This is notebooks from http://illustratedtheoryofnumbers.com/

#  Part 1.  Computing with Python 3.x

What is the difference between *Python* and a calculator?  We begin this first lesson by showing how Python can be used **as** a calculator, and we move into some of the basic programming language constructs:  data types, variables, lists, and loops.

This programming lesson complements Chapter 0 (Foundations) in [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105/).

## Table of Contents

- [Python as a calculator](#calculator)
- [Calculating with booleans](#booleans)
- [Declaring variables](#variables)
- [Lists and Ranges](#ranges)
- [Iterating over a range](#iterating)

<a id='calculator'></a>

## Python as a calculator

Different kinds of data are stored as different *types* in Python.  For example, if you wish to work with integers, your data is typically stored as an *int*.  A real number might be stored as a *float*.  There are types for booleans (True/False data), strings (like "Hello World!"), and many more we will see.  

A more complete reference for Python's numerical types and arithmetic operations can be found in the [official Python documentation](https://docs.python.org/2/library/stdtypes.html#numeric-types-int-float-long-complex).  The [official Python tutorial](https://docs.python.org/2/tutorial/introduction.html) is also a great place to start.

Python allows you to perform arithmetic operations:  addition, subtraction, multiplication, and division, on numerical types.  The operation symbols are `+`, `-`, `*`, and `/`.   Evaluate each of the following cells to see how Python performs operations on *integers*.  To evaluate the cell, click anywhere within the cell to select it (a selected cell will probably have a thick <span style="color:green">green</span> line on its left side) and use the keyboard shortcut *Shift-Enter* to evaluate.  As you go through this and later lessons, try to *predict* what will happen when you evaluate the cell before you hit Shift-Enter.  

In [None]:
2 + 3

In [None]:
2 * 3

In [None]:
5 - 11

In [None]:
5.0 - 11

In [None]:
5 / 11

In [None]:
6 / 3

In [None]:
5 // 11

In [None]:
6 // 3

The results are probably not too surprising, though the last two require a bit of explanation.  Python *interprets* the input number 5 as an *int* (integer) and 5.0 as a *float*.  "Float" stands for "floating point number," which are decimal approximations to real numbers.  The word "float" refers to the fact that the decimal (or binary, for computers) point can float around (as in 1.2345 or 12.345 or 123.45 or 1234.5 or 0.00012345).  There are deep computational issues related to how computers handle decimal approximations, and you can [read about the IEEE standards](https://en.wikipedia.org/wiki/IEEE_754) if you're interested.

Python enables different kinds of division.  The single-slash division in Python 3.x gives a floating point approximation of the quotient.  That's why `5 / 11` and `6 / 3` both output floats.  On the other hand, `5 // 11` and `6 // 3` yield integer outputs (rounding down) -- this is useful, but one has to be careful!

In fact the designers of Python changed their mind.  **This tutorial assumes that you are using Python 3.x.**  If you are using Python 2.x, the command `5 / 11` would output zero.

In [None]:
-12 // 5

Why use integer division `//` and why use floating point division?  In practice, integer division is typically a faster operation.  So if you only need the rounded result (and that will often be the case), use integer division.  It will run much faster than carrying out floating point division then manually rounding down.

Observe that floating point operations involve approximation.  The result of `5.0/11.0` might not be what you expect in the last digit.  Over time, especially with repeated operations, *floating point approximation* errors can add up!

Python allows you to group expressions with parentheses, and follows the order of operations that you learn in school.

In [None]:
(3 + 4) * 5

In [None]:
3 + (4 * 5)

In [None]:
3 + 4 * 5   #  What do you think will be the result?  Remember PEMDAS?

Now is a good time to try a few computations of your own, in the empty cell below.  You can type any Python commands you want in the empty cell.  If you want to insert a new cell into this notebook, it takes two steps:
1.  Click to the left of any existing cell.  This should make a <span style="color:blue">blue</span> bar appear to the left of the cell.
2.  Use the keyboard shortcut **a** to insert a new cell **above** the blue-selected cell or **b** to insert a new cell **below** the blue-selected cell.
You can also use the keyboard shortcut **x** do delete a blue-selected cell... be careful!

In [None]:
#  An empty cell.  Have fun!


For number theory, *division with remainder* is an operation of central importance.  Integer division provides the quotient, and the operation `%` provides the remainder.  It's a bit strange that the percent symbol is used for the remainder, but this [dates at least to the early 1970s](https://softwareengineering.stackexchange.com/questions/294297/in-what-programming-language-did-the-use-of-the-percent-sign-to-mean-modulo) and has become standard across computer languages.

In [None]:
23 // 5  # Integer division

In [None]:
23 % 5  # The remainder after division

Note in the code above, there are little "comments".  To place a short comment on a line of code, just put a hashtag `#` at the end of the line of code, followed by your comment.

Python gives a single command for division with remainder.  Its output is a *tuple*.

In [None]:
divmod(23,5)

In [None]:
type(divmod(23,5))

All data in Python has a type, but a common complaint about Python is that types are a bit concealed "under the hood".  But they are not far under the hood.  Anyone can find out the type of some data with a single command.

In [None]:
type(3)

In [None]:
type(3.0)

In [None]:
type('Hello')

In [None]:
type([1,2,3])

The key to careful computation in Python is always being *aware of the type* of your data, and *knowing* how Python operates differently on data of different types.

In [None]:
3 + 3

In [None]:
3.0 + 3.0

In [None]:
'Hello' + 'World!'

In [None]:
[1,2,3] + [4,5,6]

In [None]:
3 + 3.0

In [None]:
3 + 'Hello!'

In [None]:
#  An empty cell.  Have fun!


As you can see, addition (the `+` operator) is interpreted differently in the contexts of numbers, strings, and lists.  The designers of Python allowed us to add *numbers* of different types:  if you try to operate on an *int* and a *float*, the *int* will typically be *coerced* into a float in order to perform the operation.  But the designers of Python did not give meaning to the addition of a number with a string, for example.  That's why you probably received a *TypeError* after trying the above line. 

On the other hand, Python does interpret *multiplication* of a natural number with a string or a list.

In [None]:
3 * 'Hello!'

In [None]:
0 * 'Hello!'

In [None]:
2 * [1,2,3]

Can you create a string with 100 A's (like `AAA...`)?  Use an appropriate operation in the cell below.

In [None]:
#  Practice cell


Exponents in Python are given by the `**` operator.  The following lines compute 2 to the 1000th power, in two different ways.

In [None]:
2**1000

In [None]:
2.0**1000

As before, Python interprets an operation (`**`) differently in different contexts.  When given integer input, Python evaluates `2**1000` **exactly**.  The result is a large integer.  A nice fact about Python, for number theorists, is that it handles exact integers of arbitrary length!  Many other programming languages (like C++) will give an error message if integers get too large in the midst of a computation.  

New in version 3.x, Python implements long integers without giving signals to the programmer or changing types.  In Python 2.x, there were two types: *int* for somewhat small integers (e.g., up to $2^{31}$) and *long* type for all larger integers.  Python 2.x would signal which type of integer was being used, by placing the letter "L" at the end of a long integer.  Now, in Python 3.x, the programmer doesn't really see the difference.  There is only the *int* type.  But Python still optimizes computations, using hardware functionality for arithmetic of small integers and custom routines for large integers.  The programmer doesn't have to worry about it most of the time.

For scientific applications, one often wants to keep track of only a certain number of significant digits.  If one computes the floating point exponent `2.0**1000`, the result is a decimal approximation.  It is still a float.  The expression "e+301" stands for "multiplied by 10 to the 301st power", i.e., Python uses *scientific notation* for large floats.

In [None]:
type(2**1000)

In [None]:
type(2.0**1000)

In [None]:
#  An empty cell.  Have fun!


Now is a good time for reflection.  Double-click in the cell below to answer the given questions.  Cells like this one are used for text rather than Python code.  Text is entered using *markdown*, but you can typically just enter text as you would in any text editor without problems.  Press *shift-Enter* after editing a markdown cell to complete the editing process.  

Note that a dropdown menu in the toolbar above the notebook allows you to choose whether a cell is Markdown or Code (or a few other things), if you want to add or remove markdown/code cells.

### Exercises

1.  What data types have you seen, and what kinds of data are they used for?  Can you remember them without looking back?

2.  How is division `/` interpreted differently for different types of data?

3.  How is multiplication `*` interpreted differently for different types of data?

4.  What is the difference between 100 and 100.0, for Python?

Double-click this markdown cell to edit it, and answer the exercises.

<a id='booleans'></a>

## Calculating with booleans

A *boolean* (type *bool*) is the smallest possible piece of data.  While an *int* can be any integer, positive or negative, a *boolean* can only be one of two things:  *True* or *False*.  In this way, booleans are useful for storing the answers to yes/no questions.  

Questions about (in)equality of numbers are answered in Python by *operations* with numerical input and boolean output.  Here are some examples.  A more complete reference is [in the official Python documentation](https://docs.python.org/2/library/stdtypes.html#boolean-operations-and-or-not).

In [None]:
3 > 2

In [None]:
type(3 > 2)

In [None]:
10 < 3

In [None]:
2.4 < 2.4000001

In [None]:
32 >= 32

In [None]:
32 >= 31

In [None]:
2 + 2 == 4

Which number is bigger:  $23^{32}$ or $32^{23}$?  Use the cell below to answer the question!

In [None]:
#  Write your code here.


The expressions `<`, `>`, `<=`, `>=` are interpreted here as **operations** with numerical input and boolean output.  The symbol `==` (two equal symbols!) gives a True result if the numbers are equal, and False if the numbers are not equal.  An extremely common typo is to confuse `=` with `==`.  But the single equality symbol `=` has an entirely different meaning, as we shall see.

Using the remainder operator `%` and equality, we obtain a divisibility test.

In [None]:
63 % 7 == 0  # Is 63 divisible by 7?

In [None]:
101 % 2 == 0  # Is 101 even?

Use the cell below to determine whether 1234567890 is divisible by 3.

In [None]:
# Your code goes here.


Booleans can be operated on by the standard logical operations and, or, not.  In ordinary English usage, "and" and "or" are conjunctions, while here in *Boolean algebra*, "and" and "or" are operations with Boolean inputs and Boolean output.  The precise meanings of "and" and "or" are given by the following **truth tables**.

| and || True | False |
|-----||------|-------|
|||||
| **True** || True | False |
| **False** || False | False|

| or || True | False |
|-----||------|-------|
|||||
| **True** || True | True |
| **False** || True | False|


In [None]:
True and False

In [None]:
True or False

In [None]:
True or True

In [None]:
not True

Use the truth tables to predict the result (True or False) of each of the following, before evaluating the code.

In [None]:
(2 > 3) and (3 > 2)

In [None]:
(1 + 1 == 2) or (1 + 1 == 3)

In [None]:
not (-1 + 1 >= 0)

In [None]:
2 + 2 == 4

In [None]:
2 + 2 != 4  # For "not equal", Python uses the operation `!=`.

In [None]:
2 + 2 != 5  # Is 2+2 *not* equal to 5?

In [None]:
not (2 + 2 == 5)  # The same as above, but a bit longer to write.

Experiment below to see how Python handles a double or triple negative, i.e., something with a `not` `not`.

In [None]:
# Experiment here.


Python does give an interpretation to arithmetic operations with booleans and numbers.  Try to guess this interpretation with the following examples.  Change the examples to experiment!

In [None]:
False * 100

In [None]:
True + 13

This ability of Python to interpret operations based on context is a mixed blessing.  On one hand, it leads to handy shortcuts -- quick ways of writing complicated programs.  On the other hand, it can lead to code that is harder to read, especially for a Python novice.  Good programmers aim for code that is easy to read, not just short!

The [Zen of Python](https://www.python.org/dev/peps/pep-0020/) is a series of 20 aphorisms for Python programmers.  The first seven are below.

> Beautiful is better than ugly.

> Explicit is better than implicit.

> Simple is better than complex.

> Complex is better than complicated.

> Flat is better than nested.

> Sparse is better than dense.

> Readability counts.

### Exercises

1.  Did you look at the truth tables closely?  Can you remember, from memory, what `True or False` equals, or what `True and False` equals?  

2.  How might you easily remember the truth tables?  How do they resemble the standard English usage of the words "and" and "or"?

3.  If you wanted to know whether a number, like 2349872348723, is a multiple of 7 but **not** a multiple of 11, how might you write this in one line of Python code?

4.  You can chain together `and` commands, e.g., with an expression like `True and True and True` (which would evaluate to `True`).  You can also group booleans, e.g., with `True and (True or False)`.  Experiment to figure out the order of operations (`and`, `or`, `not`) for booleans.

6.  The operation `xor` means "exclusive or".  Its truth table is: `True xor True = False` and `False xor False = False` and `True xor False = True` and `False xor True = True`.  How might you implement `xor` in terms of the usual `and`, `or`, and `not`?



In [None]:
#  Use this space to work on the exercises


<a id='variables'></a>

## Declaring variables

A central feature of programming is the declaration of variables.  When you declare a variable, you are *storing* data in the computer's *memory* and you are assigning a *name* to that data.  Both storage and name-assignment are carried out with the *single* equality symbol =.

In [None]:
e = 2.71828

With this command, the float 2.71828 is stored somewhere inside your computer, and Python can access this stored number by the name "e" thereafter.  So if you want to compute "e squared", a single command will do.

In [None]:
e * e

In [None]:
type(e)

You can use just about any name you want for a variable, but your name *must* start with a letter, *must* not contain spaces, and your name *must* not be an existing Python word.  Characters in a variable name can include letters (uppercase and lowercase) and numbers and underscores `_`.  

So `e` is a valid name for a variable, but `type` is a bad name.  It is very tempting for beginners to use very short abbreviation-style names for variables (like `dx` or `vbn`).  But resist that temptation and use more descriptive names for variables, like `difference_x` or `very_big_number`.  This will make your code readable by you and others!

There are different style conventions for variable names.  We use lowercase names, with underscores separating words,  roughly following [Google's style conventions](https://google.github.io/styleguide/pyguide.html#Python_Style_Rules) for Python code.

In [None]:
my_number = 17

In [None]:
my_number < 23

After you declare a variable, its value remains the same until it is changed.  You can change the value of a variable with a simple assignment.  After the above lines, the value of my_number is 17.

In [None]:
my_number = 3.14

This command reassigns the value of my_number to 3.14.  Note that it changes the type too!  It effectively overrides the previous value and replaces it with the new value.

Often it is useful to change the value of a variable *incrementally* or *recursively*.  Python, like many programming languages, allows one to assign variables in a self-referential way.  What do you think the value of S will be after the following four lines?

In [None]:
S = 0
S = S + 1
S = S + 2
S = S + 3
print(S)

The first line `S = 0` is the initial declaration:  the value 0 is stored in memory, and the name S is assigned to this value.

The next line `S = S + 1` looks like nonsense, as an algebraic sentence.  But reading = as **assignment** rather than **equality**, you should read the line `S = S + 1` as assigning the *value* `S + 1` to the *name* `S`.  When Python interprets `S = S + 1`, it carries out the following steps.

1.  Compute the value of the right side, `S+1`.  (The value is 1, since `S` was assigned the value 0 in the previous line.)
2.  Assign this value to the left side, `S`.  (Now `S` has the value 1.)

Well, this is a slight lie.  Python probably does something more efficient, when given the command `S = S + 1`, since such operations are hard-wired in the computer and the Python interpreter is smart enough to take the most efficient route.  But at this level, it is most useful to think of a self-referential assignment of the form `X = expression(X)` as a two step process as above.

1.  Compute the value of `expression(X)`.
2.  Assign this value to `X`.

Now consider the following three commands.

In [None]:
my_number = 17
new_number = my_number + 1
my_number = 3.14

What are the values of the variables my_number and new_number, after the execution of these three lines?

To access these values, you can use the *print* function.

In [None]:
print(my_number)
print(new_number)

Python is an *interpreted* language, which means (roughly) that Python carries out commands line-by-line from top to bottom.  So consider the three lines

``` python
my_number = 17
new_number = my_number + 1
my_number = 3.14
```

Line 1 sets the value of my_number to 17.  Line 2 sets the value of new_number to 18.  Line 3 sets the value of my_number to 3.14.  But Line 3 does *not* change the value of new_number at all.

(This will become confusing and complicated later, as we study mutable and immutable types.)

### Exercises

1.  What is the difference between `=` and `==` in the Python language?

2.  If the variable `x` has value `3`, and you then evaluate the Python command `x = x * x`, what will be the value of `x` after evaluation?

3.  Imagine you have two variables `a` and `b`, and you want to switch their values.  How could you do this in Python?

In [None]:
#  Use this space to work on the exercises.


<a id='ranges'></a>

## Lists and ranges

Python stands out for the central role played by *lists*.  A *list* is what it sounds like -- a list of data.  Data within a list can be of any type.  Multiple types are possible within the same list!  The basic syntax for a list is to use brackets to enclose the list items and commas to separate the list items.

In [None]:
type([1,2,3])

In [None]:
type(['Hello',17])

There is another type called a *tuple* that we will rarely use.  Tuples use parentheses for enclosure instead of brackets.

In [None]:
type((1,2,3))

There's another list-like type in Python 3, called the `range` type.  Ranges are kind of like lists, but instead of plunking every item into a slot of memory, ranges just have to remember three integers:  their *start*, their *stop*, and their *step*.    

The `range` command creates a range with a given start, stop, and step.  If you only input one number, the range will ***start at zero*** and use ***steps of one*** and will stop ***just before*** the given stop-number.

One can create a list from a range (plunking every term in the range into a slot of memory), by using the `list` command.  Here are a few examples.

In [None]:
type(range(10)) # Ranges are their own type, in Python 3.x.  Not in Python 2.x!

In [None]:
list(range(10)) # Let's see what's in the range.  Note it starts at zero!  Where does it stop?

A more complicated two-input form of the range command produces a range of integers **starting at** a given number, and **terminating before** another given number.

In [None]:
list(range(3,10))

In [None]:
list(range(-4,5))

This is a common source of difficulty for Python beginners.  While the first parameter (-4) is the starting point of the list, the list ends just before the second parameter (5).  This takes some getting used to, but experienced Python programmers grow to like this convention.

The *length* of a list can be accessed by the len command.

In [None]:
len([2,4,6])

In [None]:
len(range(10))  # The len command can deal with lists and ranges.  No need to convert.

In [None]:
len(range(10,100)) # Can you figure out the length, before evaluating?

The final variant of the range command (for now) is the *three-parameter* command of the form `range(a,b,s)`.  This produces a list like `range(a,b)`, but with a "step size" of `s`.  In other words, it produces a list of integers, beginning at `a`, increasing by `s` from one entry to the next, and going up to (but not including) `b`.  It is best to experiment a bit to get the feel for it!

In [None]:
list(range(1,10,2))

In [None]:
list(range(11,30,2))

In [None]:
list(range(-4,5,3))

In [None]:
list(range(10,100,17))

This can be used for descending ranges too, and observe that the final number b in range(a,b,s) is not included.

In [None]:
list(range(10,0,-1))

How many multiples of 7 are between 10 and 100?  We can find out pretty quickly with the range command and the len command (to count).

In [None]:
list(range(10,100,7))  # What list will this create?  It won't answer the question...

In [None]:
list(range(14,100,7))  # Starting at 14 gives the multiples of 7.

In [None]:
len(range(14,100,7))  # Gives the length of the list, and answers the question!

### Exercises

1.  If `a` and `b` are integers, what is the length of `range(a,b)`?

2.  Use a list and range command to produce the list `[1,2,3,4,5,6,7,8,9,10]`.

3.  Create the list [1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5] with a single list and range command and another operation.

4.  How many multiples of 3 are there between 300 and 3000?

In [None]:
#  Use this space to work on the exercises.


<a id='iterating'></a>

## Iterating over a range

Computers are excellent at repetitive reliable tasks.  If we wish to perform a similar computation, many times over, a computer a great tool.  Here we look at a common and simple way to carry out a repetetive computation:  the "for loop".  The "for loop" *iterates* through items in a list or range, carrying out some action for each item.  Two examples will illustrate.

In [None]:
for n in [1,2,3,4,5]:
    print(n*n)

In [None]:
for s in ['I','Am','Python']:
    print(s + "!")

The first loop, **unraveled**, carries out the following sequence of commands.

In [None]:
n = 1
print(n*n)
n = 2
print(n*n)
n = 3
print(n*n)
n = 4
print(n*n)
n = 5
print(n*n)

But the "for loop" is more efficient *and* more readable to programmers.  Indeed, it saves the repetition of writing the same command `print n*n` over and over again.  It also makes transparent, from the beginning, the range of values that `n` is assigned to.  

When you read and write "for loops", you should consider how they look unravelled -- that is how Python will carry out the loop.  And when you find yourself faced with a repetetive task, you might consider whether it may be wrapped up in a for loop.

Try to unravel the loop below, and predict the result, before evaluating the code.

In [None]:
P = 1
for n in range(1,6):
    P = P * n
print(P)

This might have been difficult!  So what if you want to trace through the loop, as it goes?  Sometimes, especially when debugging, it's useful to inspect every step of the loop to see what Python is doing.  We can inspect the loop above, by inserting a print command within the *scope* of the loop.

In [None]:
P = 1
for n in range(1,6):
    P = P * n
    print("n is",n,"and P is",P)
print(P)

Here we have used the *print* command with strings and numbers together.  In Python 3.x, you can print multiple things on the same line by separating them by commas.  The "things" can be strings (enclosed by single or double-quotes) and numbers (int, float, etc.).

In [None]:
print("My favorite number is",17)

If we unravel the loop above, the linear sequence of commands interpreted by Python is the following.

In [None]:
P = 1
n = 1
P = P * n
print("n is",n,"and P is",P)
n = 2
P = P * n
print("n is",n,"and P is",P)
n = 3
P = P * n
print("n is",n,"and P is",P)
n = 4
P = P * n
print("n is",n,"and P is",P)
n = 5
P = P * n
print("n is",n,"and P is",P)
print (P)

Let's analyze the loop syntax in more detail.  
```python
P = 1
for n in range(1,6):
    P = P * n  # this command is in the scope of the loop.
    print("n is",n,"and P is",P)  # this command is in the scope of the loop too!
print(P)
```
The "for" command ends with a colon `:`, and the **next two** lines are indented.  The colon and indentation are indicators of **scope**.  The *scope* of the for loop begins after the colon, and includes all indented lines.  The *scope* of the for loop is what is repeated in every step of the loop (in addition to the reassignment of `n`).  

In [None]:
P = 1
for n in range(1,6):
    P = P * n  # this command is in the scope of the loop.
    print("n is",n,"and P is",P)  # this command is in the scope of the loop too!
print(P)

If we change the indentation, it changes the scope of the for loop.  Predict what the following loop will do, by unraveling, before evaluating it.

In [None]:
P = 1
for n in range(1,6):
    P = P * n
print("n is",n,"and P is",P)
print(P)

Scopes can be nested by nesting indentation.  What do you think the following loop will do?  Can you unravel it?

In [None]:
for x in [1,2,3]:
    for y in ['a', 'b']:
        print(x,y)

How might you create a nested loop which prints `1 a` then `2 a` then `3 a` then `1 b` then `2 b` then `3 b`?  Try it below.

In [None]:
# Insert your loop here.

Among popular programming languages, Python is particular about indentation.  Other languages indicate scope with open/close braces, for example, and indentation is just a matter of style.  By requiring indentation to indicate scope, Python effectively removes the need for open/close braces, and enforces a readable style.

We have now encountered data types, operations, variables, and loops.  Taken together, these are powerful tools for computation!  Try the following exercises for more practice.  You can also try the exercises at the end of Chapter 0 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105/) -- some can be done easily by writing a few lines of Python code.

## Exercises

1.  Describe how Python interprets division with remainder when the divisor and/or dividend is negative.
2.  What is the remainder when $2^{90}$ is divided by $91$?
3.  How many multiples of 13 are there between 1 and 1000?
4.  How many *odd* multiples of 13 are there between 1 and 1000?
5.  What is the sum of the numbers from 1 to 1000?
6.  What is the sum of the squares, from $1 \cdot 1$ to $1000 \cdot 1000$?

# Part 2:  Functions in Python 3.x

A distinguishing property of *programming* languages is that the programmer can create their own *functions*.  Creating a *function* is like teaching the computer a new trick.  Typically a function will receive some data as *input*, will perform an *algorithm* involving the input data, and will *output* data when the algorithm terminates.  

