#### RSA algorithm in for encryption and decryption.

$1$. Choose two primes p and q and let n = pq.

$2$.Let e $\in \mathbb{Z}$ be positive such that gcd($e,\phi(n)$) = 1.

$3$.Let d $\in \mathbb{Z}$ be the multiplicative inverse of $e$ modulo $\phi(n)$.

$4$. Our public key is the pair $(n,e)$ and our private key is the pair $(n,d)$.

$5$.For any non-zero integer $m <n$, encrypt $m$ using $c = m^{e}$ (mod $n$).

$6$. Decrypt $c$ using $m = c^{d}$ (mod $n)$.

In [5]:
p = next_prime(randint(10^20,10^30))
show("The first prime number is  ", p)
q = next_prime(randint(10^20,10^39))
show("The second prime number is ", q)
#print(""is_prime(p));is_prime(q)
n = p*q
show("The number n is ", n)
e = ZZ.random_element(1,euler_phi(n))
show("The positive integer e is ", e)

In [6]:
while gcd(e,euler_phi(n)) != 1:
    e = ZZ.random_element(euler_phi(n))

In [7]:
d = inverse_mod(e,euler_phi(n))
print("The multiplicative inverse of e is ", d)
m = ZZ.random_element(n) #plaintext
print("The plaintext is ", m)
ciphertext = power_mod(m,e,n)
print("The ciphertext is ", ciphertext)
print(power_mod(ciphertext,d,n) == m) # checking the decryption is equal to plaintext or not

The multiplicative inverse of e is  329269701443654438757513642969929592774355233763579810192216372740967
The plaintext is  30358125731443561697236741245378737252343705038950303286201037230148
The ciphertext is  120177404542769116675254459457238233173276961483188056422508770350501
True


# Primality Testing
### Euler's Criterion for Quadratic Residues

Let p be an odd prime. Then $a$ is quadratic residue modulo p if and only if $a^{\frac{p-1}{2}} \equiv 1$ (mod p).

In [8]:
p = 293
a = 45482
print((a**((p-1)/2))%p)

1


So, now a is quadratic residue modulo p.

In [9]:
a1 = 33354653
(a1**((p-1)/2))%p

292

So a1 is not a quadratic rsidue modulo p.


### Legendre Symbol $\left(\frac{a}{p}\right)$

Suppose  p is an odd prime. For any integer $a$, define the Legendre Symbol $\left(\frac{a}{p}\right)$ as :

$\left(\frac{a}{p}\right) = \begin{cases}
0,~~~~~~~ \mbox{a $\equiv$ 0 modulo p}\\
1, ~~~~~~~  \textrm{a is quadratic residue modulo p}\\
-1,~~~~~~  \mbox{a is quadratic non-residue modulo p}
\end{cases}$

In [17]:
# function which return a number is quadratic residue or not 
def quadratic_residue(a,p):
    if p.is_prime() == False:
        p = p.next_prime()
    print("The prime number is ", p)
    s = legendre_symbol(a,p)
    if s==1:
        print(f"{a} is quadratic residue modulo {p}")
    elif s == -1:
        print(f"{a} is quadratic non-residue modulo {p}")
    elif s==0:
        print(f"{a} is congruent to {0}")

In [19]:
quadratic_residue(25,23)

The prime number is  23
25 is quadratic residue modulo 23


### Solovay-Strassen test

**Algorithm :**

* input is a positive integer n.

* Take a random number $1 \le a \le n-1$.

* If (a,n) > 1, then n is composite.

* Compute $a^{\frac{n-1}{2}},\left(\frac{a}{p}\right)$.

* Check if $a^{\frac{n-1}{2}}\not= \left(\frac{a}{p}\right)$(mod n).Then $n$ is composite. 

* else choose another $a$ and repeat the process.

In [20]:
import random
def solovay_strassen(n):
    a = random.randint(1,n-1)
    x = kronecker(a,n)
    if (x==0):
        print(f"{n} is composite")
    s = ((n-1)/2)
    y = (a**s) % n
    if (x==y):
        print(f"{n} prime")
    else:
         print(f"{n} is composite")

In [21]:
solovay_strassen(293)

293 is composite


###  Miller-Rabin  test

If we have factorization for $n-1$, then this test wil work. 

Goal is to check $n$ is prime or not.

Suppose $n-1 = 2^{k}m, k\ge 1,m$ is odd.
Choose a random integer $a, 1 \le a \le n-1$.

Let $b = a^{m}$(mod $n$). If $b \equiv 1$(mod $n)$, then $n$ is prime.

