In [1]:
import matplotlib.pyplot as plt
import numpy as np
import random

In [4]:
# import functions from given RSA.ipynb file

# Euclidian greatest common denominator (egcd)
#
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)
#
# Modular inverse
#
def modular_inverse(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m
#
#


def rsa_generate_key(p: int, q: int) -> \
        tuple[tuple[int, int, int], tuple[int, int]]:
    """Return an RSA key pair generated using primes p and q.

    The return value is a tuple containing two tuples:
      1. The first tuple is the private key, containing (p, q, d).
      2. The second tuple is the public key, containing (n, e).

    Preconditions:
        - p and q are prime
        - p != q
    """
    # Compute the product of p and q
    n = p * q

    # Choose e such that gcd(e, phi_n) == 1.
    phi_n = (p - 1) * (q - 1)

    # Since e is chosen randomly, we repeat the random choice
    # until e is coprime to phi_n.
    e = random.randint(2, phi_n - 1)
    while egcd(e, phi_n)[0] != 1:
        e = random.randint(2, phi_n - 1)

    # Choose d such that e * d % phi_n = 1.
    # Notice that we're using our modular_inverse from our work in the last chapter!
    d = modular_inverse(e, phi_n)

    return ((p, q, d), (n, e))
#
#
#
def rsa_encrypt(public_key: tuple[int, int], plaintext: int) -> int:
    """Encrypt the given plaintext using the recipient's public key.    
    Preconditions:
        - public_key is a valid RSA public key (n, e)
        - 0 < plaintext < public_key[0]
    """
    n, e = public_key[0], public_key[1]

    encrypted = (plaintext ** e) % n

    return encrypted
#
def rsa_decrypt(private_key: tuple[int, int, int], ciphertext: int) -> int:
    """Decrypt the given ciphertext using the recipient's private key.

    Preconditions:
        - private_key is a valid RSA private key (p, q, d)
        - 0 < ciphertext < private_key[0] * private_key[1]
    """
    p, q, d = private_key[0], private_key[1], private_key[2]
    n = p * q

    decrypted = (ciphertext ** d) % n

    return decrypted
#
#

# 1. Group Theory.
For this problem, let $p = 5$ and $q = 11$. 

## 1a. List all elements of $G_{pq}$. 

$G_{pq} = \{1, 2, 3, 4, 6, 7, 8, 9, 12, 13, 14, 16, 17, 18, 19, 21, 23, 24, 26, 27, 28, 29, 31, 32, 34, 36, 37, 38, 39, 41, 42, 43, 46, 47, 48, 49, 51, 52, 53, 54 \}$


## 1b. State the four axioms that $G_{pq}$ satisfies to be a group, and give an explicit example of each. 

i. **Existence of Identity**: There exists an element $e \in G_{pq}$ such that for all $g \in G_{pq}$, $g \cdot e = g$ and $e \cdot g = g$.
- Example: $1$ is the identity element in $G_{pq}$, since for any $g \in G_{pq}$, $g \cdot 1 = g$ and $1 \cdot g = g$.

ii. **Multiplication is closed**: For all $g_1, g_2 \in G_{pq}$, the product $g_1 \cdot g_2$ is also in $G_{pq}$.
- Example: For $g_1 = 2$ and $g_2 = 3$, we have $g_1 \cdot g_2 = 2 \cdot 3 = 6$, which is also in $G_{pq}$.

iii. **Associativity**: For all $g_1, g_2, g_3 \in G_{pq}$, $(g_1 \cdot g_2) \cdot g_3 = g_1 \cdot (g_2 \cdot g_3)$.
- Example: For $g_1 = 2$, $g_2 = 3$, and $g_3 = 4$, we have $(g_1 \cdot g_2) \cdot g_3 = (2 \cdot 3) \cdot 4 = 6 \cdot 4 = 24$ and $g_1 \cdot (g_2 \cdot g_3) = 2 \cdot (3 \cdot 4) = 2 \cdot 12 = 24$, so the associativity holds.

iv. **Existence of Inverses**: For each $g \in G_{pq}$, there exists an element $g^{-1} \in G_{pq}$ such that $g \cdot g^{-1} = g^{-1} \cdot g = 1 \pmod{N}$.
- Example: 14 is the inverse of 4 in $G_{pq}$, since $4 \cdot 14 = 56 \equiv 1 \pmod{55}$ and $14 \cdot 4 = 56 \equiv 1 \pmod{55}$. Hence $4^{-1} = 14$, and we have shown an example of the existence of inverses.

## 1c. Show the elements of the group $G_{(p-1)(q-1)} = G_{40}$.
$G_{40} = \{1, 3, 7, 9, 11, 13, 17, 19, 21, 23, 27, 29, 31, 33, 37, 39\}$


## 1d. Find the inverse of the first 4 elements of $G_{40}$.
We can use code supplied in RSA.ipynb to expedite this process. 


In [5]:
G_40 = [1, 3, 7, 9, 11, 13, 17, 19, 21, 23, 27, 29, 31, 33, 37, 39]

inverses = []

for i in range(0, 4):
    inverses.append(modular_inverse(G_40[i], 40))
    print(f'{G_40[i]}^-1 = {inverses[i]}')
print()


# We can then check these values. 
for i in inverses: 
    print(f'({G_40[inverses.index(i)]} * {i}) (mod 40) = {i * G_40[inverses.index(i)]} (mod 40) = {(i * G_40[inverses.index(i)]) % 40}')
# The output should be 1 for each of the values.