In this part, we explore Python functions.  We also explore control statements, which allow a program to behave in different ways for different inputs.  We also introduce the *while loop*, a loop whose repetition can be more carefully controlled than a for loop.  As an application of these techniques, we implement the Euclidean algorithm as a Python function in a few ways, to effectively find the GCD of integers and solve linear Diophantine equations.  This complements **Chapter 1** of An Illustrated Theory of Numbers.

## Table of Contents

- [Getting started with Python functions](#functions)
- [Control statements](#controls)
- [While loops and implementation of the Eucidean algorithm](#while)
- [Solving the linear Diophantine equation](#solving)


<a id='functions'></a>

## Getting started with Python functions

A *function* in Python is a construction which takes input data, performs some actions, and outputs data.  It is best to start with a few examples and break down the code.  Here is a function `square`.  Run the code as usual by pressing *shift-Enter* when the code block is selected.

In [None]:
def square(x):
    answer = x * x
    return answer

When you run the code block, you probably didn't see anything happen.  But you have effectively taught your computer a new trick, increasing the vocabulary of commands it understands through the Python interpreter.  Now you can use the `square` command as you wish.

In [None]:
square(12)

In [None]:
square(1.5)

Let's break down the syntax of the *function declaration*, line by line.

```python
def square(x):
    answer = x * x
    return answer
```

The first line begins with the Python reserved word `def`.  (So don't use `def` as a variable name!).  The word `def` stands for "define" and it defines a function called `square`.  After the function name `square` comes parentheses `(x)` containing the **argument** `x`.  The *arguments* or *parameters* of a function refer to the input data.  Even if your function has no arguments, you need parentheses.  The argument `x` is used to name whatever number is input into the `square` function.  

At the end of the function declaration line is a colon `:` and the following two lines are indented.  As in the case of for loops, the colon and indentation are signals of *scope*.  Everything on the indented lines is considered the *scope of the function* and is carried out when the function is used later.

The second line `answer = x * x` is the beginning of the scope of the function.  It declares a variable `answer` and sets the value to be `x * x`.  So if the argument `x` is 12, then `answer` will be set to 144.  The variable `answer`, being declared within the scope of the function, will not be accessible outside the scope of the function.  It is called a **local variable**.

The last line `return answer` contains the Python reserved word `return`, which terminates the function and outputs the value of the variable `answer`.  So when you apply the function with the command `square(1.5)`, the number `1.5` is the argument `x`, and `answer` is `2.25`, and that number `2.25` becomes the output.

A function does not have to return a value.  Some functions might just provide some information.  Here is a function which displays the result of division with remainder as a sentence with addition and multiplication.

In [None]:
def display_divmod(a,b):
    quotient = a // b # Integer division
    remainder = a % b #
    print("{} = {} ({}) + {}".format(a,quotient,b,remainder))

In [None]:
display_divmod(23,5)

Notice that this function has no `return` line.  The function terminates automatically at the end of its scope.

The function also uses Python's **string formatting**.  This has changed between Python 2.x and 3.x, and this notebook uses Python 3.x syntax.

String formatting allows you to insert placeholders like `{}` within a string, and later fill those places with a list of things.  

In [None]:
print("My favorite number is {}".format(17))  # The .format "method" substitutes 17 for {}

In [None]:
print("{} + {} = {}".format(13,12,13+12))

The `format` command is an example of a **string method**.  It has the effect of replacing all placeholders `{}` by the its inputs, in sequence.  There is an intricate syntax for these placeholders, to allow one to match placeholders with values in different orders, and to format different kinds of values.  Here is the [official reference for string formatting in Python 3.x](https://docs.python.org/3/library/string.html#formatstrings).  We will only use the most basic features, exhibited below.

In [None]:
print ("The number {} comes before {}.".format(1,2)) # This should be familiar.
print ("The number {1} comes before {0}.".format(1,2)) # What happens?
print ("The number {1} comes before {1}.".format(1,2)) # Got it now?



By placing a number in the placeholder, like `{1}`, one can fill in the placeholders with the values in a different order, or repeat the same value.  The format method takes multiple parameters, and they are numbered:  parameter 0, parameter 1, parameter 2, etc..  So the placeholder `{1}` will be replaced by the second parameter (parameter 1).  It's confusing at first, but Python almost always starts counting at zero.

In [None]:
print("pi is approximately {0}".format(3.14159265))
print("pi is approximately {0:f}".format(3.14159265)) # The "f" in "0:f" formats the float.
print("pi is approximately {0:0.3f}".format(3.14159265)) # Choose 3 digits of precision.


If you give some information about how the placeholder is being used, the format method will format things more nicely for printing.  The placeholder `{0:f}` will be replaced by parameter 0, and it will be formatted in a way that is nice for floats (hence the `f`).  Don't try formatting things outside of their type!

In [None]:
print("{:d} is a pretty big integer.".format(2**100)) # d is the formatting code for integers.
print("{:f} is an integer, formatted like a float.".format(2**100))
print("{:f} is a float, of course.".format(1/7))
print("{:s} is a string.".format('Hi there!')) # s is the formatting code for strings.
print("{:d} will give us an error message.".format(1/7))


In [None]:
from math import sqrt  # Make sure the square root function is loaded.
print("The square root of {0:d} is about {1:f}.".format(1000, sqrt(1000)))

### Exercises

1.  What are the signals of scope in Python?

2.  Write a function called area_circle, which takes one argument radius. The function should return the area of the circle, as a floating point number. Then add one line to the function, using string formatting, so that it additionally prints a helpful sentence of the form "The area of a circle of radius 1.0 is 3.14159." (depending on the radius and the area it computes).

3. `format` is an example of a method.  Another neat one is `replace`.  Try `"Python".replace("yth","arag")` to see what it does.  

4.  Try the formatting codes `%` and `E` (instead of `f`) for a floating point number.  What do they do?

5. Can you think of a reason you might want to have a function with *no* arguments?

In [None]:
#  Use this space to work on the Exercises.  
#  Remember that you can add a new cell above/below by clicking to the left of a cell,
#  (the cell will have a blue bar at the left) and then pressing "a" or "b" on the keyboard.


<a id='controls'></a>

## Control statements

It is important for a computer program to behave differently under different circumstances.  The simplest control statements, `if` and its relative `else`, can be used to tell Python to carry out different actions depending on the value of a boolean variable.  The following function exhibits the syntax.

In [None]:
def is_even(n):
    if n%2 == 0:
        print("{} is even.".format(n))
        return True
    else:
        print("{} is odd.".format(n))
        return False

In [None]:
is_even(17)

In [None]:
is_even(1000)

The broad syntax of the function should be familiar.  We have created a function called `is_even` with one argument called `n`.  The body of the function uses the **control statement** `if n%2 == 0:`.  Recall that `n%2` gives the remainder after dividing `n` by `2`.  Thus `n%2` is 0 or 1, depending on whether `n` is even or odd.  Therefore the **boolean** `n%2 == 0` is `True` if `n` is even, and `False` if `n` is odd.

The next two lines (the first `print` and `return` statements) are within the **scope** of the `if <boolean>:` statement, as indicated by the colon and the indentation.  The `if <boolean>:` statement tells the Python interpreter to perform the statements within the scope if the boolean is `True`, and to ignore the statements within the scope if the boolean is `False`.

Putting it together, we can analyze the code.
```python
    if n%2 == 0:
        print("{} is even.".format(n))
        return True
```
If `n` is even, then the Python interpreter will print a sentence of the form `n is even`.  Then the interpreter will return (output) the value `True` and the function will terminate.  If `n` is odd, the Python interpreter will ignore the two lines of scope.

Often we don't just want Python to *do nothing* when a condition is not satisfied.  In the case above, we would rather Python tell us that the number is odd.  The `else:` control statement tells Python what to do in case the `if <boolean>:` control statement receives a `False` boolean.  We analyze the code
```python
    else:
        print("{} is odd.".format(n))
        return False
```
The `print` and `return` commands are within the scope of the `else:` control statement.  So when the `if` statement receives a false signal (the number `n` is odd), the program prints a sentence of the form `n is odd.` and then returns the value `False` and terminates the function.

The function `is_even` is a verbose, or "talkative" sort of function.  Such a function is sometimes useful in an interactive setting, where the programmer wants to understand everything that's going on.  But if the function had to be called a million times, the screen would fill with printed sentences!  In practice, an efficient and silent function `is_even` might look like the following.

In [None]:
def is_even(n):
    return (n%2 == 0)

In [None]:
is_even(17)

A `for` loop and an `if` control statement, used together, allow us to carry out a **brute force** search.  We can search for factors in order to check whether a number is prime.  Or we can look for solutions to an equation until we find one.

One thing to note:  the function below begins with a block of text between a triple-quote (three single-quotes when typing).  That text is called a **docstring** and it is meant to document what the function does.  Writing clear docstrings becomes more important as you write longer programs, collaborate with other programmers, and when you want to return months or years later to use a program again.  There are different style conventions for docstrings; for example, here are [Google's docstring conventions](https://google.github.io/styleguide/pyguide.html?showone=Comments#Comments).  We take a less formal approach.

In [None]:
def is_prime(n):
    '''
    Checks whether the argument n is a prime number.
    Uses a brute force search for factors between 1 and n.
    '''
    for j in range(2,n):  # the list of numbers 2,3,...,n-1.
        if n%j == 0:  # is n divisible by j?
            print("{} is a factor of {}.".format(j,n))
            return False
    return True

An important note:  the `return` keyword **terminates** the function.  So as soon as a factor is found, the function terminates and outputs `False`.  If no factor is found, then the function execution survives past the loop, and the line `return True` is executed to terminate the function.

In [None]:
is_prime(91)

In [None]:
is_prime(101)

Try the `is_prime` function on bigger numbers -- try numbers with 4 digits, 5 digits, 6 digits.  Where does it start to slow down?  Do you get any errors when the numbers are large?  Make sure to save your work first, just in case this crashes your computer!  



In [None]:
# Experiment with is_prime here.


There are two limiting factors, which we study in more detail in the next lesson.  These are **time** and **space** (your computer's memory space).  As the loop of `is_prime` goes on and on, it might take your computer a long time!  If each step of the loop takes only a nanosecond (1 billionth of a second), the loop would take about a second when executing `is_prime(1000000001)`.  If you tried `is_prime` on a much larger number, like `is_prime(2**101 - 1)`, the loop would take longer than the lifetime of the Earth.

The other issue that can arise is a problem with *space*.  In Python 3.x, the `range(2,n)` cleverly *avoids* storing all the numbers between `2` and `n-1` in memory.  It just remembers the endpoints, and how to proceed from one number to the next.  In the older version, Python 2.x, the range command `range(2,n)` would have tried to store the entire list of numbers `[2,3,4,...,n-1]` in the memory of your computer.  Your computer has some (4 or 8 or 16, perhaps) gigabytes of memory (RAM).  A gigabyte is a billion bytes, and a byte is enough memory to store a number between 0 and 255.  (More detail about this later!).  So a gigabyte will not even hold a billion numbers.  So our `is_prime` function would have led to memory problems in Python 2.x, but in Python 3.x we don't have to worry (for now) about space.

### Exercises

1.  Create a function `my_abs(x)` which outputs the absolute value of the argument `x`.  (Note that Python already has a built-in `abs(x)` function).  

2.  Modify the `is_prime` function so that it prints a message `Number too big` and returns `None` if the input argument is bigger than one million.  (Note that `None` is a Python reserved word.  You can use the one-line statement `return None`.)  

3.  Write a Python function `thrarity` which takes an argument `n`, and outputs the string `threeven` if `n` is a multiple of three, or `throdd` is `n` is one more than a multiple of three, or `thrugly` if `n` is one less than a multiple of three.  Example:  `thrarity(31)` should output `throdd` and `thrarity(44)` should output `thrugly`.  Hint:  study the `if`/`elif` syntax at [the official Python tutorial](https://docs.python.org/2/tutorial/controlflow.html#if-statements)

4.  Write a Python function `sum_of_squares(n)` which finds and prints a pair of natural numbers $x$, $y$, such that $x^2 + y^2 = n$.  The function should use a brute force search and return `None` if no such pair of numbers $x,y$ exists. 

In [None]:
#  Use this space for your solutions to the questions.


<a id='while'></a>

## While loops and implementation of the Eucidean algorithm

We *almost* have all the tools we need to implement the Euclidean algorithm.  The last tool we will need is the **while loop**.  We have seen the *for loop* already, which is very useful for iterating over a range of numbers.  The Euclidean algorithm involves repetition, but there is no way to know in advance how many steps it will take.  The while loop allows us to repeat a process as long as a boolean value (sometimes called a **flag**) is True.  The following countdown example illustrates the structure of a while loop.

In [None]:
def countdown(n):
    current_value = n
    while current_value > 0:  # The condition (current_value > 0) is checked before every instance of the scope!
        print(current_value)
        current_value = current_value - 1

In [None]:
countdown(10)

The while loop syntax begins with `while <boolean>:` and the following indented lines comprise the scope of the loop.  If the boolean is `True`, then the scope of the loop is executed.  If the boolean is `True` again afterwards, then the scope of the loop is executed again.  And again and again and so on.

This can be a **dangerous process**!  For example, what would happen if you made a little typo and the last line of the while loop read `current_value = current_value + 1`?  The numbers would increase and increase... and the boolean `current_value > 0` would **always** be `True`.  Therefore the loop would never end.  Bigger and bigger numbers would scroll down your computer screen.  

You might panic under such a circumstance, and maybe turn your computer off to stop the loop.  Here is some advice for when your computer gets stuck in such a neverending loop:

1.  Back up your work often.  When you're programming, make sure everything else is saved just in case.
2.  Save your programming work (use "Save and checkpoint" under the "File" menu) often, especially before running a cell with a loop for the first time.
3.  If you *do* get stuck in a neverending loop, click on "Kernel... Interrupt".  This will often unstick the loop and allow you to pick up where you left off.  
4.  On a Mac, you might try a "Force Quit" of the Python process, using the Activity Manager.

Now, if you're feeling brave, save your work, change the while loop so that it never ends, and try to recover where you left off.  But be aware that this could cause your computer to freeze or behave erratically, crashing your browser, etc.  Don't panic... it won't break your computer permanently.

The neverending loop causes two problems here.  One is with your computer processor, which will be essentially spinning its wheels.  This is called [busy waiting](https://en.wikipedia.org/wiki/Busy_waiting), and your computer will essentially be busy waiting forever.  The other problem is that your loop is printing more and more lines of text into the notebook.  This could easily crash your web browser, which is trying to store and display zillions of lines of numbers.  So be ready for problems!  

### The Euclidean algorithm with a while loop

The **Euclidean Algorithm** is a process of repeated division with remainder.  Beginning with two integers `a` (dividend) and `b` (divisor), one computes quotient `q` and remainder `q` to express `a = qb + r`.  Then `b` becomes the dividend and `r` becomes the divisor, and one repeats.  The repetition continues, and the **last nonzero** remainder is the greatest common divisor of `a` and `b`.  It is the subject of Chapter 1 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105).

We implement the Euclidean algorithm in a few variations.  The first will be a verbose version, to show the user what happens at every step.  We use a while loop to take care of the repetition.

In [None]:
def Euclidean_algorithm(a,b):
    dividend = a
    divisor = b
    while divisor != 0:   # Recall that != means "is not equal to".
        quotient = dividend // divisor
        remainder = dividend % divisor
        print("{} = {} ({}) + {}".format(dividend, quotient, divisor, remainder))
        dividend = divisor  
        divisor = remainder

In [None]:
Euclidean_algorithm(133, 58)

In [None]:
Euclidean_algorithm(1312331323, 58123123)

This is excellent if we want to know every step of the Euclidean algorithm.  If we just want to know the GCD of two numbers, we can be less verbose.  We carefully return the last nonzero remainder after the while loop is concluded.  This last nonzero remainder becomes the divisor when the remainder becomes zero, and then it would become the dividend in the next (unprinted) line.  That is why we return the (absolute value) of the dividend after the loop is concluded.  You might insert a line at the end of the loop, like `print dividend, divisor, remainder` to help you track the variables.

In [None]:
def GCD(a,b):
    dividend = a # The first dividend is a.
    divisor = b # The first divisor is b.
    while divisor != 0:   # Recall that != means "not equal to".
        quotient = dividend // divisor
        remainder = dividend % divisor
        dividend = divisor  
        divisor = remainder
    return abs(dividend)  #  abs() is used, since we like our GCDs to be positive.

Note that the `return dividend` statement occurs *after* the scope of the while loop.  So as soon as the *divisor* variable equals zero, the funtion `GCD` returns the *dividend* variable and terminates.

In [None]:
GCD(111,27)

In [None]:
GCD(111,-27)

We can refine our code in a few ways.  First, note that the `quotient` variable is never used!  It was nice in the verbose version of the Euclidean algorithm, but plays no role in finding the GCD.  Our refined code reads
```python
def GCD(a,b):
    dividend = a  
    divisor = b  
    while divisor != 0:   # Recall that != means "not equal to".
        remainder = dividend % divisor
        dividend = divisor  
        divisor = remainder
    return abs(dividend) 
```

Now there are two slick Python tricks we can use to shorten the code.  The first is called **multiple assignment**.  It is possible to set the values of two variables in a single line of code, with a syntax like below.

In [None]:
x,y = 2,3  # Sets x to 2 and y to 3.

This is particular useful for self-referential assignments, because as for ordinary assignment, the right side is evaluated first and then bound to the variables on the left side.  For example, after the line above, try the line below.  Use print statements to see what the values of the variables are afterwards!

In [None]:
x,y = y,x #  Guess what this does!

In [None]:
print("x =",x) # One could use "x = {}".format(x) too.
print("y =",y)

Now we can use multiple assignment to turn three lines of code into one line of code.  For the `remainder` variable is only used temporarily before its value is given to the `divisor` variable.  Using multiple assignment, the three lines
```python
    remainder = dividend % divisor
    dividend = divisor  
    divisor = remainder
```
can be written in one line,
```python
    dividend, divisor = divisor, dividend % divisor # Evaluations on the right occur before any assignments!
```

Our newly shortened GCD function looks like this.
```python
def GCD(a,b):
    dividend = a  
    divisor = b  
    while divisor != 0:   # Recall that != means "not equal to".
        dividend, divisor = divisor, dividend % divisor
    return abs(dividend)
```

The next trick involves the while loop.  The usual syntax has the form `while <boolean>:`.  But if `while` is followed by a numerical type, e.g. `while <int>:`, then the scope of the while loop will execute as long as the number is nonzero!  Therefore, the line
```python
while divisor != 0:
```
can be replaced by the shorter line
```python
while divisor:
```

This is truly a trick.  It probably won't speed anything up, and it does not make your program easier to read for beginners.  So use it if you prefer communicating with experienced Python programmers!  Here is the whole function again.
```python
def GCD(a,b):
    dividend = a  
    divisor = b  
    while divisor:   # Executes the scope if divisor is nonzero.
        dividend, divisor = divisor, dividend % divisor
    return abs(dividend)
```

The next optimization is a bit more dangerous for beginners, but it works here.  In general, it can be dangerous to operate directly on the arguments to a function.  But in this setting, it is safe, and makes no real difference to the Python interpreter.  Instead of creating new variables called `dividend` and `divisor`, one can manipulate `a` and `b` directly within the function.  If you do this, the GCD function can be shortened to the following.

In [None]:
def GCD(a,b):
    while b:   # Recall that != means "not equal to".
        a, b = b, a % b
    return abs(a)

In [None]:
# Try it out.  Try it on some big numbers and see how quick it runs!


This code is essentially optimal, if one wishes to execute the Euclidean algorithm to find the GCD of two integers.  It almost [matches the GCD code in a standard Python library](https://stackoverflow.com/a/18944210).  It might be slightly faster than our original code -- but there is a tradeoff here between execution speed and readability of code.  In this and the following lessons, we often optimize enough for everyday purposes, but not so much that readability is lost.

### Exercises

1.  Modify the `is_prime` function by using a while loop instead of `for j in range(2,n):`.  Hint:  the function should contain the lines `j = 2` and `while j < n:` and `j = j + 1` in various places.  Why might this be an improvement from the for loop?

2.  Modify the `Euclidean_algorithm` function to create a function which returns the *number of steps* that the Euclidean algorithm requires, i.e., the number of divisions-with-remainder. 

3.  Create a function which carries out division with minimal remainder.  In other words, given integers a,b, the function expresses a = q(b) + r, where r is a *positive or negative* integer of magnitude bounded by b/2.  Use such a function to create a new Euclidean algorithm function which uses minimal remainder.

4.  What `GCD(a,b)` function do you think strikes the best balance between efficiency and readability?

In [None]:
# Use this space to work on the exercises.


<a id='solving'></a>

## Solving the linear Diophantine equation

In Chapter 1 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105), we not only used the Euclidean algorithm to find the GCD of two integers, but also to solve the linear Diophantine equation $ax + by = c$.  On paper, this required us to perform the Euclidean algorithm, then "work backwards" to carefully solve a series of linear equations.  This process is repetetive and error-prone... perfect for a computer.  

So here we develop a function `solve_LDE(a,b,c)` which will describe all integer solutions $x,y$ to the equation $ax + by = c$.

The idea of the algorithm is to keep track of "hops" and "skips" throughout the Euclidean algorithm.  A general step in the Euclidean algorithm looks like `u = q(v) + r`.  The remainder can then be expressed by the formula `r = u - q(v)`.  If `u` and `v` can be built from hops and skips, then `r` can be built from hops and skips.  How many?  Just tally the hops and skips to find: 

<p style="text-align: center;">`r_hops = u_hops - q (v_hops)` and `r_skips = u_skips - q (v_skips)`.</p>

This sort of tallying is what makes the algorithm below work.  The function below does not introduce any new programming concepts, but it assembles many ideas together.


In [None]:
def hop_and_skip(a,b):
    '''
    Takes two integer arguments a,b, and prints a sentence of the form
    GCD(a,b) = x(a) + y(b).  The method is the Euclidean algorithm,
    tallying hops (units of a) and skips (units of b) along the way.
    '''
    u = a # We use u instead of dividend.
    v = b # We use v instead of divisor.
    u_hops, u_skips = 1,0 # u is built from one hop (a) and no skips, for now.
    v_hops, v_skips = 0,1 # v is built from no hops and one skip (b), for now.
    while v != 0:   # We could just write "while v:"
        q = u // v  # q stands for quotient.
        r = u % v  # r stands for remainder.  So u = q(v) + r.
        
        r_hops = u_hops - q * v_hops  # Tally hops
        r_skips = u_skips - q * v_skips  # Tally skips
        
        u,v = v,r  # The new dividend,divisor is the old divisor,remainder.
        u_hops, v_hops = v_hops, r_hops # The new u_hops, v_hops is the old v_hops, r_hops
        u_skips, v_skips = v_skips, r_skips # The new u_skips, v_skips is the old v_skips, r_skips
    
    print("{} = {}({}) + {}({})".format(u,u_hops,a,u_skips,b))

In [None]:
hop_and_skip(102,45)

Try out the hop_and_skip code on some integers of your choice.  Does it behave correctly?  Check the results, using Python as a calculator.  Does it run quickly for large integers?

In [None]:
#  Experimentation space here.


To conclude this lesson, we put everything together to create a long(ish) function to solve linear Diophantine equations.  We want this function to be smart enough to respond when an equation has no solutions, and to describe *all* solutions when they exist.  

The first part of the function `solve_LDE` is the same as the hop and skip function above.  But rather than expressing $GCD(a,b)$ as $ax + by$, the function uses the GCD to determine the existence and the general form of a solution to $ax + by = c$.  The formula for the general form comes from [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105), Chapter 1, Corollary 1.25.

