# Modular Arithmetics

Unlike the integers which just get bigger and bigger, modular arithmetic instead "wraps around" and returns back to zero. Think about clocks, and that how after 23:59 we reach 00:00 instead of 24:00. This introduces subtle changes from the mathematics of our childhood and it's worth taking the time to get used to these differences.

Code sollutions can also be found as seperate files in `./modular_arithmetics` folder

Cryptohack does not go deeply into the number theory behind the assignments, so you are expected to either know or get smart on the subject trough other means. Below are my notes on the different subjects.



#### Basic Number Theory

Suppose $a,b \in \Z$ and $a \ne 0$, then we say that:
- `b` is divisible by `a`
- `a` divides `b`
- `b` is a multiple of `a`

if there exists some $n \in \Z$ such that $b=an$.

These are really just three ways of saying the exact same thing, and we annote that that as `a divides b` $\implies a \mid b$.
If `a does not divide b` then that is written as $a \nmid b$.

We also suppose the following to be true;
$\\a^{m} \parallel b$ if $a^{m} \equiv b$ but $a^{m+1} \nmid b$.

What this means is that `m` would be the largest power of `a` that divides `b`. For example:
$\\2 \mid 40 \implies 2^3 \parallel 40$, because $2^3 * 5 = 40$. But $2^4 = 16$, so $2^4 \nmid 40$ as 40 divided by 16 is not an integer. Meaning `m = 3` in this case

These rules also work on negative numbers:
$\\-5 \mid 30 \implies 30=(-5)(-6) \implies$ true
$\\12 \mid -84 \implies -84=12(-7) \implies$ true

#### Building further intuition for Modular Arithmetics

> If $a,b\in\Z$ and $m\in\Z^{+}$, then $a \equiv b (mod\,m)$ if $m|a-b$.<br>

If `a` and `b` are integers, and `m` is a positive integer, then `a` is congruent to `b` if `m` divides `a - b`:

$\\3|(18-12)\implies 18 = 12\,mod\,3$

Does:
$\\53 \equiv 17 (mod 3)? \implies 3|(53-17) \implies 3|36 \implies$ Yes! The quotient `12` exists in $\Z$
$\\53 \equiv 14 (mod 3)? \implies 3|(53-14) \implies 3|39 \implies$ Yes! The quotient `13` exists in $\Z$
$\\53 \equiv 11 (mod 3)? \implies 3|(53-11) \implies 3|42 \implies$ Yes! The quotient `14` exists in $\Z$

Does this mean that:
$\\17(mod3) \equiv 14(mod3)? \implies$ Yes! And notice that the value of `m` is the difference between the two numbers - They are called congruencies and m is their equivalence class.

> For some `mod n` there will be `[0],...,[n-1]` equivalence classes

So for some number `mod 4`, we would have
```
[0] = {...,-4,0,4,...}
[1] = {...,-3,1,5,9,...}
[2] = {...,-2,2,6,10,...}
[3] = {...,-1,3,7,11,...}
```

What this means is that any number divided by 4 with a remainder of 0 would go in the first equivalence class, and any giving a remainder of 1 would go in the second equivalence class etc. In what class would the number `15` belong?
$\\15 = 4*3+3 \implies$ equivalance class 3, right after the number `11`

> We see that $a=nq+r$ where r (the remainder) is the equivalence class

**But why is there no equivalence class 4, or 5 etc.?**

They wrap around - so in our example with `mod 4` this would mean `[4] == [0], ..., [7] == [3]`. This means that we can also draw a table for all numbers `mod 4`:
```
mod4:
    [0] [1] [2] [3]
     0   1   2   3
     5   5   6   7
     8   9   10  11
     12  ..  ..  ..
```

So what would `9 (mod 4)` be? Well, the number `9` is in equivalence class `[1]` so $9(mod4) = 1$


#### Fermat's Little Theorem

> If $p$ is prime, then for every integer $a$:
$\\a^{p}\equiv a(mod\,p)$
<br><br>
> If $p$ is a prime number and $p \nshortmid a$ (i.e. coprime), then $a^{p-1} \equiv 1(mod\,p)$

For an example, let us consider $p=5$:

