# Lecture 13: Number Theory/Cryptography (1 of ...?)

### Please note: This lecture will be recorded and made available for viewing online. If you do not wish to be recorded, please adjust your camera settings accordingly. 

# Reminders/Announcements:
- Assignment 4 is due Thursday at 8pm.
- Final Project Topics are available. Take a look!

## The Greatest Common Divisor

The *greatest common divisor* of two numbers $a$ and $b$ is the largest integer $d$ which divides $a$ and $b$. We write $d = \gcd(a,b)$. 

In [0]:
gcd(6,10)

In [0]:
gcd(13,169)

If two numbers $a$ and $b$ have $\gcd(a,b) = 1$, we say $a$ and $b$ are *coprime*.

In [0]:
gcd(100,101)

In [0]:
p = random_prime(100000)
q = random_prime(100000)
print(p)
print(q)
gcd(p,q)

The gcd of two integers is *incredibly easy* for computers to compute:

In [0]:
gcd(2^300 - 7, 2^256 + 43)

In [0]:
(2^300 - 7).ndigits()

In [0]:
(2^256 + 43).ndigits()

This is thanks to the *Euclidean algorithm*:https://en.wikipedia.org/wiki/Euclidean_algorithm . An important property of the greatest common divisor is *Bezout's identity*. Given $a,b$ integers and $d = \gcd(a,b)$, there exists *integers* $m$ and $n$ with 
$$
d = ma+nb.
$$
Note that $m$ and $n$ will not always be *positive* integers.
## ***** Participation Check ***************************
For the examples $2 = \gcd(6,10)$ and $13 = \gcd(13,169)$, find instances of $m$ and $n$ which exhibit Bezout's identity explicitly. 
- For $2 = \gcd(6,10)$, enter your answer here: $m = ??$, $n = ??$. 
- For $13 = \gcd(13,169)$, enter your answer here: $m = ??$, $n = ??$.
## ***********************************************************

In general the process for finding $m$ and $n$ is called the *extended* Euclidean algorithm:

In [0]:
xgcd(2^300 - 7, 2^256 + 43)

In [0]:
d, m, n = xgcd(2^300 - 7, 2^256 + 43)

m*(2^300 - 7) + n*(2^256 + 43)

Be careful! Don't confuse `xgcd` with the closely related `xkcd`...

From the documentation: "This function is similar to the xgcd function, but behaves in a completely different way." https://doc.sagemath.org/html/en/reference/rings_standard/sage/arith/misc.html

In [0]:
xkcd(42)

## Chinese Remainder Theorem

Being coprime is a special property of pairs of numbers. In particular, we have the following famous theorem:

Let $a$ and $b$ be coprime integers, $\gcd(a,b) = 1$. Let $k_1$ and $k_2$ be arbitrary integers. There exists an integer $c$ with *both*
$$
c \equiv k_1 \mod a 
$$
and 
$$
c\equiv k_2 \mod b.
$$
Note that the integer $c$ *will not be unique*. In fact, there are infinitely many choices of $c$!
## ***** Participation Check ***************************
Let $a = 5$ and $b = 7$. Find an integer $c$ which is satisfies $c \equiv 3\mod 5$ and $c \equiv 6\mod 7$ (you can either do this by just thinking about it, or by writing some Sage code:)
- Answer here: $c = ??$

In [0]:
#Possible sage code here if desired


## ***********************************************************

We can do this in Sage directly, as you might suspect. The syntax is `CRT(list1,list2)`:

In [0]:
CRT([3,6],[5,7])

In [0]:
13%5

In [0]:
13%7

In [0]:
CRT([3,4],[4,8])

## Factorization

Factoring a number into prime divisors is a *notoriously* difficult problem. A *lot* of modern security relies on this fact! *Some numbers are quite easy to factor*:

In [0]:
factor(10)

In [0]:
n = 2^300 + 23
print(n.ndigits())

In [0]:
factor(n)

In [0]:
p = random_prime(16428731586668563557701 ,2*16428731586668563557701 )
q = random_prime(16428731586668563557701 ,2*16428731586668563557701 )
r = random_prime(16428731586668563557701 ,2*16428731586668563557701 )

m = p*q*r
print(m.ndigits())

In [0]:
factor(m)

Why are some numbers "easy" to factor, and others more difficult? There are *many* things at play here. We could talk about it for hours.
- Some numbers are products of very small prime factors and very large prime factors
- Small prime factors are very easy to find
- Testing if a large number is prime can be done fairly efficiently
- So occasionally, the "dumb" algorithm of just trial division works quite well.