In [None]:
def solve_LDE(a,b,c):
    '''
    Describes all of the solutions to the linear Diophantine equation
    ax + by = c.  There are either no solutions or infinitely many solutions.
    Prints a description of the solution set, and returns None if there are no solutions
    or returns a single solution if one exists.
    '''  
    u = a # We use u instead of dividend.
    v = b # We use v instead of divisor.
    u_hops, u_skips = 1,0 # u is built from one hop (a) and no skips.
    v_hops, v_skips = 0,1 # v is built from no hops and one skip (b).
    while v != 0:   # We could just write while v:
        q = u // v  # q stands for quotient.
        r = u % v  # r stands for remainder.  So u = q(v) + r.
        
        r_hops = u_hops - q * v_hops  # Tally hops
        r_skips = u_skips - q * v_skips  # Tally skips
        
        u,v = v,r  # The new dividend,divisor is the old divisor,remainder.
        u_hops, v_hops = v_hops, r_hops # The new u_hops, v_hops is the old v_hops, r_hops
        u_skips, v_skips = v_skips, r_skips # The new u_skips, v_skips is the old v_skips, r_skips
    
    g = u # The variable g now describes the GCD of a and b.
    
    if c%g == 0:  # When GCD(a,b) divides c...
        d = c//g
        x = d * u_hops
        y = d * u_skips  # Now ax + by = c is a specific solution!
        print("{} x + {} y = {} if and only if ".format(a, b, c))
        print("x = {} + {} n and y = {} - {} n, for some integer n.".format(x,b//g,y,-a//g))
        return x,y
    else:  # When GCD(a,b) does not divide c...
        print("There are no solutions to {} x + {} y = {},".format(a,b,c))
        print("because GCD({}, {}) = {}, which does not divide {}.".format(a,b,g,c))
        return None

In [None]:
solve_LDE(102,45,3)

In [None]:
solve_LDE(72,100,17)

### Exercises

1.  Solve problems 4-7 of Chapter 1 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105) using the `solve_LDE` function.

2.  Write an `LCM` function, using the previous `GCD` function and the GCD-LCM product formula, Theorem 1.23 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105).

3.  Sometimes it is important to find not the integer solutions, but the *positive* integer solutions to a Diophantine equation.  Modify the `solve_LDE` function to create a `solve_LDE_positive(a,b,c)` function.  The output of the function should be all pairs of *positive* integers $x$, $y$, such that $ax + by = c$ (if any pairs exist), and a helpful message if no pairs exist (and a `return None` should be used in this case).

In [None]:
#  Use this space to work on the exercises.


# Part 3:  Lists and the sieve of Eratosthenes in Python 3.x

Python provides a powerful set of tools to create and manipulate lists of data.  In this part, we take a deep dive into the Python list type.  We use Python lists to implement and optimize the Sieve of Eratosthenes, which will produce a list of all prime numbers up to a big number (like 10 million) in a snap.  Along the way, we introduce some Python techniques for mathematical functions and data analysis.  This programming lesson is meant to complement **Chapter 2** of An Illustrated Theory of Numbers, and mathematical background can be found there.

## Table of Contents

- [Primality test](#primetest)
- [List manipulation](#lists)
- [The sieve](#sieve)
- [Data analysis](#analysis)


<a id='primetest'></a>

## Primality testing

Before diving into lists, we recall the **brute force** primality test that we created in the last lesson.  To test whether a number `n` is prime, we can simply check for factors.  This yields the following primality test.

In [None]:
def is_prime(n):
    '''
    Checks whether the argument n is a prime number.
    Uses a brute force search for factors between 1 and n.
    '''
    for j in range(2,n):  # the range of numbers 2,3,...,n-1.
        if n%j == 0:  # is n divisible by j?
            print("{} is a factor of {}.".format(j,n))
            return False
    return True

We can also implement this test with a **while loop** instead of a for loop.  This doesn't make much of a difference, in Python 3.x.  (In Python 2.x, this would save memory).

In [None]:
def is_prime(n):
    '''
    Checks whether the argument n is a prime number.
    Uses a brute force search for factors between 1 and n.
    '''
    j = 2
    while j < n:  # j will proceed through the list of numbers 2,3,...,n-1.
        if n%j == 0:  # is n divisible by j?
            print("{} is a factor of {}.".format(j,n))
            return False
        j = j + 1  # There's a Python abbreviation for this:  j += 1.
    return True

In [None]:
is_prime(10001)

In [None]:
is_prime(101)

If $n$ is a prime number, then the `is_prime(n)` function will iterate through all the numbers between $2$ and $n-1$.  But this is overkill!  Indeed, if $n$ is not prime, it will have a factor between $2$ and the square root of $n$.  This is because factors come in pairs:  if $ab = n$, then one of the factors, $a$ or $b$, must be less than or equal to the square root of $n$.  So it suffices to search for factors up to (and including) the square root of $n$.

We haven't worked with square roots in Python yet.  But Python comes with a [standard math package](https://docs.python.org/2/library/math.html) which enables square roots, trig functions, logs, and more.  Click the previous link for documentation.  This package doesn't load automatically when you start Python, so you have to load it with a little Python code.

In [None]:
from math import sqrt

This command **imports** the square root function (`sqrt`) from the **package** called `math`.  Now you can find square roots.

In [None]:
sqrt(1000)

There are a few different ways to import functions from packages.  The above syntax is a good starting point, but sometimes problems can arise if different packages have functions with the same name.  Here are a few methods of importing the `sqrt` function and how they differ.

`from math import sqrt`:  After this command, `sqrt` will refer to the function from the `math` package (overriding any previous definition).

`import math`:  After this command, all the functions from the `math` package will be imported.  But to call `sqrt`, you would type a command like `math.sqrt(1000)`.  This is convenient if there are potential conflicts with other packages.

`from math import *`:  After this command, all the functions from the `math` package will be imported.  To call them, you can access them directly with a command like `sqrt(1000)`.  This can easily cause conflicts with other packages, since packages can have hundreds of functions in them!

`import math as mth`:  Some people like abbreviations.  This imports all the functions from the `math` package.  To call one, you type a command like `mth.sqrt(1000)`. 

In [None]:
import math

In [None]:
math.sqrt(1000)

In [None]:
factorial(10)  # This will cause an error!

In [None]:
math.factorial(10)  # This is ok, since the math package comes with a function called factorial.

Now let's improve our `is_prime(n)` function by searching for factors only up to the square root of the number `n`.  We consider two options.

In [None]:
def is_prime_slow(n):
    '''
    Checks whether the argument n is a prime number.
    Uses a brute force search for factors between 1 and n.
    '''
    j = 2
    while j <= sqrt(n):  # j will proceed through the list of numbers 2,3,... up to sqrt(n).
        if n%j == 0:  # is n divisible by j?
            print("{} is a factor of {}.".format(j,n))
            return False
        j = j + 1  # There's a Python abbreviation for this:  j += 1.
    return True

In [None]:
def is_prime_fast(n):
    '''
    Checks whether the argument n is a prime number.
    Uses a brute force search for factors between 1 and n.
    '''
    j = 2
    root_n = sqrt(n)
    while j <= root_n:  # j will proceed through the list of numbers 2,3,... up to sqrt(n).
        if n%j == 0:  # is n divisible by j?
            print("{} is a factor of {}.".format(j,n))
            return False
        j = j + 1  # There's a Python abbreviation for this:  j += 1.
    return True

In [None]:
is_prime_fast(1000003)

In [None]:
is_prime_slow(1000003)

I've chosen function names with "fast" and "slow" in them.  But what makes them faster or slower?  Are they faster than the original?  And how can we tell?

Python comes with a great set of tools for these questions.  The simplest (for the user) are the time utilities.  By placing the **magic** `%timeit` before a command, Python does something like the following:

1.  Python makes a little container in your computer devoted to the computations, to avoid interference from other running programs if possible.
2.  Python executes the command lots and lots of times.
3.  Python averages the amount of time taken for each execution.  

Give it a try below, to compare the speed of the functions `is_prime` (the original) with the new `is_prime_fast` and `is_prime_slow`.  Note that the `%timeit` commands might take a little while.

In [None]:
%timeit is_prime_fast(1000003)

In [None]:
%timeit is_prime_slow(1000003)

In [None]:
%timeit is_prime(1000003)

Time is measured in seconds, milliseconds (1 ms = 1/1000 second), microseconds (1 µs = 1/1,000,000 second), and nanoseconds (1 ns = 1/1,000,000,000 second).  So it might appear at first that `is_prime` is the fastest, or about the same speed.  But check the units!  The other two approaches are about a thousand times faster!  How much faster were they on your computer?

In [None]:
is_prime_fast(10000000000037)  # Don't try this with `is_prime` unless you want to wait for a long time!

Indeed, the `is_prime_fast(n)` function will go through a loop of length about `sqrt(n)` when `n` is prime.  But `is_prime(n)` will go through a loop of length about `n`.  Since `sqrt(n)` is much less than `n`, especially when `n` is large, the `is_prime_fast(n)` function is much faster.

Between `is_prime_fast` and `is_prime_slow`, the difference is that the `fast` version **precomputes** the square root `sqrt(n)` before going through the loop, where the `slow` version repeats the `sqrt(n)` every time the loop is repeated.  Indeed, writing `while j <= sqrt(n):` suggests that Python might execute `sqrt(n)` every time to check.  This *might* lead to Python computing the same square root a million times... unnecessarily!  

A basic principle of programming is to **avoid repetition**.  If you have the memory space, just compute once and store the result.  It will probably be faster to pull the result out of memory than to compute it again.

Python does tend to be pretty smart, however.  It's possible that Python **is precomputing** `sqrt(n)` even in the slow loop, just because it's clever enough to tell in advance that the same thing is being computed over and over again.  This depends on your Python version and takes place behind the scenes.  If you want to figure it out, there's a whole set of tools (for advanced programmers) like the [disassembler](https://docs.python.org/2.7/library/dis.html) to figure out what Python is doing.

In [None]:
is_prime_fast(10**14 + 37) # This might get a bit of delay.

Now we have a function `is_prime_fast(n)` that is speedy for numbers `n` in the trillions!  You'll probably start to hit a delay around $10^{15}$ or so, and the delays will become intolerable if you add too many more digits.  In a future lesson, we will see a different primality test that will be essentially instant even for numbers around $10^{1000}$!  

### Exercises

1.  To check whether a number `n` is prime, you can first check whether `n` is even, and then check whether `n` has any odd factors.  Change the `is_prime_fast` function by implementing this improvement.  How much of a speedup did you get?

2.  Use the `%timeit` tool to study the speed of `is_prime_fast` for various sizes of `n`.  Using 10-20 data points, make a graph relating the size of `n` to the time taken by the `is_prime_fast` function.

3.  Write a function `is_square(n)` to test whether a given integer `n` is a perfect square (like 0, 1, 4, 9, 16, etc.).  How fast can you make it run?  Describe the different approaches you try and which are fastest.

<a id='lists'></a>

## List manipulation

We have already (briefly) encountered the `list` type in Python.  Recall that the `range` command produces a range, which can be used to produce a list.  For example, `list(range(10))` produces the list `[0,1,2,3,4,5,6,7,8,9]`.  You can also create your own list by a writing out its terms, e.g. `L = [4,7,10]`.

Here we work with lists, and a very Pythonic approach to list manipulation.  With practice, this can be a powerful tool to write fast algorithms, exploiting the hard-wired capability of your computer to shift and slice large chunks of data.  Our application will be to implement the Sieve of Eratosthenes, producing a long list of prime numbers (without using any `is_prime` test along the way).

We begin by creating two lists to play with.

In [None]:
L = [0,'one',2,'three',4,'five',6,'seven',8,'nine',10]

### List terms and indices

Notice that the entries in a list can be of any type.  The above list `L` has some integer entries and some string entries.  Lists are **ordered** in Python, **starting at zero**.  One can access the $n^{th}$ entry in a list with a command like `L[n]`.  

In [None]:
L[3]

In [None]:
print(L[3])  # Note that Python has slightly different approaches to the print-function, and the output above.

In [None]:
print(L[4])  # We will use the print function, because it makes our printing intentions clear.

In [None]:
print(L[0])

The location of an entry is called its **index**.  So *at* the index 3, the list `L` stores the entry `three`.  Note that the same entry can occur in many places in a list.  E.g. `[7,7,7]` is a list with 7 at the zeroth, first, and second index.

In [None]:
print(L[-1])
print(L[-2])

The last bit of code demonstrates a cool Python trick.  The "-1st" entry in a list refers to the last entry. The "-2nd entry" refers to the second-to-last entry, and so on.  It gives a convenient way to access both sides of the list, even if you don't know how long it is.

Of course, you can use Python to find out how long a list is.

In [None]:
len(L)

You can also use Python to find the sum of a list of numbers.

In [None]:
sum([1,2,3,4,5])

In [None]:
sum(range(100))  # Be careful.  This is the sum of which numbers?  # The sum function can take lists or ranges.

### List slicing

**Slicing** lists allows us to create new lists (or ranges) from old lists (or ranges), by chopping off one end or the other, or even slicing out entries at a fixed interval.  The simplest syntax has the form `L[a:b]` where `a` denotes the index of the starting entry and index of the final entry is one less than `b`.  It is best to try a few examples to get a feel for it.

Slicing a list with a command like `L[a:b]` doesn't actually *change* the original list `L`.  It just extracts some terms from the list and outputs those terms.  Soon enough, we will change the list `L` using a list assignment.

In [None]:
L[0:5]

In [None]:
L[5:11]  # Notice that L[0:5] and L[5:11] together recover the whole list.

In [None]:
L[3:7]

This continues the strange (for beginners) Python convention of starting at the first number and ending just before the last number.  Compare to `range(3,7)`, for example.  

The command `L[0:5]` can be replaced by `L[:5]` to abbreviate.  The empty opening index tells Python to start at the beginning.  Similarly, the command `L[5:11]` can be replaced by `L[5:]`.  The empty closing index tells Python to end the slice and the end.  This is helpful if one doesn't know where the list ends.

In [None]:
L[:5]

In [None]:
L[3:]

Just like the `range` command, list slicing can take an optional third argument to give a step size.  To understand this, try the command below.

In [None]:
L[2:10]

In [None]:
L[2:10:3]

If, in this three-argument syntax, the first or second argument is absent, then the slice starts at the beginning of the list or ends at the end of the list accordingly.

In [None]:
L  # Just a reminder.  We haven't modified the original list!

In [None]:
L[:9:3]  # Start at zero, go up to (but not including) 9, by steps of 3.

In [None]:
L[2: :3] # Start at two, go up through the end of the list, by steps of 3.

In [None]:
L[::3]  # Start at zero, go up through the end of the list, by steps of 3.

### Changing list slices

Not only can we extract and study terms or slices of a list, we can change them by assignment.  The simplest case would be changing a single term of a list.

In [None]:
print(L) # Start with the list L.

In [None]:
L[5] = 'Bacon!'

In [None]:
print(L)  # What do you think L is now?

In [None]:
print(L[2::3]) # What do you think this will do?

We can change an entire slice of a list with a single assignment.  Let's change the first two terms of `L` in one line.

In [None]:
L[:2] = ['Pancakes', 'Ham']  # What was L[:2] before?

In [None]:
print(L) # Oh... what have we done!

In [None]:
L[0]

In [None]:
L[1]

In [None]:
L[2]

We can change a slice of a list with a single assignment, even when that slice does not consist of consecutive terms.  Try to predict what the following commands will do.

In [None]:
print(L)  # Let's see what the list looks like before.

In [None]:
L[::2] = ['A','B','C','D','E','F']  # What was L[::2] before this assignment? 

In [None]:
print(L)  # What do you predict?

### Exercises

1.  Create a list L with L = [1,2,3,...,100] (all the numbers from 1 to 100).  What is L[50]?

2.  Take the same list L, and extract a slice of the form [5,10,15,...,95] with a command of the form L[a:b:c].

3.  Take the same list L, and change all the even numbers to zeros, so that L looks like [1,0,3,0,5,0,...,99,0].  Hint:  You might wish to use the list [0]*50.

4.  Try the command `L[-1::-1]` on a list.  What does it do?  Can you guess before executing it?  Can you understand why?  In fact, strings are lists too.  Try setting `L = 'Hello'` and the previous command.

<a id='sieve'></a>

## Sieve of Eratosthenes

The **Sieve of Eratosthenes** (hereafter called "the sieve") is a very fast way of producing long lists of primes, without doing repeated primality checking.  It is described in more detail in Chapter 2 of [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105).  The basic idea is to start with all of the natural numbers, and successively filter out, or [**sieve**](https://en.wikipedia.org/wiki/Sieve), the multiples of 2, then the multiples of 3, then the multiples of 5, etc., until only primes are left.

Using list slicing, we can carry out this sieving process efficiently.  And with a few more tricks we encounter here, we can carry out the Sieve **very** efficiently. 

### The basic sieve

The first approach we introduce is a bit naive, but is a good starting place.  We will begin with a list of numbers up to 100, and sieve out the appropriate multiples of 2,3,5,7.

In [None]:
primes = list(range(100)) # Let's start with the numbers 0...99.

Now, to "filter", i.e., to say that a number is *not* prime, let's just change the number to the value `None`.  

In [None]:
primes[0] = None # Zero is not prime.
primes[1] = None # One is not prime.
print(primes) # What have we done?

Now let's filter out the multiples of 2, starting at 4.  This is the slice `primes[4::2]`

In [None]:
primes[4::2] = [None] * len(primes[4::2])  # The right side is a list of Nones, of the necessary length.
print(primes) # What have we done?

Now we filter out the multiples of 3, starting at 9.

In [None]:
primes[9::3] = [None] * len(primes[9::3])  # The right side is a list of Nones, of the necessary length.
print(primes) # What have we done?

Next the multiples of 5, starting at 25 (the first multiple of 5 greater than 5 that's left!)

In [None]:
primes[25::5] = [None] * len(primes[25::5])  # The right side is a list of Nones, of the necessary length.
print(primes) # What have we done?

Finally, the multiples of 7, starting at 49 (the first multiple of 7 greater than 7 that's left!)

In [None]:
primes[49::7] = [None] * len(primes[49::7])  # The right side is a list of Nones, of the necessary length.
print(primes) # What have we done?

What's left?  A lot of `None`s and the prime numbers up to 100.  We have successfully sieved out all the nonprime numbers in the list, using just four sieving steps (and setting 0 and 1 to `None` manually).  

But there's a lot of room for improvement, from beginning to end!

1.  The format of the end result is not so nice.
2.  We had to sieve each step manually.  It would be much better to have a function `prime_list(n)` which would output a list of primes up to `n` without so much supervision.
3.  The memory usage will be large, if we need to store all the numbers up to a large `n` at the beginning.

We solve these problems in the following way.

1.  We will use a list of **booleans** rather than a list of numbers.  The ending list will have a `True` value at prime indices and a `False` value at composite indices.  This reduces the memory usage and increases the speed.  
2.  A `which` function (explained soon) will make the desired list of primes after everything else is done.
3.  We will proceed through the sieving steps algorithmically rather than entering each step manually.

Here is a somewhat efficient implementation of the Sieve in Python.

In [None]:
def isprime_list(n):
    ''' 
    Return a list of length n+1
    with Trues at prime indices and Falses at composite indices.
    '''
    flags = [True] * (n+1)  # A list [True, True, True,...] to start.
    flags[0] = False  # Zero is not prime.  So its flag is set to False.
    flags[1] = False  # One is not prime.  So its flag is set to False.
    p = 2  # The first prime is 2.  And we start sieving by multiples of 2.
    
    while p <= sqrt(n):  # We only need to sieve by p is p <= sqrt(n).
        if flags[p]:  # We sieve the multiples of p if flags[p]=True.
            flags[p*p::p] = [False] * len(flags[p*p::p]) # Sieves out multiples of p, starting at p*p.
        p = p + 1 # Try the next value of p.
        
    return flags

In [None]:
print(isprime_list(100))

If you look carefully at the list of booleans, you will notice a `True` value at the 2nd index, the 3rd index, the 5th index, the 7th index, etc..  The indices where the values are `True` are precisely the **prime** indices.  Since booleans take the smallest amount of memory of any data type (one **bit** of memory per boolean), your computer can carry out the `isprime_list(n)` function even when `n` is very large.

To be more precise, there are 8 bits in a **byte**.  There are 1024 bytes (about 1000) in a kilobyte.  There are 1024 kilobytes in a megabyte.  There are 1024 megabytes in a gigabyte.  Therefore, a gigabyte of memory is enough to store about 8 billion bits.  That's enough to store the result of `isprime_list(n)` when `n` is about 8 billion.  Not bad!  And your computer probably has 4 or 8 or 12 or 16 gigabytes of memory to use.



To transform the list of booleans into a list of prime numbers, we create a function called `where`.  This function uses another Python technique called **list comprehension**.  We discuss this technique later in this lesson, so just use the `where` function as a tool for now, or [read about list comprehension](https://docs.python.org/2/tutorial/datastructures.html#list-comprehensions) if you're curious.

In [None]:
def where(L):
    '''
    Take a list of booleans as input and
    outputs the list of indices where True occurs.
    '''
    return [n for n in range(len(L)) if L[n]]
    

Combined with the `isprime_list` function, we can produce long lists of primes.

In [None]:
print(where(isprime_list(100)))

Let's push it a bit further.  How many primes are there between 1 and 1 million?  We can figure this out in three steps:

1.  Create the isprime_list.
2.  Use where to get the list of primes.
3.  Find the length of the list of primes.

But it's better to do it in two steps.

1.  Create the isprime_list.
2.  Sum the list!  (Note that `True` is 1, for the purpose of summation!)

In [None]:
sum(isprime_list(1000000))  # The number of primes up to a million!

In [None]:
%timeit isprime_list(10**6)  # 1000 ms = 1 second.

In [None]:
%timeit sum(isprime_list(10**6))

This isn't too bad!  It takes a fraction of a second to identify the primes up to a million, and a smaller fraction of a second to count them!  But we can do a little better.  

The first improvement is to take care of the even numbers first.  If we count carefully, then the sequence 4,6,8,...,n (ending at n-1 if n is odd) has the floor of (n-2)/2 terms.  Thus the line `flags[4::2] = [False] * ((n-2)//2)` will set all the flags to False in the sequence 4,6,8,10,...  From there, we can begin sieving by *odd* primes starting with 3.

The next improvement is that, since we've already sieved out all the even numbers (except 2), we don't have to sieve out again by *even multiples*.  So when sieving by multiples of 3, we don't have to sieve out 9,12,15,18,21,etc..  We can just sieve out 9,15,21,etc..  When `p` is an odd prime, this can be taken care of with the code `flags[p*p::2*p] = [False] * len(flags[p*p::2*p])`.  

In [None]:
def isprime_list(n):
    ''' 
    Return a list of length n+1
    with Trues at prime indices and Falses at composite indices.
    '''
    flags = [True] * (n+1)  # A list [True, True, True,...] to start.
    flags[0] = False  # Zero is not prime.  So its flag is set to False.
    flags[1] = False  # One is not prime.  So its flag is set to False.
    flags[4::2] = [False] * ((n-2)//2)
    p = 3
    while p <= sqrt(n):  # We only need to sieve by p is p <= sqrt(n).
        if flags[p]:  # We sieve the multiples of p if flags[p]=True.
            flags[p*p::2*p] = [False] * len(flags[p*p::2*p]) # Sieves out multiples of p, starting at p*p.
        p = p + 2 # Try the next value of p.  Note that we can proceed only through odd p!
        
    return flags

In [None]:
%timeit sum(isprime_list(10**6))  # How much did this speed it up?

Another modest improvement is the following.  In the code above, the program *counts* the terms in sequences like 9,15,21,27,..., in order to set them to `False`.  This is accomplished with the length command `len(flags[p*p::2*p])`.  But that length computation is a bit too intensive.  A bit of algebraic work shows that the length is given formulaically in terms of `p` and `n` by the formula:  

$$len = \lfloor \frac{n - p^2 - 1}{2p} \rfloor + 1$$

(Here $\lfloor x \rfloor$ denotes the floor function, i.e., the result of rounding down.)  Putting this into the code yields the following.

In [None]:
def isprime_list(n):
    ''' 
    Return a list of length n+1
    with Trues at prime indices and Falses at composite indices.
    '''
    flags = [True] * (n+1)  # A list [True, True, True,...] to start.
    flags[0] = False  # Zero is not prime.  So its flag is set to False.
    flags[1] = False  # One is not prime.  So its flag is set to False.
    flags[4::2] = [False] * ((n-2)//2)
    p = 3
    while p <= sqrt(n):  # We only need to sieve by p is p <= sqrt(n).
        if flags[p]:  # We sieve the multiples of p if flags[p]=True.
            flags[p*p::2*p] = [False] * ((n-p*p-1)//(2*p)+1) # Sieves out multiples of p, starting at p*p.
        p = p + 2 # Try the next value of p.
        
    return flags

In [None]:
%timeit sum(isprime_list(10**6))  # How much did this speed it up?

