# Programming Assignment #4: RSA Encryption

Encryption is used in the internet every day. It is the only reason that you can buy somehting from Amazon without letting everybody in the world your credit card number. Encryption can seem mysterious, but (mostly) it boils down to number theory and especially to modular arithmetic.

In this programming assignment, you will learn a little bit about encryption by implementing the RSA encryption algorithm. RSA is one of the original encryption algorithms, and it's still widely used in web browsers, email, VPNs, and many other communication channels. The security of RSA depends entirely on the difficulty of factoring. I.e., suppose that $N=p \cdot q$ where $p$ and $q$ are primes. Even if you know $N$, it can be computationally prohibitive to factor $N$ into $p$ and $q$.

## TODO-0 (no points)

Below, you will some ACL2 code that defines the `:prime` datatype. You do not need to do anything other than submit this cell to ACL2, so that those functions are defined for you. In particular,

    (primep 7)    => T
    (nth-prime 3) => 7

> Note: The function `nth-prime` is used for testing, to create some prime numbers. Because prime generation is a difficult problem in its own right, we take the easy way out and hardcode a bunch of small primes. We started writing a function that generated the nth prime, but we discovered that it was too slow! Remember, the testing framework will try to create 1000s of random primes!

> Note: Did you just notice that we defined a **data type for prime numbers**. How many languages let you do that? How cool is that, huh?


In [1]:
(defsnapshot from-the-top)
(defsnapshot todo-0)

(definec compositep (n :nat k :nat) :bool
  (if (and (integerp k)
           (< 1 k))
      (if (= (mod n k) 0)
          t
          (compositep n (1- k)))
      nil))

(definec primep (n :all) :bool
  (and (integerp n)
       (<= 2 n)
       (not (compositep n (1- n)))))

(defconst *SMALL-PRIMES* 
 '(2 3 5 7 11 13 17 19 23 29 31
   37 41 43 47 53 59 61 67 71 73 79 83 89
   97 101 103 107 109 113 127 131 137 139
   149 151 157 163 167 173 179 181 191 193
   197 199 211 223 227 229 233 239 241 251
   257 263 269 271 277 281 283 293 307 311
   313 317 331 337 347 349 353 359 367 373
   379 383 389 397 401 409 419 421 431 433
   439 443 449 457 461 463 467 479 487 491
   499 503 509 521 523 541 547 557 563 569
   571 577 587 593 599 601 607 613 617 619
   631 641 643 647 653 659 661 673 677 683
   691 701 709 719 727 733 739 743 751 757
   761 769 773 787 797 809 811 821 823 827
   829 839 853 857 859 863 877 881 883 887
   907 911 919 929 937 941 947 953 967 971
   977 983 991 997 1009 1013 1019 1021 1031
   1033 1039 1049 1051 1061 1063 1069 1087
   1091 1093 1097 1103 1109 1117 1123 1129
   1151 1153 1163 1171 1181 1187 1193 1201
   1213 1217 1223 1229 1231 1237 1249 1259
   1277 1279 1283 1289 1291 1297 1301 1303
   1307 1319 1321 1327 1361 1367 1373 1381
   1399 1409 1423 1427 1429 1433 1439 1447
   1451 1453 1459 1471 1481 1483 1487 1489
   1493 1499 1511 1523 1531 1543 1549 1553
   1559 1567 1571 1579 1583 1597 1601 1607
   1609 1613 1619 1621 1627 1637 1657 1663
   1667 1669 1693 1697 1699 1709 1721 1723
   1733 1741 1747 1753 1759 1777 1783 1787
   1789 1801 1811 1823 1831 1847 1861 1867
   1871 1873 1877 1879 1889 1901 1907 1913
   1931 1933 1949 1951 1973 1979 1987 1993
   1997 1999 2003 2011 2017 2027 2029 2039
   2053 2063 2069 2081 2083 2087 2089 2099
   2111 2113 2129 2131 2137 2141 2143 2153
   2161 2179 2203 2207 2213 2221 2237 2239
   2243 2251 2267 2269 2273 2281 2287 2293
   2297 2309 2311 2333 2339 2341 2347 2351
   2357 2371 2377 2381 2383 2389 2393 2399
   2411 2417 2423 2437 2441 2447 2459 2467
   2473 2477 2503 2521 2531 2539 2543 2549
   2551 2557 2579 2591 2593 2609 2617 2621
   2633 2647 2657 2659 2663 2671 2677 2683
   2687 2689 2693 2699 2707 2711 2713 2719
   2729 2731 2741 2749 2753 2767 2777 2789
   2791 2797 2801 2803 2819 2833 2837 2843
   2851 2857 2861 2879 2887 2897 2903 2909
   2917 2927 2939 2953 2957 2963 2969 2971
   2999 3001 3011 3019 3023 3037 3041 3049
   3061 3067 3079 3083 3089 3109 3119 3121
   3137 3163 3167 3169 3181 3187 3191 3203
   3209 3217 3221 3229 3251 3253 3257 3259
   3271 3299 3301 3307 3313 3319 3323 3329
   3331 3343 3347 3359 3361 3371 3373 3389
   3391 3407 3413 3433 3449 3457 3461 3463
   3467 3469 3491 3499 3511 3517 3527 3529
   3533 3539 3541 3547 3557 3559 3571 3581
   3583 3593 3607 3613 3617 3623 3631 3637
   3643 3659 3671 3673 3677 3691 3697 3701
   3709 3719 3727 3733 3739 3761 3767 3769
   3779 3793 3797 3803 3821 3823 3833 3847
   3851 3853 3863 3877 3881 3889 3907 3911
   3917 3919 3923 3929 3931 3943 3947 3967
   3989 4001 4003 4007 4013 4019 4021 4027
   4049 4051 4057 4073 4079 4091 4093 4099
   4111 4127 4129 4133 4139 4153 4157 4159
   4177 4201 4211 4217 4219 4229 4231 4241
   4243 4253 4259 4261 4271 4273 4283 4289
   4297 4327 4337 4339 4349 4357 4363 4373
   4391 4397 4409 4421 4423 4441 4447 4451
   4457 4463 4481 4483 4493 4507 4513 4517
   4519 4523 4547 4549 4561 4567 4583 4591
   4597 4603 4621 4637 4639 4643 4649 4651
   4657 4663 4673 4679 4691 4703 4721 4723
   4729 4733 4751 4759 4783 4787 4789 4793
   4799 4801 4813 4817 4831 4861 4871 4877
   4889 4903 4909 4919 4931 4933 4937 4943
   4951 4957 4967 4969 4973 4987 4993 4999
   5003 5009 5011 5021 5023 5039 5051 5059
   5077 5081 5087 5099 5101 5107 5113 5119
   5147 5153 5167 5171 5179 5189 5197 5209
   5227 5231 5233 5237 5261 5273 5279 5281
   5297 5303 5309 5323 5333 5347 5351 5381
   5387 5393 5399 5407 5413 5417 5419 5431
   5437 5441 5443 5449 5471 5477 5479 5483
   5501 5503 5507 5519 5521 5527 5531 5557
   5563 5569 5573 5581 5591 5623 5639 5641
   5647 5651 5653 5657 5659 5669 5683 5689
   5693 5701 5711 5717 5737 5741 5743 5749
   5779 5783 5791 5801 5807 5813 5821 5827
   5839 5843 5849 5851 5857 5861 5867 5869
   5879 5881 5897 5903 5923 5927 5939 5953
   5981 5987 6007 6011 6029 6037 6043 6047
   6053 6067 6073 6079 6089 6091 6101 6113
   6121 6131 6133 6143 6151 6163 6173 6197
   6199 6203 6211 6217 6221 6229 6247 6257
   6263 6269 6271 6277 6287 6299 6301 6311
   6317 6323 6329 6337 6343 6353 6359 6361
   6367 6373 6379 6389 6397 6421 6427 6449
   6451 6469 6473 6481 6491 6521 6529 6547
   6551 6553 6563 6569 6571 6577 6581 6599
   6607 6619 6637 6653 6659 6661 6673 6679
   6689 6691 6701 6703 6709 6719 6733 6737
   6761 6763 6779 6781 6791 6793 6803 6823
   6827 6829 6833 6841 6857 6863 6869 6871
   6883 6899 6907 6911 6917 6947 6949 6959
   6961 6967 6971 6977 6983 6991 6997 7001
   7013 7019 7027 7039 7043 7057 7069 7079
   7103 7109 7121 7127 7129 7151 7159 7177
   7187 7193 7207 7211 7213 7219 7229 7237
   7243 7247 7253 7283 7297 7307 7309 7321
   7331 7333 7349 7351 7369 7393 7411 7417
   7433 7451 7457 7459 7477 7481 7487 7489
   7499 7507 7517 7523 7529 7537 7541 7547
   7549 7559 7561 7573 7577 7583 7589 7591
   7603 7607 7621 7639 7643 7649 7669 7673
   7681 7687 7691 7699 7703 7717 7723 7727
   7741 7753 7757 7759 7789 7793 7817 7823
   7829 7841 7853 7867 7873 7877 7879 7883
   7901 7907 7919 7927 7933 7937 7949 7951
   7963 7993 8009 8011 8017 8039 8053 8059
   8069 8081 8087 8089 8093 8101 8111 8117
   8123 8147 8161 8167 8171 8179 8191 8209
   8219 8221 8231 8233 8237 8243 8263 8269
   8273 8287 8291 8293 8297 8311 8317 8329
   8353 8363 8369 8377 8387 8389 8419 8423
   8429 8431 8443 8447 8461 8467 8501 8513
   8521 8527 8537 8539 8543 8563 8573 8581
   8597 8599 8609 8623 8627 8629 8641 8647
   8663 8669 8677 8681 8689 8693 8699 8707
   8713 8719 8731 8737 8741 8747 8753 8761
   8779 8783 8803 8807 8819 8821 8831 8837
   8839 8849 8861 8863 8867 8887 8893 8923
   8929 8933 8941 8951 8963 8969 8971 8999
   9001 9007 9011 9013 9029 9041 9043 9049
   9059 9067 9091 9103 9109 9127 9133 9137
   9151 9157 9161 9173 9181 9187 9199 9203
   9209 9221 9227 9239 9241 9257 9277 9281
   9283 9293 9311 9319 9323 9337 9341 9343
   9349 9371 9377 9391 9397 9403 9413 9419
   9421 9431 9433 9437 9439 9461 9463 9467
   9473 9479 9491 9497 9511 9521 9533 9539
   9547 9551 9587 9601 9613 9619 9623 9629
   9631 9643 9649 9661 9677 9679 9689 9697
   9719 9721 9733 9739 9743 9749 9767 9769
   9781 9787 9791 9803 9811 9817 9829 9833
   9839 9851 9857 9859 9871 9883 9887 9901
   9907 9923 9929 9931 9941 9949 9967 9973))