Other numbers have no small factors, but are still "special":

In [0]:
16428731586668563562947 in Primes()

In [0]:
16428731586668563562951 in Primes()

In [0]:
m = 16428731586668563562947*16428731586668563562951

In [0]:
factor(m)

You could've actually done this one on your own without the computer!

In [0]:
RF = RealField(200)
RF(sqrt(m)).str(no_sci=2)

This number is *very close* to the square of a number:

In [0]:
16428731586668563562949^2 - m

This yields 
$$
(16428731586668563562949)^2 - m - 4 = 0
$$
If we group terms, we get 
$$
m = (16428731586668563562949)^2 - 4
$$
we can now factor this! Remember: $a^2 - b^2 = (a-b)(a+b).$ So
$$
m = (16428731586668563562949 + 2)(16428731586668563562949 - 2).
$$

## A Test for (Non)-Primality

Here is a test which can be applied to see if a number is not prime.

Theorem: If $p$ is a prime number, then for all integers $a$, $a^p \equiv a\mod p$. 

This is known as *Fermat's little theorem*. 

In [0]:
p = 31
a = 7
a^p % p

In [0]:
(a^p - a)/p

There are *many* ways to prove Fermat's little theorem (and they are all nice): https://en.wikipedia.org/wiki/Proofs_of_Fermat%27s_little_theorem

Here is a sketch of a proof using the binomial theorem:
- For any integers $a$ and $b$, $(a+b)^p \equiv a^p + b^p \mod p$. This is called the *Freshman's dream*.
    - To see this, use the binomial theorem to write 
    $$
    (a+b)^p = \sum_{k=0}^p\binom{p}{k}a^kb^{{p-k}}.
    $$
    - One then proves that *since $p$ is prime*, the binomial coefficients satisfy
    $$
    \binom{p}{k} \equiv 0\mod p \text{ if }1\leq k\leq p-1.
    $$
- One then inducts; the induction step uses the observation that
$$
(k+1)^p \equiv k^p + 1^p \mod p
$$
and then applies the induction hypothesis to $k$ to finish.

What happens if we take the contrapositive of this theorem statement?

Contrapositive of Fermat's Little Theorem: Let $p$ be an integer. *If there exists an integer $a$* with $a^p\not\equiv a\mod p$, *then $p$ is not prime*.

In [0]:
p = 32
a = 6
a^p % p

## Reminder on Modular Exponentiation

Recall from Lectures 4,5: You *should not* do exponentiation like I just did! If $p$ is a big number, this test will never work if you use this syntax!

In [0]:
p = 10^19 + 423
a = 7
a^p % p

Instead use `power_mod`

In [0]:
power_mod(a, p, p)

In [0]:
is_prime(p)

## Warning!

Be *very* careful! Fermat's little theorem *can never prove a number is prime*. It can only be used to show that a number is not prime. There are annoying numbers called *Carmichael numbers*: https://en.wikipedia.org/wiki/Carmichael_number

In [0]:
factor(561)

In [0]:
print(all([power_mod(a,561,561) == a for a in range(561)]))

In [0]:
for k in range(1,12):
    print(power_mod(k, 561, 561))

In [0]:
factor(512461)

In [0]:
print(all([power_mod(a,512461,512461) == a for a in range(512461)]))

Despite this, people occasionally use Fermat's little theorem as a *probabilistic* test to see if a number is prime or not. Carmichael numbers become pretty rare, so the test can be helpful, but again: it *is not* ever a proof.