That should be pretty fast!  It should be under 100 ms (one tenth of one second!) to determine the primes up to a million, and on a newer computer it should be under 50ms.  We have gotten pretty close to the fastest algorithms that you can find in Python, without using external packages (like SAGE or sympy).  See the related [discussion on StackOverflow](https://stackoverflow.com/questions/2068372/fastest-way-to-list-all-primes-below-n)... the code in this lesson was influenced by the code presented there.

### Exercises

1.  Prove that the length of `range(p*p, n, 2*p)` equals $\lfloor \frac{n - p^2 - 1}{2p} \rfloor + 1$.

2.  A natural number $n$ is called squarefree if it has no perfect square divides $n$ except for 1.  Write a function `squarefree_list(n)` which outputs a list of booleans:  `True` if the index is squarefree and `False` if the index is not squarefree.  For example, if you execute `squarefree_list(12)`, the output should be `[False, True, True, True, False, True, True, True, False, False, True, True, False]`.  Note that the `False` entries are located the indices 0, 4, 8, 9, 12.  These natural numbers have perfect square divisors besides 1.  

3.  Your DNA contains about 3 billion base pairs.  Each "base pair" can be thought of as a letter, A, T, G, or C.  How many bits would be required to store a single base pair?  In other words, how might you convert a sequence of booleans into a letter A,T,G, or C?  Given this, how many megabytes or gigabytes are required to store your DNA?  How many people's DNA would fit on a thumb-drive?

<a id='analysis'></a>

## Data analysis

Now that we can produce a list of prime numbers quickly, we can do some data analysis:  some experimental number theory to look for trends or patterns in the sequence of prime numbers.  Since Euclid (about 300 BCE), we have known that there are infinitely many prime numbers.  But how are they distributed?  What proportion of numbers are prime, and how does this proportion change over different ranges?  As theoretical questions, these belong the the field of analytic number theory.  But it is hard to know what to prove without doing a bit of experimentation.  And so, at least since Gauss [(read Tschinkel's article about Gauss's tables)](http://www.ams.org/journals/bull/2006-43-01/S0273-0979-05-01096-7/S0273-0979-05-01096-7.pdf) started examining his extensive tables of prime numbers, mathematicians have been carrying out experimental number theory.

### Analyzing the list of primes

Let's begin by creating our data set:  the prime numbers up to 1 million.

In [None]:
primes = where(isprime_list(1000000))

In [None]:
len(primes) # Our population size.  A statistician might call it N.

In [None]:
primes[-1]  # The last prime in our list, just before one million.

In [None]:
type(primes) # What type is this data?

In [None]:
print(primes[:100]) # The first hundred prime numbers.

To carry out serious analysis, we will use the method of **list comprehension** to place our population into "bins" for statistical analysis.  Our first type of list comprehension has the form `[x for x in LIST if CONDITION]`.  This produces the list of all elements of LIST satisfying CONDITION.  It is similar to list slicing, except we pull out terms from the list according to whether a condition is true or false.

For example, let's divide the (odd) primes into two classes.  Red primes will be those of the form 4n+1.  Blue primes will be those of the form 4n+3.  In other words, a prime `p` is red if `p%4 == 1` and blue if `p%4 == 3`.  And the prime 2 is neither red nor blue.

In [None]:
redprimes = [p for p in primes if p%4 == 1] # Note the [x for x in LIST if CONDITION] syntax.
blueprimes = [p for p in primes if p%4 == 3]

print('Red primes:',redprimes[:20]) # The first 20 red primes.
print('Blue primes:',blueprimes[:20]) # The first 20 blue primes.

In [None]:
print("There are {} red primes and {} blue primes, up to 1 million.".format(len(redprimes), len(blueprimes)))

This is pretty close!  It seems like prime numbers are about evenly distributed between red and blue.  Their remainder after division by 4 is about as likely to be 1 as it is to be 3.  In fact, it is proven that *asymptotically* the ratio between the number of red primes and the number of blue primes approaches 1.  However, Chebyshev noticed a persistent slight bias towards blue primes along the way.

Some of the deepest conjectures in mathematics relate to the [prime counting function](https://en.wikipedia.org/wiki/Prime-counting_function) $\pi(x)$.  Here $\pi(x)$ is the **number of primes** between 1 and $x$ (inclusive).  So $\pi(2) = 1$ and $\pi(3) = 2$ and $\pi(4) = 2$ and $\pi(5) = 3$.  One can compute a value of $\pi(x)$ pretty easily using a list comprehension.



In [None]:
def primes_upto(x):
    return len([p for p in primes if p <= x]) # List comprehension recovers the primes up to x.

In [None]:
primes_upto(1000)  # There are 168 primes between 1 and 1000.

Now we graph the prime counting function.  To do this, we use a list comprehension, and the visualization library called matplotlib.  For graphing a function, the basic idea is to create a list of x-values, a list of corresponding y-values (so the lists have to be the same length!), and then we feed the two lists into matplotlib to make the graph.

We begin by loading the necessary packages.

In [None]:
import matplotlib  #  A powerful graphics package.
import numpy  #  A math package
import matplotlib.pyplot as plt  # A plotting subpackage in matplotlib.

Now let's graph the function $y = x^2$ over the domain $-2 \leq x \leq 2$ for practice.  As a first step, we use numpy's `linspace` function to create an evenly spaced set of 11 x-values between -2 and 2.

In [None]:
x_values = numpy.linspace(-2,2,11)  # The argument 11 is the *number* of terms, not the step size!
print(x_values)
type(x_values)

You might notice that the format looks a bit different from a list.  Indeed, if you check `type(x_values)`, it's not a list but something else called a numpy array.  Numpy is a package that excels with computations on large arrays of data.  On the surface, it's not so different from a list.  The `numpy.linspace` command is a convenient way of producing an evenly spaced list of inputs.

The big difference is that operations on numpy arrays are interpreted differently than operations on ordinary Python lists.  Try the two commands for comparison.

In [None]:
[1,2,3] + [1,2,3]

In [None]:
x_values + x_values

In [None]:
y_values = x_values * x_values  # How is multiplication interpreted on numpy arrays?
print(y_values)

Now we use matplotlib to create a simple line graph.

In [None]:
%matplotlib inline
plt.plot(x_values, y_values)
plt.title('The graph of $y = x^2$')  # The dollar signs surround the formula, in LaTeX format.
plt.ylabel('y')
plt.xlabel('x')
plt.grid(True)
plt.show()


Let's analyze the graphing code a bit more.  See the [official pyplot tutorial](https://matplotlib.org/users/pyplot_tutorial.html) for more details.  
```python
%matplotlib inline
plt.plot(x_values, y_values)
plt.title('The graph of $y = x^2$')  # The dollar signs surround the formula, in LaTeX format.
plt.ylabel('y')
plt.xlabel('x')
plt.grid(True)
plt.show()
```
The first line contains the **magic** `%matplotlib inline`.  We have seen a magic word before, in `%timeit`.  [Magic words](http://ipython.readthedocs.io/en/stable/interactive/magics.html) can call another program to assist.  So here, the magic `%matplotlib inline` calls matplotlib for help, and places the resulting figure within the notebook.

The next line `plt.plot(x_values, y_values)` creates a `plot object` based on the data of the x-values and y-values.  It is an abstract sort of object, behind the scenes, in a format that matplotlib understands.  The following lines set the title of the plot, the axis labels, and turns a grid on.  The last line `plt.show` renders the plot as an image in your notebook.  There's an infinite variety of graphs that matplotlib can produce -- see [the gallery](https://matplotlib.org/gallery.html) for more!  Other graphics packages include [bokeh](http://bokeh.pydata.org/en/latest/) and [seaborn](http://seaborn.pydata.org/), which extends matplotlib.

### Analysis of the prime counting function

Now, to analyze the prime counting function, let's graph it.  To make a graph, we will first need a list of many values of x and many corresponding values of $\pi(x)$.  We do this with two commands.  The first might take a minute to compute.

In [None]:
x_values = numpy.linspace(0,1000000,1001) # The numpy array [0,1000,2000,3000,...,1000000]
pix_values = numpy.array([primes_upto(x) for x in x_values])  # [FUNCTION(x) for x in LIST] syntax

We created an array of x-values as before.  But the creation of an array of y-values (here, called `pix_values` to stand for $\pi(x)$) probably looks strange.  We have done two new things!

1.  We have used a list comprehension `[primes_upto(x) for x in x_values]` to create a **list** of y-values.
2.  We have used numpy.array(LIST) syntax to convert a Python list into a numpy array.

First, we explain the list comprehension.  Instead of pulling out values of a list according to a condition, with `[x for x in LIST if CONDITION]`, we have created a new list based on performing a function each element of a list.  The syntax, used above, is `[FUNCTION(x) for x in LIST]`.  These two methods of list comprehension can be combined, in fact.  The most general syntax for list comprehension is `[FUNCTION(x) for x in LIST if CONDITION]`.

Second, a list comprehension can be carried out on a numpy array, but the result is a plain Python list.  It will be better to have a numpy array instead for what follows, so we use the `numpy.array()` function to convert the list into a numpy array.

In [None]:
type(numpy.array([1,2,3]))  # For example.

Now we have two numpy arrays:  the array of x-values and the array of y-values.  We can make a plot with matplotlib.

In [None]:
len(x_values) == len(pix_values)  # These better be the same, or else matplotlib will be unhappy.

In [None]:
%matplotlib inline
plt.plot(x_values, pix_values)
plt.title('The prime counting function')
plt.ylabel('$\pi(x)$')
plt.xlabel('x')
plt.grid(True)
plt.show()

In this range, the prime counting function might look nearly linear.  But if you look closely, there's a subtle downward bend.  This is more pronounced in smaller ranges.  For example, let's look at the first 10 x-values and y-values only.

In [None]:
%matplotlib inline
plt.plot(x_values[:10], pix_values[:10])  # Look closer to 0.
plt.title('The prime counting function')
plt.ylabel('$\pi(x)$')
plt.xlabel('x')
plt.grid(True)
plt.show()

It still looks almost linear, but there's a visible downward bend here.  How can we see this bend more clearly?  If the graph were linear, its equation would have the form $\pi(x) = mx$ for some fixed slope $m$ (since the graph *does* pass through the origin).  Therefore, the quantity $\pi(x)/x$ would be *constant* if the graph were linear.  

Hence, if we graph $\pi(x) / x$ on the y-axis and $x$ on the x-axis, and the result is nonconstant, then the function $\pi(x)$ is nonlinear.

In [None]:
m_values = pix_values[1:] / x_values[1:]  # We start at 1, to avoid a division by zero error.

In [None]:
%matplotlib inline
plt.plot(x_values[1:], m_values)
plt.title('The ratio $\pi(x) / x$ as $x$ varies.')
plt.xlabel('x')
plt.ylabel('$\pi(x) / x$')
plt.grid(True)
plt.show()

That is certainly not constant!  The decay of $\pi(x) / x$ is not so different from $1 / \log(x)$, in fact.  To see this, let's overlay the graphs.  We use the `numpy.log` function, which computes the natural logarithm of its input (and allows an entire array as input).

In [None]:
%matplotlib inline
plt.plot(x_values[1:], m_values, label='$\pi(x)/x$')  # The same as the plot above.
plt.plot(x_values[1:], 1 / numpy.log(x_values[1:]), label='$1 / \log(x)$')  # Overlay the graph of 1 / log(x)
plt.title('The ratio of $\pi(x) / x$ as $x$ varies.')
plt.xlabel('x')
plt.ylabel('$\pi(x) / x$')
plt.grid(True)
plt.legend()  # Turn on the legend.
plt.show()

The shape of the decay of $\pi(x) / x$ is very close to $1 / \log(x)$, but it looks like there is an offset.  In fact, there is, and it is pretty close to $1 / \log(x)^2$.  And that is close, but again there's another little offset, this time proportional to $2 / \log(x)^3$.  This goes on forever, if one wishes to approximate $\pi(x) / x$ by an "asymptotic expansion" (not a good idea, it turns out).

The closeness of $\pi(x) / x$ to $1 / \log(x)$ is expressed in the **prime number theorem**:
$$\lim_{x \rightarrow \infty} \frac{\pi(x)}{x / \log(x)} = 1.$$

In [None]:
%matplotlib inline
plt.plot(x_values[1:], m_values * numpy.log(x_values[1:])  )  # Should get closer to 1.
plt.title('The ratio $\pi(x) / (x / \log(x))$ approaches 1... slowly')
plt.xlabel('x')
plt.ylabel('$\pi(x) / (x / \log(x)) $')
plt.ylim(0.8,1.2)
plt.grid(True)
plt.show()

Comparing the graph to the theoretical result, we find that the ratio $\pi(x) / (x / \log(x))$ approaches $1$ (the theoretical result) but very slowly (see the graph above!).

A much stronger result relates $\pi(x)$ to the "logarithmic integral" $li(x)$.  The [Riemann hypothesis](http://www.claymath.org/millennium-problems/riemann-hypothesis) is equivalent to the statement
$$\left\vert \pi(x) - li(x) \right\vert = O(\sqrt{x} \log(x)).$$
In other words, the error if one approximates $\pi(x)$ by $li(x)$ is bounded by a constant times $\sqrt{x} \log(x)$.  The logarithmic integral function isn't part of Python or numpy, but it is in the mpmath package.  If you have this package installed, then you can try the following.

In [None]:
from mpmath import li

In [None]:
print(primes_upto(1000000))  # The number of primes up to 1 million.
print(li(1000000))  # The logarithmic integral of 1 million.

Not too shabby!

### Prime gaps

As a last bit of data analysis, we consider the **prime gaps**.  These are the numbers that occur as differences between consecutive primes.  Since all primes except 2 are odd, all prime gaps are even except for the 1-unit gap between 2 and 3.  There are many unsolved problems about prime gaps; the most famous might be that a gap of 2 occurs infinitely often (as in the gaps between 3,5 and between 11,13 and between 41,43, etc.).

Once we have our data set of prime numbers, it is not hard to create a data set of prime gaps.  Recall that `primes` is our list of prime numbers up to 1 million.

In [None]:
len(primes) # The number of primes up to 1 million.

In [None]:
primes_allbutlast = primes[:-1]  # This excludes the last prime in the list.
primes_allbutfirst = primes[1:]  # This excludes the first (i.e., with index 0) prime in the list.

In [None]:
primegaps = numpy.array(primes_allbutfirst) - numpy.array(primes_allbutlast) # Numpy is fast!

In [None]:
print(primegaps[:100])  # The first hundred prime gaps!

What have we done?  It is useful to try out this method on a short list.  

In [None]:
L = [1,3,7,20]  # A nice short list.

In [None]:
print(L[:-1])
print(L[1:])

Now we have two lists of the same length.  The gaps in the original list `L` are the differences between terms of the *same* index in the two new lists.  One might be tempted to just subtract, e.g., with the command `L[1:] - L[:-1]`, but subtraction is not defined for lists.

Fortunately, by converting the lists to numpy arrays, we can use numpy's term-by-term subtraction operation.

In [None]:
L[1:] - L[:-1]  # This will give a TypeError.  You can't subtract lists!

In [None]:
numpy.array(L[1:]) - numpy.array(L[:-1])  # That's better.  See the gaps in the list [1,3,7,20] in the output.

Now let's return to our primegaps data set.  It contains all the gap-sizes for primes up to 1 million.  

In [None]:
print(len(primes))
print(len(primegaps))  # This should be one less than the number of primes.

As a last example of data visualization, we use matplotlib to produce a histogram of the prime gaps.

In [None]:
max(primegaps)  # The largest prime gap that appears!

In [None]:
%matplotlib inline
plt.figure(figsize=(12, 5))  #  Makes the resulting figure 12in by 5in.
plt.hist(primegaps, bins=range(1,115)) #  Makes a histogram with one bin for each possible gap from 1 to 114.
plt.ylabel('Frequency')
plt.xlabel('Gap size')
plt.grid(True)
plt.title('The frequency of prime gaps, for primes up to 1 million')
plt.show()

Observe that gaps of 2 (twin primes) are pretty frequent.  There are over 8000 of them, and about the same number of 4-unit gaps!  But gaps of 6 are most frequent in the population, and there are some interesting peaks at 6, 12, 18, 24, 30.  What else do you observe?

### Exercises

1.  Create functions `redprimes_upto(x)` and `blueprimes_upto(x)` which count the number of red/blue primes up to a given number `x`.  Recall that we defined red/blue primes to be those of the form 4n+1 or 4n+3, respectively.  Graph the relative proportion of red/blue primes as `x` varies from 1 to 1 million.  E.g., are the proportions 50%/50% or 70%/30%, and how do these proportions change?  Note:  this is also visualized in [An Illustrated Theory of Numbers](http://bookstore.ams.org/mbk-105) and you can read [an article by Rubinstein and Sarnak](https://projecteuclid.org/euclid.em/1048515870) for more.

2.  Does there seem to be a bias in the last digits of primes?  Note that, except for 2 and 5, every prime ends in 1,3,7, or 9.  Note: the last digit of a number `n` is obtained from `n % 10`.  

3.  Read about the ["Prime Conspiracy"](https://www.quantamagazine.org/mathematicians-discover-prime-conspiracy-20160313), recently discovered by Lemke Oliver and Soundararajan.  Can you detect their conspiracy in our data set of primes?

# Part 4:  Dictionaries, factorization, and multiplicative functions in Python 3.x

The *list type* is perfect for keeping track of ordered data.  Here we introduce the *dict* (dictionary) type, which can be used for *key-value pairs*.  This data structure is well suited for storing the prime decomposition of integers, in which each prime (*key*) is given an exponent (*value*).  As we introduce the *dict* type, we also discuss some broader issues of *objects* and *methods* in Python programming.

We apply these programming concepts to prime decomposition and multiplicative functions (e.g., the divisor sum function).  This material accompanies Chapter 2 of [An Illustrated Theory of Numbers](http://illustratedtheoryofnumbers.com/index.html).

## Table of Contents

- [Dictionaries and factorization](#dictfact)
- [Multiplicative functions](#multfunc)


<a id='dictfact'></a>

## Dictionaries and factorization

### Lists, dictionaries, objects and methods

Lists, like `[2,3,5,7]` are data structures built for sequentially ordered data.  The **items** of a list (in this case, the numbers 2,3,5,7) are *indexed* by natural numbers (in this case, the **indices** are 0,1,2,3).  Python allows you to access the items of a list through their index.

In [None]:
L = [2,3,5,7]
type(L)

In [None]:
print(L[0])  # What is the output?

In [None]:
print(L[3])  # What is the output?

In [None]:
print(L[5])  # This should give an IndexError.

Python **dictionaries** are structures built for data that have a *key-value* structure.  The **keys** are like indices.  But instead of numerical indices (0,1,2,etc.), the keys can be any numbers or strings (technically, any hashable type)!  Each key in the dictionary references a **value**, in the same way that each index of a list references an item.  The syntax for defining a dictionary is `{key1:value1, key2:value2, key3:value3, ...}`.  A first example is below.  You can also read the [official tutorial](https://docs.python.org/3/tutorial/datastructures.html#dictionaries) for more on dictionaries.

In [None]:
nemo = {'species':'clownfish', 'color':'orange', 'age':6}

In [None]:
nemo['color']  # The key 'color' references the value 'orange'.

In [None]:
nemo['age']  # Predict the result.  Notice the quotes are necessary.  The *string* 'age' is the key.

In [None]:
nemo[1]  # This yields a KeyError, since 1 is not a key in the dictionary.

Dictionaries can have values of any type, and their keys can be numbers or strings.  In this case, the keys are all strings, while the values include strings and integers.  In this way, dictionaries are useful for storing properties of different kinds -- they can be used to store [records](https://en.wikipedia.org/wiki/Record_(computer_science%29 ), as they are called in other programming languages.

### An interlude on Python objects

We have discussed how Python stores data of various *types*:  int, bool, str, list, dict, among others.  But now seems like a good time to discuss the fundamental "units" which are stored:  these are called Python **objects**.  If you have executed the cells above, Python is currently storing a lot of objects in your computer's memory.  These objects include `nemo` and `L`.  Also `L[0]` is an object and `nemo['age']` is an object.  Each of these objects are occupying a little space in memory.



We reference these objects by the names we created, like `nemo` and `L`.  But for internal purposes, Python assigns every object a unique ID number.  You can see an object's ID number with the `id` function.

In [None]:
id(L)

In [None]:
id(nemo)

In [None]:
id(L[0])

It is sometimes useful to check the ID numbers of objects, to look "under the hood" a bit.  For example, consider the following.

In [None]:
x = 3
y = 3
print(x == y)  # This should be true!

In [None]:
id(x)

In [None]:
id(y)

What happened?  You probably noticed that both variables `x` and `y` have the same id number.  That means that Python is being efficient, and not filling up two different slots of memory with the same number (3).  Instead, it puts the number in one memory slot, and uses `x` and `y` as alternative names for this slot.

But what happens if we change a value of one variable?

In [None]:
x = 5

In [None]:
id(x)

In [None]:
id(y)

Python won't be confused by this.  When we assigned `x = 5`, Python opened up a new memory slot for the number 5, and assigned `x` to refer to the number in this new slot.  Note that `y` still "points" at the old slot.  Python tries to be smart about memory, remembering where numbers are stored, and putting numbers into slots "under the hood" as it sees fit.

In [None]:
id(3)  # Does Python remember where it put 3?

In [None]:
id(5)  # Does Python remember where it put 5?

In [None]:
id(4)  #  4 was probably not in memory before.  But now it is!

In [None]:
y = 5

In [None]:
id(y)  #  Did Python change the number in a slot?  Or did it point `y` at another slot?

In [None]:
id(L[2]) #  Python doesn't like to waste space.

This sort of memory management can be helpful to avoid repetetion.  For example, consider a list with repetition.

In [None]:
R = [19,19,19]

In [None]:
id(R)  # The list itself is an object.

In [None]:
id(R[0])  # The 0th item in the list is an object.

In [None]:
id(R[1])  # The 1st item in the list is an object.

In [None]:
id(R[2])  # The 2nd item in the list is an object.

By having each list entry point to the same location in memory, Python avoids having to fill three blocks of memory with the same number 19.   

Python *objects* can have **methods** attached to them.  Methods are functions which can utilize and change the data within an object.  The basic syntax for using methods is `<object>.<method>()`.  Here are two examples to get started:  The keys and values of a dictionary can be recovered using the `keys()` and `values()` methods.

In [None]:
nemo.keys()  # What are the keys of nemo?

In [None]:
nemo.values()  # What are the values of nemo?

The output of the `keys()` and `values()` methods are list-like.  As such, they are convenient for iteration and membership-testing.

In [None]:
'color' in nemo.keys()

In [None]:
'taste' in nemo.keys()

In [None]:
'orange' in nemo.keys()  # Is 'orange' a key in the dictionary?

In [None]:
for k in nemo.keys():  # Iterates through the keys.
    print('Nemo\'s {} is {}.'.format(k,nemo[k]))  # \' is used to get a single-quote in a string.

In fact, Python provides a simpler syntax for iterating over keys or testing membership in keys.  The syntax `for k in <dictionary>:` iterates the variable `k` through the keys of the `<dictionary>`.  Similarly the syntax `k in <dictionary>` is shorthand for `k in <dictionary>.keys()`.

In [None]:
for k in nemo:  # This will iterate through the *keys* of the dictionary nemo.
    print('Nemo\'s {} is {}.'.format(k,nemo[k]))

Sometimes we'll want to change a dictionary.  Perhaps we learn that nemo has gotten lost.

In [None]:
nemo['status'] = 'lost'

In [None]:
id(nemo)

In [None]:
id('status')

In [None]:
print(nemo)

The command `nemo['status'] = 'lost'` creates a *new key* in the dictionary called `'status'` and assigns the value `'lost'` to the key.  If we find nemo, then we can change the value.

In [None]:
nemo['status'] = 'found'
print(nemo)

Since `'status'` is already among the keys of `nemo`, the command `nemo['status'] = 'found'` does not create a new key this time.  It just changes the associated value from `'lost'` to `'found'`.

In [None]:
nemo.keys()  # What are the keys of nemo now?

In [None]:
nemo.values()  # What are the values of nemo now?

We mentioned earlier that `keys()` and `values()` are **methods** attached to the object `nemo`, and methods are functions which are attached to Python objects. 

Python objects often (and often by default!) have methods attached to them.  Every dictionary and every list in Python comes with attached methods.  Methods can be used to extract properties of objects or change them.  Here are examples of some list methods.