(definec nth-prime-builtin (n :nat) :nat
    (nth (mod n (len *SMALL-PRIMES*)) *SMALL-PRIMES*))
            
(register-type prime
               keyword::predicate primep
               keyword::enumerator nth-prime-builtin)

ACL2S !>>(DEFSNAPSHOT FROM-THE-TOP)
          20:x(DEFMACRO DEFSNAPSHOT (LABEL) ...)

Summary
Form:  ( DEFLABEL FROM-THE-TOP ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 FROM-THE-TOP
ACL2S !>>(DEFSNAPSHOT TODO-0)

Summary
Form:  ( DEFLABEL TODO-0 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-0
ACL2S !>>(DEFINEC COMPOSITEP (N NAT K NAT)
                  BOOL
                  (IF (AND (INTEGERP K) (< 1 K))
                      (IF (= (MOD N K) 0)
                          T (COMPOSITEP N (1- K)))
                      NIL))

Form:  ( TEST-DEFINITION COMPOSITEP ... )
Form:  ( TEST-BODY-CONTRACTS COMPOSITEP... ) 
Form:  ( TEST-FUNCTION-CONTRACT COMPOSITEP ...) 
Testing: Done 
Elapsed Run Time: 0.64 seconds
Form:  ( ADMIT-DEFINITION COMPOSITEP ... )
Time:  0.08 seconds (prove: 0.06, print: 0.00, other: 0.02)
Form:  ( PROVE-FUNCTION-CONTRACT COMPOSITEP ... )
Time:  0.08 seconds (prove: 0.03, print: 0.00, other: 0.05)
Form

## TODO-1 (10 points)

One of the fundamental operations in cryptography is $a^n \pmod p$ where $p$ is a prime number, and $a$ and $n$ are natural numbers. This is fairly easy to define, e.g.,

    (definec a^n%p (a :nat n :nat p :pos) :nat
      (mod (expt a n) p))

But there's something very wrong with this definition. The problem is that
1. it takes too long to compute, and
2. the intermediate nubers (i.e., $a^n$) get too large.
Let's consider an extreme example just to drive the point home. Consider $2^{300} \pmod 3$. The value $2^{300}$ is close to $10^{100}$ which is a one followed by 100 zeros. Yeah, that's a big number to be doing arithmetic with.

One way to do this faster is to use the fact that $xy \pmod n = ((x \bmod n)(y \bmod n)( \pmod n$. Now, we can see that $2^{300} \bmod 3= (2\times 2^{299} \bmod 3 \pmod 3$ Since $2^{299} \bmod 3$ is a small number (0, 1, or 2), the intermediate results for computing $2^{300}$ stay small. The trick is to write a recursive function that computes $a^n \mod p$ by pushing the $\bmod p$ computation into the computation of $a^n$. The moral of the story is "take mods early and often".

That helps a lot, but we still have the problem that the computation takes too long. When working with cryptography, you have to keep in mind that the numbers are gigantic. E.g., it is common to talk about numbers with $1024$ or $2048$ bits (meaning a one followed by more than 300 zeros). To put it another way, these integers **do not fit in a long long integer in C**! (Remember: A long long integer is 64 bits.) So if the exponent $n$ is that large, the code will take that many steps to execute. Forget it -- the computer will never finish getting the answer.

So we have to be more clever in computing $x^n$, and we can do that with the laws of exponents. In particular, $x^{2n} = (x^n)^2$. That basic idea means that we can compute $x^n$ in $\log n$ steps instead of $n$ steps. For $n=1000$, that means 10 steps instead of $1000$ steps. For $n=1000000000$ that means $30$ steps instead of $1000000000$ steps. For $n$ a 1000-bit number, that means $1000$ steps instead of $2^{1000}$ steps. Much better! (Remember: $2^{1000}$ is on the order of $1\underbrace{000\cdots0}_{300\,\,0s}$.)

So here is a way to define `(a^n%p a n p)` in such a way that the numbers stay small (about the same size as $p$) and the execution time isn't too long (about $\log n$ steps instead of $n$ steps):
$$a^n \bmod p = \begin{cases}
1, & \text{if $n=0$} \\
\left(a^{n/2} \bmod p\right)^2 \bmod p, & \text{if $n$ is even} \\
a \times \left(a^{n-1} \bmod p\right) \bmod p, & \text{otherwise} 
\end{cases}$$

> **Hint:** Use `(evenp n)` to check if $n$ is even. Also, make sure `p` is of type `pos` and not `nat`, because you can't do arithmetic "mod zero".

> **Important Note:** Notice that this is a recursive function, and that there are two recursive calls, one with exponent $n-1$ and another with exponent $n/2$. You should not recurse more than two times. In particuylar, use the expression `(expt x 2)` instead of `(* x x)` to square the result of the first recursive call, so the recursive call isn't computed twice. Notice also that each of the recursive parts of the definition have a single multiplication, and that we always do a mod operation immediately after the multiplication. 


In [2]:
(defsnapshot todo-1)

(definec an-mod-p (a :nat n :nat p :pos) :nat
    (if (= n 0)
        (mod 1 p)
        (if (= n 1)
            (mod a p)
            (if (evenp n)
                (mod (expt (an-mod-p a (/ n 2) p) 2) p)
                (mod(* a (an-mod-p a (- n 1) p))p)
            )
        )
    )
)

(check-expect (an-mod-p 2 2 2) 0)
(check-expect (an-mod-p 2 2 3) 1)
(check-expect (an-mod-p 2 2 5) 4)
(check-expect (an-mod-p 2 2 7) 4)
(check-expect (an-mod-p 3 3 10) 7)
(check-expect (an-mod-p 5 6 11) 5)
(check-expect (an-mod-p 10 7 2) 0)
(check-expect (an-mod-p 33 1 11) 0)
(check-expect (an-mod-p 10 0 2) 1)
(check-expect (an-mod-p 11 11 1) 0)








ACL2S !>>(DEFSNAPSHOT TODO-1)

Summary
Form:  ( DEFLABEL TODO-1 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-1
ACL2S !>>(DEFINEC AN-MOD-P (A NAT N NAT P POS)
                  NAT
                  (IF (= N 0)
                      (MOD 1 P)
                      (IF (= N 1)
                          (MOD A P)
                          (IF (EVENP N)
                              (MOD (EXPT (AN-MOD-P A (/ N 2) P) 2) P)
                              (MOD (* A (AN-MOD-P A (- N 1) P)) P)))))

Form:  ( TEST-DEFINITION AN-MOD-P ... )
Form:  ( TEST-BODY-CONTRACTS AN-MOD-P... ) 
Form:  ( TEST-FUNCTION-CONTRACT AN-MOD-P ...) 
Testing: Done 
Elapsed Run Time: 2.62 seconds
Form:  ( ADMIT-DEFINITION AN-MOD-P ... )
Time:  0.11 seconds (prove: 0.08, print: 0.00, other: 0.02)
Form:  ( PROVE-FUNCTION-CONTRACT AN-MOD-P ... )
Time:  0.08 seconds (prove: 0.04, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS AN-MOD-P ... )
Time:  0.07 seconds (prove: 0.02, prin

## TODO-2 (10 points)

The definition of `a^n%p` is pretty complicated, right? But we know its value should always be `(mod (expt a n) p)`. Use `test?` to make sure that this is actually the case.