Take $i = 1$, check if $b \equiv -1$(mod $n)$, then $n$ is prime. 

Otherwise $b = b^2$(mod $n)$ and increase $i$ by 1 and repeat the process until $i$ reach $k$.

In [22]:
# Miller- Rabin test

def miller_rabin(n):
    if (n <=3) :
        raise Exception('n should be greater than 3')
    if (n%2 == 0):
        return False
    # find u odd such that n-1 = 2^k*u
    u = n-1
    k =0
    while(u %2 ==0):
        u //= 2
        k += 1
    a = random.randint(1,n-1) #select a randomly
    b = pow(a,u,n)
    if (b ==1 or b==n-1): #b==-1 is same as n-1
        return True
    for j in range(1,k):
        b = (b*b)%n
        if b == n-1: return True
        if b ==1:
            return False
    return False

In [23]:
miller_rabin(3154050820)

False

In [24]:
miller_rabin(40530101879)

True

**Pollard P-1 method :**

In this algorithm has two inputs : the integer $n$ to be factorized and a prespecified bound B. 

$1$. Set $a = 2$, generally we choose this, another convenient $a$.

$2$. Take $j = 2,3,\cdots, B$ and compute $a =a^{j}$(mod $n$).

$3$. compute $d = (a-1,n)$ where $(,)$ denotes gcd of two numbers.

$4$. If $1 < d< n$, then $d$ is a divisor of $n$ and return $d$.

$5$. Otherwise keep on increasing $j$ upto B. Otherwise we can change the value of $a$.

Once we get one factor $d$ of $n$, easily we can compute other factor by $\frac{n}{d}$.

In [30]:
def Pollard_algo(n,B):
    a = 2  # generally we choose a = 2
    for j in range(2,B,1):
        a = (a**j)%n
        d = gcd(a-1,n)
        if (1 < d < n) and (d.is_prime() == True):
            pass
    return d

In [31]:
timeit('Pollard_algo(15770708441,180)')

625 loops, best of 3: 742 μs per loop

In [32]:
d1 = Pollard_algo(15770708441,180) #example is taken from book
d1

135979

In [33]:
d1

135979

In [34]:
factor(d1-1)

2 * 3 * 131 * 173

since d1-1 has highest factor 173, so for any integer greater than 173, d1-1 will divide the factorial(B).

In [35]:
(d1-1)//(factorial(180))

0

In [36]:
d2 = 15770708441//d1
d2

115979

So, $d1,d2$ are two factors of given $n = 15770708441$.

In the Pollard $p-1$ method, there are $B-1$ modular exponentiations, each requiring at most $2log_{2}B$ modular multiplications using the 'square and multiply algorithm'. The gcd can be computed in time $O((logn)^3)$ using the 'extended euclidean algorithm.Hence the complexity of the algorithm is $O(BlogB(logn)^2 + (logn)^3)$.  

If the integer $O((logn)^i)$ for a fixed integer $i$, then the algorithm isindeed a polynomial-time algorithm(as a function of $log(n)$). 

However, for such a choice of $B$, the probability of success will be very small. On the other hand, if we increase the value of $B$,then this algorithm guaranteed to be successful but it's speed will be decreased.

The drawback of this method is that it requires a prime factor $p$ such that $p-1$ has only small prime factors.

**Pollard Rho method :**

We want to factor a integer $n$.

Let S be a finite  set and take a function $f : S \to S$. Choose $s_{0} \in S$, compute $s_{i+1} = f(s_{i})  \forall i = 1,2,\cdots$.

Store those values of the sequence in a list. Since S is finite, then $s_{i} \equiv s_{j}$(mod $n)$. Using the fact that, $f$ is polynomial function of integer coefficients, then we get $f(s_{i}) \equiv f(s_{j})$(mod $n$). so,  $s_{i+1}=s_{i+2}$(mod $n)$.
So $\exists, s_{i} \equiv s_{2i}$(mod $n)$. Then $(s_{i}-s_{2i},n) = d$, is the non-trivial factor of $n$.

In [37]:
def f(x):
    return x**2  + x +1
def Pollard_rho(n):
    seed = 2
    X = [seed,f(seed)%n] #1st is s0, 2nd one is s1
    X.append(f(X[1])%n) #append s2
    k = 1
    while gcd(X[2*k] - X[k],n) ==1:
        for j in range(2):
            X.append(f(X[2*k +j])%n)
        k += 1
    outfact = gcd(X[2*k] - X[k],n)
    print([outfact,n/outfact])

In [38]:
Pollard_rho(455459)

[613, 743]


## Elgamal Cryptosystem

Suppose Alice  wants to send a message $x$ to Bob. 

