### Mathematical Idea

RSA, public-key or asymmetric cryptography, involves a **public key** and a **private key** for encryption and decryption. The basic intention is that a message encrypted with the public key can only be decrypted in a reasonable amount of time by using the private key. 

A basic mathematic principle behind RSA is modular arithmetic. With a public key represented by the integers $e$ and $n$; and a private key $d$ together with $n$, a message $m$ can be encrypted to cipher text $c$: 

$ c \equiv m^e \mod{n} $

and the message $m$ can be recovered again from the cipher text $c$:

$ m \equiv c^d \mod{n} $

While $e$ and $n$ as public key are available to everyone, the private key $d$ must be kept secret and cannot be figured out easily. The integer $n$ is a composite number from two prime numbers (i.e. $n = p \cdot q$) and must be chosen in the way so that its prime factors (i.e. $p$ and $q$) cannot be factorized easily. 

The security of RSA depends mainly on two hard problems:
- **prime factorization** 
 - finding prime numbers $p$ and $q$ so that $n = p \cdot q$
- **modular discrete logarithm calculation**
 - finding $x$ from $a = b^x$ with given $a$ and $b$

### Algorithm

The RSA algorithm involves four steps: 
 - key generation
 - key distribution
 - encryption
 - decryption

#### Key Generation

**Choose two distinct prime numbers $p$ and $q$**.

**Compute modulus $n$**. Its length, usually expressed in bits, is the **key length**. While $n$ will be known as part of public key, **$p$ and $q$ are kept secret**.

$n = p \cdot q$

Compute **Carmichael's totient function $\lambda(n)$ which is kept secret**. Since $p$ and $q$ are prime, $\lambda(p) = \phi(p) = p − 1$ where $\phi(p)$ is **Euler's totient function**; and likewise $\lambda(q) = q − 1$. Hence 

$ 
\begin{align}
\lambda(n) & = lcm(\lambda(p),\lambda(q)) \\
           & = lcm(p − 1, q − 1)
\end{align}            
$

**Choose an integer $e$** such that $1 < e < \lambda(n)$ and $\gcd(e, \lambda(n)) = 1$ (i.e. $e$ and $\lambda(n)$ are coprime).

Having $e$ a short bit-length results in more efficient encryption and the most **commonly chosen value for $e$** is $2^{16} + 1 = 65537$.
    
**Public key** can be represented now with the pair $(e, n)$.

**Determine private key $d$** where 

$d \equiv e^{−1} \mod{\lambda(n)}$ 

or

$d \cdot e \equiv 1 \mod{\lambda(n)}$

Namely, $d$ is the **modular multiplicative inverse** of $e$ with respect to the modulus  $\lambda(n)$.

Private key can be represented now with the pair $(d, n)$ **where $d$ is kept secret**.

Difference from the original RSA paper:
 - Euler's totient function $\phi(n)$ is used instead of Carmichael's $\lambda(n)$
 - $d$ is choosen at first and then $e$ is computed

Euler's totient function $\phi(a \cdot b) = \phi(a) \cdot \phi(b)$ when $a$ and $b$ are coprime.

Any $d$ satisfying 

$d \cdot e \equiv 1 \mod{\phi(n)}$ 

also satisfies 

$d \cdot e \equiv 1 \mod{\lambda(n)}$

Since any common factors of $(p − 1)$ and $(q − 1)$ are present in the factorisation of $(n-1)$

$
\begin{align}
n − 1 & = pq − 1 \\
      & = (p − 1) \cdot (q − 1) + (p − 1) + (q − 1)
\end{align}
$

#### Key Distribution

Distribute public key and keep private key secret. 

#### Encryption

Let $m$ as plain message where $ 0 \leq m < n $

Its ciphertext $c$ is encrypted with

$ c \equiv m^e \mod{n} $ 
 
#### Decryption

The plain message $m$ can be recovered from $c$ with:

$ c^d \equiv (m^e)^d \equiv m \mod{n} $

$ m \equiv c^d \mod{n} $


In [12]:
#### Walk-Through example

def compute_private_d(e, totient_n):
    """ compute with primitive brute force method for simplicity.
        better with extended Euclidean algorithm
    """    
    k = 1
    while int(totient_n * k + 1) % e != 0:
        k += 1
    return int((totient_n * k + 1) / e)

# Choose two distinct prime numbers p and q
p = 13
q = 11

# Compute modulus 𝑛
n = p * q

# use Euler totient function 𝜙(𝑛) for simplicity
totient_n = (p-1) * (q-1)
    
# Choose an integer 𝑒 such that 1 < 𝑒 < 𝜙(𝑛)
e = 17

# determine d
d = compute_private_d(e, totient_n)

# distribute public key
public_key = (e, n) # (17, 33)
# keep provate key secret
private_key = (d, n) # (13, 33)

# plain message
m = 9
# encrypted ciphertext with public key
c = (m**e % n)
# recover original message with private key
m_recovered = (c**d % n)

print (f"plain text is: {m}")
print (f"ciphertext is: {c}")
print (f"recovered text from ciphertext: {m_recovered}")


plain text is: 9
ciphertext is: 81
recovered text from ciphertext: 9