> Note: No credit will be given for this TODO unless your solution to TODO-1 has a **fast** implementation of `a^n%p`, i.e., along the lines of the recursive call suggested in TODO-1.

In [3]:
(defsnapshot todo-2)


(test? (implies (and (natp a)(natp n)(posp p))
               (= (an-mod-p a n p)
          (mod (expt a n) p))))







ACL2S !>>(DEFSNAPSHOT TODO-2)

Summary
Form:  ( DEFLABEL TODO-2 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-2
ACL2S !>>(TEST? (IMPLIES (AND (NATP A) (NATP N) (POSP P))
                         (= (AN-MOD-P A N P)
                            (MOD (EXPT A N) P))))

**Summary of Cgen/testing**
We tested 3000 examples across 3 subgoals, of which 3000 (3000 unique)
satisfied the hypotheses, and found 0 counterexamples and 3000 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((P 510) (N 41) (A 67))
 -- ((P 386) (N 690) (A 116))
 -- ((P 339) (N 918) (A 859))

Test? succeeded. No counterexamples were found.

## TODO-3 (10 points)

Prime numbers are really, really special. One of the truly strange things about them is that whenever $p$ is a prime, $a^{p-1} \bmod p = 1$. For example, when $a=4$ and $p=5$, we have $4^{5-1} = 4^4 = 2^8 = 256 \equiv 1 \pmod 5.$ This theorem was first proved by the French mathematician Pierre de Fermat, and it's known as Fermat's Little Theorem. You may have heard of Fermat's Last Theorem, but his "Little" theorem is actually much more useful!

Use `test?` to verify Fermat's Little Theorem. 

Note: My statement of Fermat's Little Theorem above is almost correct, but not quite. Make sure you get the hypotheses right, e.g., $p$ is a prime. More importantly, $a$ cannot be zero (obviously). More subtly, $a \bmod p$ cannot be zero! If $a \bmod p = 0$, then $a^ n \bmod p$ also equals zero! So you have to rule this possibility out in your hypotheses.

In [4]:
(defsnapshot todo-3)

(test? (implies 
            (and 
                 (posp a)
                     (primep p)
                         (> (mod a p) 0)
                             (= n (- p 1)))
            (= (an-mod-p a n p) 1)
        )
)




















ACL2S !>>(DEFSNAPSHOT TODO-3)

Summary
Form:  ( DEFLABEL TODO-3 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-3
ACL2S !>>(TEST? (IMPLIES (AND (POSP A)
                              (PRIMEP P)
                              (> (MOD A P) 0)
                              (= N (- P 1)))
                         (= (AN-MOD-P A N P) 1)))

**Summary of Cgen/testing**
We tested 3000 examples across 3 subgoals, of which 2896 (2896 unique)
satisfied the hypotheses, and found 0 counterexamples and 2896 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((N 22) (P 23) (A 542))
 -- ((N 466) (P 467) (A 505))
 -- ((N 9748) (P 9749) (A 616))

Test? succeeded. No counterexamples were found.

## TODO-4 (10 points)

The next step is to compute the **greatest common divisor (gcd)** of two natural numbers. In middle school, you probably filled out some worksheets where you computed, say, the gcd of 18 and 24 is 6. You probably did this by factoring 18 and 24 into powers of primes as $18=2^1\times3^2$ and $24=2^3\times3^1$, then finding the primes that appear in both factorizations and choosing the lowest exponents, in this case $2^1$ and $3^1$. The answer is the product of those factors, i.e., $2^1 \times 3^1 = 6$. See Book of Proof Definition 4.6.

Take it on faith that factoring a number into primes is a **hard problem**. It's easy enough for numbers up to 100, like you knew in middle school. But as the numbers get large, factoring becomes infeasible, even with modern computers.

So how can we compute the gcd of $x$ and $y$ without factoring? This problem was solved 2,300 years ago by the Greek mathematician Euclid who worked at the famous library of Alexandria (one of the Seven Wonders of the Ancient World). If you took a proof-based geometry course in high school, you may remember Euclid as the founder of Geometry and for his five postulates of what we now call Euclidean Geometry.

What Euclid observed was that $\gcd(a, b) = \gcd(b, a \bmod b)$. This can be used to define gcd as follows:

$$\gcd(a,b) = \begin{cases}
a,& \text{if $b=0$} \\
b,& \text{if $a=0$} \\
\gcd(b, a \bmod b), & \text{otherwise}
\end{cases}$$

(See https://www.khanacademy.org/computing/computer-science/cryptography/modarithmetic/a/the-euclidean-algorithm for a longer discussion of this algorithm.) It is helpful to see it in action, so here is a table that will help you to understand this and the Extended Euclidean Algorithm (coming up).

| Step | a   | b   | 
| ----:|----:|----:|
| 1    | 18  | 24  |
| 2    | 24  | 18  |
| 3    | 18  |  6  |
| 4    |  6  |  0  |

Notice, for example, how the value of $a_{i} = b_{i-1}$ at every step, and how $b_i = a_{i-1} \bmod b_{i-1}$. And notice how those two equations capture the definition of $\gcd(a,b)$ given above.

Implement the function `(egcd a b)` that computes the gcd of a and b using Euclid's algorithm


In [5]:
(defsnapshot todo-4)

(definec GCD_ (a :nat b :nat) :nat
    (if (= b 0)
        a
        (if (= a 0)
            b
            (GCD_ b (mod a b))
        )
    )
)

(check-expect (GCD_ 2 10) 2)
(check-expect (GCD_ 5 10) 5)
(check-expect (GCD_ 11 33) 11)
(check-expect (GCD_ 310 10) 10)
(check-expect (GCD_ 10 310) 10)
(check-expect (GCD_ 0 1) 1)
(check-expect (GCD_ 1 0) 1)
(check-expect (GCD_ 3 1092) 3)
(check-expect (GCD_ 9967 9973) 1)















ACL2S !>>(DEFSNAPSHOT TODO-4)

Summary
Form:  ( DEFLABEL TODO-4 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-4
ACL2S !>>(DEFINEC GCD_ (A NAT B NAT)
                  NAT
                  (IF (= B 0)
                      A (IF (= A 0) B (GCD_ B (MOD A B)))))

Form:  ( TEST-DEFINITION GCD_ ... )
Form:  ( TEST-BODY-CONTRACTS GCD_... ) 
Form:  ( TEST-FUNCTION-CONTRACT GCD_ ...) 
Testing: Done 
Elapsed Run Time: 0.67 seconds
Form:  ( ADMIT-DEFINITION GCD_ ... )
Time:  0.36 seconds (prove: 0.34, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT GCD_ ... )
Time:  0.08 seconds (prove: 0.03, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS GCD_ ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.48 seconds
Function Name : GCD_ 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(CHECK-EXPECT (GCD_ 2 10) 2)
 :PASSED
ACL2S !>>(CHECK-EXPECT (GCD_ 5 10)

## TODO-5 and TODO-6 (20 points)

The gcd of a and b has some important properties:
1. $gcd(a,b)$ divides $a$, and $gcd(a,b)$ divides $b$
2. If $g>gcd(a,b)$, then either $g$ does not divide $a$ or $g$ does not divide $b$
Here, $a$, $b$, and $g$ are all natural numbers, and $a$ and $b$ are not both zero. (The Book of Proof explains why $\gcd(0,0)$ doesn't really make sense.)

Use `test?` to verify these two properties below. 

> Hint: You can check that $x$ divides $y$ by using `(integerp (/ y x))`.

