
# About Why RSA Works
## Class Directed Learning
### Due: Tuesday, 23 February 2021, 11:59 pm

## The Reason

The reason RSA works is that the encryption and decryption operations are "inverses" of each other. But why does that make it work?

## Repeat Chat Post

Clarification: In the inside chat, Kyle pointed out an error in what I said while going over the reading quiz, specifically regarding Question 6, which states: If $m$ is a factor of $a$, and $n$ is a factor of $a$, then $mn$ is a factor of $a$.

Restated: If $m | a$ and $n | a$ then does $mn | a$ for any integers $m, n$?

Convince yourself that the answer is no. I said if $m$ and $n$ are both prime, then the answer is yes. Kyle gave the example of $m = 5$ and $n = 5$: both $5$ and $5$ divide $15$, but $25$ doesn't.

But the correct answer is that if $m$ and $n$ are **coprime** (which excludes them from being the same prime), then it is a true statement. And if $m$ and $n$ are different primes, they are automatically coprime.

So, for coprime $m$ and $n$, if $m | a$ and $n | a$, then $mn | a$. For example, $8$ and $9$ are coprime (though neither is prime), and $8 | 144, 9 | 144,$ and $72 | 144$ also.

What does this have to do with the Chinese Remainder Theorem guaranteeing that, for example, with $p$, $q$ and $s$ being different primes, if $x \equiv_{p} r$ and $x \equiv_{q} r$ and $x \equiv_{s} r$, then $x \equiv_{pqs} r$?

If you need help visualizing how simultaneous congruences work (read "[=]" as $\equiv$):


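```python
def format_congruence(x, m, r):
  # x [=] r (mod m) means m divides x - r, i.e. x - r = m * k for some integer k.
  d = x - r
  return f'{x} [=] {r} (mod {m}) -> {m} | {x} - {r} (= {d}) -> {d} = {m} * k where k = {d // m}.'

# x = 8 satisfies three congruences at once, with moduli 3, 4 and 5.
x_list = [8, 8, 8]
m_list = [3, 4, 5]
r_list = [2, 0, 3]
for f in map(format_congruence, x_list, m_list, r_list):
  print(f, '\n')

# x = 16 satisfies two congruences at once, with moduli 3 and 11.
x_list = [16, 16]
m_list = [3, 11]
r_list = [1, 5]
for f in map(format_congruence, x_list, m_list, r_list):
  print(f, '\n')
```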

## TODO Study and Learn

A proof that shows why RSA works goes as follows:

We chose two different primes $p$ and $q$, and because we chose $e$ such that for $t = (p - 1)(q - 1)$, $\gcd(e, t) = 1$, an inverse of $e$ mod $t$ exists and can be found. This inverse is the decryption key $d$.

Knowing $d$ and $c$ (the ciphertext), $m$ (the plaintext message) can be recovered by noting that if

$de \equiv_{t} 1$, then there is an integer $k$ such that

$de = 1 + k(p - 1)(q - 1)$.

So we know that $c^d \equiv_{n} (m^e)^d$.

But then $(m^e)^d = m^{ed} = m^{de} = m^{1 + k(p - 1)(q - 1)}$.

Enter Fermat's Little Theorem: If $r$ is prime and does not divide integer $a$, then $a^{r-1} \equiv_{r} 1$.

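That means $m^{p-1} \equiv_{p} 1$ when $p$ does not divide $m$, and $m^{q-1} \equiv_{q} 1$ when $q$ does not divide $m$. (If $p$ does divide $m$, then $c^d$ and $m$ are both $\equiv_{p} 0$, so the congruence $c^d \equiv_{p} m$ derived below still holds; likewise for $q$.)

Combining those two facts with the above (continued):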

$c^d \equiv_{n} (m^e)^d = m^{ed} = m^{de} = m^{1 + k(p - 1)(q - 1)} = m^1 \cdot m^{k(p - 1)(q - 1)}$

$= m^1 \cdot m^{(p - 1)k(q - 1)} = m^1 \cdot m^{(q - 1)k(p - 1)}$.

Because $x \equiv_{rs} y \rightarrow x \equiv_{r} y$ and $x \equiv_{s} y$, we know that

$c^d \equiv_{p} m^1 \cdot (m^{p - 1})^{k(q - 1)} \equiv_{p} m \cdot (1)^{k(q - 1)} \equiv_{p} m \cdot 1 \equiv_{p} m$,

and

$c^d \equiv_{q} m^1 \cdot (m^{q - 1})^{k(p - 1)} \equiv_{q} m \cdot (1)^{k(p - 1)} \equiv_{q} m \cdot 1 \equiv_{q} m$.

Finally, that consequence of the Chinese Remainder Theorem guarantees what we need, namely that since $c^d \equiv_{p} m$ and $c^d \equiv_{q} m$, then

$c^d \equiv_{pq} m$, or $c^d \equiv_{n} m$ which, because $0 \le m < n$, means $m$ is the unique solution.



### Concretize

Get your hands dirty with $p = 23$ and $q = 29$:

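```python
def igcd(b, n):
    # Extended Euclidean algorithm: returns (g, x, y) with
    # g = gcd(b, n) and b*x + n*y = g for the original b and n.
    x0, x1, y0, y1 = 1, 0, 0, 1
    while n != 0:
        q, b, n = b // n, n, b % n
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return b, x0, y0

def TUMMI(e, t):
    # Inverse of e mod t; it exists only when gcd(e, t) = 1.
    hcf, x, y = igcd(e, t)
    if hcf != 1:
        raise ValueError(f"TUMMI does not exist for e = {e} and t = {t}.")
    return x % t

p = 23
q = 29
n = p * q                # modulus
t = (p - 1) * (q - 1)
e = 3                    # encryption exponent, coprime to t
d = TUMMI(e, t)          # decryption key
de = d * e
k = (de - 1) // t        # the k in de = 1 + k(p - 1)(q - 1)

print({'p':p, 'q':q, 'n':n, 't':t, 'e':e, 'd':d, 'de':de, 'k':k})
```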
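The proof above, checked step by step for every message with the $p = 23$, $q = 29$, $e = 3$ of this section. This is an added example, not part of the original notebook: `proof_trace` and `summarize` are names chosen here, and Python's built-in `pow(e, -1, t)` stands in for `TUMMI`. It also counts the messages divisible by $p$ or $q$, where Fermat's Little Theorem does not apply, and runs $p = q = 5$, $m = 5$ to show both congruences holding mod $5$ without holding mod $25$.

```python
def proof_trace(p, q, e, m):
    """Check each step of the proof for one message m (0 <= m < p*q)."""
    n, t = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, t)        # decryption key: inverse of e mod t (Python 3.8+)
    k = (d * e - 1) // t     # the integer k with de = 1 + k(p-1)(q-1)
    c = pow(m, e, n)         # encrypt: c = m^e mod n
    x = pow(c, d, n)         # decrypt: x = c^d mod n
    return {
        "de_identity": d * e == 1 + k * t,
        # Fermat's Little Theorem needs p (resp. q) not to divide m.
        "fermat_p": m % p != 0 and pow(m, p - 1, p) == 1,
        "fermat_q": m % q != 0 and pow(m, q - 1, q) == 1,
        # The two congruences the proof derives: c^d = m (mod p), (mod q).
        "mod_p": (x - m) % p == 0,
        "mod_q": (x - m) % q == 0,
        # The CRT consequence: c^d = m (mod pq), i.e. decryption returns m.
        "mod_n": x == m,
    }

def summarize(p, q, e):
    """Run proof_trace over every message 0..n-1 and count what holds."""
    n = p * q
    traces = [proof_trace(p, q, e, m) for m in range(n)]
    return {
        "messages": n,
        "fermat_not_applicable": sum(
            not (tr["fermat_p"] and tr["fermat_q"]) for tr in traces),
        "congruent_mod_p_and_q": sum(
            tr["mod_p"] and tr["mod_q"] for tr in traces),
        "round_trips": sum(tr["mod_n"] for tr in traces),
    }

if __name__ == "__main__":
    # Different primes: every message decrypts, even the ones p or q divides.
    print(summarize(23, 29, 3))
    # Same prime twice (not coprime): mod_p and mod_q hold, mod_n does not.
    print(proof_trace(5, 5, 3, 5))
```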

#### Alternate

What other types of encryption are there besides RSA?

##### Answer

Learning this is a GPAO of gargantuan proportions!

Start small with a site like https://www.di-mgt.com.au/rsa_alg.html.


###### Favorite

What is your favorite resource that you think explains RSA the best?

When you have one, enter a link to it with a brief description in the outside chat channel.