1^-1 = 1
3^-1 = 27
7^-1 = 23
9^-1 = 9

(1 * 1) (mod 40) = 1 (mod 40) = 1
(3 * 27) (mod 40) = 81 (mod 40) = 1
(7 * 23) (mod 40) = 161 (mod 40) = 1
(9 * 9) (mod 40) = 81 (mod 40) = 1


## 1d. Find the order of the first 4 elements of $G_{40}$.


In [6]:
for i in range(len(inverses)):
    j = 1
    element = inverses[i]
    while (element**j % 40) != 1:
        j += 1
    print(f'Order of {inverses[i]} is {j}')
    

Order of 1 is 1
Order of 27 is 4
Order of 23 is 4
Order of 9 is 2


#2. RSA.
## 2a. Generate a public and private key for Bob. 

In [7]:
#keys = [private_key, public_key] = rsa_generate_key(5, 11) 
keys = [private_key, public_key] = [(5, 11, 27), (55, 3)] # this is done to avoid generating random keys so the numbers I explain and the numbers I generate match. 
print(f'Private key [only Bob knows this]: {private_key}')
print(f'Public key [broadcast for everyone]: {public_key}')


Private key [only Bob knows this]: (5, 11, 27)
Public key [broadcast for everyone]: (55, 3)


## 2b. Choose a numerical element of $G_{55}$ to be the message and explain how Alice can use Bob's public key to encrypt the message and send it secretly to Bob.

For the purpose of this example, we will use the message $a = 26$. 

We can then apply the public key via 

$$ b \equiv{} a^{c} \pmod{N} $$

where $b$ is the encrypted message, $a$ is the original message, $c$ is the public key, and $N = pq$ is the modulus. As $N$ and $c$ are public, Alice can encrypt her original message $a$ and send the encrypted message $b$ to Bob freely over a public channel. 

Hence, we can then calculate the encrypted message as follows:

In [None]:
a = 26 # This is the message. 
print(f'Message: {a}')
print(f'Public key: {public_key}')

b = rsa_encrypt(public_key, a) # This is the encrypted message.
print(f'Encrypted message: {b}')


Message: 26
Public key: (55, 3)
Encrypted message: 31


## 2c. Explain how Bob can decrypt the message using his private key.

As Bob still has his private key, he (and only he, provided his private key is kept secret) can decrypt the message using the following formula:
$$ a \equiv{} b^{d} \pmod{N} $$

where $a$ is the original message, $b$ is the encrypted message, $d$ is the private key, and $N = pq$ is the modulus.

This is because 
$$ cd \equiv{} 1 \pmod{(p-1)(q-1)} $$
where $c$ is the public key, $d$ is the private key, and $(p-1)(q-1)$ is the totient of $N$, as $N$ is the product of two primes. Therefore, we can rest assured that $c$ and $d$ are multiplicative inverses of each other, and therefore can encrypt and decrypt messages using the above formulas.

We can then show the decryption process using the code supplied in RSA.ipynb.

In [6]:
print(f'Decrypted Message: {rsa_decrypt(private_key, b)}')

Decrypted Message: 26


# 3. Hacking RSA with period finding.

We can use a period finding machine to decrypt Alice's message by instituting Shor's algorithm.

As the encryption and decryption process is based on the raising a secret to an arbitrary power, and then applying modulo $N$, we can observe that the function will repeat every $N$ iterations, and therefore we can find the period of the function and decrypt the message.

We will use a period finding attack to find the period $r$ in $f(x) = b^{x} \pmod{N}$.

Hence, $f(x + r) \equiv f(x) $, when $b^{r} \equiv 1 \pmod{N}$. This implies that $f(x)$ is periodic with period $r$.

First, we need to find the "order of b", or equivalently, the "order of a"- therefore, we must find $ k \in \mathbb{Z} $ such that $ b^{k} \equiv 1 \pmod{N} $.

In [None]:
k = 1
N = 55


while ((b ** k) % N) != 1:
    k += 1
print(f'Order of {b} is {k}')

Order of 31 is 5


Now that we know $k = 5$, we know that $k = |S_a|$ is the order of $a$ in $G_{pq} = (p - 1)(q - 1)$.  As Bob picked $c$ to have no common factor with $(p-1)(q-1)$, and $k$ is a divisor of $|G_{pq}|$, we can conclude that $c$ has no common factor with $k$, and begin our search for $c'$. Recall that this is: 

$$ c' = c \pmod{k}; \qquad{} \text{ for } c' \in{} G_{k}$$ 

We can then calculate $d' = c'^{-1} \in{} G_{k}$, where $d'$ satisfies the following:
$$ c'd' \equiv{} 1 \pmod{k} $$

In [None]:
k = 5
c = public_key[1] # = 3
d_prime = 1 # Looking for d_prime


c_prime = c % k # c_prime = 3 % 5 = 3
print(f'c_prime = {c_prime}')



while ((c_prime * d_prime) % k) != 1:
    if (d_prime > k): 
        print(f'No d_prime found for {c} and {k}')
        break
    d_prime += 1
print(f'd_prime = {d_prime}')


c_prime = 3
d_prime = 2


Based on the above, we can then decrypt the message $b$ using the following formula:
$$ a \equiv{} b^{d'} \pmod{N} $$

Observe as we recover the original message $a$ using the above formula.

In [16]:
recovered_message = (b ** d_prime) % N
print(f'Recovered message: {recovered_message}')
# The recovered message should be equal to the original message.
print(f'Original message: {a}')

Recovered message: 26
Original message: 26


As the recovered and original messages are the same, we can conclude that the alternative decryption key is $d' = 2$. 