In [6]:
(defsnapshot todo-5)

(test? (implies 
            (and 
                 (natp a)
                    (natp b))
            (and 
                 (integerp (/ a (GCD_ a b)))
                    (integerp (/ b (GCD_ a b))))
        )
)













ACL2S !>>(DEFSNAPSHOT TODO-5)

Summary
Form:  ( DEFLABEL TODO-5 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-5
ACL2S !>>(TEST? (IMPLIES (AND (NATP A) (NATP B))
                         (AND (INTEGERP (/ A (GCD_ A B)))
                              (INTEGERP (/ B (GCD_ A B))))))

**Summary of Cgen/testing**
We tested 4000 examples across 4 subgoals, of which 4000 (4000 unique)
satisfied the hypotheses, and found 0 counterexamples and 4000 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((B 833) (A 577))
 -- ((B 93) (A 383))
 -- ((B 100) (A 3))

Test? succeeded. No counterexamples were found.

In [7]:
(defsnapshot todo-6)

(test? (implies 
            (and 
                 (natp a)
                    (natp b)
                         (natp g)
                             (> g (GCD_ a b))
                                 (not (and (= a 0)(= b 0)))
            )
            (not 
                (and
                    (integerp (/ a g))
                        (integerp (/ b g))
                )
            )
        )
)

































ACL2S !>>(DEFSNAPSHOT TODO-6)

Summary
Form:  ( DEFLABEL TODO-6 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-6
ACL2S !>>(TEST? (IMPLIES (AND (NATP A)
                              (NATP B)
                              (NATP G)
                              (> G (GCD_ A B))
                              (NOT (AND (= A 0) (= B 0))))
                         (NOT (AND (INTEGERP (/ A G))
                                   (INTEGERP (/ B G))))))

**Summary of Cgen/testing**
We tested 4000 examples across 4 subgoals, of which 1910 (1910 unique)
satisfied the hypotheses, and found 0 counterexamples and 1910 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((G 80) (B 88) (A 197))
 -- ((G 735) (B 424) (A 996))
 -- ((G 5) (B 833) (A 337))

Test? succeeded. No counterexamples were found.

## TODO-7 (10 points)

Here is an interesting fact. If $a$ and $b$ are natural numbers, you can always find **integers** $x$ and $y$ such that $ax + by = \gcd(a,b)$. For example, when $a=18$ and $b=24$, we know that $\gcd(a,b)=6$, and indeed for $x=-1$ and $y=1$ we have $ax + by = 18(-1) + 24(1) = 6 = \gcd(18, 24)$. But how do we find the right choice of $x$ and $y$? The **Extended Euclidean Algorithm** does just that.

This is the hardest recursive function you will write in this class, so I will try to explain it very carefully. To start, let's define a sequence of numbers $r_i$ and $q_i$ like this:
$$
\begin{aligned}
r_0 &= a \\
r_1 &= b \\
r_{i+1} &= r_{i-1} \bmod r_i
\end{aligned}
$$
Also, define $q_i = r_{i-1} // r_i$, where "//" means integer division, as in $10 // 4 = 2$. And recall that ACL2 computes that integer division with `(floor 10 4)`.

Notice that if you know the values of the sequence $r_0, r_1, \dots r_i$ and $q_0, q_1, \dots q_i$, then you can compute $r_{i+1}$ using the definition of the $r$ sequence, then computing $q_{i+1}$ using the definition of the $q$ sequence. So you can write a recursive call that computes all the $r_i$ and $q_i$. Here is how that works using our running example:

| Step | a   | b   | q  | r   |
| ----:|----:|----:|---:|----:|
| 0    |     |     |    | 18  |
| 1    | 18  | 24  | 0  | 24  |
| 2    | 24  | 18  | 1  | 18  |
| 3    | 18  |  6  | 3  |  6  |
| 4    |  6  |  0  |    |  0  |

Notice a few more things. First, the steps start at 1, just like in the Euclidean algorithm. The step "0" is just a convenient fiction to list the value of $r_0$. Also, notice that for the real steps ($i>0$), the value of $b_i$ is always equal to $r_i$ and that $a_i=r_{i-1}$. In essence, we don't really need the columns for $a$ and $b$, since those values are completely captured by the $r$ column. And at any given point, we need to know only the previous two values of $q$ and $r$ to fill the next row. In fact, a more careful analysis shows we only need to know the previous two values of $q$ to fill the next row, since those completely define $q_i$. What that means is that we could (in principle) define a function whose only two arguments are $r_{i-1}$ and $r_i$, and it would compute all the rows in the table until $r_k=0$. 

We could do that now, but instead we are going to consider an even bigger table. Let's introduce another two sequences with these equations:
$$
\begin{aligned}
x_0     &= 1                            & y_0     &= 0 \\
x_1     &= 0                            & y_1     &= 1 \\
x_{i+1} &= x_{i-1} - q_i\times x_i      & y_{i+1} &= y_{i-1} - q_i\times y_i
\end{aligned}
$$
Recall that $q_i$ was defined previously as $q_i = r_{i-1} // r_i$.

Our table now looks like this:

| Step | a   | b   | q  | r   | x   | y    |
| ----:|----:|----:|---:|----:|----:|-----:|
| 0    |     |     |    | 18  |  1  |  0   |
| 1    | 18  | 24  | 0  | 24  |  0  |  1   |
| 2    | 24  | 18  | 1  | 18  |  1  |  0   |
| 3    | 18  |  6  | 3  |  6  | -1  |  1   |
| 4    |  6  |  0  |    |  0  |  4  | -3   |

Notice something interesting in each row: $ax_i + by_i = r_i$. Be careful here! That equation uses the **original** values of $a$ and $b$, not the values for each row. For instance, in row 2 we have $ax_2 + by_2 = 18(1) + 24(0) = 18 = r_2$. And reading the penultimate row gives us $ax_3 + by_3 = 18(-1) + 24(1) = 6 = r_3$. In other words, we found the values of $x$ and $y$ that make $ax + by = \gcd(a,b)$.

Define the function `(egcd-ext-aux r0 r1 x0 x1 y0 y1)` that computes the penultimate row above. The subscripts indicate the previous two values of those variables. In particular,

    (egcd-ext-aux 18 24 1 0 0 1) = (egcd-ext-aux 24 18 0 1 1 0) = ... = '(6 -1 1)

See how the arguments reflect the values of $r$, $x$, and $y$ in rows 0 and row 1 of the table above. For a quick exercise before coding, see if you can fill in the "..." above.

After writing `egcd-ext-aux`, use it to define `(egcd-ext a b) = (exgc-aux a b 1 0 0 1)`. That should just be one quick line!

> **Important Note:** The termination analysis for this function takes too long, so I got a timeout in my solution. To get around this, I had to give ACL2 a special hint regarding the termination argument. I also found it useful to prove the type theorems about the elements $g$, $x$, and $y$ in the return type for this function. I left those theorems and hint for you in the TODO cell below.

In [8]:
(defsnapshot todo-7)

(defdata gcd-triple (list nat int int))

(defthm natp-first-gcd-triple
    (implies (gcd-triplep gxy)
             (natp (first gxy))))

(defthm integerp-second-gcd-triple
    (implies (gcd-triplep gxy)
             (integerp (second gxy))))

(defthm integerp-third-gcd-triple
    (implies (gcd-triplep gxy)
             (integerp (third gxy))))


;; next r = (prevR mod crntR)
;; next x = (prevX - crntQ * crntX)
;; crnt q = (prevR // crntR)

(definec next-xy (prevXY :int crntXY :int prevR :pos crntR :pos) :int
    (- prevXY (* (floor prevR crntR) crntXY))
)

(definec egcd-ext-aux (prevR :pos crntR :nat prevX :int crntX :int prevY :int crntY :int) :gcd-triple
    (declare (xargs keyword::consider-only-ccms (crntR)))
    ;; your code here
    (if (= crntR 0)
        (list prevR prevX prevY)  ;; I had this as '(...) and could not figure out why it was breaking, (list ...) fixed it 
        (egcd-ext-aux crntR
                      (mod prevR crntR) 
                      crntX
                      (next-xy prevX crntX prevR crntR)
                      crntY
                      (next-xy prevY crntY prevR crntR))
        )
)

(definec egcd-ext (a :pos b :nat) :gcd-triple
    (egcd-ext-aux a b 1 0 0 1))



(check-expect (egcd-ext 18 24) '(6 -1 1))
(check-expect (egcd-ext 30 10) '(10 0 1))
(check-expect (egcd-ext 34 6 ) '(2 -1 6))
(check-expect (egcd-ext 302 2) '(2 0 1))
(check-expect (egcd-ext 42 12) '(6 1 -3))




ACL2S !>>(DEFSNAPSHOT TODO-7)

Summary
Form:  ( DEFLABEL TODO-7 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-7
ACL2S !>>(DEFDATA GCD-TRIPLE (LIST NAT INT INT))
 Predicate events...
Form:  ( DEFUN GCD-TRIPLEP ...)
Form:  ( IN-THEORY (DISABLE* ...))
Form:  ( IN-THEORY (ENABLE ...))
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Tau characterization events...
 (GCD-TRIPLEP ACL2::V1) <= body -- not complete. 
Reasons: 
("Nesting i.e. (P (f ... (g x1 ...) ...) not allowed in conclusion of signature rule")

 (GCD-TRIPLEP ACL2::V1) => body -- not complete. 
Reasons: 
("The formula fails to fit any of the forms for acceptable :TAU-SYSTEM rules."
 "Nesting i.e. (P (f ... (g x1 ...) ...) not allowed in conclusion of signature rule")

Form:  ( DEFTHM GCD-TRIPLE=>DEF ...)
 Enumerator events...
Form:  ( DEFUN NTH-GCD-TRIPLE-BUILTIN ...)
Form:  ( DEFUN NTH-GCD-TRIPLE/ACC-BUILTIN ...)
Form:  ( PROGN (SET-BOGUS-DEFUN-HINTS-OK T) ...)
Form:

## TODO-8 (10 points)

The Extended Euclidean Algorithm computes the gcd of $a$ and $b$, **and** the fancy constants $x$ and $y$. But the value it returns for the gcd should be exactly the same as what `egcd` algorithm returns. Use `test?` to verify this property.

