## Programming Assignment 4
## Phạm Thanh Trường
## 20194460


In [1]:
!pip install gmpy2

Collecting gmpy2
  Downloading gmpy2-2.1.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.6 MB)
[K     |████████████████████████████████| 3.6 MB 5.2 MB/s 
[?25hInstalling collected packages: gmpy2
Successfully installed gmpy2-2.1.2


In [34]:
from gmpy2 import mpz, isqrt, invert, digits, powmod, is_prime, divexact, mul

## Question 1

The following modulus 𝑁 is a products of two primes p and q where $|p-q| < 2N^\frac{1}{4}$. Find the smaller of the two factors and enter it as a decimal integer.  
>N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581



Let:
<center>
$A=\frac{p+q}{2}$
</center>  

According to Cauchy's inequality:
<center>
$2A=p+q\ge2\sqrt{pq}=2\sqrt{N}$
</center>
<center>
$=>A\ge\sqrt{N}$
</center>

Since $p$ and $q$ are prime numbers, we know that $p+q$ is even and thus $A$ is an integer.  
We observe that:  
<center>
$A^2-N=(\frac{p+q}{2})^2-N=\frac{p^2-2pq+q^2}{4}=\frac{(p-q)^2}{4}$
</center>  

Also:  
<center>
$A-\sqrt{N}=\frac{A^2-N}{A+\sqrt{N}}=\frac{(p-q)^2/4}{A+\sqrt{N}}$
</center>  

Since $A\ge\sqrt{N}$, and $|p-q|\lt2N^\frac{1}{4}$, it follows that:
<center>
$A-\sqrt{N}\le\frac{4\sqrt{N}}{8\sqrt{N}}=\frac{1}{2}\lt1$
</center>  

So $A$ is greater than $N$ but the difference is smaller than 1. $A$ is also an integer, thus can be calculated by rounding $\sqrt{N}$ up to the closest integer above.  
Since $A$ is the exact mid-point between $p$ and $q$, there exists an integer x such that $p=A-x$ and $q=A+x$ (assuming that $p\lt q$). Then:  
<center>
$N=pq=(A-x)(A+x)=A^2-x^2$
</center>  

Therefore, $x=\sqrt{A^2-N}$.

In [19]:
n1 = mpz('179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581')
A1 = isqrt(n1) + 1 # calculate A = sqrt(n1) + 1 = (p+q)/2 
p1 = A1 - isqrt(A1**2 - n1) # smaller factor: p = A - x,
print("RESULT:")
print(f'The smaller factor is: {p1}')

# check p is a prime number
if is_prime(p1):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check again bigger factor is prime and pq = N
print("CHECK:")
q1 = A1 +isqrt(A1**2 - n1) # bigger factor: q = A + x
print(f'The bigger factor is: {q1}')

# check q is a prime number
if is_prime(q1):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check pq = N
if (p1 * q1 == n1):
  print("pq = N. It's Ok")
else:
  print("pq is not equal to N")

RESULT:
The smaller factor is: 13407807929942597099574024998205846127479365820592393377723561443721764030073662768891111614362326998675040546094339320838419523375986027530441562135724301
The number found is confirmed to be a prime !
CHECK:
The bigger factor is: 13407807929942597099574024998205846127479365820592393377723561443721764030073778560980348930557750569660049234002192590823085163940025485114449475265364281
The number found is confirmed to be a prime !
pq = N. It's Ok


## Question 2

The following modulus 𝑁 is a products of two primes 𝑝 and 𝑞 where $|𝑝 − 𝑞| < 2^{11}𝑁^\frac{1}{4}$. Find the smaller of the two factors and enter it as a decimal integer. 
Hint: in this case $𝐴 − \sqrt{𝑁} < 2^{20}$ so try scanning for 𝐴 from $\sqrt{𝑁}$ upwards, until you succeed in factoring 𝑁.  
>N = 648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877

We choose $A=\frac{p+q}{2}$:  
<center>
$A-\sqrt{N} \le \frac{2^{22}\sqrt{N}}{8\sqrt{N}}=2^{19}$
</center>  

Also, A is an integer, we will scan all integers starting from $\sqrt{N}$ to find A. This scanning process wouldn't take more than $2^{20}$ attemps.

Again, similar to question 1, $p=A-x$, where $x=\sqrt{A^2-N}$.

In [22]:
n2 = mpz('648455842808071669662824265346772278726343720706976263060439070378797308618081116462714015276061417569195587321840254520655424906719892428844841839353281972988531310511738648965962582821502504990264452100885281673303711142296421027840289307657458645233683357077834689715838646088239640236866252211790085787877')
A2 = isqrt(n2)

# scan for intrger from sqrt(n)
while True:
    try:
        x2 = isqrt(A2**2 - n2)
        if n2 == (A2 - x2) * (A2 + x2): # check if n = pq
            break
    except ValueError:
        pass
    
    A2 += 1
p2 = A2 - x2
print("RESULT:")
print(f'The smaller factor is: {p2}')

# check for prime number
if is_prime(p2):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check for bigger factor is prime and also pq = N
print("CHECK:")
q2 = A2 + x2 # bigger factor: q = A + x
print(f'The bigger factor is: {q2}')