From Bob's side there will be the key generation algorithm. 

**key generation algorithm :**

* Choose a large prime p.

* Choose a generator or primitive root $\alpha$.

* Choose $d \in \{2,3,\cdots,p-2 \}$, compute $\beta = {\alpha}^d ($mod$p)$. 

Now Alice will choose $i \in \{2,3,\cdots,p-2\}$ and then compute $k_{e} = {\alpha}^{i}($mod$p)$. After that, compute the massking key $k_{m} = {\beta}^{i}($mod$p)$. 

**Encryption function :**

$E(x) = x \times {\alpha}^{i}($mod$p) = y$,say. The ciphertext is the orderd-pair $(k_{e},y)$ to be send to Bob from Alice. 

**Decryption process :**

For decryption first Bob will compute $k_{m} = {(k_{e})}^{d}$. Then $D(x) = (y.(k_{m})^{-1})$(mod $p)$, that should be equal to $x$.

In [39]:
import random;
p = 29;alpha = 2;
l = list(range(2,p-2,1)) # create the list by  the elements 2 ,3,..29
d = l[random.randrange(len(l))] # selecting the random element
beta = pow(alpha,d,p)
show(beta)
show(d)
x  =l[random.randrange(len(l))] #26 # message is also belong to Z_29*
i = l[random.randrange(len(l))]
k_e = power_mod(alpha,i,p)
show(k_e)
print(x)
massking_key = power_mod(beta,i,p)
show(massking_key)
encryption = (x*pow(alpha,d*i,p))%p
ciphertext = (massking_key,encryption)
show(encryption)
km_inv = pow(massking_key,-1,p)
show(km_inv)
print(pow(massking_key*km_inv,1,p))
decryption = pow(encryption*km_inv,1,p)
show(decryption)
decryption == x

8


1


True

Algorithm of Baby-Steps,Giant steps for solving discrete logarithm problem :

that is we need to find $x$ such that $y = g^{x}$(mod $p)$ for an odd prime $p$. Let $m = \lceil x \rceil$.

So, now $y = g^{x} = g^{im}\circ g^{j}$(mod $p)$ imples that $y.g^{-i.m} = g^{j}$(mod $p$).

In Baby steps, we compute $g^{j}$ for $j \in \{0,1,\cdots m-1\}$.Store it in a list,named X.

In Giant steps, we compute $y.g^{-i.m}$ for $i \in \{0,1,\cdots m-1\}$.Store it in an another list,named Y.

Then look for those indices $i_{0},j_{0}$ of X and Y respectively where $X[i_{0}]$ is same as $Y[j_{0}]$. Then our desired $x$ will be $x = i + j\times m$



In [40]:
def bs_gs(p,alpha,beta):
    m = ceil(sqrt(p-1))
    inv_m = power_mod(alpha,-1,p)
    X = []
    # baby steps
    for j in range(m):
        X.append(pow(alpha,j,p))
    # giant steps
    Y=[]
    for i in range(m):
        y = (22*pow(inv_m,i*m,p))%p
        Y.append(y)    
    X_set=set(X)  
    Y_set=set(Y)
    common=list(X_set.intersection(Y_set))
    temp_X=0
    for i in range(len(X)):
        if X[i]==common[0]:
            temp_X=i
            break
        else:
            pass
    
    temp_Y=0
    for i in range(len(Y)):
        if Y[i]==common[0]:
            temp_Y=i
            break
        else:
            pass
    
    return (temp_X + m*temp_Y)%(p-1)

In [41]:
bs_gs(37,2,5)

31

### Pollard Rho method for DLP
In **Pollard Rho method** for **DLP(Discrete Logarithm Problem)** , First we partitioned the Group into three sets $S_{0},S_1,S_2$ of roughly equal size.

For example, $1 \notin S_1$, then by choosing $x_0 = 1$, we define a sequence of group elements $x_0,x_1,x_2,\cdots$ by $x_{i+1} = 
\begin{cases}
\alpha.x_{i} ~~~~~, x_{i} \in S_0\\
{x_{i}}^2 ~~~~~~~~, x_{i} \in S_1\\
\beta.x_{i} ~~~~~~, x_{i} \in S_2
\end{cases}$ for $i  \ge 0$.