In [9]:
(defsnapshot todo-8)

(test? (implies 
            (and (posp a)(posp b))
            (= (GCD_ a b)(first (egcd-ext a b)))
        )
)














ACL2S !>>(DEFSNAPSHOT TODO-8)

Summary
Form:  ( DEFLABEL TODO-8 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-8
ACL2S !>>(TEST? (IMPLIES (AND (POSP A) (POSP B))
                         (= (GCD_ A B) (FIRST (EGCD-EXT A B)))))

**Summary of Cgen/testing**
We tested 3000 examples across 3 subgoals, of which 3000 (3000 unique)
satisfied the hypotheses, and found 0 counterexamples and 3000 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((B 91) (A 391))
 -- ((B 546) (A 964))
 -- ((B 6) (A 304))

Test? succeeded. No counterexamples were found.

## TODO-9 (10 points)

The Extended Euclidean Algorithm computes the gcd of $a$ and $b$, **and** the fancy constants $x$ and $y$ such that $ax + by = \gcd(a,b)$. Use `test?` to check that this property holds.

In [10]:
(defsnapshot todo-9)

(test? (implies (and (posp a)(posp b))
                (= (+ (* a (second (egcd-ext a b)))
                      (* b (third (egcd-ext a b)))
                   )
                   (GCD_ a b)
                )
        )
)


























ACL2S !>>(DEFSNAPSHOT TODO-9)

Summary
Form:  ( DEFLABEL TODO-9 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-9
ACL2S !>>(TEST? (IMPLIES (AND (POSP A) (POSP B))
                         (= (+ (* A (SECOND (EGCD-EXT A B)))
                               (* B (THIRD (EGCD-EXT A B))))
                            (GCD_ A B))))

**Summary of Cgen/testing**
We tested 3000 examples across 3 subgoals, of which 2997 (2997 unique)
satisfied the hypotheses, and found 0 counterexamples and 2997 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((B 66) (A 51))
 -- ((B 6) (A 9))
 -- ((B 3) (A 51))

Test? succeeded. No counterexamples were found.

## TODO-10 (10 points)

Suppose that $\gcd(a,b) = 1$. Using the Extended Euclidean Algorithm, we can find $x$ and $y$ such that $ax+by = \gcd(x,y) = 1$. Now, take that equation but modulo $b$:
$$
\begin{align}
1 &\equiv ax+by & \pmod b \\
  &\equiv ax    &\pmod b
\end{align}
$$
In other words, $ax = 1 \bmod p$ which means $a^{-1} = x \bmod b$.

That's worth repeating. If $\gcd(a,b)=1$, we can find a number $a^{-1}$ such that $a a^{-1} = 1 \bmod b$. We usually say: if $a$ and $b$ are *relatively prime*, then $a$ has a multiplicative inverse modulo $b$. And "relatively prime" just means that the gcd is equal to 1.

> Note: Technically, $a^{-1}$ should be a number from $0$ to $b-1$, since it's the inverse **modulo $b$**. So it is correct to say that $a^{-1} = x \mod b$, but $x$ is not necessarily the same as $a^{-1} \bmod b$, since $x$ can be negative.

Use the Extended Euclidean Algorithm to define `(modinv a b)` that returns the multiplicative inverse of $a$ modulo $b$.

> Note: The Extended Euclidean Algorithm is really cool, but `modinv` is acutally the big payoff for us of the whole gcd business.

> **Important Note:** In fact, once we define `modinv` we really don't want to think about gcd anymore. The function `modinv` should really be a black box, so I added an ACL2 command below to disable the definition. Keep that command in place! It's a useful trick to disable the definition of functions when their internals aren't really necessary, because it helps to keep ACL2 focused on the important functions instead. E.g., I found out that ACL2 got confused on a different definition later, so disabling `modinv` really helped.

In [11]:
(defsnapshot todo-10)

(definec modinv (a :nat b :pos) :nat
    ;; your code here
    (if (= a 0)
        0
        (mod (second (egcd-ext a b)) b))
)

(in-theory (disable modinv modinv-definition-rule))

(check-expect (modinv 123 11) 6)
(check-expect (modinv 22 5) 3)
(check-expect (modinv 1 99) 1)
(check-expect (modinv 1 1) 0)
(check-expect (modinv 321 1) 0)

ACL2S !>>(DEFSNAPSHOT TODO-10)

Summary
Form:  ( DEFLABEL TODO-10 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-10
ACL2S !>>(DEFINEC MODINV (A NAT B POS)
                  NAT
                  (IF (= A 0)
                      0 (MOD (SECOND (EGCD-EXT A B)) B)))

Form:  ( TEST-DEFINITION MODINV ... )
Form:  ( TEST-BODY-CONTRACTS MODINV... ) 
Form:  ( TEST-FUNCTION-CONTRACT MODINV ...) 
Testing: Done 
Elapsed Run Time: 0.83 seconds
Form:  ( ADMIT-DEFINITION MODINV ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT MODINV ... )
Time:  0.14 seconds (prove: 0.09, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS MODINV ... )
Time:  0.07 seconds (prove: 0.03, print: 0.00, other: 0.04)
Elapsed Run Time: 0.25 seconds
Function Name : MODINV 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(IN-THEORY (DISABLE MODINV MODINV-DEFINITION-RULE))

Su

## TODO-11 (10 points)

Now that we have `modinv`, use `test?` to verify that $a a^{-1} \bmod b = 1$ when $a$ and $b$ are relatively prime (i.e., their gcd is 1).

> Hint: You will probably need an additional hypothesis that $b>1$. The case when $b=1$ is special.

In [12]:
(defsnapshot todo-11)
;;got confused interpreting PEMDAS for modulo, makees sense that it is equivalent ordering to division

(test? (implies 
            (and (natp a)(> b 1)(= 1 (GCD_ a b)))
            (= 1 (mod (* a (modinv a b)) b))
        )
)



ACL2S !>>(DEFSNAPSHOT TODO-11)

Summary
Form:  ( DEFLABEL TODO-11 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-11
ACL2S !>>(TEST? (IMPLIES (AND (NATP A) (> B 1) (= 1 (GCD_ A B)))
                         (= 1 (MOD (* A (MODINV A B)) B))))

**Summary of Cgen/testing**
We tested 4000 examples across 4 subgoals, of which 8 (8 unique) satisfied
the hypotheses, and found 0 counterexamples and 8 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((B 10) (A 143))
 -- ((B 2) (A 965))
 -- ((B 13) (A 15))

Test? succeeded. No counterexamples were found.

## TODO-12 (10 points)

We are just about ready to implement the RSA algorithm. (Yeah, that's right. The RSA algorithm and related algorithms are the backbone of security and privacy in the internet, and all we need to implement them is $a^n\bmod p$ and "inverses mod p"!)

### Public-Key Cryptography with Magic

Before we can implement the RSA algorithm, however, we need to understand a handful of concepts about cryptography. RSA was the first encryption scheme in what is known as public-key cryptography. Let's say Alice wants to send Bob a secret message. Ahead of time, Bob uses magic to create two "keys", a **public key** and a **private key**. This next bit is very important: Bob guards his **private key** with his life. You know how you shouldn't let anybody know your social security number or you credit card numbers? The **private key** is just like that. You *never* share your private key with anybody. The **public key**, on the other hand, is meant to be completely public. It's like your phone number or your email address--anybody who wants to send you a message should have your **public key**. 