# check q is a prime number
if is_prime(q2):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check pq = N
if (p1 * q1 == n1):
  print("pq = N. It's Ok")
else:
  print("pq is not equal to N")


RESULT:
The smaller factor is: 25464796146996183438008816563973942229341454268524157846328581927885777969985222835143851073249573454107384461557193173304497244814071505790566593206419759
The number found is confirmed to be a prime !
CHECK:
The bigger factor is: 25464796146996183438008816563973942229341454268524157846328581927885777970106398054491246526970814167632563509541784734741871379856682354747718346471375403
The number found is confirmed to be a prime !
pq = N. It's Ok


## Question 3 
The following modulus $𝑁$ is a products of two primes $𝑝$ and $𝑞$ where $|3𝑝 − 2𝑞| < 𝑁^\frac{1}{4}$. Find the smaller of the two factors and enter it as a decimal integer.  
Hint: use the calculation below to show that $\sqrt{6𝑁}$ is close to $\frac{3𝑝+2𝑞}{2}$ and then adapt the method above to factor 𝑁.  
>N = 720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929

In [33]:
n3 = mpz('720062263747350425279564435525583738338084451473999841826653057981916355690188337790423408664187663938485175264994017897083524079135686877441155132015188279331812309091996246361896836573643119174094961348524639707885238799396839230364676670221627018353299443241192173812729276147530748597302192751375739387929')
a3 = isqrt(n3 * 24) + 1 # a = sqrt(24n) + 1, to get the closest integer above
x3 = (a3**2) - 24*n3 # x = a^2 - 24n
assert x3 > 0 
p3 = divexact(a3 - isqrt(x3), 6) # p = a - sqrt(x3)
print("RESULT:")
print(f'The smaller factor is: {p3}')

# check for smaller factor is prime
if is_prime(p3):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check for bigger factor is prime and pq = n
print("CHECK:")
q3 = divexact((a3 + isqrt(x3)), 4)
print(f'The bigger factor is: {q3}')

# check for q is prime
if is_prime(q3):
  print("The number found is confirmed to be a prime !")
else:
  print("Not prime, please check !")

# check for pq = n
if p3 * q3 == n3:
  print("pq = N. It's Ok")
else:
  print("pq is not equal to N")


RESULT:
The smaller factor is: 21909849592475533092273988531583955898982176093344929030099423584127212078126150044721102570957812665127475051465088833555993294644190955293613411658629209
The number found is confirmed to be a prime !
CHECK:
The bigger factor is: 32864774388713299638410982797375933848473264140017393545149135376190818117189240035825816494954711821626076210364113848440012285863311027426121370050758081
The number found is confirmed to be a prime !
pq = N. It's Ok


## Question 4

The challenge ciphertext provided below is the result of encrypting a short secret ASCII plaintext using the RSA modulus given in the first factorization challenge. The encryption exponent used is $e=65537$. The ASCII plaintext was encoded using PKCS v1.5 before the RSA function was applied  

Use the factorization you obtained for this RSA modulus to decrypt this challenge ciphertext and enter the resulting English plaintext in the box below. Recall that the factorization of $N$ enables you to compute $\varphi(N)$ from which you can obtain the RSA decryption exponent.  

>Challenge ciphertext (as a decimal integer):
22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540

>N = 179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581

**RSA** 

Randomize algorithm $G()$:  
  - Choose random primes $p$, $q$. Set $N=pq$.
  - Choose integer $e$, $d$ such that $ed=1$ mod $\varphi(N)$.
  - Output $pk=(N,e)$, $sk=(N,d)$.  

Algorithm $F(pk, x)$:  $RSA(x)=x^e$ (in ZN)

Algorithm $F^{-1}(sk, y)$: $y^d = RSA(x)^d = x^{ed} = (x^{\varphi{N}})^kx = x$

In [37]:
c4 = mpz('22096451867410381776306561134883418017410069787892831071731839143676135600120538004282329650473509424343946219751512256465839967942889460764542040581564748988013734864120452325229320176487916666402997509188729971690526083222067771600019329260870009579993724077458967773697817571267229951148662959627934791540')
n4 = mpz('179769313486231590772930519078902473361797697894230657273430081157732675805505620686985379449212982959585501387537164015710139858647833778606925583497541085196591615128057575940752635007475935288710823649949940771895617054361149474865046711015101563940680527540071584560878577663743040086340742855278549092581')
e = mpz(65537)

# We calculate the prime factors p and q just like in question 1
a4 = isqrt(n4) + 1
x4 = isqrt(a4**2 - n4)
p4 = a4 - x4
q4 = a4 + x4

fi = mul((p4-1), (q4-1)) # fi = (p-1)*(q-1)

# sk = (n, d) where e*d = 1 mod fi(n)
# We can retrieve d by invert e mod phi(N)
d4 = invert(e, fi)

m4_padded = powmod(c4, d4, n4) # r = c^d mod n

# Convert padded message to hex
# Split the hex string at the separator 0x00 and take the second half
m4 = m4_padded.digits(16).split('00')[1]

# Convert the message to ASCII string
m4 = ''.join([chr(b) for b in bytes.fromhex(m4)])
print(f'The message is: "{m4}"')

The message is: "Factoring lets us break RSA."