This sequence of group elements $x_0,x_1,x_2,\cdots$ turn out to define two more sequences of integers $a_0,a_1,\cdots$ and $b_0,b_1,b_2,\cdots$ satisfying $x_{i} = {\alpha}^{a_{i}}{\beta}^{b_{i}}$ for $i \ge 0$.  So, $a_0 = 0, b_0 = 0$,  for $i \ge 0$,
$a_{i+1} = 
\begin{cases}
a_{i} +1 ~~~~~~, a_{i} \in S_0\\
2{a_{i}} ~~~~~~, a_{i} \in S_1\\
a_{i} ~~~~~~~~~, a_{i} \in S_2
\end{cases}$
and 
$b_{i+1} = 
\begin{cases}
b_{i} , b_{i} \in S_0\\
2{b_{i}} , b_{i} \in S_1\\
b_{i}+1 , x_{i} \in S_2
\end{cases}$.

We continue finding the finding the tripets $(x_i,a_i,b_i)$ and $x_{2i},a_{2i},b_{2i}$ until $x_i = x_{2i}$. After ending this process,let's take $g_1 = a_i - a_{2i}$ mod$(p-1)$ and $h_1 = b_{2i} - b_{i}$(mod $p-1)$.

If $h_1 \equiv 0$( mod $p-1)$, then the algorithm fails. Let it is not. Then compute $d = \text{gcd}(h1,p-1)$ and also find $s,t$ such that $d = s.h_1 + t(p-1)$.

Now, find that particular $w$ for which $g^{x} \equiv h$(mod $p$) and $x = \frac{su  + (p-1)w}{d}$mod ($p-1)$.

In [42]:
def Pollard_rho_dlp(g,h,p):
    S0 = [k for k in [0..p//3]] #define the three set s0
    S1 = [k for k in [p//3+1..2*p//3]]  #define  the set s1
    S2 = [k for k in [2*p//3+1..p-1]]  # define the set s2
    T1 = [1,0,0] #x0,a0,b0 i.e x_(i-1),a_(i-1),b_(i-1)
    T2 = [1,0,0] # x_(2i-2),a_(2i-2),b_(2i-2)
    def w(t):
        if t[0] in S0: #t is the values  of x,a,b
            return [(g*t[0])%p,(t[1]+1)%(p-1),t[2]] #(alpha.x,a +1 mod p-1,b)
        elif t[0] in S1:
            return [t[0]^2,(2*t[1])%(p-1),(2*t[2])%(p-1)] #(x^2,2a mod p-1,2b mod p-1)
        else:
             return [(h*t[0])%p,t[1],(t[2]+1)%(p-1)] #(beta.x, a,b+1 mod p-1)
    
    jo = True
    while jo:
        T1 = w(T1)
        T2 = w(w(T2))
        if T1[0] == T2[0]:
            jo = False
    
    
    g1 = (T1[1] - T2[1])%(p-1) # (a_i - a_2i) mod (p-1)
    h1 = (T2[2]-T1[2])%(p-1) # (b_2i - b_i) mod (p-1)
    d,s,t = xgcd(h1,p-1)
    possibly = [((s*g1 + i*(p-1))/d)%(p-1) for i in [0..d-1]] #list of possible solutons
    sol0= [j for j in possibly if (g^j)%p == h]
    return sol0[0]
    
        

In [43]:
Pollard_rho_dlp(3,200,283)

97

In [44]:
Pollard_rho_dlp(2,5,1019)

10

### Index calculas method

The Index calculas algorithm is used to solve the discrete logarithm problem $a^x \equiv b$( mod$p)$. First we fix a factor base $B = \{p_1,p_2,\cdots,p_{k}\}$ containing small primes. Consider a sequence $x_1,x_2,\cdots$ of distinct primes from the set $\{0,1,\cdots,p-2\}$. 

Compute $a^{x_{i}}$(mod $p$).and check if the resulting value is only divisible by primes from the set $B$ i.e. $a^{x_{i}} \equiv {p_1}^{u_{i1}}{p_2}^{u_{i2}}\cdots{p_{k}}^{u_{ik}}$(mod $p$).If this is found, then we take `log` in both sides of the above expression,we get $x_{i} \equiv u_{i1}log_{a}(p_1) + u_{i2}log_{a}(p_2) + \cdots + u_{ik}log_{a}(p_k)$mod $(p-1)$.

This gives a linear equation  in the unknows $log_{a}(p_1),\cdots log_{a}(p_k)$. Here we have $k$ many unknows. So, we need to solve  the linear equations.