So here's the neat part. Alice has a message $M$ that she wants to send to Bob, but the message is private so she wants Bob and only Bob to be able to read it. What she does is that she gets Bob's public key and uses magic to create an *encrypted* message $M'$. The magic requires two spell components, $M$ and Bob's public key. Alice can then send $M'$ to Bob over an open channel, e.g., the internet, a QR code, public radio, or even carrier pigeons. It doesn't matter if somebody else gets to see $M'$, because $M'$ reads like gibberish. It is totally uninterpretable. However, $M'$ can be *unencrypted* using another spell that requires two spell components, $M'$ and Bob's private key. Since Bob never shared his private key with anyone, **only Bob can unencrypt $M'$**. Read that again. That is the secret of public key cryptography:
1. Bob creates a public key and a private key
2. Anybody can encrypt a message using Bob's public key
3. A message encrypted with a public key can be unencrypted using the corresponding private key
4. You need to have the private key to unencrypt messages, so only Bob can read messages intended for Bob

### Public-Key Cryptography with Math

Now that we know about public and private keys, we can use math to replace magic. Math is a lot like magic, but it's real. 

The first step is to describe how Bob can create a public and a private key. First, we start out with two **different** prime numbers $p$ and $q$. These should be random prime numbers, and they should not be too close to each other. They should also be fairly large; e.g., in my laptop the program `ssh-keygen` can be used to create public keys, and it does so using primes with a minimum of 1,024 bits (and the default and recommended size is 2,048 bits). Now that you have $p$ and $q$, define $N=(p-1)(q-1)$ and choose a $k$ such that $k$ and $(p-1)(q-1)$ have no factors in common. Since $k$ and $(p-1)(q-1)$ have no factors in common, we can find $d = k^{-1} \bmod (p-1)(q-1)$.

Then the keys are given by
* Public key: $(N, k)$
* Private key: $(N, d)$

Note that the public key has $N$ and $k$. The private key has $N$ and $d$, so if we find $d$ from the values of $N$ and $k$, the encryption system is broken. But to find $d$, you need to know not just $k$ but also $p$ and $q$. The security of RSA rests entirely on the fact that given $N$, it is still computationally infeasible to factor it into $N=p\cdot q$. (Quantum computers will be able to factor numbers quickly, and that will break RSA encryption, but let's ignore that, ok? Cryptographers are already working on new encryption schemes that are quantum-proof. Even just using conventional computers, if you choose $p$ and $q$ poorly, it is actually possible to factor $N$. See https://arstechnica.com/information-technology/2022/03/researcher-uses-600-year-old-algorithm-to-crack-crypto-keys-found-in-the-wild/ for a recent security exploit caused by poorly chosen primes. Oh, and the mathematician mentioned in that exploit is none other than our very own Pierre de Fermat!)

Now, RSA works by sending a message $M$ that is a natural number less than $N$. Alice encrypts $M$ by computing $M'=M^k \bmod N$. Again, note that both $N$ and $k$ are in Bob's public key, so Alice can perform this operation.

When Bob receives $M'$, he unencrypts it by computing $M'' = (M')^d \bmod N$. It turns out that $M''=M$ always (as long as $M<N$, that is), so Bob is able to compute Alice's original message $M$. This actually follows from Fermat's Little Theorem (above) and a few facts about modular arithmetic. See https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Proof_using_Fermat's_little_theorem for a short proof that you should be able to follow with just the math you learned in this class.

Define the function `(public-key p q k)` that returns a public key using the given values of $p$, $q$, and $k$. Note that $p$ and $q$ are primes, and that $k$ some positive number.

In [13]:
(defsnapshot todo-12)

;; ACL2 is indeed fussy about prime * prime = 0

(defdata pub-key (cons pos nat))
(defdata priv-key (cons pos nat))

;; just saw that (p-1)(q-1) announcment
(definec key-n (p :prime q :prime) :pos
    (if (<= (* (- p 1)(- q 1)) 0)
        1
        (* (- p 1)(- q 1))
    )
)

(check-expect (key-n 13 17) 192)
(check-expect (key-n 3 5) 8)
(check-expect (key-n 173 61) 10320)
(check-expect (key-n 83 149) 12136)
(check-expect (key-n 3 3) 4)

(definec public-key-g (p :prime q :prime k :pos) :pub-key
    (cons (* p q) k)
)

(check-expect (public-key-g 3 3 3) '(9 . 3))
(check-expect (public-key-g 3 5 11) '(15 . 11))
(check-expect (public-key-g 13 11 23) '(143 . 23))
(check-expect (public-key-g 2 3 3) '(6 . 3))
(check-expect (public-key-g 2 2 2) '(4 . 2))



ACL2S !>>(DEFSNAPSHOT TODO-12)

Summary
Form:  ( DEFLABEL TODO-12 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-12
ACL2S !>>(DEFDATA PUB-KEY (CONS POS NAT))
 Predicate events...
Form:  ( DEFUN PUB-KEYP ...)
Form:  ( IN-THEORY (DISABLE* ...))
Form:  ( IN-THEORY (ENABLE ...))
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Tau characterization events...
Defdata/Note: PUB-KEYP relatively complete for Tau.
Form:  ( DEFTHM DEF=>PUB-KEY ...)
Form:  ( DEFTHM PUB-KEY=>DEF ...)
 Enumerator events...
Form:  ( DEFUN NTH-PUB-KEY-BUILTIN ...)
Form:  ( DEFUN NTH-PUB-KEY/ACC-BUILTIN ...)
Form:  ( PROGN (SET-BOGUS-DEFUN-HINTS-OK T) ...)
Form:  ( ENCAPSULATE NIL (LOGIC) ...)
Time:  0.05 seconds (prove: 0.01, print: 0.00, other: 0.04)
 Registering type...
Form:  ( DEFUN NTH-PUB-KEY ...)
Form:  ( ENCAPSULATE (((NTH-PUB-KEY * ...) ...) ...) ...)
Form:  ( DEFUN NTH-PUB-KEY/ACC ...)
Form:  ( ENCAPSULATE (((NTH-PUB-KEY/ACC * ...) ...) ...) ...)
For

## TODO-13 (10 pts)

Now define the function `(private-key p q k)` as described above.

> Hint: This function takes the inverse modulo $(p-1)(q-1)$, but ACL2 finds it hard to believe that this number is never zero. Of course it cant be zero when $p$ and $q$ are primes, but ACL2 isn't clever enough to realize that on its own. We could (should?) prove that this is the case, but that is more than I want to do in this assignment. So what I did to define this function is to add an if statement that handles this "special" case when $(p-1)(q-1)=0$. In that case, what the function returns doesn't matter, as long as it returns a valid key (so that typing works correctly). It doesn't matter exactly what it returns, since that condition should never be true! That is absolutely a hack, but it avoids a bit of tedious work, so feel free to do the same.

In [14]:
(defsnapshot todo-13)


(definec private-key-g (p :prime q :prime k :pos) :priv-key
    
    (cons (* p q)(modinv k (key-n p q)))
)

(check-expect (private-key-g 3 3 3) '(9 . 3))
(check-expect (private-key-g 3 5 11) '(15 . 3))
(check-expect (private-key-g 13 11 23) '(143 . 47))
(check-expect (private-key-g 2 3 3) '(6 . 1))
;; obviously we should never choose a k such that D = 0/DNE, however the problems above said to treat k as 'some positive'
(check-expect (private-key-g 2 2 2) '(4 . 0))















ACL2S !>>(DEFSNAPSHOT TODO-13)

Summary
Form:  ( DEFLABEL TODO-13 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-13
ACL2S !>>(DEFINEC PRIVATE-KEY-G (P PRIME Q PRIME K POS)
                  PRIV-KEY
                  (CONS (* P Q) (MODINV K (KEY-N P Q))))

Form:  ( TEST-DEFINITION PRIVATE-KEY-G ... )
Form:  ( TEST-BODY-CONTRACTS PRIVATE-KEY-G... ) 
Form:  ( TEST-FUNCTION-CONTRACT PRIVATE-KEY-G ...) 
Testing: Done 
Elapsed Run Time: 1.76 seconds
Form:  ( ADMIT-DEFINITION PRIVATE-KEY-G ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Form:  ( PROVE-FUNCTION-CONTRACT PRIVATE-KEY-G ... )
Time:  0.23 seconds (prove: 0.18, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS PRIVATE-KEY-G ... )
Time:  0.07 seconds (prove: 0.03, print: 0.00, other: 0.04)
Elapsed Run Time: 0.34 seconds
Function Name : PRIVATE-KEY-G 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(CHECK-EXPECT (

## TODO-14 (10 points)

Define the function `(encrypt message public-key)` that encrypts the given message with the given key. Recall that the key looks like $(N, k)$ and the encryption algorithm is $M' = M^k \bmod N$. Be sure to use the fast version of exponentiation modulo $N$.

