# Introduction to RSA (Rivest, Shamir, Adleman)

RSA is an encryption algorithm that uses number theoretic identities for asymmetrical encryption.

### Division Algorithm

The basis for many algorithms in Number Theory is division with remainder.  For example, considering the number 53 and 8, division gives a **quotient** of 6 and a **remainder** of 5, which we express by
$$ 
    53 = 6 \cdot 8 + 5. 
$$
For any two positive integers $a$ and $b$, there exists a unique quotient $q$ and remainder $r$ such that
$$ 
    a = q \cdot b + r
    \quad \text{and} \quad
    0 \le r < b. 
$$
In other words, when we divide $a$ by $b$, we get a quotient $q$ and a remainder $r$ which is necessarily smaller than the divisor $b$.  If the remainder is equal to 0, then $a$ is divisible by $b$; equivalently, $b$ is a factor of $a$.

In python 3, we compute the quotient $q$ and the remainder $r$ of $a$ divided by $b$ as
```python
q = a // b
r = a % b
```

In [7]:
def division_with_remainder(a, b):
    q = a // b
    r = a % b
    return q, r

a, b = 53, 8 #try changing these values!

q, r = division_with_remainder(a, b)
print('{} = {} * {} + {}'.format(a, q, b, r))

53 = 6 * 8 + 5


### Greatest Common Divisor

The **Greatest Common Divisor (gcd)** of two integers $a$ and $b$ is the largest *positive* factor that they have in common. 

For example, the divisors of 12 are [1, 2, 3, 4, 6, 12] and the divisors of 20 are [1, 2, 4, 5, 10, 20], so $ \gcd(12, 20) = 4. $

The most efficient way to calculate the greatest common divisor is with the Euclidean Algorithm.

### Euclidean Algorithm

The Euclidean Algorithm uses repeated division with remainder, replacing $a$ by $b$ and $b$ by $r$ until the remainder equals zero. For example, 
$$\begin{align*}
    53 &= 6 \cdot 8 + 5 \\
     8 &= 1 \cdot 5 + 3 \\
     5 &= 1 \cdot 3 + 2 \\
     3 &= 1 \cdot 2 + 1 \\
     2 &= 2 \cdot 1 + 0
\end{align*}$$

The relationship between the greatest common divisor and the Euclidean Algorithm relies on the following lemma.

___
## Lemma
If $a = q \cdot b + r$, then $\gcd(a, b) = \gcd(b, r)$

**proof:** If $d$ is a common divisor of $b$ and $r$, then $b = dx$ and $r = dy$, so 
$$
    a = q(b) + r = q (dx) + dy = d( qx + y ),
$$
so $d$ is also divisor of $a$.

Conversely, if $d$ is a common divisor of $a$ and $b$, then $a = dx$ and $b = dy$, so
$$
    r = a - q(b) = dx - q(dy) = d( x - qy ),
$$
so $d$ is also divisor of $r$.

Therefore, the common divisors of $b$ and $r$ are exactly the same as the common divisors of $a$ and $b$.
___

In the example above, repeated application of this lemma shows that
$$
    \gcd(53, 8) = \gcd(8, 5) = \gcd(5, 3) = \gcd(3, 2) = \gcd(2, 1) = 1.
$$
In general, the last non-zero remainder encountered in the Euclidean Algorithm is the greatest common divisor.

The number of steps required for the Euclidean Algorithm is *less than 5 times the number of decimal digits min(a, b).*  The proof involves the Fibonacci sequence and can be found [here](https://en.wikipedia.org/wiki/Euclidean_algorithm#Worst-case).

In the example above, repeated application of this Lemma shows that
$$
    \gcd(53, 8) = \gcd(8, 5) = \gcd(5, 3) = \gcd(3, 2) = \gcd(2, 1) = 1.
$$
In general, the last non-zero remainder encountered in the Euclidean Algorithm is the greatest common divisor.