Finally, we select random integers $m \in \{0,1,\cdots,p-2\}$ and compute $a^{m}b$ mod ($p)$, if it is divisible by primes in $B$, then $log_{a}(b) + m \equiv m_{i1}log_{a}(p_1) + m_{i2}log_{a}(p_2) + \cdots + m_{ik}log_{a}(p_{k})$ mod ($p-1)$. Hence,

$log_{a}(b)  \equiv m_{i1}log_{a}(p_1) + m_{i2}log_{a}(p_2) + \cdots + m_{ik}log_{a}(p_{k}) - m$ mod ($p-1)$.

In [45]:
# B is the factor base
def Index_calculas(a,b,p,B): # find the integer n such that b = a^n
    S = Set([0..p-2]) #define the set 0,1,p-2
    pd = prime_divisors(p-1) #it return the list of prime divisors
    T = True
    M = []
    V =[]
    dimM = 0
    while T:
        xi = S.random_element()
        S = S.difference(Set([xi]))
        q = [valuation((a^xi)%p,k) for k in B] #valuation(b,a) is compute for which integer n such that  a^n =b
        if prod([k^valuation((a^xi)%p,k) for k in B]) == (a^xi)%p:
            M0 = M + [q]
            
            if all(Matrix(GF(x),M0).rank() == dimM+1 for x in pd):
                M.append(q)
                V.append(xi)
                dimM = dimM +1
            else:
                pass
        if dimM == len(B):
            T = False
    LOGs = matrix(Integers(p-1),M).inverse()*vector(V)
    S = Set([0..p-2])
    T = True
    while T:
        xi = S.random_element()
        S = S.difference(Set([xi]))
        q = [valuation((a^xi*b)%p,k) for k in B] 
        if prod([k^valuation((a^xi*b)%p,k) for k in B]) == (a^xi*b)%p:
            DL = (sum(q[k]*LOGs[k] for k in [0..len(q)-1]) -xi)%(p-1)
            return DL
        
    

In [46]:
Index_calculas(3,37,1217,[2,3,5,7,11])

588

In [47]:
Index_calculas(2,37,131,[2,3,5,7])

41

### Pohlig-Hellman algorithm

Suppose we have a group $G = <g>$ such that ord(g) = N = $\prod_{k =1}^{n}{p_K}^{e_k}$ for some primes $p_1,p_2,\cdots,p_n$ and positive integers $e_1,e_2,\cdots,e_n$. Our goal is to find an $x$ for which $g^x = h$. Instead of solving this , first we try to compute $x $(mod ${p_i}^{e_i}$, then apply chinese remainder theorem to obtain $x$ mod($N$). So, we need to solve DLP in
$C_{{p_{i}}^{e_i}}$, where $C_{{p_{i}}^{e_i}}$ is the  cyclic group of order ${p_i}^{e_i}$. So, for all prime divisors of N, we get a system of congruences 

$x \equiv x_1$mod(${p_1}^{e_1})$

$x \equiv x_2$mod(${p_2}^{e_2})$

$\vdots$

$x \equiv x_n$mod(${p_n}^{e_n})$

By applying CRT, we get the solution for the system of linear congruence equations  $x$ mod(${p_1}^{e_1}{p_2}^{e_2}\cdots{p_n}^{e_n}) = N$.

So, we need to only solve the DLP in $C_{{p}^{e}}$. 

Let we want to determine $x$ for which $g^x = h$ in $C_{{p}^{e}}$. Let $x = b_0 + b_1 p + b_2 p^2 + \cdots + b_{e-1}p^{e-1}$.

In recurrent way,,let $x \equiv b_0 + b_1 p + b_2 p^2 + \cdots + b_{k-1}p^{k-1}$mod ($p^k)$ for $0 \le k \le e-1$. Then $x \equiv x_k + b_k p^k$mod($p^{k+1})$, that means  $h = g^{x_k}(g^{p^k})^{b_k}$.

Let $h_k = hg^{-x_k}$ and $g_k = g^{p^k}$. Hence, the reduced DLP is $h_k = {g_k}^{b_k}$.

In [48]:
def Pohlig_hellman(g,h,p):
    F = GF(p) # group of finite field of order p
    g1 = F(g) # return element g1 mod p
    h1 = F(h) # return element h1 mod p
    N = p-1
    qi = [r^N.valuation(r) for r in prime_divisors(N)]
    lqi = len(qi)
    Nqi = [N/q for q in qi]
    gi = [g1^r for r in Nqi]
    hi = [h1^r for r in Nqi]
    xi = [discrete_log(hi[i],gi[i]) for i in range(lqi)]
    x = CRT(xi,qi)
    return x

In [49]:
Pohlig_hellman(2,33,next_prime(12344))

9801