In [15]:
(defsnapshot todo-14)
;; had to change my key type to a pair from a list, then tracked down car and cdr usage, works now

(definec encrypt (m :nat pub-key :pub-key) :nat
    (an-mod-p m (cdr pub-key) (car pub-key))
)

(check-expect (encrypt 3 '(2 . 1)) 1)
(check-expect (an-mod-p 3 1 2) 1)

(check-expect (encrypt 9021 '(33 . 4)) 12)
(check-expect (an-mod-p 9021 4 33) 12)

(check-expect (encrypt 13 '(12 . 11)) (an-mod-p 13 11 12))
(check-expect (encrypt 88 '(12 . 31)) (an-mod-p 88 31 12))
(check-expect (encrypt 63 '(72 . 14)) (an-mod-p 63 14 72))




ACL2S !>>(DEFSNAPSHOT TODO-14)

Summary
Form:  ( DEFLABEL TODO-14 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-14
ACL2S !>>(DEFINEC ENCRYPT (M NAT PUB-KEY PUB-KEY)
                  NAT
                  (AN-MOD-P M (CDR PUB-KEY)
                            (CAR PUB-KEY)))

Form:  ( TEST-DEFINITION ENCRYPT ... )
Form:  ( TEST-BODY-CONTRACTS ENCRYPT... ) 
Form:  ( TEST-FUNCTION-CONTRACT ENCRYPT ...) 
Testing: Done 
Elapsed Run Time: 0.31 seconds
Form:  ( ADMIT-DEFINITION ENCRYPT ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Form:  ( PROVE-FUNCTION-CONTRACT ENCRYPT ... )
Time:  0.07 seconds (prove: 0.03, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS ENCRYPT ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.12 seconds
Function Name : ENCRYPT 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(CHECK-EXPECT (ENCRYPT 3 '(2 . 1)) 1)

## TODO-15 (10 points)

Define the function `(decrypt message private-key)` that encrypts the given message with the given key. Recall that the key looks like $(N, d)$ and the encryption algorithm is $M' = M^d \bmod N$. Be sure to use the fast version of exponentiation modulo $N$.

> Hint: This should be remarkably similar to TODO-14.

In [16]:
(defsnapshot todo-15)

(definec decrypt (m1 :nat priv-key :priv-key) :nat
    (an-mod-p m1 (cdr priv-key) (car priv-key))
)

(check-expect (decrypt 3 '(2 . 1)) 1)
(check-expect (an-mod-p 3 1 2) 1)

(check-expect (decrypt 9021 '(33 . 4)) 12)
(check-expect (an-mod-p 9021 4 33) 12)

(check-expect (decrypt 13 '(12 . 11)) (an-mod-p 13 11 12))
(check-expect (decrypt 88 '(12 . 31)) (an-mod-p 88 31 12))
(check-expect (decrypt 63 '(72 . 14)) (an-mod-p 63 14 72))











ACL2S !>>(DEFSNAPSHOT TODO-15)

Summary
Form:  ( DEFLABEL TODO-15 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-15
ACL2S !>>(DEFINEC DECRYPT (M1 NAT PRIV-KEY PRIV-KEY)
                  NAT
                  (AN-MOD-P M1 (CDR PRIV-KEY)
                            (CAR PRIV-KEY)))

Form:  ( TEST-DEFINITION DECRYPT ... )
Form:  ( TEST-BODY-CONTRACTS DECRYPT... ) 
Form:  ( TEST-FUNCTION-CONTRACT DECRYPT ...) 
Testing: Done 
Elapsed Run Time: 0.31 seconds
Form:  ( ADMIT-DEFINITION DECRYPT ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT DECRYPT ... )
Time:  0.07 seconds (prove: 0.03, print: 0.00, other: 0.04)
Form:  ( PROVE-BODY-CONTRACTS DECRYPT ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.12 seconds
Function Name : DECRYPT 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(CHECK-EXPECT (DECRYPT 3 '(2 . 

## TODO-16 (10 points)

Suppose we have a message $M$, two (different) primes $p$ and $q$, and a valid value of $k$ (457 will do, and you can just this magic value of $k$). Then if you encrypt $M$ with the public key generated by $p$, $q$, and $k$, then decrypt the result with the private key (or $p$, $q$, and $k$), the result is the original message $M$. Use `test?` to verify this property.

> Hint: You have to be careful with the hypothesis. This only works if $M<p\cdot q$.

In [17]:
(defsnapshot todo-16)

;; had lots of trouble (and sorrow) getting all instances to work, then saw the announcment about p*q, welp now it works

(test? (implies 
            (and 
                (primep p)
                    (primep q)
                        (not (= p q))
                             (= k 457)
                                 (posp m)
                                     (< m (* p q)))
            (= m 
                (decrypt 
                    (encrypt m (public-key-g p q k))
                        (private-key-g p q k)))
        )
)

;; -- ((M 533) (K 457) (Q 17) (P 9181))
(check-expect (public-key-g 9181 17 457) '(156077 . 457))
(check-expect (private-key-g 9181 17 457) '(156077 . 145273))
(check-expect (encrypt 533 '(146880 . 457)) 145973)
(check-expect (decrypt 145973 '(146880 . 145273)) 533)

;;-- ((M 236) (K 457) (Q 269) (P 6679))
(check-expect (public-key-g 6679 269 457) '(1796651 . 457))
(check-expect (private-key-g 6679 269 457) '(1796651 . 1186609))
(check-expect (encrypt 236 '(1796651 . 457)) 353728)
(check-expect (decrypt 353728 '(1796651 . 1186609)) 236)

;;-- ((M 2) (K 457) (Q 7) (P 79))
(check-expect (public-key-g 79 7 457) '(553 . 457))
(check-expect (private-key-g 79 7 457) '(553 . 85))
(check-expect (encrypt 2 '(553 . 457)) 408)
(check-expect (decrypt 408 '(553 . 85)) 2)



ACL2S !>>(DEFSNAPSHOT TODO-16)

Summary
Form:  ( DEFLABEL TODO-16 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 TODO-16
ACL2S !>>(TEST? (IMPLIES (AND (PRIMEP P)
                              (PRIMEP Q)
                              (NOT (= P Q))
                              (= K 457)
                              (POSP M)
                              (< M (* P Q)))
                         (= M
                            (DECRYPT (ENCRYPT M (PUBLIC-KEY-G P Q K))
                                     (PRIVATE-KEY-G P Q K)))))

**Summary of Cgen/testing**
We tested 4000 examples across 4 subgoals, of which 2867 (2867 unique)
satisfied the hypotheses, and found 0 counterexamples and 2867 witnesses.

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((M 6) (K 457) (Q 7489) (P 5843))
 -- ((M 85) (K 457) (Q 3853) (P 9551))
 -- ((M 260) (K 457) (Q 13) (P 1021))

Test? succeeded. No counterexamples were found.
ACL2S !>>(CHECK-EXPECT (PUBLIC

## Extra Credit 1 (40 points)

What we proved above is the guts of the RSA algorithm, but we need to do some more work to make the results useful to actual messages, i.e., lists of characters.

Consider only lists of the following characters: a-z and _. So for example, we may want to encode a message that looks like 

    '(h e l l o _ w o r l d)

So the first task (10 points) is to define functions that translate "list messages" into numbers and numbers into "list messages". These should be very similar to the code we wrote for translating numbers to decimal representation, but since there are 27 different characters (26 letters and an underscore), this needs to be base 27. For example,

    '(h e l l o) => 7 + 27*4 + 27^2 * 11 + 27^3 * 11 + 27^4 * 14 = 7,664,821

Of course, you also need the inverse function that goes from a number message to a list of characters.

The second task (10 points) is to use `test?` to verify that if you start with a list of caracters, convert that to a numeric message, then convert the numeric message back, you get the original list of characters. Note that this property isn't exactly true, so you will need to use the right hypothesis to get it to work. (A similar issue comes up in the videos for converting numbers to lists of numerals.) You should also show the other inverse property, i.e., staring with a number, converting to a list of characters, and converting back to a number.

Ths third task (10 points) is to put it all together by writing encrypt and decrypt functions that take in a list of characters, convert them to number messages, then encrypt/decrypt the number, and convert that back to a list of numbers. 

Of course, the fourth task (10 points) is to use `test?` to show that the effect of encrypting a message and decrypting it with the corresponding private key is to get the original message back. You need to be careful here. Remember that the encrypt/decrypt work only works when the number message is small enough. When talking about lists of characters what we mean by "small enough" is fewer than so many characters. You should choose the maximum length of the list allowed to vary depending on the primes $p$ and $q$ (and nothing else).

