# Cryptography

## Public key cryptography

### Number theory - part 2

Formuation of propositions, lemmas, definitions comes from:
**Introduction to modern cryptography** by *Jonathan Katz* and *Yehuda Lindell*

To see the notebook as a slide-show, use [RISE](https://rise.readthedocs.io/en/stable/)

In [54]:
import math
import random
from sympy import randprime, isprime, Mod

**Proposition 7.2** Let $a, b$ be positive integers. Then there exists integers $X, Y$ such that $Xa + Yb = \gcd(a, b)$. 

Furthermore, $\gcd(a, b)$ is the smallest positive integer that can be expressed in this way.

In [55]:
def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

In [57]:
a = 10
b = 21

gcd, x, y = egcd(a, b)

In [58]:
print(a, "*", x, "+", b, "*", y, "=", math.gcd(a,b))
a * x + b * y

10 * -2 + 21 * 1 = 1


1

If for $b$ there exists an integer $b^{-1}$ such that $b b^{-1} = 1 \bmod N$ then we call:

* $b$ invertible

* $b^{-1}$ modular inverse of $b$ modulo $N$

**Proposition 7.7** Let $a, N$ be integers, with $N > 1$. Then $a$ is invertible modulo $N$ if and only if $\gcd(a, N) = 1$.

$a X + N Y = \gcd(a, N) = 1$

$a X = 1 \bmod N$

$X = a^{-1} \bmod N$

In [59]:
N = 37
a = 4

In [60]:
gcd, x, y = egcd(a, N)
print(a, " *", x, " + ", N, " * ", y, " = ", gcd)

4  * -9  +  37  *  1  =  1


In [None]:
Mod(a * x, N)

In [61]:
Mod(a * (N - 9), N)
print(x, N+x)

-9 28


**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$ such that $g \oplus h = e$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if
for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$Z^+_n = (Z_n, +) = (\{0, 1, \ldots, n-1\}, +_{ \bmod n})$ for $n \geq 2$ is an abelian group of order $|Z_n^+| = n$

$Z_n^* = (\{a: \gcd(a, n) = 1\}, \cdot_{ \bmod n})$. If $n$ is prime:
$Z_p^* = (Z_p, \cdot) = (\{1, \ldots, p-1\}, \cdot_{ \bmod p})$ for $p$ prime is an abelian group of order $|Z_p^*| = p - 1$

$Z_n^* = (\{a: \gcd(a, n) = 1\}, \cdot_{ \bmod n})$. 

Let $n = p \cdot q$, $\qquad p, q$ are primes -- an abelian group of order $|Z_{pq}^*| = (p - 1)(q-1)$

**Theorem 7.14** Let $\mathbf{G}$ be finite group with $m = |\mathbf{G}|$ with $m = |\mathbf{G}|$, the order of the group. Then for any element $g \in \mathbf{G}$, $g^m = 1$.

**Corollary 7.15** Let $\mathbf{G}$ be a finite group with $m = |\mathbf{G}| > 1$. Then for any $g \in \mathbf{G}$ and any integer $i$, we have $g^i = g^{[i \bmod m]}$.

In [63]:
p = randprime(2, 100)
m = p - 1
print("p = ",p, " m = ", m)
i = random.randint(p+1, 10 * p)
a = random.randint(1, p-1)
print(a," ** ", i, " = ",
      a, " ** (", i, " % ", m, ") = \n",
      a, " ** ", i % m, " (mod ",
      p, ")")
print(a ** i % p)
print(a ** (i % m) % p)

p =  71  m =  70
11  **  702  =  11  ** ( 702  %  70 ) = 
 11  **  2  (mod  71 )
50
50


In [64]:
p = random.randint(2, 100)
m = p
i = random.randint(p, 10 * p)
a = random.randint(0, p-1)
print(a, " * ", i, " = ", 
      a, " * (", i, " % ", m, ") = ",
      a, " * ", i % m, " (mod ", p, ")")
print(a * i % p)
print(a * (i % m) % p)

4  *  172  =  4  * ( 172  %  24 ) =  4  *  4  (mod  24 )
16
16


**Corollary 7.17** Let $\mathbf{G}$ be a finite group with $m = |G| > 1$. Let $e > 0$ be an integer, and define the function $f_e: \mathbf{G} \rightarrow \mathbf{G}$ by
$$f_e(g) = g^e.$$

If $\gcd(e, m) = 1$, then $f_e$ is a permutation (i.e., a bijection). Moreover, if 
$$d = [e^{-1} \bmod m]$$ then $f_d$ is the inverse of $f_e$.