In [11]:
class EuclideanAlgorithm:
    def __init__(self, a, b):
        self.a = a
        self.b = b
        if b <= 0:
            raise ValueError('b should be a positive integer.')
        self.equations = self.populate()
        self.gcd = self.get_gcd()
        
    def pretty_print(self):
        for (a, q, b, r) in self.equations:
            print('{} = {} * {} + {}'.format(a, q, b, r))
    
    def populate(self):
        equations = []
        a, b = self.a, self.b
        while b != 0:
            q, r = self.division_with_remainder(a, b)
            equation = (a, q, b, r)
            equations.append(equation)
            a, b = b, r
        return equations
        
    def division_with_remainder(self, a, b):
        q = a // b
        r = a % b
        return q, r

    def get_gcd(self):
        return self.equations[-1][2]
            
a, b = 53, 8
ea = EuclideanAlgorithm(a, b)
ea.pretty_print()
print(ea.gcd)


53 = 6 * 8 + 5
8 = 1 * 5 + 3
5 = 1 * 3 + 2
3 = 1 * 2 + 1
2 = 2 * 1 + 0
1


# Primes

It's essential that two primes are used.

In [9]:
import math
def naive_primality_test(num):
    all_nums = [x for x in range(2, int(math.sqrt(num))+1)]
    while all_nums:
        sm = all_nums[0]
        if num % sm == 0:
            return 'composite'
        else:
            all_nums = [x for x in all_nums if x % sm != 0]
    return 'prime'

def sieve_of_eratosthenes(upper_bound):
    primes = []
    all_nums = [x for x in range(2, upper_bound)]
    sm = all_nums[0]
    while sm <= math.sqrt(upper_bound):
        primes.append(sm)
        all_nums = [x for x in all_nums if x % sm != 0]
        sm = all_nums[0]
    for n in all_nums:
        primes.append(n)
    return primes

#len(sieve_of_eratosthenes(10000))
naive_primality_test(549811)

'composite'

Fermat's Little Theorem:
if $p$ is prime, then
$a^{p-1} \equiv 1 \pmod{p}$ for any $a$ not divisible by $p$.

This can be rephrased as: if $p$ is prime, then
$a^p \equiv a \pmod{p}$ for any integer $a$.

In other words, for a prime $p$, 
```
a == pow(a, p, p)
``` 
or 
```
a == a**(p) % p
```

In [5]:
from random import randint
p = 541                     #this is a known prime
print('{} is prime'.format(p))
for i in range(10):
    a = randint(2,p-1)
    print('{} == {}**{} % {}'.format(pow(a, p, p), a, p, p))
    
p = 531                     #this is a composite number
print('\n{} is composite'.format(p))
for i in range(10):
    a = randint(2,p-1)
    print('{} == {}**{} % {}'.format(pow(a, p, p), a, p, p))

541 is prime
147 == 147**541 % 541
146 == 146**541 % 541
505 == 505**541 % 541
295 == 295**541 % 541
116 == 116**541 % 541
529 == 529**541 % 541
120 == 120**541 % 541
291 == 291**541 % 541
73 == 73**541 % 541
481 == 481**541 % 541

531 is composite
467 == 326**531 % 531
370 == 130**531 % 531
17 == 428**531 % 531
189 == 255**531 % 531
451 == 313**531 % 531
325 == 13**531 % 531
494 == 104**531 % 531
494 == 458**531 % 531
406 == 232**531 % 531
289 == 343**531 % 531


We can use this theorem as a test to distinguish prime numbers from composite numbers.
However, there are some composite numbers which exhibit this same behavior, so the test is unreliable.  

For example, 561 is divisible by 3, so it is composite.  But it satisfies Fermat's Little Theorem, so this test would incorrectly identify 561 as a prime number.

In [20]:
p = 561
for i in range(10):
    a = randint(2,p-1)
    print('{} == {}**{} % {}'.format(pow(a, p, p), a, p, p))

516 == 516**561 % 561
43 == 43**561 % 561
9 == 9**561 % 561
446 == 446**561 % 561
464 == 464**561 % 561
451 == 451**561 % 561
392 == 392**561 % 561
179 == 179**561 % 561
284 == 284**561 % 561
466 == 466**561 % 561


Calculating $a^n \pmod{n}$ for various $a$, if we ever get something besides $a$, we can conclude with absolute certainty that the number $n$ is not prime.