$\\5 \nshortmid 2 \implies 2^{5-1} \equiv 1(mod\,5) \implies2^{4} \equiv 1(mod\,5)$
$\\5 \nshortmid 3 \implies 3^{5-1} \equiv 1(mod\,5) \implies3^{4} \equiv 1(mod\,5)$
$\\5 \nshortmid 4 \implies 4^{5-1} \equiv 1(mod\,5) \implies4^{4} \equiv 1(mod\,5)$
$\\5 \mid 5 \implies 5\,\,does\,\,divide\,\,5!\, \implies5^{4} \equiv 0(mod\,5)$
$\\5 \nshortmid 6 \implies 6^{5-1} \equiv 1(mod\,5) \implies6^{4} \equiv 1(mod\,5)$
$\\5 \nshortmid 7 \implies 7^{5-1} \equiv 1(mod\,5) \implies7^{4} \equiv 1(mod\,5)$
$\\5 \nshortmid 8 \implies 8^{5-1} \equiv 1(mod\,5) \implies8^{4} \equiv 1(mod\,5)$
$\\5 \nshortmid 9 \implies 9^{5-1} \equiv 1(mod\,5) \implies9^{4} \equiv 1(mod\,5)$
$\\5 \mid 10 \implies 5\,does\,divide\,10! \implies10^{4} \equiv 0(mod\,5)$


Notice how the theorem does not apply when $p\mid a$, and how the pattern repeats!

If we accept the above, then we can also rewrite the second proposition as:
$\\a^{p-2} \equiv a^{-1}(mod\,p)$

```
Since `b` will be some factor of `a` with some multiplicator `q`, we can say that $\\b*q=a-m$
```

---

### 01: Greatest Common Divisor (GCD)

The Greatest Common Divisor (GCD), sometimes known as the highest common factor, is the largest number which divides two positive integers (a,b).

For `a = 12, b = 8` we can calculate the divisors of a: `{1,2,3,4,6,12}` and the divisors of b: `{1,2,4,8}`. Comparing these two, we see that `gcd(a,b) = 4`.

Now imagine we take `a = 11, b = 17`. Both `a` and `b` are prime numbers. As a prime number has only itself and `1` as divisors, `gcd(a,b) = 1`.

We say that for any two integers `a,b`, if `gcd(a,b) = 1` then `a` and `b` are coprime integers.

If `a` and `b` are prime, they are also coprime. If `a` is prime and `b < a` then `a` and `b` are coprime.

There are many tools to calculate the GCD of two integers, but for this task we recommend looking up [Euclid's Algorithm](https://en.wikipedia.org/wiki/Euclidean_algorithm).

Try coding it up; it's only a couple of lines. Use `a = 12`, `b = 8` to test it.

Now calculate `gcd(a,b)` for `a = 66528`, `b = 52920` and enter it below.


In [None]:
# Greates Common Divisor using Euclid's Algorithm

# Get input values
# input = [12, 8]
input = [66528, 52920]

# Sort them in descending order of magnitude
input.sort(reverse=True)

# Get the values into variables that are more litteral
a = input[0]
b = input[1]

# The GCD will be the value of a and b when the remainder is zero. We will call gcd() recursivly until that happens
def gcd(a,b):
    if(b == 0): return a
    return gcd(b, a % b)

print("GCD:", gcd(a,b))


In [None]:
# Alternate solution using conditional (ternary) expressions.
def gcd(a, b): return gcd(b % a, a) if a else b
print("GCD: ", gcd(66528, 52920))

---

### 02: Extended GCD

Let `a` and `b` be positive integers.

The extended Euclidean algorithm is an efficient way to find integers `u`,`v` such that:
`a * u + b * v = gcd(a,b)`

> Later, when we learn to decrypt RSA, we will need this algorithm to calculate the modular inverse of the public exponent.

For more details on the extended Euclidean algorithm, check out [this page](http://www-math.ucdenver.edu/~wcherowi/courses/m5410/exeucalg.html) as well as [wikipedia](https://en.wikipedia.org/wiki/Extended_Euclidean_algorithm). See also [modular multiplactive inverse](https://en.wikipedia.org/wiki/Modular_multiplicative_inverse)

But the best resouce is [this page over at brilliant.org](https://brilliant.org/wiki/extended-euclidean-algorithm/)



Using the two primes `p = 26513`, `q = 32321` - find the integers `u`,`v` such that:
`p * u + q * v = gcd(p,q)`

Enter whichever of u and v is the lower number as the flag.