Proof: $f_d(f_e(g)) = f_d(g^e) = (g^e)^d = g^{e \cdot d \bmod m} = g^1 = g$

In [81]:
p = randprime(10, 50)
q, n, m = randprime(p+1, 2 * p), p * q, (p-1)*(q-1)
print(p, q, n, m)

41 79 1517 1440


In [85]:
e = random.randint(3,m)
gcd, d, y = egcd(e, m)
if d < 0:
    d = m + d
print(e, d)

518 139


In [68]:
def f(x, g, n):
    return g ** x % n

In [86]:
g = random.randint(1, n)
valid = math.gcd(g, n)
ct = f(e, g, n)
pt = f(d, ct, n)
print(g, valid, ct, pt)

1270 1 821 329


**Theorem 7.19** Let $N = \prod_i p_i^{e_i}$, where  the $\{p_i\}$ are distinct primes and $e_i \geq 1$. Then $\phi(N) = \prod_i p_i^{e_i - 1}(p_i - 1)$.

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [88]:
def GenModulus(w):
    n = len(w)
    p = random.randint(2 ** n, 2 ** (n+1))
    q = random.randint(2 ** n, 2 ** (n+1))
    N = p * q
    return N

GenModulus("111111")

7029

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [95]:
def GenModulus(w):
    n = len(w)
    p = random.randint(2 ** n, 2 ** (n+1))
    q = random.randint(2 ** n, 2 ** (n+1))
    N = p * q
    return N, p, q

GenModulus("111111")

(9594, 123, 78)

In [96]:
def Factor(n):
    N, p, q = GenModulus("1" * n)
    pp, qq = A(N)
    if pp > 1 and qq > 1 and pp * qq == N:
        return 1
    else:
        return 0

In [97]:
def A(N):
    if N % 2 == 0:
        return 2, N // 2
    else:
        return 1, N

In [102]:
sec_param = 100
num_of_succ = 0
tries = 100

for i in range(tries):
    num_of_succ = num_of_succ + Factor(sec_param)

num_of_succ/tries

0.74

In [107]:
from sympy import primefactors

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [111]:
def GenModulus(w):
    n = len(w)
    p = randprime(2 ** n, 2 ** (n+1))
    q = randprime(2 ** n, 2 ** (n+1))
    N = p * q
    return N, p, q

GenModulus("111111")

(7081, 97, 73)

In [112]:
def Factor(n):
    N, p, q = GenModulus("1" * n)
    pp, qq = A(N)
    if pp > 1 and qq > 1 and pp * qq == N:
        return 1
    else:
        return 0

In [113]:
def A(N):
    factors = primefactors(N)
    return factors[0], factors[1]

In [118]:
%%time
sec_param = 60
num_of_succ = 0
tries = 100

for i in range(tries):
    num_of_succ = num_of_succ + Factor(sec_param // 2)

num_of_succ/tries

CPU times: user 34.5 s, sys: 0 ns, total: 34.5 s
Wall time: 34.5 s


1.0

In [129]:
def GenRSA(w):
    n = len(w)
    N, p, q = GenModulus(w)
    m = (p-1) * (q-1)
    e = 2 ** 16 + 1
    gcd, d, y = egcd(e, m)
    if d < 0:
        d = m + d
    return N, e, d

N, e, d = GenRSA("111111")
print("private key: ", d)
print("public key: ", N, e)

x  = 124

def enc(x, N, e):
    return x ** e % N

def dec(c, N, d):
    return c ** d % N

c = enc(x, N, e)
pt = dec(c, N, d)

print(x, pt, c)

private key:  10925
public key:  16129 65537
124 15491 8550


**The RSA experiment** $\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n)$
1. $(N, e, d) := GenRSA(1^n)$

2. choose $y \leftarrow Z_N^*$

2. $x = \mathcal{A}(N, e, y)$

3. Output: 1 if $x^e = y \bmod N$

**Definition 7.46** We say that RSA problem is hard relative to **GenRSA** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n) = 1] \leq negl(n)$$

# Cyclic groups

Let $\mathbf{G}$ be a finite group of order $m$.

Let $g \in \mathbf{G}$, consider the set:
$$\langle g \rangle = \{g^0, g^1, \ldots \}$$

From *Theorem 7.14* we have $g^m = 1$.

Let $i \leq m$ be the samallest positive integer for which $g^i = 1$.

Then the sequence repeats after $i$ terms, so:
$$\langle g \rangle = \{g^0, \ldots, g^{i-1}\}$$

The set contains exactly $i$ elements since:

if $g^j = g^k$ with $0 \leq j < k < i$

then $g^{k-j} = 1$ and $0 < k - j < i$ (contradicting choice of $i$).

