## Quick Fix for RSA

Burton Rosenberg

12 November 2021


1. __Notation:__
   1. I will generally not write $\pmod n$ when working in the modular system.
We are working in some number system, and for me, a tag notation does not emphasize that enough.
That is, it is not one certain line that is "mod p", it is the entire setup. 
   1. Hopefully I will make it clear which particular number system is being used.
   1. Also, I write simply $(a,b)$ for $\mbox{gcd}(a,b)$.

1. __Bezouts Theorem:__ $\forall a,n \in \mathcal{Z},\; \exists s,t\in \mathcal{Z}\; \mbox{ s.t. } s \,a + t\, n = (a,n)$.

   1. There is an efficient algorithm for computing $s, t$ given $a, n$.
   1. The group of units is defined as $\mathcal{Z}_n^* = \{\,a\in\mathcal{Z_n}\,|\, \exists\, b: b\,a = 1\,\}$.
   1. The group of units is categorized as those numbers relatively prime to $n$, $(a,n)=1 \implies \exists\,s,t: \; a\, s + n\,t = 1\implies s\,a = 1 \pmod{b}$.
   1. Given $a\in\mathcal{Z}_n^*$ being invertible, the map $a(x)\mapsto a\,x$ is a permutation on $\mathcal{Z}_n$. 
   1. _Little Fermat:_ Let $\phi(n)=|\,\mathcal{Z}_n^*\,|$. Then $\Pi_{x\in\mathcal{Z}_n^*} x = \Pi_{a\in\mathcal{Z}_n^*} a\,x = a^{\phi(n)} \Pi_{x\in\mathcal{Z}_n^*} x \implies a^{\phi(n)} =1$.
   1. __Note:__ Little Fermat says that every unit is a $\phi(n)$ root of unity, but perhaps not stictly so. For instance, $1^{\phi(n)}=1$. But there are elements such for no lesser power than $\phi(n)$ does the element power to 1.

1. __Euler Totient:__ Define $\phi(n)=|\,\mathcal{Z}_n^*\,|$,

   1. For $p$ a prime, $\phi(p)=p-1$.
   1. For distinct primes, $p, q$, counting gives $\phi(pq) = pq - p - q + 1 = (p-1)(q-1)$. Of the $pq-1$ numbers, the $p-1$ multiples of $q$ are removed, as the $q-1$ multiples of $p$.
   1. While this is sufficient for our purposes, in general $\forall a, b\in \mathcal{Z}, (a,b)=1: \phi(a\,b) = \phi(a)\,\phi(b)$.
   1. Given $n$ and $\phi(n)$, then $p+q = n+1-\phi(n)$. The factors $p, q$ are then the roots of the quadraic $(x-p)(x-q)=0$. This form is expressable in $n$ and $\phi(n)$. Therefore, given $n, \phi(n)$ we easily compute the factors $p, q$ using the quadratic formula.
   
1. __RSA:__ Let $p, q\in\mathcal{Z}$ be distinct primes and publish $n=p\,q$. 
   1. Choose and publish $e\in\mathcal{Z}_{\phi(n)}^*$. 
   1. Secretly compute $d=e^{-1}\pmod{\phi(n)}$. 
   1. For a message $m\in\mathcal{Z}_n$, the encryption is $c = m^e\pmod{n}$. 
   1. The decryption of $c$ is $m=c^d\pmod{n}$.
   1. Proof: $(m^e)^d=m^{k\phi(n)+1} = (m^{\phi(n)})^k\,m = 1 \pmod{n}$.
   1. _Note well:_ The messages are encrypted in arithmetic mod $n$, but the decryption exponent is calculated in arithmetic $\phi(n)$.
 
1. __Security of RSA:__ To keep $d$ a secret, $\phi(n)$ must not be known. It is therefore necessary that the factors of $n$ not be known. We have seen above, that knowing $\phi(n)$ and $n$ gives the factors of $n$, so either we factor $n$ or we know $\phi(n)$ by some other way. 
   1. However, perhaps $d$ can be known with $\phi(n)$ being known.
   1. In $\mathcal{Z}_n^*$, with $n$ the product of two distint primes, there are four solutions to $x^2=1$.
   1. Given the relation $x\,p+y\,q=1$, the square is also equal to one, there are no middle terms mod $n$, and the outer terms are invarient with the signs of $x$ and $y$. Hence $\zeta=x\,p-y\,q$ is a non-trival square root of 1 mod $pq$ (as would be $-\zeta$).
   1. Note this interesting property of the non-trivial square root. That $\zeta+1=x\,p-y\,q+1= x\,p-y\,q+x\,p+y\,q=2x\,p$, and $\zeta-1 = x\,p-y\,q-1= x\,p-y\,q-x\,p-y\,q=-2y\,q$.
   1. Continuing, so $(\zeta+1,pq)=p$ and $(\zeta-1,pq)=q$. The cases that say $(\zeta+1,pq)=pq$ or $(\zeta-1,pq)=pq$ are eliminated by $p, q$ being odd.
   1. The typical demonstration is to consider solutions to $x^2-1=(x+1)(x-1)=0\pmod{n}$. If this congruence is because of divisors of zero (two non-zeros that multiply to a zero), then on of the terms is a multiple of $p$, and the other a multiple of $q$. I just find it interesting to reverse the logic, and pose $x$ as the middle number between a multiple of $p$ and a multiple of $q$ separated by 2.
   1. If $x$ is a square root of $y$, then so are $x, -1x \zeta x, -\zeta x$. In this group, a number has either no square roots, or 4 square roots.
   1. This proves that there are at least 4 square roots of 1 mod $n$, and if $p$ and $q$ are known, gives an efficient way to compute a pair of non-trival square roots.

