# **User's Manual for RSA**

> THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE, ALTHOUGH YOU CAN STILL ASK US IF YOU NEED HELP :3c

<div class="alert alert-block alert-danger">
If you downloaded a copy of this manual locally, do <strong>NOT</strong> run any of the code blocks; important data will be erased.
</div>

## Preface

Thank you, esteemed customer(s), for purchasing 1 *perpetual* license of our patented <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>! It's so simple, this user manual will explain (almost) everything you need to get it off the ground in no time!

You may know that an encryption scheme generally requires a key to encrypt and decrypt the plaintext and the ciphertext. Let me illustrate with an example:
Let's say you want to send a secret message to your friend, Bob, perhaps "I love blahaj!" 

Now, of course, to keep it secret from the outside world, you encrypt it with your key (using whatever encryption you prefer). You then proceed to send Bob the encrypted message, without a care in the world. But wait! How will he read it if he can't decode it? Well, you'd just send him the key for him to decode it, right? However, if you were to do that, anyone listening in could just obtain the key and decrypt the original message. Thus, to stop eavesdroppers from just reading the key, you'd have to encrypt it with another key, which you'd encrypt again, and again, and again...

## <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">The Really Simple Algorithm™</span>

Such an encryption scheme, where the method of encryption and decryption are identical, is known as *symmetric*. Our patented <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>, however, is *asymmetric*; that is, the encryption and decryption processes differ, through use of two separate keys (a *public* key for encryption, and a *private* key for decryption).

To make such an asymmetric scheme, we can exploit already existing asymmetries in nature, known as *trapdoor functions*; functions where it is easy to evaluate one way, but the inverse is very difficult without special knowledge. For the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>, this trapdoor function is integer factorisation.

To begin, let us first generate two primes, $p$ and $q$ , which we keep secret. For the purpose of simplicity, these can be any 2 primes. We will also calculate the modulus $N = pq$, which will be public.

Now, we will need to find a public key $e$ and private key $d$ such that for some message $m$, $m^{ed} \equiv m\ (\mathrm{mod}\ N)$. Generally, only one is fixed (usually $e$) and the other is calculated from the above equation.

From that, we can obtain the equations for encryption $(1)$ & decryption $(2)$:
$$
\begin{align}
c &\equiv m^e \ &(\mathrm{mod}\ N) \\
m &\equiv c^d \ &(\mathrm{mod}\ N)
\end{align}
$$

of which form the core of the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>.

## Security

You may have some doubts on the security of such a wonderfully simple algorithm. "What's stopping an attacker from just calculating $d$ from $e$ and decrypting the ciphertext? And what does this have to do with integer factorisation?", you may wonder. 

To kill two birds with one stone, notice how we intentionally omitted *how* exactly one would obtain $d$ from $e$ (or vice versa). You may remember Fermat's little theorem:

$$a^{p-1} \equiv 1\ (\mathrm{mod}\ p)$$

There exists a generalisation to a non-prime modulus $n$, by Euler:

$$a^{\varphi(n)} \equiv 1\ (\mathrm{mod}\ n)$$

where $a$ is coprime to $n$, and $\varphi(n)$ is Euler's totient function, which counts the number of positive integers below $n$ that are coprime to $n$.

Now, notice that, for any integer $k$,

$$
\begin{align*}
m^{ed} &\equiv 1^km\ &(\mathrm{mod}\ N) \\
m^{ed} &\equiv m^{k\varphi(N)+1}\ &(\mathrm{mod}\ N)
\end{align*}
$$

and thus
$$
\begin{align*}
ed &\equiv 1 &(\mathrm{mod}\ \varphi(N)) \\
d &\equiv e^{-1} &(\mathrm{mod}\ \varphi(N))
\end{align*}
$$

which allows us to calculate $d$ as the multiplicative inverse of $e$, as long as we know $\varphi(N)$. To obtain $\varphi(N)$, we can use the identity that $\varphi(ab) = \varphi(a)\varphi(b)$ for coprime $a$, $b$:

$$\varphi(N) = \varphi(p)\varphi(q) = (p-1)(q-1)$$

and herein lies the security of the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>: To calculate $d$ from $N$ and $e$, we must calculate $\varphi(N) = (p-1)(q-1)$, which requires factorising $N$ to obtain $p$ and $q$!

## Application

Here, we will provide an example usage of the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>. To encourage thorough reading, we have used the first half of the flag as the plaintext; your goal is to decrypt it with the provided information.

In [64]:
from Crypto.Util.number import bytes_to_long, getPrime
from math import gcd

#p & q
p = 230115307858050157663752792038769502589 # getPrime(128)
q = 182712788804936604983979668429911195033 # getPrime(128)

N = p*q

# public key
e = 65537
assert gcd(e, p-1) == 1 and gcd(e, q-1) == 1

N

42045009645450887212686031474524658488582934639618352254927085776871977440437

In [65]:
# encryption
flag1 = b"REDACTED"
c = pow(bytes_to_long(flag1), e, N)

c

37814713539672821316905785692591641180288654985038053453462316411423429906938

## Precautions

### Factorisable Modulus

As the security of the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span> depends on the difficulty of factorising the modulus, care must be taken to select $p, q$ so as to not make it more easily factorisable. For example, $p$ and $q$ should not be too small, or else $N$ may be easily factorisable by trial division; $p$ and $q$ should not be too close either for a similar reason.

### Low Public Exponent Attack

The <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span> generally uses Fermat primes for the public exponent $e$; the smallest of which is $3$, which has the upside of being very cheap to compute when used in the <span style="color:#FFFFFF;text-shadow:0 0 0.5em #FFFFFF">Really Simple Algorithm™</span>. However, if the plaintext & public exponent is too small and modulus too big, there is a possibility of $c = m^e < N$, making the ciphertext trivially decryptable by a simple $e$ th-root.

This attack is illustrated below, with the second part of the flag:

In [55]:
#p & q
p = getPrime(128)
q = getPrime(128)

N = p*q

# public key
e = 3
assert gcd(e, p-1) == 1 and gcd(e, q-1) == 1

N

43512041389227605596402137631053240847706952543011775018199827061466990921881

In [56]:
# encryption
flag2 = b"REDACTED"
c = pow(bytes_to_long(flag2), e, N)

c

8592206451542845087530438337780735965391588022391063847102439291373669

As such, to prevent this attack from occurring, a larger $e$ is recommended; if one still requires the speedup from an $e$ of $3$, ensure that the plaintext is padded before encryption.