But if $a^n \pmod{n}$ is equal to $a$ for all checked values, the most we can conclude is that $n$ might be prime.

This is where we introduce another theorem that can be used to detect whether a number is prime or not.

Lagrange's Theorem:
If $p$ is prime, then a polynomial of degree $d$ has at most $d$ roots modulo $p$.  In other words, for a polynomial $p(x)$ with degree $d$, there are at most $d$ solutions to $p(x) = 0$.

For example, the polynomial $x^4 - 1$ has degree 4.  Let's examine roots of this polynomial modulo various numbers.  If $m$ is our modulus, we are trying to solve
```
x**4 % m == 1
```
or
```
pow(x, 4, m) == 1
```

In [35]:
#First, for modulus m = 71 (a prime), there are 2 solutions.
m = 71
solutions = [x for x in range(m) if pow(x, 4, m) == 1]
solutions

[1, 70]

In [36]:
#Second, for modulus m = 61 (a prime), there are 4 solutions.
m = 61
solutions = [x for x in range(m) if pow(x, 4, m) == 1]
solutions

[1, 11, 50, 60]

In [37]:
#Last, for modulus m = 51 (not a prime), there are 8 solutions. 
m = 51
solutions = [x for x in range(m) if pow(x, 4, m) == 1]
solutions

[1, 4, 13, 16, 35, 38, 47, 50]

Lagrange's Theorem guarantees that for $m = 71$ and $m = 61$, which are both primes, there are at most 4 solutions, which checks out.

The contrapositive of Lagrange's Theorem (which is logically equivalent), states that if a polynomial has more roots than its degree modulo some number $m$, then $m$ cannot be prime.  In our example, the fact that $x^4 - 1$ has 8 solutions modulo 51 proves that 51 is not prime.

We can use this as a test for primality, but it is also imperfect.  There are some composite numbers $m$ and some polynomials $p(x)$ where the number of roots of $p(x)$ modulo $m$ is less than or equal to the degree of $p(x)$, even though $m$ isn't prime.

In [38]:
# For modulus m = 51 and polynomial x^6 - 1, there are 4 solutions.
m = 51
solutions = [x for x in range(m) if pow(x, 6, m) == 1]
solutions

[1, 16, 35, 50]

The Miller-Rabin primality test, puts these two tests together in a clever way.  If we have a number $n$, which may be prime or composite,
we want to choose a number $a$, which we call a witness; then
1. Calculate $a^{n-1}$ modulo $n$ to see if we get 1.  If we don't, then Fermat's Little Theorem is violated, which proves that $n$ is composite.
2. Along the way, we want to check if the polynomial $x^2 - 1$ has more than two roots.  If there are more than two roots, then $n$ is composite.  

For the second step, the roots of the polynomial $x^2 - 1$ are the square roots of 1.  We use the specific knowledge that $1$ and $n-1$ are always square roots of 1, since 
```
1**2 == 1
(n-1)**2 % n == (-1)**2 % n == 1
```
so if we detect any other "square root of 1", we can conclude that $n$ is composite.

If both tests are passed, then the witness $a$ did not detect that $n$ is composite, so $a$ thinks that $n$ is possibly prime.

By choosing many witnesses, we can hope to identify primes with some level of confidence that they are actually prime.  If any witness finds a number to be composite, then the number is definitely composite.  But if every witness identifies $n$ as possibly prime, then we can only conclude that $n$ is probably prime.

It has been proved that at most 25% of possible witnesses will incorrectly identify a composite as prime.  Therefore, if we choose $k$ witnesses for a number $n$ and each of the $k$ witnesses identifies $n$ as possibly prime, then the probability that all of the witnesses are incorrect is less than $(.25)^k$.  (For details, visit the wikipedia page for [Miller-Rabin primality test](https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test).