In [None]:
L = [2,3,5,7]
print(L) # Let's remember what the list L is.

In [None]:
L[0] # What is this?

In [None]:
id(L[0]) # What is the ID number of the 0th item in the list?

In [None]:
L.reverse() # The reverse() method changes L!
print(L)

In [None]:
L[0]  # We have definitely changed L.

In [None]:
L[3]  # The last item in the list L.

In [None]:
id(L[3]) # The ID number of the last item in the list L.

Observe that Python changed the order of the items in the list.  But it didn't move them around in memory!  The object `2` maintains the same ID number, and stays in the same place in memory.  But the list item `L[0]` points at `2` before reversing while `L[3]` points at `2` after reversing.  This kind of thing is confusing at first, but the general framework is `<variable> points at <memory location>`.  You choose the name of the variable and work with the variable directly.  Python labels each memory location with an ID number, and puts stuff in memory and retrieves values from memory according to your wishes.

In [None]:
L.append(11) # Let's add another term to the list with the append(*) method.
print(L)

In [None]:
L.sort()  # Let's get this list back in order.
print(L)

Some more useful list methods can be found at the [official Python tutorial](https://docs.python.org/3/tutorial/datastructures.html#more-on-lists).  

### Prime decomposition dictionaries

If $N$ is a positive integer, then $N$ can be uniquely decomposed into a product of primes.  Here "uniquely" means that $N$ has a unique expression of the form
$$N = 2^{e_2} 3^{e_3} 5^{e_5} \cdots$$
in which the exponents $e_2, e_3, e_5$, etc., are natural numbers (and only finitely many are nonzero).

A Python dictionary is well-suited to store the resulting prime decomposition.  For example, we might store the prime decomposition $2^3 3^2 7$ with the dictionary `{2:3, 3:2, 7:1}`.  The primes which occur in the decomposition become the *keys* of the dictionary, and the natural number exponents becomes the *values* of the dictionary.

The functions below decompose a positive integer `N` into primes, storing the result in a dictionary.  The strategy is to repeatedly strip off (divide by) the smallest prime factor of a number, adjusting the dictionary along the way, until the number is reduced to 1.  The first function below finds the smallest prime factor of a number.  

In [None]:
from math import sqrt  # We'll want to use the square root.

def smallest_factor(n):
    '''
    Gives the smallest prime factor of n.
    '''
    if n < 2:
        return None # No prime factors!
    
    test_factor = 2 # The smallest possible prime factor.
    max_factor = sqrt(n) # we don't have to search past sqrt(n).
    
    while test_factor <= max_factor:
        if n%test_factor == 0:
            return test_factor
        test_factor = test_factor + 1  # This could be sped up.
    
    return n  # If we didn't find a factor up to sqrt(n), n itself is prime!
        

In [None]:
smallest_factor(105)

In [None]:
smallest_factor(1999**2)  # 1999 might be called the Prince of primes.

In [None]:
smallest_factor(11**3 * 13**9) # The result should be 11.

In [None]:
def decompose(N):
    '''
    Gives the unique prime decomposition of a positive integer N,
    as a dictionary with primes as keys and exponents as values.
    '''
    current_number = N  # We'll divide out factors from current_number until we get 1.
    decomp = {} # An empty dictionary to start.
    while current_number > 1:
        p = smallest_factor(current_number) # The smallest prime factor of the current number.
        if p in decomp.keys():  # Is p already in the list of keys?
            decomp[p] = decomp[p] + 1 # Increase the exponent (value with key p) by 1.
        else:  # "else" here means "if p is not in decomp.keys()".
            decomp[p] = 1  # Creates a new entry in the dictionary, with key p and value 1.
        current_number = current_number // p # Factor out p.  Integer division!
    return decomp

In [None]:
decompose(100) # What is the prime decomposition of 100?

In [None]:
decompose(56401910421778813463) # This should be quick.

In [None]:
decompose(1)  # Good to test the base case!

In [None]:
#  Use this space to experiment a bit with the decompose function.


Now that we have a function to compute the prime decomposition of a positive integer, we write a function to recover a positive integer from such a prime decomposition.  The function is deceptively simple, since Python makes it easy to iterate through the keys of a dictionary.  Make sure that you understand every line.

In [None]:
def recompose(D):
    '''
    If D is a dictionary with prime keys and natural values,
    this function outputs the product of terms of the form
    key^value.  In this way, it recovers a single number from a
    prime decomposition.
    '''
    N = 1
    for p in D.keys():  # iterate p through all the keys of D.
        N = N * (p ** D[p])  # Note that D[p] refers to the value (exponent) for the key p.
    return N

In [None]:
D = decompose(1000)
print(D)

In [None]:
recompose(D)  # This should recover 1000.

In [None]:
recompose({2:1, 3:1, 5:1, 7:1})  # What will this give?

In [None]:
# Use this space to experiment with decompose and recompose.


### Exercises

1.  Create the list [1,100,2,99,3,98,4,97,...,50,51] with as few list commands as you can.

2.  If you try the commands `x = 7`, `y = 11`, then `x,y = y,x`, what do you expect happens with `id(x)` and `id(y)` along the way?

3.  How might you adapt the decompose function to work with all integers (positive and negative)?  Note that zero does not have a prime decomposition, but negative numbers have an associated sign.

4.  Write a function `multiply(A,B)`, in which the parameters `A` and `B` are prime decomposition dictionaries and the output is the prime decomposition of their product. 

5.  Write a function `divides(A,B)`, in which the parameters `A` and `B` are prime decomposition dictionaries and the output is a boolean:  True if `A` divides `B` and false otherwise.

6.  The *radical* of a positive integer `N` is the positive integer whose prime factors are the same as `N`, but in which every prime occurs with exponent 1.  For example, $rad(500) = 2 \cdot 5 = 10$.  Write a function `radical(N)` which computes the radical of `N`.  You can use the `decompose(N)` and `recompose(N)` functions along the way.

In [None]:
# Use this space for the exercises.


<a id='multfunc'></a>

## Multiplicative functions

A *multiplicative function* is a function $f(n)$ which takes positive integer input $n$, and which satisfies $f(1) = 1$ and $f(ab) = f(a) f(b)$ whenever $a$ and $b$ are *coprime*.  A good example is the divisor-sum function, implemented below.

In [None]:
def divisor_sum(n):
    S = 0 # Start the sum at zero.
    for d in range(1,n+1):  # potential divisors between 1 and n.
        if n%d == 0:
            S = S + d
    return S

In [None]:
divisor_sum(100)  # The sum 1 + 2 + 4 + 5 + 10 + 20 + 25 + 50 + 100

In [None]:
%timeit divisor_sum(730) # Let's see how quickly this runs.

A perfect number is a positive integer which equals the sum of its proper factors (its positive factors, not including itself).  Thus a number $n$ is perfect if its divisor sum equals $2n$.  This can be implemented in a very short function.

In [None]:
def is_perfect(n):
    return divisor_sum(n) == 2*n

In [None]:
is_perfect(10)

In [None]:
is_perfect(28)

Let's find the perfect numbers up to 10000.  It might take a few seconds.

In [None]:
for j in range(1,10000):
    if is_perfect(j):
        print("{} is perfect!".format(j))

Multiplicative functions like the divisor sum function can be computed via prime decomposition.  Indeed, if $f$ is a multiplicative function, and $$n = 2^{e_2} 3^{e_3} 5^{e_5} \cdots,$$ then the value $f(n)$ satisfies
$$f(n) = f(2^{e_2}) \cdot f(3^{e_3}) \cdot f(5^{e_5}) \cdots.$$

So if we can compute the values of $f$ on prime powers, we can compute the values of $f$ for all positive integers.

The following function computes the divisor sum function, for a prime power $p^e$.

In [None]:
def divisor_sum_pp(p,e):  # pp stands for prime power
    '''
    Computes the divisor sum of the prime power p**e,
    when p is prime and e is a positive integer.
    This is just 1 + p^2 + p^3 + ... + p^e,
    simplified using a geometric series formula.
    '''
    return (p**(e+1) - 1) // (p - 1)

In [None]:
divisor_sum_pp(2,3)  # Should equal 1 + 2 + 4 + 8

In [None]:
divisor_sum_pp(3,1)  # Should equal 1 + 3

Now let's re-implement the divisor sum function, using prime decomposition and the divisor_sum_pp function for prime powers.

In [None]:
def divisor_sum(n):
    '''
    Computes the sum of the positive divisors of a 
    positive integer n.
    '''
    D = decompose(n)  # We require the decompose function from before!
    result = 1
    for p in D.keys():
        result = result * divisor_sum_pp(p,D[p])
    return result
    

In [None]:
divisor_sum(15)

In [None]:
% timeit(divisor_sum(730)) # this probably runs faster than the previous version.

There are a lot of interesting multiplicative functions.  We could implement each one by a two-step process as above:  implementing the function for prime powers, then defining a version for positive integers by using the decompose function.  But there's a shortcut for the second step, which brings in a very cool aspect of Python.

In Python, **functions are Python objects**.  



In [None]:
type(divisor_sum_pp) # Every object has a type.

In [None]:
id(divisor_sum_pp) # Yes, every object gets an ID number.

Since functions are Python objects, it is possible to define a function which takes a function as input and outputs a function too!  You can pass a function as an input parameter to another function, just as if it were any other variable.  You can output a function with the `return` keyword, just as if it were another variable.  And you can define a new function within the scope of a function!

Here's a basic example as a warmup.

In [None]:
def addone(x):  # Let's make a simple function.
    return x + 1  # It's not a very interesting function, is it.

In [None]:
addone(10) # Predict the result.

In [None]:
def do_twice(f):
    '''
    If a function f is input, then the output is the function
    "f composed with f."
    '''
    def ff(x):  # Defines a new function ff!
        return f(f(x)) # This is what ff does.
    
    return ff

In [None]:
addtwo = do_twice(addone)  # addtwo is a function!

In [None]:
addtwo(10)  # What is the result?

Now we exploit this function-as-object approach to create a Python function called `mult_function`.  Given a function `f_pp(p,e)`, the function `mult_function` outputs the *multiplicative function* which coincides with `f_pp` on prime powers.  In other words, if `f = mult_function(f_pp)`, then `f(p**e)` will equal `f_pp(p,e)`.

In [None]:
def mult_function(f_pp):
    '''
    When a function f_pp(p,e) of two arguments is input,
    this outputs a multiplicative function obtained from f_pp
    via prime decomposition.
    '''
    def f(n):
        D = decompose(n)
        result = 1
        for p in D:
            result = result * f_pp(p, D[p])
        return result
    
    return f

Let's see how this works for the *divisor-counting* function.  This is the function $\sigma_0(n)$ whose value is the *number* of positive divisors of $n$.  For prime powers, it is easy to count divisors, $$\sigma_0(p^e) = e + 1.$$  

In [None]:
def sigma0_pp(p,e):
    return e+1

Since the divisor-counting function is multiplicative, we can implement it by applying `mult_function` to `sigma0_pp`.  

In [None]:
sigma0 = mult_function(sigma0_pp)

In [None]:
sigma0(100)  # How many divisors does 100 have?

### Exercises

1.  A positive integer $n$ is called deficient/perfect/abundant according to whether the sum of its proper divisors is less than/equal to/greater than $n$ itself.  Among the numbers up to 10000, how many are deficient, perfect, and abundant?

2.  If $f(n)$ is a function with natural number input and real output, define $F(n)$ to be the function given by the formula $F(n) = \sum_{i=0}^n f(i)$.  Create a function `sumfun(f)` which takes as input a function `f` and outputs the function `F` as described above.

3.  Consider the function $f(n)$ which counts the number of positive divisors of $n$ which *are not* divisible by 4.  Verify that this is a multiplicative function, and implement it using `mult_function`.

4.  Write a function `foursquare(n)` which counts the number of ways that a positive integer `n` can be expressed as `a*a + b*b + c*c + d*d` for integers `a`, `b`, `c`, `d`.  Hint:  loop the variables through integers between $-\sqrt{n}$ and $\sqrt{n}$.  Compare the values of `foursquare(n)` to the multiplicative function in the previous problem.

5.  A positive integer is "square-free" if it has no square factors besides 1.  The **Mobius** function $\mu(n)$ is defined by $\mu(n) = 0$ if $n$ is not square-free, and otherwise $\mu(n) = 1$ or $\mu(n) = -1$ according to whether $n$ has an even or odd number of prime factors.  Verify that the Mobius function is multiplicative and implement it.  Try to reproduce the graph of the Mertens function $M(n)$ as described at [Wikipedia's article on the Mertens conjecture](https://en.wikipedia.org/wiki/Mertens_conjecture).  (See the previous Python notebook for an introduction to matplotlib for creating graphs.)



# Part 5:  Modular arithmetic and primality testing with Python 3.x

Python, like most programming languages, comes with a "mod operation" `%` to compute remainders.  This makes basic modular arithmetic straightforward.  The more interesting aspects -- from the standpoint of programming and number theory -- arise in **algorithms** related to modular arithmetic.  Here we focus on Pingala's algorithm, a method for computing exponents based on an ancient method for enumerating poetic meters.  We analyze the **expected performance** of this algorithm using Python's `timeit` function for timing and `randint` function to randomize input parameters.  We also see how the performance depends on the number of **bits** of the input parameters.  In this way, we gently introduce some practical and theoretical issues in computer science.

We apply this algorithm to implement the Miller-Rabin primality test.  This test can very quickly determine (probabilistically) whether a large (hundreds or thousands of digits!) number is prime.  Our implementation is deterministic for smaller (under 64 bits) numbers.  This programming tutorial complements **Chapters 5 and 6** of An Illustrated Theory of Numbers.  


## Table of Contents

- [Calculations in modular arithmetic](#modcalc)
- [The Miller-Rabin Primality Test](#millerrabin)

<a id='modcalc'></a>

## Calculations in modular arithmetic

### The mod (%) operator

For basic modular arithmetic, one can use Python's "mod operator" `%` to obtain remainders.  There is a conceptual difference between the "mod" of computer programming and the "mod" of number theorists.  In computer programming, "mod" is typically the operator which outputs the remainder after division.  So for a computer scientist, "23 mod 5 = 3", because 3 is the remainder after dividing 23 by 5.

Number theorists (starting with Gauss) take a radical conceptual shift.  A number theorist would write $23 \equiv 3$ mod $5$, to say that 23 is **congruent** to 3 modulo 5.  In this sense "mod 5" (standing for "modulo 5") is a [prepositional phrase](https://www.economist.com/blogs/johnson/2012/08/grammar), describing the "modular world" in which 23 is the same as ("congruent to") 3.

To connect these perspectives, we would say that the computer scientist's statement "23 mod 5 = 3" gives the **natural representative** 3 for the number 23 in the mathematician's "ring of integers mod 5".  (Here "ring" is a term from abstract algebra.)

In [None]:
23 % 5  # What is the remainder after dividing 23 by 5?  What is the natural representative of 23 modulo 5?

The miracle that makes modular arithmetic work is that the end-result of a computation "mod m" is not changed if one works "mod m" along the way.  At least this is true if the computation only involves **addition, subtraction, and multiplication**.

In [None]:
((17 + 38) * (105 - 193)) % 13  # Do a bunch of stuff, then take the representative modulo 13.

In [None]:
(((17%13) + (38%13)) * ((105%13) - (193%13)) ) % 13 # Working modulo 13 along the way.

It might seem tedious to carry out this "reduction mod m" at every step along the way.  But the advantage is that you never have to work with numbers much bigger than the modulus (m) if you can reduce modulo m at each step.

For example, consider the following computation.

In [None]:
3**999 # A very large integer.

In [None]:
(3**999) % 1000  # What are the last 3 digits of 3 raised to the 999 power?

To compute the last three digits of $3^{999}$, Python works with some very large integers along the way.  But what if we could reduce modulo 1000 at every step?  Then, as Python multiplies terms, it will never have to multiply numbers bigger than 1000.  Here is a brute-force implementation.

In [None]:
P = 1  # The "running product" starts at 1.
for i in range(999):  # We repeat the following line 999 times, as i traverses the list [0,1,...,998].
    P = (P * 3)%1000  # We reduce modulo 1000 along the way!
print(P)

In this computation, Python never has to work with long integers.  Computations with long integers are time-consuming, and unnecessary if you only care about the result of a computation modulo a small number m.

### Performance analysis

The above loop works quickly, but it is far from optimal.  Let's carry out some **performance analysis** by writing two `powermod` functions.

In [None]:
def powermod_1(base, exponent, modulus):  # The naive approach.
    return (base**exponent) % modulus 

In [None]:
def powermod_2(base, exponent, modulus):
    P = 1 # Start the running product at 1.
    e = 0
    for i in range(exponent):
        P = (P * base) % modulus
    return P

Now let's compare the performance of these two functions.  It's also good to double check the code in `powermod_2` and run it to check the results.  The reason is that loops like this are classic sources of [Off by One Errors](https://en.wikipedia.org/wiki/Off-by-one_error).  One has to unravel the loop carefully to be completely certain, and testing is a necessity to avoid bugs!

We can compare the performance of the two functions with identical input parameters below.

In [None]:
%timeit powermod_1(3,999,1000)

In [None]:
%timeit powermod_2(3,999,1000)

The second `powermod` function was probably much slower, even though we reduced the size of the numbers along the way.  But perhaps we just chose some input parameters (3,999,1000) which were inconvenient for the second function.  To compare the performance of the two functions, it would be useful to try many different inputs.

For this, we use Python's timeit features in a different way.  Above we used the "magic" `%timeit` to time a line of code.  The magic command `%timeit` is convenient but limited in flexibility.  Here we use a larger Python `timeit` package which we import (as `TI`) and demonstrate below.

In [None]:
import timeit as TI

In [None]:
TI.timeit('powermod_1(3,999,1000)', "from __main__ import powermod_1", number=10000)

In [None]:
TI.timeit('powermod_2(3,999,1000)', "from __main__ import powermod_2", number=10000)

The syntax of the timeit *function* is a bit challenging.  The first parameter is the Python code which we are timing (as a string), in this case `powermod_*(3,999,1000)`.  The second parameter probably looks strange.  It exists because the timeit function sets up a little isolation chamber to run the code -- within this isolation chamber, it only knows standard Python commands and not the new functions you've created.  So you have to *import* your functions (`powermod_1` or `powermod_2`) into its isolation box.  Where are these imported from?  They are contained in `__main__` which is the location of all of your other code.  Finally, the third parameter `number` is the number of times the timeit function will repeat the code (by default, this might be a large number like 1000000).  

The output of the timeit function is a *float*, which represents the number of seconds taken for *all* of the repetitions.  Contrast this with the timeit magic, which found the average.  So you need to divide by the `number` parameter (10000 in the above examples) to find the average time taken.

Using the timeit *function*, we can compare the performance of the two `powermod` functions on multiple inputs, wrapping the whole comparison process in a bigger function.  We choose our inputs *randomly* in order to estimate the **expected performance** of our functions.  To choose random inputs, Python has a package aptly called random.

In [None]:
from random import randint # randint chooses random integers.

In [None]:
print("My number is {}".format(randint(1,10))) # Run this line many times over to see what happens!

The `randint(a,b)` command chooses a random integer between `a` and `b`, inclusive!  Unlike the `range(a,b)` command which iterates from `a` to `b-1`, the `randint` command includes both `a` and `b` as possibilities.  The following lines iterate the `randint(1,10)` and keep track of how often each output occurs.  The resulting *frequency distribution* should be nearly flat, i.e., each number between 1 and 10 should occur about 10% of the time.

In [None]:
Freq = {1:0, 2:0, 3:0, 4:0, 5:0, 6:0, 7:0, 8:0, 9:0, 10:0}  # We like to use a dictionary here.
for t in range(10000):
    n = randint(1,10) # Choose a random number between 1 and 10.
    Freq[n] = Freq[n] + 1

print(Freq)

For fun, and as a template for other explorations, we plot the frequencies in a histogram.  

In [None]:
%matplotlib inline
import matplotlib.pyplot as plt
plt.bar(Freq.keys(), Freq.values()) # The keys 1,...,10 are used as bins.  The values are used as bar heights.
plt.show()

Putting together the `randint` function and the `timeit` function, we can compare the performance of `powermod_1` and `powermod_2` when given random inputs.

In [None]:
time_1 = 0 # Tracking the time taken by the powermod_1 function.
time_2 = 0 # Tracking the time taken by the powermod_2 function.
for t in range(1000): # One thousand samples are taken!
    base = randint(10,99) # A random 2-digit base.
    exponent = randint(1000,1999) # A random 3-digit exponent.
    modulus = randint(1000,1999) # A random 3-digit modulus.
    
    # Note in the lines below that we have to import the functions powermod_1, powermod_2 and 
    # the variables base, exponent, modulus, into the isolation chamber used by timeit.
    # We set number=10 to allow 10 trials of each function on each sample input.
    # We do a head-to-head comparison of the two functions on the same inputs!
    # Note that when the lines get too long in Python, you can press <enter>/<return> to start a new line.
    # Python will ignore the line break.  Just keep things indented for clarity.
    
    time_1 = time_1 + TI.timeit('powermod_1(base,exponent,modulus)', 
                              "from __main__ import powermod_1, base, exponent, modulus", number=10)
    time_2 = time_2 + TI.timeit('powermod_2(base,exponent,modulus)', 
                              "from __main__ import powermod_2, base, exponent, modulus", number=10)
    
print("powermod_1 took {} seconds.".format(time_1))
print("powermod_2 took {} seconds.".format(time_2)) # Which is faster?

Now we can be pretty sure that the `powermod_1` function is faster (perhaps by a factor of 8-10) than the `powermod_2` function we designed.  At least, this is the case for inputs in the 2-3 digit range that we sampled.  But why?  We reduced the complexity of the calculation by using the mod operation `%` throughout.  Here are a few issues one might suspect.

1.  The mod operation itself takes a bit of time.  Maybe that time added up in `powermod_2`?
2.  The Python power operation `**` is highly optimized already, and outperforms our while loop.
3.  We used more multiplications than necessary.

It turns out that the mod operation is extremely fast... as in *nanoseconds* (billionths of a second) fast.

In [None]:
%timeit 1238712 % 1237

So the speed difference is not due to the number of mod operations.  But the other issues are relevant.  The Python developers have worked hard to make Python run fast -- built-in operations like `**` will almost certainly be faster than any function that you write with a loop in Python.  The developers have written programs in the **C programming language** (typically) to implement operations like `**` (see the [CPython implementation](https://hg.python.org/cpython/file/c7163a7f7cd2/Python/bltinmodule.c#l1505), if you wish); their programs have been **compiled** into **machine code** -- the basic sets of instructions that your computer understands (and that are not meant for people to understand).  When you call a built-in operation like `**`, Python just tells your computer to run the developers' optimized and **precompiled** machine code... this is very fast!  When you run your own loop, Python is basically converting the code to machine code "on the fly" and this is slower.

Still, it is unfortunate to use long integers if you ask Python to compute `(3**999) % 1000`.  The good news is that such modular exponents are so frequently used that the Python developers have a built-in operation:  the `pow` function.

The `pow` function has two versions.  The simplest version `pow(b,e)` raises `b` to the `e` power.  It is the same as computing `b ** e`.  But it also has a modular version!  The command `pow(b,e,m)` raises `b` to the `e` modulo `m`, efficiently reducing modulo `m` along the way.

In [None]:
pow(3,999)  # A long number.

In [None]:
pow(3,999,1000) # The result, modulo 1000.  

In [None]:
pow(3,999) % 1000 # The old way

In [None]:
%timeit pow(3,999,1000)

In [None]:
%timeit pow(3,999) % 1000

The `pow(b,e,m)` command should give a significant speedup, as compared to the `pow(b,e)` command.  Remember that ns stands for nanoseconds (billionths of a second) and µs stands for microseconds (millionths of a second).

Exponentiation runs so quickly because not only is Python reducing modulo `m` along the way, it is performing a surprisingly small number of multiplications.  In our loop approach, we computed $3^{999}$ by multiplying repeatedly.  There were 999 multiplications!  But consider this carefully -- did we need to perform so many multiplications?  Can you compute $3^{999}$ with far fewer multiplications?  What if you can place results in memory along the way?  

