d \ mod \ n$



In [7]:
# Compute the modular multiplicative inverse

def modinv(a, m):
    m0, x0, x1 = m, 0, 1
    while a > 1:
        q = a // m
        m, a = a % m, m
        x0, x1 = x1 - q * x0, x0
    return x1 + m0 if x1 < 0 else x1

a = 13
m = 60
print(f"The modular multiplicative inverse of {a} modulo {m} is {modinv(a, m)}")



The modular multiplicative inverse of 13 modulo 60 is 37


In [8]:
def modular_exponentiation(base, exponent, modulus):
    result = 1
    base = base % modulus
    while exponent > 0:
        if (exponent % 2) == 1:
            result = (result * base) % modulus
        exponent = exponent >> 1
        base = (base * base) % modulus
    return result

C = 20
d = 37
n = 77

M = modular_exponentiation(C, d, n)
print(M)

48


So for the first question, we can conclude that the plaintext M is 48.

## Exercice 2

In a RSA system ,the public key ofa given user is e = 65 , n = 2881. What is the private key of this user?

To find the private key, we need to compute the modular multiplicative inverse of e mod $\phi (n)$, where $\phi (n)$ is the Euler's totient function of n.

1. Factorize n : n = 2881 then can be factorized as $n = 43 \times 67$

2. Compute $\phi (n) = (p-1)(q-1)$ where p and q are the prime factors of n. In this case, $\phi (n) = 42 \times 66 = 2772$

3. Compute the modular multiplicative inverse of e mod $\phi (n)$, i.e. $d = e^{-1} \ mod \ \phi (n)$

In [9]:
# Factorization
def factorize(n):
    factors = []
    i = 2
    while i * i <= n:
        if n % i:
            i += 1
        else:
            n //= i
            factors.append(i)
    if n > 1:
        factors.append(n)
    return factors

n = 2881
result  = factorize(n)

# Print the factors
print(result)

# Euler's totient function
d = modinv(65, 2772)
print(f"The modular multiplicative inverse of 65 modulo 2772 is {d}")


[43, 67]
The modular multiplicative inverse of 65 modulo 2772 is 725


We can conclude that the private key of this user is 725.

## Exercice 3

In the RSA public-key encryption scheme, each user has a public key $ e $ and a private key $ d $ . Suppose Bob leaks his private key. Rather than generating a new modus, he decides to generate a new public key $e $ and a new private key $ d $. Is this safe?

> No, if Bob's private key has been compromised or leaked, it is not safe for him to create a new public key and a new private key using the same modulus. An attacker can factorize the modulus n using Bob's leaked private key, and then use the factorized n to decrypt the messages encrypted with the new public key and private key. The security of the RSA relies on the difficulty of factorizing the modulus n. If the modulus n is factorized, the attacker can easily decrypt the messages encrypted with the new public key and private key.


## Exercice 4

Suppose Bob uses the RSA cryptosystem with a very large modulus n for which the factorisation cannot be found in a reasonable amount of time. Suppose Alice sends an enciphered message to Bob containing only her phone number: $number^e (mod \ n)$. Is this safe?

> No, it is not safe for Alice to send only her phone number encrypted with RSA to Bob. A phone number typically has a very limited range of possible values low entropy makes it feasible for an attacker to perform a brute-force attack. An attacker can easily decrypt the message by encrypting all possible phone numbers and comparing the result with the encrypted message. Since the phone number is a small number, the attacker can easily find the phone number that corresponds to the encrypted message.


## Exercice 5

Although, since 2002, there is a published algorithm with polynomial complexity to test primality of an integer, its performance for small sizes is too slow to be considered as usable. What is normally used is a probabilistic test, that can be iterated the necessary number of times so that the probability of a false positive may be made negligible. The Miller-Rabin is a primality test of this kind.

**Theorem 1.**  If p is an odd prime, then the equation
$$ x^2 \equiv 1 \ (mod \ p) $$
has exactly two solutions: x = 1 and x = -1.

**Proof.** If x is solution of the equation, then
$$ x^2 \equiv 1 \ (mod \ p) $$
$$ (x + 1)(x - 1) \equiv 0 \ (mod \ p) $$

thus
$$ p \mid (x + 1) \vee p \mid (x - 1) $$

Suppose that $ p \mid (x + 1) \wedge p \mid (x - 1)$. Then we can write $ x + 1 = kp $ and $ x - 1 = jp $ for some integers k and j. Subtracting both equations we get $2 = (k − j)p $ that is only satisfied with p = 2, but the initial assumption states that p is an odd prime. Thus $ p \mid (x + 1) \vee p \mid (x - 1) $. Suppose that $ p \mid (x − 1) $. Then
$$ (\exists k) \ (x - 1 = kp )$$
and hence $ x \equiv 1 \ (mod \ p ) $

In an entirely analogous manner we proceed if $ x \equiv -1 \ (mod \ p ) $

We can look at this theorem in a different perspective: if we can find a solution for $x^2 ≡ 1 \ (mod \ n) $ that is different from $ x = ±1$, then we can conclude that n is not prime.