In [None]:
p = 26513
q = 32321

def extended_gcd(a, b):
    if a == 0: 
        return b, 0, 1

    gcd, u, v = extended_gcd(b%a, a)
    return gcd, v - (b//a) * u, u

g, u, v = extended_gcd(p, q)
print("au+bv = gdc(a,b) => u,v:", u, v)
print("GCD:", g)

---
### 03: Modular Arithmetic 1

Imagine you lean over and look at a cryptographer's notebook. You see some notes in the margin:
```
4 + 9 = 1
5 - 7 = 10
2 + 3 = 5
```

At first you might think they've gone mad. Maybe this is why there are so many data leaks nowadays you'd think, but this is nothing more than modular arithmetic modulo 12 (albeit with some sloppy notation).

You may not have been calling it modular arithmetic, but you've been doing these kinds of calculations since you learnt to tell the time (look again at those equations and think about adding hours).

Formally, "calculating time" is described by the theory of congruences. We say that two integers are congruent modulo m if `a ≡ b mod m`.

Another way of saying this, is that when we divide the integer `a` by `m`, the remainder is `b`. This tells you that if m divides a (this can be written as `m | a`) then `a ≡ 0 mod m`.

> For a positive integer `n`, the integers `a` and `b` are congruent mod `n` if their remainders when divided by `n` are the same.

Calculate the following integers:
```
11 ≡ x mod 6
8146798528947 ≡ y mod 17
```

The solution is the smaller of the two integers.

In [None]:
"""
The Congruence modulo relatuon can be transformed to a modulo operation:
a ≡ b mod m <=> a % m = b

Since a ≡ b mod m, then if we divide the integer a by m we get the remainder is b . b is then the remainder of the euclidean division between a and m.
"""
x = 11 % 6                  # 11 ≡ x mod 6
y = 8146798528947 % 17      # 18146798528947 ≡ y mod 17

print(min(x, y))


---

### 04: Modular Arithmetic 2

We'll pick up from the last challenge and imagine we've picked a modulus `p`, and we will restrict ourselves to the case when `p` is prime.

The integers modulo `p` define a field, denoted `Fp`.

> If the modulus is not prime, the set of integers modulo `n` define a ring.

A finite field `Fp` is the set of integers `{0,1,...,p-1}`, and under both addition and multiplication there is an inverser element `b` for every element `a` in the set, such that `a + b = 0` and `a * b = 1`.

> Note that the identity element for addition and multiplication us different! This is because the identity when acted with the operator should do nothing: `a + 0 = a` and `a * 1 = a`.

Lets say we pick `p = 17`. Calculate `3^17 mod 17`. Now do the same but with `5^17 mod 17`. What would you expect to get for `7^16 mod 17`? Try calculating that.

This interesting fact is known as _Fermat's little theorem_. We'll be needing this (and its generalisations) when we look at RSA cryptography.

Now take the prime `p = 65537`. Calculate `273246787654^65536 mod 65537`.
Did you need a calculator?


In [None]:
"""
Looking at Fermat's little theorem (https://en.wikipedia.org/wiki/Fermat%27s_little_theorem):

if p is prime, for every integer a:
        pow(a, p) = a mod p

And, if p is prime and a is an integer coprime with p:
        pow(a, p-1) = 1 mod p

So lets check
        pow(273246787654, 65536) mod 65537

Notice that 65536 is exactly 65537-1, and if 273246787654 and 65537 
are coprime then the result is one:
"""
from math import gcd

# If a and p are indeed coprime, we expect the result to be 1
if gcd(a,p) == 1:
    print("1 - a and p are coprime!")


### We can verify this:

# Calculates x^y under modulo m
def power(x,y,m):
    if(y == 0): 
        return 1
    p = power(x, y // 2, m) % m
    p = (p * p) % m
    return p if (y % 2 == 0) else (x * p) % m


print("Result: " + str(power(273246787654,65536,65537)))

---

### 05: Modular Inverting

As we've seen, we can work within a finite field `Fp`, adding and multiplying elements, and always obtain another element of the field.