In the next section, we study a very efficient **algorithm** for computing such exponents.  The goal in designing a good algorithm is to create something which runs **quickly**, minimizes the need for **memory**, and runs reliably for all the necessary input values.  Often there are trade-offs between speed and memory usage, but our exponentiation algorithm will be excellent in both respects.  The ideas go back to [Pingala](https://en.wikipedia.org/wiki/Pingala), an Indian mathematician of the 2nd or 3rd century BCE, who developed his ideas to enumerate possible poetic meters (arrangements of long and short syllables into verses of a given length).  

You may wonder why it is necessary to learn the algorithm at all, if Python has an optimized algorithm built into its `pow` command.  First, it is interesting!  But also, we will need to understand the algorithm in finer detail to implement the Miller-Rabin test:  a way of quickly testing whether very large numbers are prime.

### Exercises

1.  Adapt the `solve_LDE` function from [PwNT Notebook 2](http://illustratedtheoryofnumbers.com/prog.html#notebooks), in order to write a function `modular_inverse(a,m)` which computes the multiplicative inverse of `a` modulo `m` (if they are coprime).

2.  Use the `timeit` and `randint` functions to investigate how the speed of the command `pow(a,e,m)` depends on how many digits the numbers `a`, `e`, and `m` have.  Note that `randint(10**(d-1), 10**d - 1)` will produce a random integer with `d` digits.  If you hold two of these variables fixed, consider how the time changes as the third variable is changed.  

3.  Imagine that you are going to compute $3^{100}$ by multiplying positive integers together.  If each multiplication operation costs 1 dollar, how much money do you need to spend?  You can assume that **remembering** previously computed numbers is free.  What if it costs 1 dollar each time you need to place a number into memory or recover a number from memory?  What is the cheapest way to compute $3^{100}$?

<a id='millerrabin'></a>

## The Miller-Rabin primality test

### Fermat's Little Theorem and the ROO property of primes

Fermat's Little Theorem states that if $p$ is a prime number, and $GCD(a,p) = 1$, then $$a^{p-1} \equiv 1 \text{ mod } p.$$
Under the assumptions above, if we ask Python to compute `(a**(p-1))%p`, or even better, `pow(a,p-1,p)`, the result should be 1.  We use and refine this idea to develop a powerful and practical primality test.  Let's begin with a few checks of Fermat's Little Theorem.

In [None]:
pow(3,36,37)  # a = 3, p = 37, p-1 = 36

In [None]:
pow(17,100,101) # 101 is prime.

In [None]:
pow(303, 100, 101)  # Why won't we get 1?

In [None]:
pow(5,90,91) # What's the answer?

In [None]:
pow(7,12318, 12319) # What's the answer?

We can learn something from the previous two examples.  Namely, 91 and 12319 are **not** prime numbers.  We say that 7 **witnesses** the non-primality of 12319.  Moreover, we learned this fact without actually finding a factor of 12319!  Indeed, the factors of 12319 are 97 and 127, which have no relationship to the "witness" 7.

In this way, Fermat's Little Theorem -- a statement about prime numbers -- can be turned into a way of discovering that numbers are not prime.  After all, if $p$ is not prime, then what are the chances that $a^{p-1} \equiv 1$ mod $p$ by coincidence?  

In [None]:
pow(3,90,91)

Well, ok.  Sometimes coincidences happen.  We say that 3 is a **bad witness** for 91, since 91 is not prime, but $3^{90} \equiv 1$ mod $91$.  But we could try multiple bases (witnesses).  We can expect that someone (some base) will witness the nonprimality.  Indeed, for the non-prime 91 there are many good witnesses (ones that detect the nonprimality).

In [None]:
for witness in range(1,20):
    flt = pow(witness, 90, 91)
    if flt == 1:
        print("{} is a bad witness.".format(witness))
    else:
        print("{} raised to the 90th power equals {}, mod 91".format(witness, flt))

For some numbers -- the [Carmichael numbers](https://en.wikipedia.org/wiki/Carmichael_number) -- there are more bad witnesses than good witnesses.  For example, take the Carmichael number 41041, which is not prime ($41041 = 7 \cdot 11 \cdot 13 \cdot 41$).  

In [None]:
for witness in range(1,20):
    flt = pow(witness, 41040, 41041)
    if flt == 1:
        print("{} is a bad witness.".format(witness))
    else:
        print("{} raised to the 41040th power equals {}, mod 41041".format(witness, flt))

For Carmichael numbers, it turns out that finding a good witness is just as difficult as finding a factor.  Although Carmichael numbers are rare, they demonstrate that Fermat's Little Theorem by itself is not a great way to be certain of primality.  Effectively, Fermat's Little Theorem can often be used to quickly prove that a number **is not prime**... but it is not so good if we want to be sure that a number **is prime**.

The Miller-Rabin primality test will refine the Fermat's Little Theorem test, by cleverly taking advantage of another property of prime numbers.  We call this the ROO (Roots Of One) property:  if $p$ is a prime number, and $x^2 \equiv 1$ mod $p$, then $x \equiv 1$ or $x \equiv -1$ mod $p$.

In [None]:
for x in range(41):  
    if x*x % 41 == 1:
        print("{} squared is congruent to 1, mod 41.".format(x))  # What numbers do you think will be printed?

Note that we use "natural representatives" when doing modular arithmetic in Python.  So the only numbers whose square is 1 mod 41 are 1 and 40.  (Note that 40 is the natural representative of -1, mod 41).  If we consider the "square roots of 1" with a composite modulus, we find more (as long as the modulus has at least two odd prime factors).

In [None]:
for x in range(91):
    if x*x % 91 == 1:
        print("{} squared is congruent to 1, mod 91.".format(x))  # What numbers do you think will be printed?

We have described two properties of prime numbers, and therefore two possible indicators that a number is not prime.

1.  If $p$ is a number which violates Fermat's Little Theorem, then $p$ is not prime.

2.  If $p$ is a number which violates the ROO property, then $p$ is not prime.

The Miller Rabin test will combine these indicators.  But first we have to introduce an ancient algorithm for exponentiation.

### Pingala's exponentiation algorithm

If we wish to compute $5^{90}$ mod $91$, without the `pow` command, we don't have to carry out 90 multiplications.  Instead, we carry out **Pingala's algorithm**.  To understand this algorithm, we begin with the desired exponent (e.g. $e=90$), and carry out a series of steps:  replace $e$ by $e/2$ if $e$ is even, and replace $e$ by $(e-1) / 2$ if $e$ is odd.  Repeat this until the exponent is decreased to zero.  The following function carries out this process on any input $e$.

In [None]:
def Pingala(e):
    current_number = e
    while current_number > 0:
        if current_number%2 == 0:
            current_number = current_number // 2
            print("Exponent {} BIT 0".format(current_number))
        if current_number%2 == 1:
            current_number = (current_number - 1) // 2
            print("Exponent {} BIT 1".format(current_number))

In [None]:
Pingala(90)

The codes "BIT 1" and "BIT 0" tell us what happened at each step, and allow the process to be reversed.  In a line with BIT 0, the exponent gets **doubled** as one goes **up** one line (e.g., from 11 to 22).  In a line with BIT 1, the exponent gets **doubled then increased by 1** as one goes **up** one line (e.g., from 2 to 5).

We can use these BIT codes in order to compute an exponent.  Below, we follow the BIT codes to compute $5^{90}$.

In [None]:
n = 1  # This is where we start.
n = n*n * 5 # BIT 1 is interpreted as square-then-multiply-by-5, since the exponent is doubled then increased by 1.
n = n*n  # BIT 0 is interpreted as squaring, since the exponent is doubled.
n = n*n * 5 # BIT 1
n = n*n * 5 # BIT 1 again.
n = n*n # BIT 0
n = n*n * 5 # BIT 1
n = n*n # BIT 0

In [None]:
print(n)  # What we just computed.
print(5**90) # I hope these match!!

Note that along the way, we carried out 11 multiplications (count the `*` symbols), and didn't have to remember too many numbers along the way.  So this process was efficient in both time and memory.  We just followed the BIT code.  The number of multiplications is bounded by twice the number of BITs, since each BIT requires at most two multiplications (squaring then multiplication by 5) to execute.

Why did we call the code a BIT code?  It's because the code consists precisely of the bits (binary digits) of the exponent 90!  Since computers store numbers in binary, the computer "knows" the BIT code as soon as it knows the exponent.  In Python, the `bin` command recovers the binary expansion of a number.

In [None]:
bin(90)  # Compare this to the sequence of bits, from bottom up.

Python outputs binary expansions as strings, beginning with `'0b'`.  To summarize, we can compute an exponent like $b^e$ by the following process:

**Pingala's Exponentiation Algorithm**

1.  Set the number to 1.

2.  Read the bits of $e$, from left to right.  
    a. When the bit is zero, square the number.   
    b. When the bit is one, square the number, then multiply by $b$.
    
3.  Output the resulting number.

In [None]:
def pow_Pingala(base,exponent):
    result = 1
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        if bit == '0':
            result = result*result
        if bit == '1':
            result = result*result * base
    return result

In [None]:
pow_Pingala(5,90)

It is straightforward to modify Pingala's algorithm to compute exponents in modular arithmetic.  Just reduce along the way.

In [None]:
def powmod_Pingala(base,exponent,modulus):
    result = 1
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        if bit == '0':
            result = (result*result) % modulus 
        if bit == '1':
            result = (result*result * base) % modulus
    return result

In [None]:
powmod_Pingala(5,90,91)

Let's compare the performance of our new modular exponentiation algorithm.

In [None]:
%timeit powmod_Pingala(3,999,1000)  # Pingala's algorithm, modding along the way.

In [None]:
%timeit powermod_1(3,999,1000)  # Raise to the power, then mod, using Python built-in exponents.

In [None]:
%timeit powermod_2(3,999,1000)  #  Multiply 999 times, modding along the way.

In [None]:
%timeit pow(3,999,1000)  #  Use the Python built-in modular exponent.

The fully built-in modular exponentiation `pow(b,e,m)` command is probably the fastest.  But our implementation of Pingala's algorithm isn't bad -- it probably beats the simple `(b**e) % m` command (in the `powermod_1` function), and it's certainly faster than our naive loop in `powermod_2`.  

One can quantify the efficiency of these algorithms by analyzing how the **time** depends on the **size** of the input parameters.  For the sake of exposition, let us keep the base and modulus constant, and consider how the time varies with the size of the exponent.

As a function of the exponent $e$, our `powmod_Pingala` algorithm required some number of multiplications, bounded by twice the number of bits of $e$.  The number of bits of $e$ is approximately $\log_2(e)$.  The size of the numbers multiplied is bounded by the size of the (constant) modulus.  In this way, the time taken by the `powmod_Pingala` algorithm should be $O(\log(e))$, meaning bounded by a constant times the logarithm of the exponent.

Contrast this with the slow `powermod_2` algorithm, which performs $e$ multiplications, and has thus has runtime $O(e)$.

### The Miller-Rabin test

Pingala's algorithm is effective for computing exponents, in ordinary arithmetic or in modular arithmetic.  In this way, we can look for violations of Fermat's Little Theorem as before, to find witnesses to non-primality.  But if we look more closely at the algorithm... we can sometimes find violations of the ROO property of primes.  This strengthens the primality test.

To see this, we create out a "verbose" version of Pingala's algorithm for modular exponentiation.

In [None]:
def powmod_verbose(base, exponent, modulus):
    result = 1
    print("Computing {} raised to {}, modulo {}.".format(base, exponent, modulus))
    print("The current number is {}".format(result))
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        sq_result = result*result % modulus  # We need to compute this in any case.
        if bit == '0':
            print("BIT 0:  {} squared is congruent to {}, mod {}".format(result, sq_result, modulus))
            result = sq_result 
        if bit == '1':
            newresult = (sq_result * base) % modulus
            print("BIT 1:  {} squared times {} is congruent to {}, mod {}".format(result, base, newresult, modulus))
            result = newresult
    return result

In [None]:
powmod_verbose(2,560,561)  # 561 is a Carmichael number.

The function has displayed every step in Pingala's algorithm.  The final result is that $2^{560} \equiv 1$ mod $561$.  So in this sense, $2$ is a bad witness.  For $561$ is not prime (3 is a factor), but it does not violate Fermat's Little Theorem when $2$ is the base.

But within the verbose output above, there is a violation of the ROO property.  The penultimate line states that "67 squared is congruent to 1, mod 561".  But if 561 were prime, only 1 and 560 are square roots of 1.  Hence this penultimate line implies that 561 is not prime (again, without finding a factor!).  

This underlies the Miller-Rabin test.  We carry out Pingala's exponentiation algorithm to compute $b^{p-1}$ modulo $p$.  If we find a violation of ROO along the way, then the test number $p$ is not prime.  And if, at the end, the computation does not yield $1$, we have found a Fermat's Little Theorem (FLT) violation, and the test number $p$ is not prime.

The function below implements the Miller-Rabin test on a number $p$, using a given base.

In [None]:
def Miller_Rabin(p, base):
    '''
    Tests whether p is prime, using the given base.
    The result False implies that p is definitely not prime.
    The result True implies that p **might** be prime.
    It is not a perfect test!
    '''
    result = 1
    exponent = p-1
    modulus = p
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        sq_result = result*result % modulus  # We need to compute this in any case.
        if sq_result == 1:
            if (result != 1) and (result != exponent):  # Note that exponent is congruent to -1, mod p.
                return False  # a ROO violation occurred, so p is not prime
        if bit == '0':
            result = sq_result 
        if bit == '1':
            result = (sq_result * base) % modulus
    if result != 1:
        return False  # a FLT violation occurred, so p is not prime.
    
    return True  # If we made it this far, no violation occurred and p might be prime.

In [None]:
 Miller_Rabin(101,6)

How good is the Miller-Rabin test?  Will this modest improvement (looking for ROO violations) improve the reliability of witnesses?  Let's see how many witnesses observe the nonprimality of 41041.

In [None]:
for witness in range(2,20):
    MR = Miller_Rabin(41041, witness) # 
    if MR: 
        print("{} is a bad witness.".format(witness))
    else:
        print("{} detects that 41041 is not prime.".format(witness))

In fact, one can prove that at least 3/4 of the witnesses will detect the non-primality of any non-prime.  Thus, if you keep on asking witnesses at random, your chances of detecting non-primality increase exponentially!  In fact, the witness 2 suffices to check whether any number is prime or not up to 2047.  In other words, if $p < 2047$, then $p$ is prime if and only if `Miller_Rabin(p,2)` is `True`.  Just using the witnesses 2 and 3 suffice to check primality for numbers up to a million (1373653, to be precise, according to [Wikipedia](https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test).)

The general strategy behind the Miller-Rabin test then is to use just a few witnesses for smallish potential primes (say, up to $2^{64}$).  For larger numbers, try some number $x$ (like 20 or 50) random bases.  If the tested number **is** composite, then the probability of all witnesses reporting `True` is is less than $1 / 4^x$.  With 50 random witnesses, the chance that a composite number tests as prime is less than $10^{-30}$.  

Note that these are statements about **conditional probability**.  In more formal language,
$$\text{Prob} \left( \text{tests prime} \ \vert \ \text{ is composite} \right) < \frac{1}{4^{\# \text{witnesses} } }.$$
As those who study medical testing know, this probability differs from the probability that most people care about:  the probability that a number is prime, given that it tests prime.  The relationship between the two probabilities is given by Bayes Theorem, and depends on the **prevalence** of primes among the sample.  If our sample consists of numbers of absolute value about $N$, then the prevalence of primes will be about $1 / \log(N)$, and the probability of primality given a positive test result can be approximated. 
$$\text{Prob} \left( \text{ is prime } \ \vert \ \text{ tests prime } \right) > 1 - \frac{\log(N) - 1}{4^{\# \text{witnesses}}}.$$
As one chooses more witnesses, this probability becomes extremely close to $1$.

In [None]:
from mpmath import *
# The mpmath package allows us to compute with arbitrary precision!
# It has specialized functions for log, sin, exp, etc.., with arbitrary precision.
# It is probably installed with your version of Python.

def prob_prime(N, witnesses):
    '''
    Conservatively estimates the probability of primality, given a positive test result.
    N is an approximation of the size of the tested number.
    witnesses is the number of witnesses.
    '''
    mp.dps = witnesses # mp.dps is the number of digits of precision.  We adapt this as needed for input.
    prob_prime = 1 - (log(N) - 1) / (4**witnesses)
    print(str(100*prob_prime)+"% chance of primality") # Use str to convert mpmath float to string for printing.

In [None]:
prob_prime(10**100, 50) # Chance of primality with 50 witnesses, if a 100-digit number is tested.

We implement the Miller-Rabin test for primality in the `is_prime` function below.

In [None]:
def is_prime(p, witnesses=50):  # witnesses is a parameter with a default value.
    '''
    Tests whether a positive integer p is prime.
    For p < 2^64, the test is deterministic, using known good witnesses.
    Good witnesses come from a table at Wikipedia's article on the Miller-Rabin test,
    based on research by Pomerance, Selfridge and Wagstaff, Jaeschke, Jiang and Deng.
    For larger p, a number (by default, 50) of witnesses are chosen at random.
    '''
    if (p%2 == 0): # Might as well take care of even numbers at the outset!
        if p == 2:
            return True
        else:
            return False 
    
    if p > 2**64:  # We use the probabilistic test for large p.
        trial = 0
        while trial < witnesses:
            trial = trial + 1
            witness = randint(2,p-2) # A good range for possible witnesses
            if Miller_Rabin(p,witness) == False:
                return False
        return True
    
    else:  # We use a determinisic test for p <= 2**64.
        verdict = Miller_Rabin(p,2)
        if p < 2047:
            return verdict # The witness 2 suffices.
        verdict = verdict and Miller_Rabin(p,3)
        if p < 1373653:
            return verdict # The witnesses 2 and 3 suffice.
        verdict = verdict and Miller_Rabin(p,5)
        if p < 25326001:
            return verdict # The witnesses 2,3,5 suffice.
        verdict = verdict and Miller_Rabin(p,7)
        if p < 3215031751:
            return verdict # The witnesses 2,3,5,7 suffice.
        verdict = verdict and Miller_Rabin(p,11)
        if p < 2152302898747:
            return verdict # The witnesses 2,3,5,7,11 suffice.
        verdict = verdict and Miller_Rabin(p,13)
        if p < 3474749660383:
            return verdict # The witnesses 2,3,5,7,11,13 suffice.
        verdict = verdict and Miller_Rabin(p,17)
        if p < 341550071728321:
            return verdict # The witnesses 2,3,5,7,11,17 suffice.
        verdict = verdict and Miller_Rabin(p,19) and Miller_Rabin(p,23)
        if p < 3825123056546413051:
            return verdict # The witnesses 2,3,5,7,11,17,19,23 suffice.
        verdict = verdict and Miller_Rabin(p,29) and Miller_Rabin(p,31) and Miller_Rabin(p,37)
        return verdict # The witnesses 2,3,5,7,11,17,19,23,29,31,37 suffice for testing up to 2^64. 
    

In [None]:
is_prime(1000000000000066600000000000001)  # This is Belphegor's prime.

How fast is our new `is_prime` function?  Let's give it a try.

In [None]:
%timeit is_prime(234987928347928347928347928734987398792837491)

In [None]:
%timeit is_prime(1000000000000066600000000000001)

The results will probably on the order of a millisecond, perhaps even a tenth of a millisecond ($10^{-4}$ seconds) for non-primes!  That's much faster than looking for factors, for numbers of this size.  In this way, we can test primality of numbers of hundreds of digits!

For an application, let's find some Mersenne primes.  Recall that a Mersenne prime is a prime of the form $2^p - 1$.  Note that when $2^p - 1$ is prime, it must be the case that $p$ is a prime too.  We will quickly find the Mersenne primes with $p$ up to 1000 below!

In [None]:
for p in range(1,1000):
    if is_prime(p):  # We only need to check these p.
        M = 2**p - 1 # A candidate for a Mersenne prime.
        if is_prime(M):
            print("2^{} - 1 = {} is a Mersenne prime.".format(p,M))

### Exercises

1.  Recall that if $2^p - 1$ is a Mersenne prime, then Euclid proved that $(2^p - 1) \cdot 2^{p-1}$ is a perfect number.  Find all the (even) perfect numbers up to $2^{1000}$.  (Note:  nobody has ever found an odd perfect number.  All even perfect numbers arise from Mersenne primes by Euclid's recipe.)

2.  The Fermat sequence is the sequence of numbers 3, 5, 257, 65537, etc., of the form $2^{2^n} + 1$ for $n \geq 0$.  Test the primality of these numbers for $n$ up to 10.

3.  Why does the is_prime function (using Miller-Rabin) runs more quickly on non-primes than it does on primes?

4.  Compare the performance of the new `is_prime` function to "trial division" (looking for factors up to the square root of the test number).  Which is faster for small numbers (1-digit, 2-digits, 3-digits, etc.)?  Adapt the `is_prime` function to perform trial division for small numbers in order to optimize performance.  

5.  Estimate the probability that a randomly chosen 10-digit number is prime, by running is_prime on a large number of samples.  How does this probability vary as the number of digits increases (e.g., from 10 digits to 11 digits to 12 digits, etc., onto 20 digits)?  

# Part 6:  Ciphers and Key exchange in Python 3.x

In this notebook, we introduce cryptography -- how to communicate securely over insecure channels.  We begin with a study of two basic ciphers, the Caesar cipher and its fancier variant, the Vigenère cipher.  The Vigenère cipher uses a **key** to turn **plaintext** (i.e., the  message) into **ciphertext** (the coded message), and uses the same key to turn the ciphertext back into plaintext.  Therefore, two parties can communicate securely if they -- and only they -- possess the key.  

If the security of communication rests on possession of a common key, then we're left with a new problem:  how do the two parties agree on a common key, especially if they are far apart and communicating over an insecure channel?  

A clever solution to this problem was published in 1976 by Whitfield Diffie and Martin Hellman, and so it's called Diffie-Hellman key exchange.  It takes advantage of modular arithmetic:  the existence of a primitive root (modulo a prime) and the difficulty of solving the **discrete logarithm** problem.  

This part complements **Chapter 6** of An Illustrated Theory of Numbers.

## Table of Contents

- [Ciphers](#cipher)
- [Key exchange](#keyexchange)


<a id='cipher'></a>

## Ciphers

A cipher is a way of transforming a message, called the **plaintext** into a different form, the **ciphertext**, which conceals the meaning to all but the intended recipient(s).  A cipher is a *code*, and can take many forms.  A **substitution cipher** might simply change every letter to a different letter in the alphabet.  This is the idea behind "Cryptoquip" puzzles.  These are not too hard for people to solve, and are easy for computers to solve, using frequency analysis (understanding how often different letters or letter-combinations occur).



### ASCII code and the Caesar cipher

Even though substitution ciphers are easy to break, they are a good starting point.  To implement substitution ciphers in Python, we need to study the *string* type in a bit more detail.  To declare a string variable, just put your string in quotes.  You can use any letters, numbers, spaces, and many symbols inside a string.  You can enclose your string by single quotes, like `'Hello'` or double-quotes, like `"Hello"`.  This flexibility is convenient, if you want to *use* quotes within your string.  For example, the string *Prince's favorite prime is 1999* should be described in Python with double-quotes `"Prince's favorite prime is 1999"` so that the apostrophe doesn't confuse things. 

Strings are indexed, and their letters can be retrieved as if the string were a *list* of letters.  Python experts will note that strings are *immutable* while lists are *mutable* objects, but we aren't going to worry about that here.

In [None]:
W = "Hello"
print(W)
for j in range(len(W)):  # len(W) is the length of the string W.
    print(W[j])  # Access the jth character of the string.

Each "letter" of a string again belongs to the string type.  A string of length one is called a **character**.  

In [None]:
print(type(W))
print(type(W[0]))  # W[0] is a character.

Since computers store data in binary, the designers of early computers (1960s) created a code called [**ASCII**](https://en.wikipedia.org/wiki/ASCII) (American Standard Code for Information Interchange) to associate to each character a number between 0 and 127.  Every number between 0 and 127 is represented in binary by 7 bits (between 0000000 and 1111111), and so each character is stored with 7 bits of memory.  Later, ASCII was extended with another 128 characters, so that codes between 0 and 255 were used, requiring 8 bits.  8 bits of memory is called a **byte**.  One byte of memory suffices to store one (extended ASCII) character.

You might notice that there are 256 ASCII codes available, but there are fewer than 256 characters available on your keyboard, even once you include symbols like `#` and `;`.  Some of these "extra" codes are for accented letters, and others are relics of old computers.  For example, ASCII code 7 (0000111) stands for the "bell", and readers born in the 1970s or earlier might remember making the Apple II computer beep by pressing Control-G on the keyboard ("G" is the 7th letter).  You can look up a [full ASCII table](http://www.asciitable.com/) if you're curious.  