In [29]:
;; (8:25am 5/9/22) I've worked at this throughout the week and seriously on Saturday and the last 18 hours 
;; straight through the night, the .ipynb file lets you see that if you are concerned about effort.

;; I am and have been petrified of failing this class again because it garuntees I lose my scholarship, 
;; which currently pays my housing, food, and school, which my family is in zero position to help with right now. 
;; Between that and genuinely looking up to Ruben, it has made it very difficult to ask for help when I clearly need it.

;; Clear skies to the 'grading demon'


(defsnapshot ec-1)

;; base 27 notation
(defdata chars 
    (listof
         (enum '(a b c d e f g h i j k l m n o p q r s t u v w x y z _))))


;; converts char to base 10
(definec char-val (m :symbol) :nat
    (if (eql 'a m) 0
    (if (eql 'b m) 1
    (if (eql 'c m) 2
    (if (eql 'd m) 3
    (if (eql 'e m) 4
    (if (eql 'f m) 5
    (if (eql 'g m) 6
    (if (eql 'h m) 7
    (if (eql 'i m) 8
    (if (eql 'j m) 9
    (if (eql 'k m) 10
    (if (eql 'l m) 11
    (if (eql 'm m) 12
    (if (eql 'n m) 13
    (if (eql 'o m) 14
    (if (eql 'p m) 15
    (if (eql 'q m) 16
    (if (eql 'r m) 17
    (if (eql 's m) 18
    (if (eql 't m) 19
    (if (eql 'u m) 20
    (if (eql 'v m) 21
    (if (eql 'w m) 22
    (if (eql 'x m) 23
    (if (eql 'y m) 24
    (if (eql 'z m) 25
    (if (eql '_ m) 26
        0
))))))))))))))))))))))))))))


;; converts base 10 value to char
(definec val-char (n :nat) :list
    (list (nth (mod n 27) '(a b c d e f g h i j k l m n o p q r s t u v w x y z _))))


;; by convention use we never pass this i < 0
(definec encrypt-char (m :chars c :int i :nat) :nat
    (if (<= c 0)
        (* (expt 27 i)(char-val (first m)))
        (+ (* (expt 27 i)(char-val (first m)))
           (encrypt-char (rest m) (- c 1) (+ 1 i)))
    )
)

;; auxilery to encrypt
(definec encrypt-char-aux (m :chars) :nat
    (encrypt-char m (- (len m) 1) 0))
(check-expect (encrypt-char-aux '(d c o d e)) 2195076)
(check-expect (encrypt-char-aux '(h e l l o)) 7664821)


;; finds maximum power of 27 for a given m
(definec max-power (m :pos p :nat) :nat
    (if (<= m 0)
        1
        (if (= m 1)
            0
            (if (> m (expt 27 p))
                (max-power m (+ p 1))
                (- p 1)
            )
        )
    )
)
(check-expect (max-power 900 0) 2)
(check-expect (max-power 19683 0) 3)
(check-expect (max-power 19682 0) 2)


;; ALWAYS called as (max-num m (max-power ...) n), prevents excessive recursion
(definec max-num (m :nat p :nat n :nat) :nat
    (if (<= m 0)
        0
        (if (= m 1)
            1
            (if (> m (* n (expt 27 p)))
                (max-num m p (+ n 1))
                (- n 1)
            )
        )
    )
)
(check-expect (max-num 19682 (max-power 19682 0) 0) 26)
(check-expect (max-num 1350 (max-power 1350 0) 0) 1)


;; find largest power/multiple, append respective char, subtract and recurse
(definec decrypt-char (m :nat) :chars
    (if (<= 1 (max-power m 0))
        (cons
            (val-char (max-num m (max-power m 0) 0))
            (decrypt-char (- m (* (expt 27 (max-power m 0))(max-num m (max-power m 0) 0)))) ;iterate m
        )
        (cons (val-char (max-num m 1 0)) nil)
    )
)





;; reimplement encrypt/decrypt pattern from todo






ACL2S !>>(DEFSNAPSHOT EC-1)
          21:x(DEFLABEL FROM-THE-TOP)

Summary
Form:  ( DEFLABEL EC-1 ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 EC-1
ACL2S !>>(DEFDATA CHARS
                  (LISTOF (ENUM '(A B C D E F G H I
                                    J K L M N O P Q R S T U V W X Y Z _))))
 Predicate events...
Form:  ( DEFUN CHARSP ...)
Form:  ( IN-THEORY (DISABLE* ...))
Form:  ( IN-THEORY (ENABLE ...))
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Listof theory events...
Form:  ( DEFTHM CHARSP-IMPLIES-TLP ...)
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Tau characterization events...
 (CHARSP ACL2::V1) => body -- not complete. 
Reasons: 
("Multiple sig terms i.e. (P1 (f x1 ...)) OR (P2 (f x1 ...))
 not allowed in conclusion of signature rule")

Form:  ( DEFTHM DEF=>CHARS ...)
Form:  ( DEFTHM CHARS=>DEF ...)
 Enumerator events...
Form:  ( DEFUN NTH-CHARS-BUILTIN ...)
Form:  ( DEFUN NTH-CHAR




## Extra Credit 2 (60 points)

Did you see how large a message (i.e., the number of characters) you can enocde using the scheme in the previous extra credit? Not very large, huh?

So what about large messages? One idea is to break up a large message into a bunch of small ones, small enough that we can encrypt and decrypt them correctly. Each chunk is called a block. For example, if the bloicksize is 3, you would break the message as follows:

    '(h e l l o + w o r l d) => '((h e l) (l o _) (w o r) (l d))

Now, Alice can encrypt each of the blocks separately, append all the encrypted blocks together, and send the results to Bob. Bob then takes the cryptext from Alice, breaks it up into blocks of the right size, and decrypts each block separately. Ta da!

There are a couple of glitches, of course. First, you need to know how big you can make the blocks. Remember that the message (as a number) has to be smaller than $p\cdot q$, and you can find that product in the keys. Second, you probably ran into some issues in Extra Credit 1 having to do with leading zeros. You need to handle that here, and that may affect the blocksize, too. (Don't panic if you don't know what I'm talking about yet. You can start with some reasonable value for the blocksize, and the `test?` feature will let you find these bugs later.) 

> Note: The last block in the example above is shorter than the others. This is actually a big deal that could lead to a weak encryption, and "block cyphers" go to extreme lengths to avoid this problem, e.g., by padding appropriately. They also go to great lengths to avoid other potential attacks, like giving an attacker multiple examples of encrypting a small message with the same key! We'll just ignore those problems in this example, but look into an Encryption course if you're interested in these issues.



In [None]:
(defsnapshot ec-2)


(defdata fiveChar 
    ...
    list of enum(a-z) of len 0-5)

(defdata charMessage 
    ...
    listof fiveChar)

(defdata numMessage 
    ...
    listof nat)

;start i as len(m)
(definec encrypt-char-ls (m :charMessage i :nat) :numMessage
    ... 
    (if (<= 0 i))
    (append (encrypt-char (nth i m)) (encrypt-char-ls m (- i 1)))
    '(nil)
    ...
    )

(definec decrypt-char-ls (m :charMessage i :nat) :charMessage
    ... 
    (if (<= 0 i))
    (append (decrypt-char (nth i m)) (decrypt-char-ls m (- i 1)))
    '(nil)
    ...
    )

(test? ... 
       (implies
            charsp m0
                charMessagep m1)
                    m0 == m1
       encrypt-chars-ls m1 == encrypt-chars m0
       
       )


(test? ... 
       (implies
            charsp m0
                charMessagep m1)
                    m0 ~=~ m1 ^ len m0,m1 > 1
       decrypt-chars-ls m1 == decrypt-chars m0
       
       )


(test? ... 
       (implies
            charMessagep m1)
                len m1 > 1
       (decrypt (encrypt-chars-ls m1)) = m1
)







































## Extra Credit 3 (30 points)

If you get this far, good news! Alice sent Bob a secret message:

    '(Q M F X S F L Z L U P A G X E O F A F T N C I D B N V S I F B W P J M A Q J U _ H E A F R Z F C X J G X G A K Q D L R D L O G F I G Q M Q O V F)

You know Bob's **public key**, of course, which is `(98604899 7)`. The problem is, you don't know Bob's **private key**, so you can't read Alice's message.

Or can you? Remember we said earlier that factoring is **hard** in general, but that in some cases it's pretty easy? Maybe Bob picked primes poorly, and you actually **can** recreate $p$ and $q$ from $N$. If you succeed, you can read this secrete messsage by using your solution to Extra Credit 2 with the private key.

Be sure to **show your work**, don't just show the decoded message, ok?