   1. Suppose a decryption exponent $d$ is found out, by any method. Then $\forall x\in\mathcal{Z}_n^*: x^{ed-1}=1$. 
   1. Write $ed-1 = 2^st$. For $u=2^{s-1}t: x^u$ is a square root of 1. 
   1. This power can be easily calculated for various $x$ until a non-trivial square root is found. Then $n$ is factored.

In [15]:
class RSA:
    
    def __init__(self,p,q):
        self.p = p
        self.q = q
        self.n = p*q
        self.phi = (p-1)*(q-1)
        self.gen_exponents(3)

    def get_public_key(self):
        return (self.n,self.e)
    
    def get_private_key(self):
        return (self.n,self.d)
                        
    def get_secrets(self):
        return (self.p,self.q,self.phi)
                        
    def extended_gcd(self,a,b):
        """
        extended GCD algorithm. recursive. returns (d,s,t) 
        where d = s*a+t*b and d = gcd(a,b)
        """
        assert(
            a>=0 and b>=0 )
        if b==0:
            return (a,1,0)
        (q,r) = divmod(a,b)
        (d,s,t) = self.extended_gcd(b,r)
        # gcd(a, b) == gcd(b, r) == s*b + t*r == s*b + t*(a - q*b)
        return (d,t,s-q*t)

    def invert_n(self,x):
        (d,t,s) = self.extended_gcd(x,self.n)
        assert d==1
        return t%self.n

    def is_unit_n(self,x):
        (d,t,s) = self.extended_gcd(x,self.n)
        return d==1
    
    def invert_phi(self,x):
        (d,t,s) = self.extended_gcd(x,self.phi)
        assert d==1
        return t%self.phi

    def is_unit_phi(self,x):
        (d,t,s) = self.extended_gcd(x,self.phi)
        return d==1
    
    def exp(self,a,n):
        if n==0:
            return (1,0)
        if n==1:
            return a
        if n%2==0:
            c = self.exp(a,n//2)
            return c*c%self.n
        c = self.exp(a,n-1)
        return a*c%self.n
 
    def gen_exponents(self,smallest_e):
        for e in range(smallest_e,self.n):
            if self.is_unit_phi(e):
                d = self.invert_phi(e)
                break
        self.e = e%self.phi
        self.d = d%self.phi
        return (self.e,self.d)
                
    def encrypt(self,m):
        assert self.is_unit_n(m), "message is not a unit"
        return self.exp(m,self.e)
    
    def decrypt(self,c):
        assert self.is_unit_n(c), "ciphertext is not a unit"
        return self.exp(c,self.d)
    
    def non_triv_sqroot(self):
        (d,t,s) = self.extended_gcd(self.p,self.q)
        ntsq = (t*self.p-s*self.q)%self.n
        assert (ntsq*ntsq)%self.n==1
        return ntsq
    
    def factor_ntsq(self,ntsq):
        (p1,s,t) = self.extended_gcd(ntsq+1,self.n)
        (p2,s,t) = self.extended_gcd(ntsq-1,self.n)
        return (p1,p2)
    
    def find_sq(self,a):
        
        def factor_twos(a):
            s = 0
            u = a
            while u%2==0:
                s += 1
                u //= 2
            return (s,u)
        
        (s,u) = factor_twos(self.d*self.e-1)
        
        if not self.is_unit_n(a):
            return 0
        
        a = self.exp(a,u)
        b = a
        while a!=1:
            b = a
            a = self.exp(a,2)
        return b
        

In [16]:
p = 5
q = 7
rsa = RSA(p,q)
rsa.get_public_key()
c = rsa.encrypt(9)

for i in range(35):
    print(rsa.find_sq(i))

0
1
29
29
29
0
6
0
29
29
0
1
29
29
0
0
1
29
29
34
0
0
29
29
34
0
6
29
0
29
0
6
29
29
34


In [20]:
p97 = 97
p83 = 83
rsa = RSA(83,97)
ntsq = rsa.non_triv_sqroot()
print(ntsq)
print(rsa.factor_ntsq(ntsq))

6888
(83, 97)


In [14]:
ntsq = (6*97+7*83)%(97*83)
(ntsq*ntsq)%(97*83)

1

In [24]:
print(2*6888%(97*83))
((2*6888)**2)%(97*83)

5725


4