Nowadays, the global community of computer users requires far more than 256 "letters" -- there are many alphabets around the world!  So instead of ASCII, we can access over 100 thousand **unicode** characters.  Scroll through a [unicode table](https://unicode-table.com/en/) to see what is possible.  With emoji, unicode tables have entered [unexpected territory](https://xkcd.com/1813/).  Python version 3.x fully supports Unicode in all strings.

But here we stay within old-fashioned ASCII codes, since they will suffice for basic English messages.  Python has built-in commands `chr` and `ord` for converting from code-number (0--255) to character and back again.

In [None]:
chr(65)

In [None]:
ord('A')

The following code will produce a table of the ASCII characters with codes between 32 and 126.  This is a good range which includes all the most common English characters and symbols on a U.S. keyboard.  Note that ASCII code 32 corresponds to an empty space (an important character for long messages!)

In [None]:
for a in range(32,127):
    c = chr(a)
    print("ASCII {} is {}".format(a, c))

Since we only work with the ASCII range between 32 and 126, it will be useful to "cycle" other numbers into this range.  For example, we will interpret 127 as 32, 128 as 33, etc., when we convert out-of-range numbers into characters.

The following function forces a number into a given range, using the mod operator.  It's a common trick, to make lists loop around cyclically.

In [None]:
def inrange(n,range_min, range_max):
    '''
    The input number n can be any integer.
    The output number will be between range_min and range_max (inclusive)
    If the input number is already within range, it will not change.
    '''
    range_len = range_max - range_min + 1
    a = n % range_len
    if a < range_min:
        a = a + range_len
    return a

In [None]:
inrange(13,1,10)

In [None]:
inrange(17,5,50)

Now we can implement a **substitution cipher** by converting characters to their ASCII codes, shuffling the codes, and converting back.  One of the simplest substitution ciphers is called a **Caesar cipher**, in which each character is shifted -- by a fixed amount -- down the list.  For example, a Caesar cipher of shift 3 would send 'A' to 'D' and 'B' to 'E', etc..  Near the end of the list, characters are shifted back to the beginning -- the list is considered cyclicly, using our `inrange` function. 

Here is an implementation of the Caesar cipher, using the ASCII range between 32 and 126.  We begin with a function to shift a single character.

In [None]:
def Caesar_shift(c, shift):
    '''
    Shifts the character c by shift units
    within the ASCII table between 32 and 126. 
    The shift parameter can be any integer!
    '''
    ascii = ord(c)
    a = ascii + shift # Now we have a number between 32+shift and 126+shift.
    a = inrange(a,32,126) # Put the number back in range.
    return chr(a)

Let's see the effect of the Caesar cipher on our ASCII table.

In [None]:
for a in range(32,127):
    c = chr(a)
    print("ASCII {} is {}, which shifts to {}".format(a, c, Caesar_shift(c,5))) # Shift by 5.

Now we can use the Caesar cipher to encrypt *strings*.

In [None]:
def Caesar_cipher(plaintext, shift):
    ciphertext = ''
    for c in plaintext:  # Iterate through the characters of a string.
        ciphertext = ciphertext + Caesar_shift(c,shift)  
    return ciphertext

In [None]:
print(Caesar_cipher('Hello!  Can you read this?', 5))  # Shift forward 5 units in ASCII.

As designed, the Caesar cipher turns *plaintext* into *ciphertext* by using a shift of the ASCII table.  To *decipher* the ciphertext, one can just use the Caesar cipher again, with the negative shift.

In [None]:
print(Caesar_cipher('Mjqqt&%%Hfs%~tz%wjfi%ymnxD', -5))  # Shift back 5 units in ASCII.

### The Vigenère cipher

The Caesar cipher is pretty easy to break, by a brute force attack (shift by all possible values) or a frequency analysis (compare the frequency of characters in a message to the frequency of characters in typical English messages, to make a guess).  

The Vigenère cipher is a variant of the Caesar cipher which uses an **ecryption key** to vary the shift-parameter throughout the encryption process.  For example, to encrypt the message "This is very secret" using the key "Key", you line up the characters of the message above repeated copies of the key.

T | h | i | s |   | i | s |   | v | e | r | y |   | s | e | c | r | e | t
--|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|--
K | e | y | K | e | y | K | e | y | K | e | y | K | e | y | K | e | y | K

Then, you turn everything into ASCII (or your preferred numerical system), and use the bottom row to shift the top row.

ASCII message | 84 | 104 | 105 | 115 | 32 | 105 | 115 | 32 | 118 | 101 | 114 | 121 | 32 | 115 | 101 | 99 | 114 | 101 | 116 
---|-----|-----
Shift | 75 | 101 | 121 | 75 | 101 | 121 | 75 | 101 | 121 | 75 | 101 | 121 | 75 | 101 | 121 | 75 | 101 | 121 | 75 
ASCII shifted | 159 | 205 | 226 | 190 | 133 | 226 | 190 | 133 | 239 | 176 | 215 | 242 | 107 | 216 | 222 | 174 | 215 | 222 | 191 
ASCII shifted in range |   64 | 110 | 36 | 95 | 38 | 36 | 95 | 38 | 49 | 81 | 120 | 52 | 107 | 121 | 32 | 79 | 120 | 32 | 96 

Finally, the shifted ASCII codes are converted back into characters for transmission.  In this case, the codes 64,110,36,95, etc., are converted to the ciphertext ``"@n$_&$_&1Qx4ky Ox \`"``

The Vigenère cipher is much harder to crack than the Caesar cipher, if you don't have the key.  Indeed, the varying shifts make frequency analysis more difficult.  The Vigenère cipher is weak by today's standards (see [Wikipedia](https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher#Cryptanalysis) for a description of 19th century attacks), but illustrates the basic actors in a **symmetric key** cryptosystem: the plaintext, ciphertext, and a single key.  Today, symmetric key cryptosystems like [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) and [3DES](https://en.wikipedia.org/wiki/Triple_DES) are used all the time for secure communication.

Below, we implement the Vigenère cipher.

In [None]:
def Vigenere_cipher(plaintext, key):
    ciphertext = '' # Start with an empty string
    for j in range(len(plaintext)): 
        c = plaintext[j] # the jth letter of the plaintext
        key_index = j % len(key) # Cycle through letters of the key.
        shift = ord(key[key_index]) # How much we shift c by.
        ciphertext = ciphertext + Caesar_shift(c,shift) # Add new letter to ciphertext
    return ciphertext

In [None]:
print(Vigenere_cipher('This is very secret', 'Key')) # 'Key' is probably a bad key!!

The Vigenère cipher is called a **symmetric** cryptosystem, because the same key that is used to encrypt the plaintext can be used to decrypt the ciphertext.  All we do is *subtract* the shift at each stage.

In [None]:
def Vigenere_decipher(ciphertext, key):
    plaintext = '' # Start with an empty string
    for j in range(len(ciphertext)): 
        c = ciphertext[j] # the jth letter of the ciphertext
        key_index = j % len(key) # Cycle through letters of the key.
        shift = - ord(key[key_index]) # Note the negative sign to decipher!
        plaintext = plaintext + Caesar_shift(c,shift) # Add new letter to plaintext
    return plaintext

In [None]:
print(Vigenere_decipher('@n$_&$_&1Qx4ky Ox `', 'Key'))

In [None]:
# Try a few cipher/deciphers yourself to get used to the Vigenere system.


The Vigenère cipher becomes an effective way for two parties to communicate securely, as long as they **share a secret key**.  In the 19th century, this often meant that the parties would require an initial in-person meeting to agree upon a key, or a well-guarded messenger would carry the key from one party to the other.  

Today, as we wish to communicate securely over long distances on a regular basis, the process of agreeing on a key is more difficult.  It seems like a chicken-and-egg problem, where we need a shared secret to communicate securely, but we can't share a secret without communicating securely in the first place!  

Remarkably, this secret-sharing problem can be solved with some modular arithmetic tricks.  This is the subject of the next section.

### Exercises

1.  A Caesar cipher was used to encode a message, with the resulting ciphertext:  `'j!\'1r$v1"$v&&+1t}v(v$2'`.  Use a loop (brute force attack) to figure out the original message. 

2.  Imagine that you encrypt a long message (e.g., 1000 words of standard English) with a Vigenère cipher.  How might you detect the *length* of the key, if it is short (e.g. 3 or 4 characters)?

3.  Consider running a plaintext message through a Vigenère cipher with a 3-character key, and then running the ciphertext through a Vigenère cipher with a 4-character key.  Explain how this is equivalent to running the original message through a single cipher with a 12-character key.

<a id='keyexchange'></a>

## Key exchange

Now we study Diffie-Hellman **key exchange**, a remarkable way for two parties to share a secret without ever needing to directly communicate the secret with each other.  Their method is based on properties of modular exponentiation and the existence of a **primitive root** modulo prime numbers.   

### Primitive roots and Sophie Germain primes

If $p$ is a prime number, and $GCD(a,p) = 1$, then recall Fermat's Little Theorem:  $$a^{p-1} \equiv 1 \text{ mod } p.$$
It may be the case that $a^\ell \equiv 1$ mod $p$ for some smaller (positive) value of $\ell$ however.  The smallest such positive value of $\ell$ is called the **order** (multiplicative order, to be precise) of $a$ modulo $p$, and it is always a divisor of $p-1$.

The following code determines the order of a number, mod $p$, with a brute force approach.

In [None]:
def mult_order(a,p):
    '''
    Determines the (multiplicative) order of an integer
    a, modulo p.  Here p is prime, and GCD(a,p) = 1.
    If bad inputs are used, this might lead to a 
    never-ending loop!
    '''
    current_number = a % p
    current_exponent = 1
    while current_number != 1:
        current_number = (current_number * a)%p
        current_exponent = current_exponent + 1
    return current_exponent
    

In [None]:
for j in range(1,37):
    print("The multiplicative order of {} modulo 37 is {}".format(j,mult_order(j,37)))
    # These orders should all be divisors of 36.

A theorem of Gauss states that, if $p$ is prime, there exists an integer $b$ whose order is precisely $p-1$ (as big as possible!).  Such an integer is called a **primitive root** modulo $p$.  For example, the previous computation found 12 primitive roots modulo $37$:  they are 2,5,13,15,17,18,19,20,22,24,32,35.  To see these illustrated (mod 37), check out [this poster](https://fineartamerica.com/featured/epicycles-modulo-37-martin-weissman.html) (yes, that is blatant self-promotion!)

For everything that follows, suppose that $p$ is a prime number.  Not only do primitive roots *exist* mod $p$, but they are pretty common.  In fact, the number of primitive roots mod $p$ equals $\phi(p-1)$, where $\phi$ denotes Euler's totient.  On average, $\phi(n)$ is about $6 / \pi^2$ times $n$ (for positive integers $n$).  While numbers of the form $p-1$ are not "average", one still expects that $\phi(p-1)$ is a not-very-small fraction of $p-1$.  You should not have to look very far if you want to *find* a primitive root.

The more difficult part, in practice, is determining whether a number $b$ is or is not a primitive root modulo $p$.  When $p$ is very large (like hundreds or thousands of digits), $p-1$ is also very large.  It is certainly not practical to cycle all the powers (from $1$ to $p-1$) of $b$ to determine whether $b$ is a primitive root!

The better approach, sometimes, is to use the fact that the multiplicative order of $b$ must be a **divisor** of $p-1$.  If one can find all the divisors of $p-1$, then one can just check whether $b^d \equiv 1$ mod $p$ for each divisor $d$.  This makes the problem of determining whether $b$ is a primitive root just about as hard as the problem of factoring $p-1$.  This is a hard problem, in general!

But, for the application we're interested in, we will want to have a large prime number $p$ **and** a primitive root mod $p$.  The easiest way to do this is to use a **Sophie Germain** prime $q$.  A Sophie Germain prime is a prime number $q$ such that $2q + 1$ is also prime.  When $q$ is a Sophie Germain prime, the resulting prime $p = 2q + 1$ is called a **safe prime**.

Observe that when $p$ is a safe prime, the prime decomposition of $p-1$ is 
$$p-1 = 2 \cdot q.$$
That's it.  So the possible multiplicative orders of an element $b$, mod $p$, are the divisors of $2q$, which are
$$1, 2, q, \text{ or } 2q.$$
In order to check whether $b$ is a primitive root, modulo a safe prime $p = 2q + 1$, we must check just three things:  is $b \equiv 1$, is $b^2 \equiv 1$, or is $b^q \equiv 1$, mod $p$?  If the answer to these three questions is NO, then $b$ is a primitive root mod $p$.

In [None]:
def is_primroot_safe(b,p):
    '''
    Checks whether b is a primitive root modulo p,
    when p is a safe prime.  If p is not safe,
    the results will not be good!
    '''
    q = (p-1) // 2   # q is the Sophie Germain prime
    if b%p == 1:  # Is the multiplicative order 1?
        return False
    if (b*b)%p == 1:  # Is the multiplicative order 2?
        return False
    if pow(b,q,p) == 1:  # Is the multiplicative order q?
        return False
    return True  # If not, then b is a primitive root mod p.

This would not be very useful if we couldn't find Sophie Germain primes.  Fortunately, they are not so rare.  The first few are 2, 3, 5, 11, 23, 29, 41, 53, 83, 89.  It is expected, but unproven that there are infinitely many Sophie Germain primes.  In practice, they occur fairly often.  If we consider numbers of magnitude $N$, about $1 / \log(N)$ of them are prime.  Among such primes, we expect about $1.3 / \log(N)$ to be Sophie Germain primes.  In this way, we can expect to stumble upon Sophie Germain primes if we search for a bit (and if $\log(N)^2$ is not too large).

The code below tests whether a number $p$ is a Sophie Germain prime.  We construct it by simply testing whether $p$ and $2p+1$ are both prime.  We use the Miller-Rabin test (the code from the previous Python notebook) in order to test whether each is prime.

In [None]:
from random import randint # randint chooses random integers.

def Miller_Rabin(p, base):
    '''
    Tests whether p is prime, using the given base.
    The result False implies that p is definitely not prime.
    The result True implies that p **might** be prime.
    It is not a perfect test!
    '''
    result = 1
    exponent = p-1
    modulus = p
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        sq_result = result*result % modulus  # We need to compute this in any case.
        if sq_result == 1:
            if (result != 1) and (result != exponent):  # Note that exponent is congruent to -1, mod p.
                return False  # a ROO violation occurred, so p is not prime
        if bit == '0':
            result = sq_result 
        if bit == '1':
            result = (sq_result * base) % modulus
    if result != 1:
        return False  # a FLT violation occurred, so p is not prime.
    
    return True  # If we made it this far, no violation occurred and p might be prime.

def is_prime(p, witnesses=50):  # witnesses is a parameter with a default value.
    '''
    Tests whether a positive integer p is prime.
    For p < 2^64, the test is deterministic, using known good witnesses.
    Good witnesses come from a table at Wikipedia's article on the Miller-Rabin test,
    based on research by Pomerance, Selfridge and Wagstaff, Jaeschke, Jiang and Deng.
    For larger p, a number (by default, 50) of witnesses are chosen at random.
    '''
    if (p%2 == 0): # Might as well take care of even numbers at the outset!
        if p == 2:
            return True
        else:
            return False 
    
    if p > 2**64:  # We use the probabilistic test for large p.
        trial = 0
        while trial < witnesses:
            trial = trial + 1
            witness = randint(2,p-2) # A good range for possible witnesses
            if Miller_Rabin(p,witness) == False:
                return False
        return True
    
    else:  # We use a determinisic test for p <= 2**64.
        verdict = Miller_Rabin(p,2)
        if p < 2047:
            return verdict # The witness 2 suffices.
        verdict = verdict and Miller_Rabin(p,3)
        if p < 1373653:
            return verdict # The witnesses 2 and 3 suffice.
        verdict = verdict and Miller_Rabin(p,5)
        if p < 25326001:
            return verdict # The witnesses 2,3,5 suffice.
        verdict = verdict and Miller_Rabin(p,7)
        if p < 3215031751:
            return verdict # The witnesses 2,3,5,7 suffice.
        verdict = verdict and Miller_Rabin(p,11)
        if p < 2152302898747:
            return verdict # The witnesses 2,3,5,7,11 suffice.
        verdict = verdict and Miller_Rabin(p,13)
        if p < 3474749660383:
            return verdict # The witnesses 2,3,5,7,11,13 suffice.
        verdict = verdict and Miller_Rabin(p,17)
        if p < 341550071728321:
            return verdict # The witnesses 2,3,5,7,11,17 suffice.
        verdict = verdict and Miller_Rabin(p,19) and Miller_Rabin(p,23)
        if p < 3825123056546413051:
            return verdict # The witnesses 2,3,5,7,11,17,19,23 suffice.
        verdict = verdict and Miller_Rabin(p,29) and Miller_Rabin(p,31) and Miller_Rabin(p,37)
        return verdict # The witnesses 2,3,5,7,11,17,19,23,29,31,37 suffice for testing up to 2^64. 
    

In [None]:
def is_SGprime(p):
    '''
    Tests whether p is a Sophie Germain prime
    '''
    if is_prime(p):  # A bit faster to check whether p is prime first.
        if is_prime(2*p + 1):  # and *then* check whether 2p+1 is prime.
            return True
    return False

Let's test this out by finding the Sophie Germain primes up to 100, and their associated safe primes.

In [None]:
for j in range(1,100):
    if is_SGprime(j):
        print(j, 2*j+1)

Next, we find the first 100-digit Sophie Germain prime!  This might take a minute!

In [None]:
test_number = 10**99 # Start looking at the first 100-digit number, which is 10^99.
while not is_SGprime(test_number):
    test_number = test_number + 1
print(test_number)

In the seconds or minutes your computer was running, it checked the primality of almost 90 thousand numbers, each with 100 digits.  Not bad!

### The Diffie-Hellman protocol

When we study protocols for secure communication, we must keep track of the communicating parties (often called Alice and Bob), and **who** has knowledge of **what** information.  We assume at all times that the "wire" between Alice and Bob is tapped -- anything they say to each other is actively monitored, and is therefore **public** knowledge.  We also assume that what happens on Alice's private computer is private to Alice, and what happens on Bob's private computer is private to Bob.  Of course, these last two assumptions are big assumptions -- they point towards the danger of computer viruses which infect computers and can violate such privacy!

The goal of the Diffie-Hellman protocol is -- at the end of the process -- for Alice and Bob to **share a secret** without ever having communicated the secret with each other.  The process involves a series of modular arithmetic calculations performed on each of Alice and Bob's computers.

The process begins when Alice or Bob creates and publicizes a **large prime number** `p` and a **primitive root** `g` modulo `p`.  It is best, for efficiency and security, to choose a **safe** prime `p`.  Alice and Bob can create their own safe prime, or choose one from a public list online, e.g., from the [RFC 3526 memo](https://tools.ietf.org/html/rfc3526).  Nowadays, it's common to take `p` with 2048 bits, i.e., a prime which is between $2^{2046}$ and $2^{2047}$ (a number with 617 decimal digits!).

For the purposes of this introduction, we use a smaller safe prime, with about 256 bits.  We use the `SystemRandom` functionality of the `random` package to create a good random prime.  It is not so much of an issue here, but in general one must be very careful in cryptography that one's "random" numbers are really "random"!  The `SystemRandom` function uses chaotic properties of your computer's innards in order to initialize a random number generator, and is considered cryptographically secure.

In [None]:
from random import SystemRandom # Import the necessary package.

r = SystemRandom().getrandbits(256)
print("The random integer is {}".format(r))
print("with binary expansion {}".format(bin(r)))  #  r is an integer constructed from 256 random bits.
print("with bit-length {}.".format(len(bin(r)) - 2))  # In case you want to check.  Remember '0b' is at the beginning.

In [None]:
def getrandSGprime(bitlength):
    '''
    Creates a random Sophie Germain prime p with about 
    bitlength bits.
    '''
    while True:
        p = SystemRandom().getrandbits(bitlength) # Choose a really random number.
        if is_SGprime(p):
            return p    

The function above searches and searches among random numbers until it finds a Sophie Germain prime.  The (possibly endless!) search is performed with a `while True:` loop that may look strange.  The idea is to stay in the loop until such a prime is found.  Then the `return p` command returns the found prime as output and halts the loop.  One must be careful with `while True` loops, since they are structured to run forever -- if there's not a loop-breaking command like `return` or `break` inside the loop, your computer will be spinning for a long time.

In [None]:
q = getrandSGprime(256) # A random ~256 bit Sophie Germain prime
p = 2*q + 1 # And its associated safe prime

print("p is ",p)  # Just to see what we're working with.
print("q is ",q)

Next we find a primitive root, modulo the safe prime `p`.

In [None]:
def findprimroot_safe(p):
    '''
    Finds a primitive root, 
    modulo a safe prime p.
    '''
    b = 2  # Start trying with 2.
    while True:  # We just keep on looking.
        if is_primroot_safe(b,p):
            return b
        b = b + 1 # Try the next base.  Shouldn't take too long to find one!

In [None]:
g = findprimroot_safe(p)
print(g)

The pair of numbers $(g, p)$, the primitive root and the safe prime, chosen by either Alice or Bob, is now made public.  They can post their $g$ and $p$ on a public website or shout it in the streets.  It doesn't matter.  They are just tools for their secret-creation algorithm below.

### Alice and Bob's private secrets

Next, Alice and Bob invent **private** secret numbers $a$ and $b$.  They do not tell *anyone* these numbers.  Not each other.  Not their family.  Nobody.  They don't write them on a chalkboard, or leave them on a thumbdrive that they lose.  These are really secret.

But they don't use their phone numbers, or social security numbers.  It's best for Alice and Bob to use a secure random number generator on their separate private computers to create $a$ and $b$.  They are often 256 bit numbers in practice, so that's what we use below.

In [None]:
a = SystemRandom().getrandbits(256)  # Alice's secret number
b = SystemRandom().getrandbits(256)  # Bob's secret number

print("Only Alice should know that a = {}".format(a))
print("Only Bob should know that b = {}".format(b))

print("But everyone can know p = {} and g = {}".format(p,g))

Now Alice and Bob use their secrets to generate new numbers.  Alice computes the number 
$$A = g^a \text{ mod } p,$$
and Bob computes the number
$$B = g^b \text{ mod } p.$$


In [None]:
A = pow(g,a,p)  # This would be computed on Alice's computer.
B = pow(g,b,p)  # This would be computed on Bob's computer.

Now Alice and Bob do something that seems very strange at first.  Alice sends Bob her new number $A$ and Bob sends Alice his new number $B$.  Since they are far apart, and the channel is insecure, we can assume everyone in the world now knows $A$ and $B$.

In [None]:
print("Everyone knows A = {} and B = {}.".format(A,B))

Now Alice, on her private computer, computes $B^a$ mod $p$.  She can do that because everyone knows $B$ and $p$, and she knows $a$ too.

Similarly, Bob, on his private computer, computes $A^b$ mod $p$.  He can do that because everyone knows $A$ and $p$, and he knows $b$ too.

Alice and Bob **do not** share the results of their computations!

In [None]:
print(pow(B,a,p))  # This is what Alice computes.

In [None]:
print(pow(A,b,p))  # This is what Bob computes.

Woah!  What happened?  In terms of exponents, it's elementary.  For
$$B^a = (g^{b})^a = g^{ba} = g^{ab} = (g^a)^b = A^b.$$
So these two computations yield the same result (mod $p$, the whole way through).

In the end, we find that Alice and Bob **share a secret**.  We call this secret number $S$.
$$S = B^a = A^b.$$

In [None]:
S = pow(B,a,p)  # Or we could have used pow(A,b,p)
print(S)

This common secret $S$ can be used as a key for Alice and Bob to communicate hereafter.  For example, they might use $S$ (converted to a string, if needed) as the key for a Vigenère cipher, and chat with each other knowing that only they have the secret key to encrypt and decrypt their messages.

In [None]:
#  We use the triple-quotes for a long string, that occupies multiple lines.
#  The backslash at the end of the line tells Python to ignore the newline character.
#  Imagine that Alice has a secret message she wants to send to Bob.  
#  She writes the plaintext on her computer. 

plaintext = '''Did you hear that the American Mathematical Society has an annual textbook sale? \
            It's 40 percent off for members and 25 percent off for everyone else.'''