For all elements `g` in the field, there exists a unique integer `d` such that `g * d ≡ 1 mod p`.
This is the multiplicative inverse of `g`.

Example: `7 * 8 = 56 ≡ 1 mod 11`

What is the inverse element: `3 * d ≡ 1 mod 13`?

> Think about the little theorem we just worked with. How does this help you find the inverse of an element?


In [None]:
"""
Looking again at Fermat's little theorem:

if p is prime, for every integer a:
        pow(a, p) = a mod p
and, if p is prime and a is an integer coprime with p:
        pow(a, p-1) = 1 mod p

We can do some magic like this (a^b means pow(a,b)):
        a^(p-1) = 1 (mod p)
        a^(p-1) * a^-1 = a^-1 (mod p)
        a^(p-2) * a * a^-1 = a^-1 (mod p)
        a^(p-2) * 1 = a^-1 (mod p)

So finally we have:
        a^(p-2) = a^-1 (mod p)

So, doing a^(p-2) and then (mod p) we can achieve our result
"""
from math import gcd, pow

# Finds modular inverse of a under modulo m, assuming m is prime
def mod_inverse(a, m):
    if(gcd(a,m) != 1):
        print("Inverse does not exist!")
    else:
        # if a and m are relatively prime, then mod inverse is a^(m-2) mod m
        print("Modular multiplicative inverse is ", pow(a, m - 2) % m)

mod_inverse(3, 13)

"""
Another way to look at it is like this:

The problem given is 3 * d ≡ 1 mod 13

To calculate d we can divide both sides by 3 which gives us:
  d = (1/3) * 1 mod 13 

And we can rewrite that to:
  d = 3^-1 mod 13

This is what the hint about the theorem eludes to as this is basically the inverse of 3 mod 13.
"""
a = 3
p = 13

print(pow(a, p - 2) % p)

"""
Or - just cheat and use some library ;)
"""
from Crypto.Util.number import inverse
print(inverse(3, 13))

---

### 06: Quadratic Residues

We've looked at multiplication and division in modular arithmetic, but what does it mean to take the square root modulo an integer?

For the following discussion, let's work modulo `p = 29`. We can take the integer `a = 11` and calculate `a^2 = 5 mod 29`.

As `a = 11, a^2 = 5`, we say the square root of `5` is `11`.

This feels good, but now let's think about the square root of 18. From the above, we know we need to find some integer `a` such that `a^2 = 18`

Your first idea might be to start with `a = 1` and loop to `a = p-1`. In this discussion `p` isn't too large and we can quickly look.

Have a go, try coding this and see what you find. If you've coded it right, you'll find that for all `a ∈ Fp*` you never find an a such that `a^2 = 18`.

What we are seeing, is that for the elements of `F*p`, not every element has a square root. In fact, what we find is that for roughly one half of the elements of `Fp*`, there is no square root.

> We say that an integer `x` is a Quadratic Residue if there exists an a such that `a^2 = x mod p`. If there is no such solution, then the integer is a Quadratic Non-Residue.


In other words, `x` is a quadratic residue when it is possible to take the square root of `x` modulo an integer `p`.

In the below list there are two non-quadratic residues and one quadratic residue.

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

> If `a^2 = x` then `(-a)^2 = x`. So if `x` is a quadratic residue in some finite field, then there are always two solutions for `a`.

```
p = 29
ints = [14, 6, 11]
```

In [288]:
from math import sqrt

p = 29
ints = [14, 6, 11]  # list of x's that are possible quadratic residues

for x in ints:
    for a in range(x):
        print(pow(a, 2), x % p)


0.0 14
1.0 14
4.0 14
9.0 14
16.0 14
25.0 14
36.0 14
49.0 14
64.0 14
81.0 14
100.0 14
121.0 14
144.0 14
169.0 14
0.0 6
1.0 6
4.0 6
9.0 6
16.0 6
25.0 6
0.0 11
1.0 11
4.0 11
9.0 11
16.0 11
25.0 11
36.0 11
49.0 11
64.0 11
81.0 11
100.0 11
