## Introduction

The RSA encryption algorithm uses elementary number theory. We will learn the concepts and see how it works. You will be suprised how simple the RSA algorithm is. Don't be put off by the fancy sounding terms or symbols--
these concepts only require arithmetic to understand.

Click on each concept below to learn about it:

- gcd, modulo arithmetic
- Bezout's Identity, extended gcd algorithm
- coprime and Euler's totient function (also known as 'phi')
- multiplicative inverses under a modulus
- Euler's theorem


## RSA Algorithm



### Step 1. Generate a large number n which is the product of two large primes

Pick two large primes, p and q. TODO explain 2^128

In [None]:
## Overview

The core trick is to use a 

In [2]:
p = random_prime(2^128)
q = random_prime(2^128)
print(f'p = {p}')
print(f'q = {q}')

p = 210410793837887225582511423490780614887
q = 310176223850799339151299235097610855667


Multiply them together. This number `n = pq` is one component of your public key. It is extremely difficult for someone to reverse engineer what `p` and `q` are from `n` alone. Our security rests upon this fact.

In [3]:
n = p*q
print(f'n = {n}')

n = 65264425490084898278707085038821844388167762266346888835970011349896468514629


### Step 2. Calculate the phi of n

As mentioned in the concepts, `phi(n)` is just the number of natural numbers less than `n` which are coprime to `n`. Since phi is a product of two primes, using the fact that the phi function is multiplicative we can calculate 

In [None]:
This is "Euler's Phi" or "Euler's Totient" function. It is the number of natural 
numbers less than n which are coprime to n. Coprime means they don't share any factors other than 1¹. For example, 
`phi(12) = 4`, with 1, 5, 7 and 11 being the numbers coprime to 12:

In [2]:
[x for x in range(12) if gcd(x,12) ==1]

[1, 5, 7, 11]

This number, phi(n), is key to the whole process. We are going to use it and [Euler's theorem](https://brilliant.org/wiki/eulers-theorem/)³ to do some magic. Euler's theorem:

![Euler's theorem](https://wikimedia.org/api/rest_v1/media/math/render/svg/6a8462fedd83478425cea1c06dbb60c14c08c2bb)

says, for any numbers a and n that are coprime to eachother, a raised to the phi(n)th power has a remainder of 1 modulo n³. We'll show how we use it soon. But first, we need a phi(n)!

So how do we calculate phi(n) for our very large n? It turns out² that phi is 'multiplicative', which means if n has factors a and b, provided a and b are coprime, `phi(n) = phi(a)*phi(b)`. For example,`phi(3) = 2` and `phi(4) = 2`, and 3 and 4 are coprime, so `phi(12) = phi(3)*phi(4) = 4`. 

Every number can be written as a [product of primes](https://en.wikipedia.org/wiki/Fundamental_theorem_of_arithmetic), which means we can use this multiplicative rule to calculate it's phi. Our number n, is the product of two primes, so for us:

`phi(n) = phi(p)*phi(q) = (p-1)(q-1)` since phi(p) where p is prime is p-1, since all numbers less than a prime number are coprime to it. So let's calculate our phi(n):


In [5]:
phi_n = (p-1)*(q-1)
print(f'phi(n) is {phi_n}')

phi(n) is 16914598361843965801102184824339976023069014789976490429646475487346389658192


Since phi(n) is part of the secret sauce, we must also keep it secret. It is easy to calculate phi(n) if we know the
prime factors of n, but very difficult otherwise. This is another fact upon which our security rests.

```
I pick two large primes p and q.

I calculate their product, n = pq.

I calculate phi(n), which in this case is just phi(p)*phi(q).

I pick an e which is coprime to phi(n).

I calculate the multiplicative inverse of e mod phi(n), it d, where e*d = 1 mod phi(n)

I publish n and e, and keep p,q and d secret.

You pick a number m which is coprime to n (and less than n). This number is the secret message you want to send me. 

You raise m to the power of e and take the remainder modulo n, let's call that y, so y = m^e mod n.

I take your y, and raise it to the power of d. y^d = m^(e*d). Since e*d = 1 mod phi(n), y^d = m^(e*d)= m^(k*phi(n) + 1) = m^(k*phi(n))*m = (m^phi(n))^k*m. Since m is coprime to n we can apply the fact a^phi(n) = 1 so (m^phi) = 1 mod n, so y^d = (m^phi(n))^k*m = m mod n. So now I have your secret message, m.
```

You can see that the facts we exploited to recover m from m^e were that we had a number d which we could use to get a power of 1 + k*phi(n), and then we were able to use Euler's theorem. Pretty ingenious right?