$\langle g \rangle$ is a subgroup of $\mathbf{G}$

In [136]:
def group(n):
    G = []
    m = 0
    for i in range(n):
        if math.gcd(i, n) == 1:
            G.append(i)
            m = m + 1
    return G, m
            
p = 11
print(group(p)) 

([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10)


In [152]:
def subgroup(g, n, m):
    H = {}
    for i in range(m):
        H[(g ** i % n)] = 1
    return H

p = 11
gs = subgroup(2, p, p-1)

print(gs.keys(), len(gs))

dict_keys([1, 2, 4, 8, 5, 10, 9, 7, 3, 6]) 10


In [153]:
p, q = 5, 7
n, m = p * q, (p-1)*(q-1)
print(p, q, n, m)
#group(n)
w = subgroup(4, n, m)
print(len(w), w.keys())

5 7 35 24
6 dict_keys([1, 4, 16, 29, 11, 9])


*Definition 7.48* Let $\mathbf{G}$ be a finite group and $g \in \mathbf{G}$. The **order** of $g$ is the smallest positive integer $i$ with $g^i = 1$.

In [157]:
def order(g, n):
    o = 1
    while g ** o % n != 1:
        o = o + 1
    return o

order(10, 11)

2

Definition 7.49 Let $\mathbf{G}$ be a finite group, and $g \in \mathbf{G}$ an element of order $i$. Then for any integer $x$ we have $g^x = g^{x \bmod i}$.

Proposition 7.50 Let $\mathbf{G}$ be a finite group, and $g \in \mathbf{G}$
an element of order $i$.

Then $g^x = g^y$ if and only if $x = y \bmod i$.

$\langle 1 \rangle = \{ 1\}$ - order 1

if there exists $g \in \mathbf{G}$ with order $m = | \mathbf{G}|$ then $\langle g \rangle = \mathbf{G}$ and we call $\mathbf{G}$ **cyclic**

In [None]:
print(group(21))
print(order(8, 21))

Proposition 7.51 Let $\mathbf{G}$ be a finite group of order $m$, and say $g \in \mathbf{G}$ has order $i$ then $i | m$.

Corollary 7.52 If $\mathbf{G}$ is a group of prime order $p$, then $\mathbf{G}$ is cyclic.

Furthermore, all elements of $\mathbf{G}$ except the identity are generators of $\mathbf{G}$.

Theorem 7.53 If $p$ is prime then $\mathbf{Z}_p^*$ is cyclic.

$Z_{15}$

In [45]:
group(15)

([1, 2, 4, 7, 8, 11, 13, 14], 8)

$DLOG_{\mathcal{A}, G}(n)$:
1. Run $\mathcal{G}(1^n)$ to obtain $(G, q, g)$:
    * $\mathcal{G}$ - cyclic group 
    * $m$ - group order
    * $g$ - generator
2. Choose $h \leftarrow \mathcal{G}$
3. $x \leftarrow \mathcal{A}(\mathcal{G}, q, g, h)$
4. Output is $1$ if $g^x = h$

Definintion 7.59 We say that the **discrete logarithm problem is hard relative to $\mathcal{G}$** if for all PPT algorithms $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that 
$$P[DLOG_{\mathcal{A}, G}(n) = 1] \leq \mathsf{negl}.$$

**Computational Diffie-Hellman (CDH)**

Fix a cyclic group $\mathbf{G}$ and a generator $g \in \mathbf{G}$. Given $h_1, h_2$, define
$$DH_g(h_1, h_2) = g^{\log_g h_1 \cdot \log_g h_2}$$

If $h_1 = g^x$ and $h_2 = g^y$ then 
$$DH_g(h_1, h_2) = g^{x \cdot y} = h_1^y = h_2^x.$$

Definition 7.60 We say that DDH problem is hard relative to $\mathbf{G}$ if for all PPT algorithms $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that
$$\left|P\left[\mathcal{A}(\mathbf{G}, q, g, g^x, g^y, g^z) = 1\right] - P\left[\mathcal{A}(\mathbf{G}, q, g, g^x, g^y, g^{xy}\right) = 1\right| \leq \mathsf{negl},$$
where in each case the probabilities are taken over the experiment in which $\mathcal{G}(1^n)$ outputs $(\mathbf{G}, q, g)$, and then random $x, y, z \in \mathbf{Z}_q$ are chosen.

In [182]:
p = randprime(2, 20)
q = 2 * p  + 1
a = isprime(q)

print(p, q, a)

11 23 True


In [193]:
print(group(q))

x = random.randint(1, 2 * p)
print(x)
g = x ** 2 % q
print(g)

S = subgroup(g, q, q -1)
print(S.keys(), print(len(S)))

([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], 22)
5
2
11
dict_keys([1, 2, 4, 8, 16, 9, 18, 13, 3, 6, 12]) None