**Theorem 2.** Let p be an odd prime and a such that $p \nmid a$. We can always express $ p − 1 $ as
$$ p − 1 = 2^k d $$
with d is odd. Thus, one of the two following is true:

(a) $ a^d ≡ 1 \ (mod \ p) $

(b) $\exists i \in \{0, \ldots, k-1\} \ a^{2^i d} \equiv -1 \pmod{p}$.

**Proof.** By Fermat’s theorem, $a^{2^k d} \equiv 1 \pmod{p}$. Thus, in the following sequence
$$ a^d, a^{2d}, a^{2^2d}, \ldots, a^{2^k d} $$

at least the last is congruent with 1. But each of the powers of a is the square of the previous.
Thus, one of the following is true

(a) $ a^d ≡ 1 \ (mod \ p) $

(b) $\exists i \in \{0, \ldots, k\}$,

$$a^{2^i d} \equiv -1 \pmod{p} \wedge a^{2^{i-1} d} \not\equiv 1 \pmod{p} $$

As we are in the conditions of the previous theorem, we conclude that
$$a^{2^{i-1} d} \equiv -1 \pmod{p} $$

We can, then, write a programming function, Witness, that takes a number n and a “witness” $ a $, with $(a,n) = 1$ , and tests if $a^d \not\equiv 1  \pmod{p} $ and $ a^{2^i d} \not\equiv −1 \pmod{p} $ , for all $ 0 ≤ i ≤ k $ . If the test succeeds we know for sure that the number is not a prime. If it fails we cannot conclude, but we have a probability of $\frac{1}{2}$ of $n$ being a prime. We can repeat the test (with a different values for $a$). If we try $ m $ times and all the tests are negative we can ensure that the number $n$ is a prime with a probability $1 − 2^{−m}$.

**Programming assignment:** Write a python program that implements this strategy and test it for large primes.

In [None]:
# Import Required Libraries
import numpy as np # type: ignore
import random

def miller_rabin(n, k):
    # Helper function to perform modular exponentiation
    def power_mod(base, exponent, modulus):
        result = 1
        base = base % modulus
        while exponent > 0:
            if (exponent % 2) == 1:
                result = (result * base) % modulus
            exponent = exponent >> 1
            base = (base * base) % modulus
        return result

    # Helper function to perform the Miller-Rabin test for a single witness
    def witness(a, d, n, s):
        x = power_mod(a, d, n)
        if x == 1 or x == n - 1:
            return False
        for _ in range(s - 1):
            x = (x * x) % n
            if x == n - 1:
                return False
        return True

    # Handle base cases
    if n <= 1:
        return False
    if n <= 3:
        return True
    if n % 2 == 0:
        return False

    # Write n-1 as 2^s * d
    s = 0
    d = n - 1
    while d % 2 == 0:
        d //= 2
        s += 1

    # Perform k iterations of the test
    for _ in range(k):
        a = random.randint(2, n - 2)
        if witness(a, d, n, s):
            return False

    return True

def witness(a, d, n, s):
    # Helper function to perform modular exponentiation
    def power_mod(base, exponent, modulus):
        result = 1
        base = base % modulus
        while exponent > 0:
            if (exponent % 2) == 1:
                result = (result * base) % modulus
            exponent = exponent >> 1
            base = (base * base) % modulus
        return result

    x = power_mod(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = (x * x) % n
        if x == n - 1:
            return False
    return True

# Test the Primality of Large Numbers

# Define a list of large numbers to test
large_numbers = [
    15485863,  # 1 millionth prime
    32452843,  # 2 millionth prime
    49979687,  # 3 millionth prime
    67867967,  # 4 millionth prime
    86028121   # 5 millionth prime
]

# Number of iterations for the Miller-Rabin test
k = 5

# Test each large number for primality
results = {}
for number in large_numbers:
    is_prime = miller_rabin(number, k)
    results[number] = is_prime

results

# Run Multiple Tests for Higher Accuracy

# Function to run multiple Miller-Rabin tests for higher accuracy
def run_multiple_tests(n, k, iterations):
    for _ in range(iterations):
        if not miller_rabin(n, k):
            return False
    return True

# Number of iterations for higher accuracy
iterations = 10

# Test each large number for primality with higher accuracy
accurate_results = {}
for number in large_numbers:
    is_prime = run_multiple_tests(number, k, iterations)
    accurate_results[number] = is_prime

accurate_results

{15485863: True,
 32452843: True,
 49979687: True,
 67867967: True,
 86028121: True}