In order for an attacker to be able to deduce m they would need to deduce d. For that, they would need to deduce phi(n). If they new the prime factors of n that would be easy but they don't. In the next blog post we will talk about just how hard it is to deduce phi(n) for large numbers, and find the factors of large numbers.

Homework Q. Is it equally as hard to deduce phi(n) as it is to find the factors of n for large n?

## Footnotes
¹The technical definition of comprime is that their greatest common divisor is 1, ie. gcd(x,n) = 1. From this definition, 
the number 1 is coprime with all numbers.

²There are [proofs](https://en.wikipedia.org/wiki/Euler%27s_totient_function#Phi_is_a_multiplicative_function) for Euler's phi function being multiplicative in elementary number theory.

³The proofs of Euler's theorem a bit tricky, but you would learn it in an undergraduate number theory class. It's an extension to [Fermat's Little Theorem](https://brilliant.org/wiki/fermats-little-theorem/), which has an easier induction-based proof.

16914598361843965801102184824339976023330355038022894813075807295101247862201

In [121]:
p = 143322513141273005153526045087974465773
q = 118017734905131378275805762666883738237
n = p*q
print(f'n is {n}')
e = 2021
phi_n = (p-1)*(q-1)
print(f'phi_n is {phi_n}')

n is 16914598361843965801102184824339976023330355038022894813075807295101247862201
phi_n is 16914598361843965801102184824339976023069014789976490429646475487346389658192


In [124]:
gcd, d, _ = xgcd(e,phi_n)
print(f'd is {d}')
# make d positive
d = mod(d, phi_n).lift()
print(f'd is {d}')
mod(e*d2, phi_n)

d is -502165216086411651690317213983373855212340864620776559019687545393757238739
d is 16412433145757554149411867610356602167856673925355713870626787941952632419453


1

1

In [109]:
mod(1984, n)^e

10470396727201891135249620086044460369985352819239700618363396358499900267134

In [118]:
mod(10470396727201891135249620086044460369985352819239700618363396358499900267134, n)^d2

1984

In [112]:
y = 14616297587505269588504140410958758376677359637867063545225654817658950123919

In [119]:
m = mod(y, n)^d2
m = m.lift()
m

9540721701204608500320657631138968649908991245244230508567315258226742830148

In [91]:
mod(m, my_n)^my_e

14616297587505269588504140410958758376677359637867063545225654817658950123919

In [72]:
m_int% 256

68

In [77]:
"a" * "c"

TypeError: can't multiply sequence by non-int of type 'str'

In [93]:
37268444145330501954377568871636596288706997051735275424091075227448214180*256 + 68

9540721701204608500320657631138968649908991245244230508567315258226742830148

In [84]:
m = 9540721701204608500320657631138968649908991245244230508567315258226742830148
while m != 0:
    m,r = divmod(m, 256)
    print(m,r, chr(r))

37268444145330501954377568871636596288706997051735275424091075227448214180 68 D
145579859942697273259287378404830454252761707233340919625355762607219586 164 ¤
568671327901161223669091321893868961924850418880237967286545947684451 130 
2221372374613911029957387976147925632518946948750929559713070108142 99 c
8677235838335589960771046781827834502027136518558318592629180109 238 î
33895452493498398284261901491514978523543502025618432002457734 205 Í
132404111302728118297898052701230384857591804787572000009600 134 
517203559776281712101164268364181190849967987451453125037 128 
2020326405376100437895172923297582776757687450982238769 173 ­
7891900021000392335528019231631182721709716605399370 49 1
30827734457032782560656325123559307506678580489841 74 J
120420837722784306877563770013903544947963205038 113 q
470393897354626198740483476616810722452981269 174 ®
1837476161541508588830013580534416884581958 21 
7177641256021517925117240548962565955398 70 F
28037661156334054394989220894385023263 70 F

In [4]:
d2700/16

675/4