In [0]:
m = 10^300
for n in range(10^4):
    if power_mod(2,n+m,n+m) == 2 and not is_prime(m+n):
        print('Failure of probabilistic test')
        
#There are 16 primes in this range; so of the ~10000 possibile failures, there were none!

## Inverses Mod N

Let $N$ be a positive integer. If $a$ is a positive integer which is *coprime* to $N$, then $a$ has a multiplicative inverse mod $N$:

In [0]:
N = 16
a = 7

mod(1/a, N)

In [0]:
1/mod(a,N)

In [0]:
mod(a,N)^(-1)

In [0]:
7*a % N

In [0]:
b = 6
mod(1/b, N)

You can find this using Bezout's identity again. If $a$ and $N$ are coprime, take integers 
$$
ax + Ny = 1.
$$
Reducing mod $N$, 
$$
ax \equiv 1\mod N.
$$

In the language of abstract algebra, we are simply saying that the set 
$$
(\mathbb{Z}/N\mathbb{Z})^\times = \{a: 0\leq a\leq N-1: \gcd(a,N) = 1\}
$$
forms a group under multiplication mod $N$. This is often called a *unit group*.

A consequence of this is that if $a$ and $N$ are coprime, there exists a positive integer $d$ with $a^d \equiv 1\mod N$.

In [0]:
N = 43
a = 7
for i in range(1,7):
    print(power_mod(a,i,N))

In [0]:
a^6 % N

Here is an extension of Fermat's little theorem (due to Euler). Recall the totient function $\phi$, with 
$$
\phi(N) = \#\{a:1\leq a\leq N, \gcd(a,N) = 1\}.
$$

The totient function has a simple formula if $p$ is prime: $\phi(p) = p-1$. Moreover, if $N$ and $M$ are coprime integers, then $\phi(NM) = \phi(N)\phi(M)$ (this second fact is actually a consequence of the CRT!). If you play around with this, you can get a closed formula for $\phi$ in terms of the prime divisors of a given number. 

In [0]:
p = 31
euler_phi(p)

In [0]:
N = 98
M = 351
gcd(N,M)

In [0]:
euler_phi(N)

In [0]:
euler_phi(M)

In [0]:
euler_phi(N*M)

In [0]:
42*216

Then we have:

Theorem: Let $a$ and $N$ be coprime integers. Then 
$$
a^{\phi(N)}\equiv1\mod N.
$$

In [0]:
N = 43
euler_phi(43)

In [0]:
a^42 % 43

In [0]:
M = 14
for i in range(M):
    print(i,': ',power_mod(i,euler_phi(M),M))

## Multiplicative Orders, Primitive Roots

This leads immediately into the concept of *multiplicative order*. Given an integer $N$ and an integer $a$ with $\gcd(a,N) = 1$, the *multiplicative order of $a \mod N$* is the smallest integer $d$ with $a^d \equiv 1\mod N$. 

Euler's theorem tells us that $\phi(N)$ is always an upper bound on $d$; but it is not always tight:

In [0]:
N = 11
for i in range(1,11):
    print(i,': ',mod(i,N).multiplicative_order())

Notice anything?

In [0]:
euler_phi(N)

In [0]:
N = 11
for i in range(1,11):
    print(i, ': ',euler_phi(N) % mod(i,N).multiplicative_order())

Aha! The multiplicative order of $a$ *always divides* $\phi(N)$. 

In this context if $a$ has order $\phi(N)$, then we say $a$ is a *primitive root* mod $N$. 

Theorem: Let $p$ be a prime number. There exists a primitive root mod $p$.

In the language of abstract algebra, the group $(\mathbb{Z}/p\mathbb{Z})^\times$ is always a *cyclic group* if $p$ is prime. 

In [0]:
for p in prime_range(3,20):
    print(p,': ', primitive_root(p))

In [0]:
for i in range(18):
    print(power_mod(2,i,19))

Primitive roots and the multiplicative structure of elements mod $N$ form the backbone of several cryptographic schemes. In particular, you may have heard of the *discrete logarithm* problem; this is directly related to this! We will explore more of this next lecture.