In [41]:
# For k = 10, 20 witnesses, the probabilities of incorrectly 
# identifying a composite number as prime is at most
print((.25)**10)
print((.25)**20)

9.5367431640625e-07
9.094947017729282e-13


## Miller-Rabin Primality Test


In [2]:
# One-witness check
def miller_rabin_witness(n, witness):
    m = n-1
    exp = 0
    while m % 2 == 0:
        m = m // 2
        exp += 1
    # n-1 == 2^exp * m and m is odd
    
    x = pow(witness, m, n) # witness**m % n
    
    if x == 1 or x == n-1:
        return 'probably prime' # Fermat's Little Theorem is satisfied
    
    for i in range(exp):
        x = pow(x, 2, n)
        if x == n-1:
            return 'probably prime' # Fermat's Little Theorem is satisfied
        elif x == 1:
            return 'composite' # Lagrange's Theorem is violated
    
    return 'composite' # Fermat's Little Theorem is violated

In [121]:
# Can return tuple or generator
def get_witnesses(n, num_witnesses):
    if n < 2047:
        return (2,)
    elif n < 1373653:
        return (2,3)
    else:
        return (randint(2, n-1) for i in range(num_witnesses))

In [122]:
def miller_rabin_test(n, num_witnesses):
    for witness in get_witnesses(n, num_witnesses):
        primality = miller_rabin_witness(n, witness)
        if primality == 'composite':
            return 'composite'
    return 'probably prime'

next(get_witnesses(1373653345345)

In [127]:
random_ints = []
for i in range(20):
    n = randint(2, 10**10)
    n = n - 1 + (n % 2) # if it's odd we keep the same number, if it's even we subtract one! Keepin' it odd
    random_ints.append(n)

In [125]:
%%time

for number in random_ints:
    print('{} is {}'.format(number, miller_rabin_test(number)))

3932654323 is composite
650361913 is composite
6054643629 is composite
9107027603 is composite
9395357743 is composite
5787291891 is composite
3205909823 is composite
2017737619 is probably prime
1674746821 is composite
5064597395 is composite
9128226497 is composite
8175739187 is composite
1701147121 is composite
6078083279 is composite
6908006633 is composite
4352819983 is composite
7270375397 is composite
3972237361 is composite
7468389677 is composite
2820182955 is composite
CPU times: user 2.61 ms, sys: 2.15 ms, total: 4.76 ms
Wall time: 3.08 ms


In [126]:
%%time

for number in random_ints:
    print('{} is {}'.format(number, naive_primality_test(number)))

3932654323 is composite
650361913 is composite
6054643629 is composite
9107027603 is composite
9395357743 is composite
5787291891 is composite
3205909823 is composite
2017737619 is prime
1674746821 is composite
5064597395 is composite
9128226497 is composite
8175739187 is composite
1701147121 is composite
6078083279 is composite
6908006633 is composite
4352819983 is composite
7270375397 is composite
3972237361 is composite
7468389677 is composite
2820182955 is composite
CPU times: user 3.75 s, sys: 34.6 ms, total: 3.79 s
Wall time: 3.79 s


In [70]:
%%time

primes_soe = sieve_of_eratosthenes(1000000)

CPU times: user 2.05 s, sys: 104 ms, total: 2.16 s
Wall time: 2.16 s


In [82]:
%%time
primes_mr = (n for n in range(2,1000000) if n == 2 or ((n % 2 != 0) and miller_rabin_test(n) == 'probably prime'))

CPU times: user 1.08 ms, sys: 220 µs, total: 1.3 ms
Wall time: 1.31 ms


## Evaluate

In [103]:
%%time
len(str(17113129348712983749128734918273498127349817239487129384712983479128374918273498127349812734981723948712938471298347912837491287341))

CPU times: user 5 µs, sys: 1e+03 ns, total: 6 µs
Wall time: 9.06 µs


131

In [1]:
p, q = 13, 17
m = p * q
m

221




- Specify bits or number of digits for prime generator
- write prime generator w tricks!
- write public directory
- encrypt something with RSA, decrypt, show what these look like.


In [124]:
from random import random
def random_int(a, b):
    return int(random()*(b - a + 1) + a)

from random import sample
def random_int_2(a, b):
    return sample(range(a, b), 1)[0]
random_int_2(1,2)


1