In [None]:
# Now Alice uses the secret S (as a string) to encrypt.  
ciphertext = Vigenere_cipher(plaintext, str(S))
print(ciphertext)
# Alice sends the following ciphertext to Bob, over an insecure channel.

In [None]:
# When Bob receives the ciphertext, he decodes it with the secret S again.
print(Vigenere_decipher(ciphertext, str(S)))

To have confidence in this protocol, one needs to be convinced that their secret is truly secret!  The public has a lot of information:  they know 
1.  the prime $p$, 
2.  the primitive root $g$, 
3.  the number $A = g^a$ (mod $p$), and 
4.  the number $B = g^b$ (mod $p$).  

If the public could **figure out** either $a$ or $b$, they could figure out the secret (by raising $A^b$ or $B^a$ like Alice and Bob did).  

This is the essence of the **discrete logarithm problem**.  If we know the value of $g^a$ mod $p$, can we figure out the possible value(s) of $a$?  If this were ordinary arithmetic, we would say that $a = \log_g(A)$.  But this is modular arithmetic, and there's no easy way to figure out such logarithms.  The values of $g^a$ tend to bounce all over the place, mod $p$, especially since we chose $a$ to be pretty large (256 bits!).  

The security of the Diffie-Hellman protocol, i.e., the security of Alice and Bob's shared secret, depends on the *difficulty* of the discrete logarithm problem.  When $p$ is a large (e.g. 2048 bits) safe prime, and $a$ and $b$ are suitably large (roughly 256 bits), there seems to be no way to solve the discrete logarithm problem mod $p$ in any reasonable amount of time.  Someday we might have quantum computers to quickly solve discrete logarithm problems, and the Diffie-Hellman protocol will not be secure.  But for now, Alice and Bob's secret key seems safe.

### Exercises

1.  How many Sophie Germain primes are there between 1 and 1000000?  What proportion of primes in this range are Sophie Germain primes?

2.  [It is expected](https://en.wikipedia.org/wiki/Artin%27s_conjecture_on_primitive_roots) that there are infinitely primes $p$ such that 2 is a primitive root mod $p$.  Study the density of such primes.  For example, among the primes up to 1000, how often is $2$ a primitive root?  Does this density seem to change?  

3.  Adapt Diffie-Hellman to work with a group of *three* parties who wish to share a common secret.  Hint:  the common secret will have the form $g^{abc}$, and other exponents like $g^a$, $g^b$, $g^c$, $g^{ab}$, $g^{bc}$, $g^{ac}$ will be public information.

4.  Sadly, Alice and Bob have agreed to use the primitive root $g = 3$ and the prime $p = 65537$.  Listening into their conversation, you intercept the following: $A = 40360$ and $B = 21002$ and the ciphertext is `$;6HWD;P5LVJ99W+EH9JVx=I:V7ESpGC^`.  If you know that they use a protocol with a Vigenère cipher, with key equal the string associated to their secret $S$, what is the plaintext message?  Hint:  you should be able to solve the discrete logarithm problem with a brute force attack.



# Part 7:  The RSA Cryptosystem in Python 3.x

In the previous notebook, we studied a few basic ciphers together with Diffie-Hellman key exchange.  The Vigenère cipher we studied uses a **secret key** for encrypting and decrypting messages.  The same key is used for both encryption and decryption, so we say it is a **symmetric key** cipher.  In order for two parties to share the same secret key, we studied the Diffie-Hellman protocol, whose security rests on the difficulty of the discrete logarithm problem.

Although this represents progress towards secure communication, it is particularly vulnerable to problems of authentication.  For example, imagine a "man-in-the-middle attack":  Alice and Bob wish to communicate securely, and begin the Diffie-Hellman protocol over an insecure line.  But **Eve** has intercepted the line.  To Alice, she pretends to be Bob, and to Bob, she pretends to be Alice.  She goes through the Diffie-Hellman protocol with each, obtaining two secret keys, and decrypting/encrypting messages as they pass through her computer.  In this way, Alice and Bob think they are talking to each other, but Eve is just passing (and understanding) their messages the whole time!

To thwart such an attack, we need some type of authentication.  We need something **asymmetric** -- something one person can do that no other person can do, like a verifiable signature, so that we can be sure we're communicating with the intended person.  For such a purpose, we introduce the RSA cryptosystem.  Computationally based on modular exponentiation, its security rests on the difficulty of factoring large numbers.

The material in this notebook complements **Chapter 7** of An Illustrated Theory of Numbers

## Table of Contents

- [Euler's theorem and modular roots](#euler)
- [The RSA protocol](#RSA)

<a id='euler'></a>

## Euler's Theorem and Modular Roots

Recall Fermat's Little Theorem:  if $p$ is prime and $GCD(a,p) = 1$, then $a^{p-1} \equiv 1$ mod $p$.  This is a special case of Euler's theorem, which holds for any modulus $m$.

### Euler's theorem and the totient

Euler's theorem states:  if $m$ is a positive integer and $GCD(a,m) = 1$, then $a^{\phi(m)} \equiv 1$ mod $m$.  Here $\phi(m)$ denotes the **totient** of $m$, which is the number of elements of $\{ 1,...,m \}$ which are coprime to $m$.  We give a brute force implementation of the totient first, using our old Euclidean algorithm code for the GCD.

In [None]:
def GCD(a,b):
    while b:   # Recall that != means "not equal to".
        a, b = b, a % b
    return abs(a)

def totient(m):
    tot = 0 # The running total.
    j = 0
    while j < m:  # We go up to m, because the totient of 1 is 1 by convention.
        j = j + 1  # Last step of while loop:  j = m-1, and then j = j+1, so j = m.
        if GCD(j,m) == 1:
            tot = tot + 1
    return tot

In [None]:
totient(17)  # The totient of a prime p should be p-1.

In [None]:
totient(1000)

In [None]:
totient(1)  # Check a borderline case, to make sure we didn't make an off-by-one error.

In [None]:
17**totient(1000) % 1000 # Let's demonstrate Euler's theorem.  Note GCD(17,1000) = 1.

In [None]:
pow(17,totient(1000),1000) # A more efficient version, using the pow command.

In [None]:
%timeit totient(123456)

The totient is a **multiplicative function**, meaning that if $GCD(a,b) = 1$, then $\phi(ab) = \phi(a) \phi(b)$.  Therefore, the totient of number can be found quickly from the totient of the prime powers within its decomposition.  We can re-implement the totient using our functions for prime decomposition and multiplicative functions from [Notebook 4](http://illustratedtheoryofnumbers.com/prog.html#notebooks).

In [None]:
from math import sqrt  # We'll want to use the square root.

def smallest_factor(n):
    '''
    Gives the smallest prime factor of n.
    '''
    if n < 2:
        return None # No prime factors!
    
    test_factor = 2 # The smallest possible prime factor.
    max_factor = sqrt(n) # we don't have to search past sqrt(n).
    
    while test_factor <= max_factor:
        if n%test_factor == 0:
            return test_factor
        test_factor = test_factor + 1  # This could be sped up.
    
    return n  # If we didn't find a factor up to sqrt(n), n itself is prime!

def decompose(N):
    '''
    Gives the unique prime decomposition of a positive integer N,
    as a dictionary with primes as keys and exponents as values.
    '''
    current_number = N  # We'll divide out factors from current_number until we get 1.
    decomp = {} # An empty dictionary to start.
    while current_number > 1:
        p = smallest_factor(current_number) # The smallest prime factor of the current number.
        if p in decomp.keys():  # Is p already in the list of keys?
            decomp[p] = decomp[p] + 1 # Increase the exponent (value with key p) by 1.
        else:  # "else" here means "if p is not in decomp.keys()".
            decomp[p] = 1  # Creates a new entry in the dictionary, with key p and value 1.
        current_number = current_number // p # Factor out p.
    return decomp

def mult_function(f_pp):
    '''
    When a function f_pp(p,e) of two arguments is input,
    this outputs a multiplicative function obtained from f_pp
    via prime decomposition.
    '''
    def f(n):
        D = decompose(n)
        result = 1
        for p in D:
            result = result * f_pp(p, D[p])
        return result
    
    return f

When $p^e$ is a prime power, the numbers among $1, \ldots, p^e$ are coprime to $p^e$ precisely when they are **not** multiples of $p$.  Therefore, the totient of a prime power is pretty easy to compute:
$$\phi(p^e) = p^e - p^{e-1} = p^{e-1} (p-1).$$
We implement this, and use the multiplicative function code to complete the implementation of the totient.

In [None]:
def totient_pp(p,e):
    return (p**(e-1)) * (p-1)

Note that for efficiency, the computation of $p^{e-1}(p-1)$ is probably faster than the computation of $p^e - p^{e-1}$ (which relies on two exponents).  But Python is very smart about these sorts of things, and might do some optimization which makes the computation faster.  It should be very fast anyways, in the 10-20 nanosecond range!

In [None]:
totient = mult_function(totient_pp)

In [None]:
totient(1000)

In [None]:
%timeit totient(123456)

This should be **much** faster than the previous brute-force computation of the totient.

### Modular roots

A consequence of Euler's theorem is that -- depending on the modulus -- some exponentiation can be "reversed" by another exponentiation, a form of taking a "root" in modular arithmetic.  For example, if we work modulo $100$, and $GCD(a,100) = 1$, then Euler's theorem states that
$$a^{40} \equiv 1 \text{ mod } 100.$$
It follows that $a^{80} \equiv 1$ and $a^{81} \equiv a$, modulo $100$.  Expanding this, we find
$$a \equiv a^{81} = a^{3 \cdot 27} = (a^3)^{27} \text{ mod } 100.$$

What all this computation shows is that "raising to the 27th power" is like "taking the cube root", modulo 100 (and with appropriate bases).

In [None]:
for b in range(20):
    b_cubed = pow(b,3,100)
    bb = pow(b_cubed,27,100)
    print(b, b_cubed, bb, GCD(b,100) == 1)

In every line ending with `True`, the first and third numbers should match.  This will happen in some `False` lines too, but not reliably since Euler's theorem does not apply there.

We found the exponent 27 -- reversing the cubing operation -- by an ad hoc sort of procedure.  The relationship between 27 and 3, which made things work, is that
$$3 \cdot 27 \equiv 1 \text{ mod } 40.$$
In other words, $3 \cdot 27 = 1 + 40k$ for some (positive, in fact) integer $k$.

Recalling that $40 = \phi(100)$, this relationship and Euler's theorem imply that
$$a^{3 \cdot 27} = a^{1 + 40k} \equiv a^1 = a \text{ mod } 100.$$
By this argument, we have the following consequence of Euler's theorem.  

**Theorem: ** If $GCD(a,m) = 1$, and $ef \equiv 1$ mod $\phi(m)$, then
$$a^{ef} \equiv a \text{ mod } \phi(m).$$
In this way, "raising to the $f$ power" is like "taking the $e$-th root", modulo $m$. 

If we are given $f$, then $e$ is a **multiplicative inverse** of $f$ modulo $\phi(m)$.  In particular, such a multiplicative inverse exists if and only if $GCD(e,\phi(m)) = 1$.  The following function computes a multiplicative inverse, by adapting the `solve_LDE` function from [Notebook 2]().  After all, solving $ex \equiv 1$ mod $m$ is equivalent to solving the linear Diophantine equation $ex + my = 1$ (and only caring about the $x$-value). 


In [None]:
def mult_inverse(a,m):
    '''
    Finds the multiplicative inverse of a, mod m.
    If GCD(a,m) = 1, this is returned via its natural representative.
    Otherwise, None is returned.
    '''  
    u = a # We use u instead of dividend.
    v = m # We use v instead of divisor.
    u_hops, u_skips = 1,0 # u is built from one hop (a) and no skips.
    v_hops, v_skips = 0,1 # v is built from no hops and one skip (b).
    while v != 0:   # We could just write while v:
        q = u // v  # q stands for quotient.
        r = u % v  # r stands for remainder.  So u = q(v) + r.
        
        r_hops = u_hops - q * v_hops  # Tally hops
        r_skips = u_skips - q * v_skips  # Tally skips
        
        u,v = v,r  # The new dividend,divisor is the old divisor,remainder.
        u_hops, v_hops = v_hops, r_hops # The new u_hops, v_hops is the old v_hops, r_hops
        u_skips, v_skips = v_skips, r_skips # The new u_skips, v_skips is the old v_skips, r_skips
    
    g = u # The variable g now describes the GCD of a and b.
    if g == 1:
        return u_hops % m
    else:  # When GCD(a,m) is not 1...
        return None

In [None]:
mult_inverse(3,40)  # 3 times what is congruent to 1, mod 40?

In [None]:
mult_inverse(5,40)  # None should be returned.

Let's test this out on some bigger numbers.

In [None]:
from random import randint
while True:
    m = randint(1000000, 9999999) # a random 7-digit number
    e = randint(100,999) # a random 3-digit number
    a = randint(10,99) # a random 2-digit number
    if GCD(a,m) == 1:
        tot = totient(m)
        if GCD(e,tot) == 1:
            f = mult_inverse(e,tot)
            test_number = pow(a, e*f, m)
            print("Success!")
            print("{} ^ ({} * {}) = {}, mod {}".format(a,e,f,test_number,m))
            break # Escapes the loop once an example is found!

### Exercises

1.  What is the largest integer whose totient is 100?  Study this by a brute force search, i.e., looping through the integers up to 10000

2.  For which integers $n$ is it true that $\phi(n) = n/2$?  Study this by a brute force search in order to make a conjecture.  Then prove it if you can.

3.  Compute the totient of the numbers from 1 to 10000, and analyze the results.  The totient $\phi(n)$ is always less than $n$ when $n > 1$, but how does the ratio $\phi(n) / n$ behave? Create a graph.  What is the average value of the ratio?  

4.  If $a^{323} \equiv 802931$, mod $5342481$, and $GCD(a, 5342481) = 1$, and $0 < a < 5342481$, then what is $a$? 

5.  Challenge:  Create a function `superpow(x,y,z,m)` which computes $x^{y^z}$ modulo $m$ efficiently, when $GCD(x,m) = 1$ and $m$ is small enough to factor.

<a id='RSA'></a>

## The RSA protocol

Like Diffie-Hellman, the RSA protocol involves a series of computations in modular arithmetic, taking care to keep some numbers private while making others public.  RSA was published two years after Diffie-Hellman, in 1978 by Rivest, Shamir, and Adelman (hence its name).  The great advance of the RSA protocol was its **asymmetry**.  While Diffie-Hellman is used for symmetric key cryptography (using the same key to encrypt and decrypt), the RSA protocol has two keys:  a **public key** that can be used by anyone for encryption and a **private key** that can be used by its owner for decryption.  

In this way, if Alice publishes her public key online, anyone can send her an encrypted message.  But as long as she keeps her private key private, **only** Alice can decrypt the messages sent to her.  Such an asymmetry allows RSA to be used for authentication -- if the owner of a private key has an ability nobody else has, then this ability can be used to prove the owner's identity.  In practice, this is one of the most common applications of RSA, guaranteeing that we are communicating with the intended person.

In the RSA protocol, the **private key** is a pair of large (e.g. 512 bit) prime numbers, called $p$ and $q$.  The **public key** is the pair $(N, e)$, where $N$ is defined to be the product $N = pq$ and $e$ is an auxiliary number called the exponent.  The number $e$ is often (for computational efficiency and other reasons) taken to be 65537 -- the same number $e$ can be used over and over by different people.  But it is absolutely crucial that the same private keys $p$ and $q$ are not used by different individuals.  Individuals must create and safely keep their own private key.

We begin with the creation of a private key $(p,q)$.  We use the `SystemRandom` function (see the previous Python Notebook) to cook up cryptographically secure random numbers, and the Miller-Rabin test to certify primality.

In [None]:
from random import SystemRandom, randint

def Miller_Rabin(p, base):
    '''
    Tests whether p is prime, using the given base.
    The result False implies that p is definitely not prime.
    The result True implies that p **might** be prime.
    It is not a perfect test!
    '''
    result = 1
    exponent = p-1
    modulus = p
    bitstring = bin(exponent)[2:] # Chop off the '0b' part of the binary expansion of exponent
    for bit in bitstring: # Iterates through the "letters" of the string.  Here the letters are '0' or '1'.
        sq_result = result*result % modulus  # We need to compute this in any case.
        if sq_result == 1:
            if (result != 1) and (result != exponent):  # Note that exponent is congruent to -1, mod p.
                return False  # a ROO violation occurred, so p is not prime
        if bit == '0':
            result = sq_result 
        if bit == '1':
            result = (sq_result * base) % modulus
    if result != 1:
        return False  # a FLT violation occurred, so p is not prime.
    
    return True  # If we made it this far, no violation occurred and p might be prime.

def is_prime(p, witnesses=50):  # witnesses is a parameter with a default value.
    '''
    Tests whether a positive integer p is prime.
    For p < 2^64, the test is deterministic, using known good witnesses.
    Good witnesses come from a table at Wikipedia's article on the Miller-Rabin test,
    based on research by Pomerance, Selfridge and Wagstaff, Jaeschke, Jiang and Deng.
    For larger p, a number (by default, 50) of witnesses are chosen at random.
    '''
    if (p%2 == 0): # Might as well take care of even numbers at the outset!
        if p == 2:
            return True
        else:
            return False 
    
    if p > 2**64:  # We use the probabilistic test for large p.
        trial = 0
        while trial < witnesses:
            trial = trial + 1
            witness = randint(2,p-2) # A good range for possible witnesses
            if Miller_Rabin(p,witness) == False:
                return False
        return True
    
    else:  # We use a determinisic test for p <= 2**64.
        verdict = Miller_Rabin(p,2)
        if p < 2047:
            return verdict # The witness 2 suffices.
        verdict = verdict and Miller_Rabin(p,3)
        if p < 1373653:
            return verdict # The witnesses 2 and 3 suffice.
        verdict = verdict and Miller_Rabin(p,5)
        if p < 25326001:
            return verdict # The witnesses 2,3,5 suffice.
        verdict = verdict and Miller_Rabin(p,7)
        if p < 3215031751:
            return verdict # The witnesses 2,3,5,7 suffice.
        verdict = verdict and Miller_Rabin(p,11)
        if p < 2152302898747:
            return verdict # The witnesses 2,3,5,7,11 suffice.
        verdict = verdict and Miller_Rabin(p,13)
        if p < 3474749660383:
            return verdict # The witnesses 2,3,5,7,11,13 suffice.
        verdict = verdict and Miller_Rabin(p,17)
        if p < 341550071728321:
            return verdict # The witnesses 2,3,5,7,11,17 suffice.
        verdict = verdict and Miller_Rabin(p,19) and Miller_Rabin(p,23)
        if p < 3825123056546413051:
            return verdict # The witnesses 2,3,5,7,11,17,19,23 suffice.
        verdict = verdict and Miller_Rabin(p,29) and Miller_Rabin(p,31) and Miller_Rabin(p,37)
        return verdict # The witnesses 2,3,5,7,11,17,19,23,29,31,37 suffice for testing up to 2^64. 
    

def random_prime(bitlength):
    while True:
        p = SystemRandom().getrandbits(bitlength)  # A cryptographically secure random number.
        if is_prime(p):
            return p

In [None]:
random_prime(100) # A random 100-bit prime

In [None]:
random_prime(512) # A random 512-bit prime.  Should be quick, thanks to Miller-Rabin!

In [None]:
%timeit random_prime(1024)  # Even 1024-bit primes should be quick!

In [None]:
def RSA_privatekey(bitlength):
    '''
    Create private key for RSA, with given bitlength.
    Just a pair of big primes!
    '''
    p = random_prime(bitlength)
    q = random_prime(bitlength)
    return p,q # Returns both values, as a "tuple"

In [None]:
type(RSA_privatekey(8))  # When a function returns multiple values, the type is "tuple".

In [None]:
p,q = RSA_privatekey(512)  # If a function outputs two values, you can assign them to two variables.
print("Private key p = {}".format(p))
print("Private key q = {}".format(q))

In [None]:
def RSA_publickey(p,q, e = 65537):
    '''
    Makes the RSA public key out of 
    two prime numbers p,q (the private key), 
    and an auxiliary exponent e.  
    By default, e = 65537.
    '''
    N = p*q
    return N,e

In [None]:
N,e = RSA_publickey(p,q) # No value of e is input, so it will default to 65537

print("Public key N = {}".format(N)) # A big number!
print("Public key e = {}".format(e))

### Encryption and decryption

Now we explain how the public key $(N,e)$ and the private key $(p,q)$ are used to encrypt and decrypt a (numerical) message $m$.  If you wish to encrypt/decrypt a text message, one case use a numerical scheme like ASCII, of course.  The message should be significantly shorter than the modulus, $m < N$ (ideally, shorter than the private key primes), but big enough so that $m^e$ is much bigger than $N$ (not usually a problem if $e = 65537$).  

The encryption procedure is simple -- it requires just one line of Python code, using the message and public key.  The ciphertext $c$ is given by the formula
$$c = m^e \text{ mod } N,$$
where here we mean the "natural representative" of $m^e$ modulo $N$.  

In [None]:
def RSA_encrypt(message, N, e):
    '''
    Encrypts message, using the public keys N,e.
    '''
    return pow(message, e, N)

In [None]:
c = RSA_encrypt(17,N,e) # c is the ciphertext.
print("The ciphertext is {}".format(c)) # A very long number!

To decrypt the ciphertext, we need to "undo" the operation of raising to the $e$-th power modulo $N$.  We must, effectively, take the $e$-th root of the ciphertext, modulo $N$.  This is what we studied earlier in this notebook.  Namely, if $c \equiv m^e \text{ mod } N$ is the ciphertext, and $ef \equiv 1$ modulo $\phi(N)$, then
$$c^f \equiv m^{ef} \equiv m \text{ mod } N.$$

So we must raise the ciphertext to the $f$ power, where $f$ is the multiplicative inverse of $e$ modulo $\phi(N)$.  Given a giant number $N$, it is difficult to compute the totient $\phi(N)$.  But, with the **private key** $p$ and $q$ (primes), the fact that $N = pq$ implies
$$\phi(N) = (p-1) \cdot (q-1) = pq - p - q + 1 = N - p - q + 1.$$

Armed with the private key (and the public key, which everyone has), we can decrypt a message in just a few lines of Python code.

In [None]:
def RSA_decrypt(ciphertext, p,q,N,e):
    '''
    Decrypts message, using the private key (p,q) 
    and the public key (N,e).  We allow the public key N as
    an input parameter, to avoid recomputing it.
    '''
    tot = N - (p+q) + 1
    f = mult_inverse(e,tot)  # This uses the Euclidean algorithm... very quick!
    return pow(ciphertext,f,N)

In [None]:
RSA_decrypt(c,p,q,N,e)  # We decrypt the ciphertext... what is the result?

That's the entire process of encryption and decryption.  Encryption requires just the public key $(N,e)$ and decryption requires the private key $(p,q)$ too.  Everything else is modular arithmetic, using Euler's theorem and the Euclidean algorithm to find modular multiplicative inverses.

From a practical standpoint, there are many challenges, and we just mention a few here.

**Key generation:**  The person who constructs the private key $(p,q)$ needs to be careful.  The primes $p$ and $q$ need to be pretty large (512 bits, or 1024 bits perhaps), which is not so difficult.  They also need to be constructed **randomly**.  For imagine that Alice comes up with her private key $(p,q)$ and Anne comes up with her private key $(q,r)$, with the same prime $q$ in common.  Their public keys will include the numbers $N = pq$ and $M = qr$.  If someone like Arjen comes along and starts taking GCDs of all the public keys in a database, that person will stumble upon the fact that $GCD(N,M) = q$, from which the private keys $(p,q)$ and $(q,r)$ can be derived.  And this sort of disaster has happened!  Poorly generated keys were stored in a database, and [discovered by Arjen Lenstra et al.](https://eprint.iacr.org/2012/064.pdf).

**Security by difficulty of factoring:**  The security of RSA is based on the difficulty of obtaining the private key $(p,q)$ from the public key $(N,e)$.  Since $N = pq$, this is precisely the difficulty of factoring a large number $N$ into two primes (given the knowledge that it is the product of two primes).  Currently it seems very difficult to factor large numbers.  The RSA factoring challenges give monetary rewards for factoring such large $N$.  The record (2017) is factoring a [768-bit (232 digit) number, RSA-768](https://en.wikipedia.org/wiki/RSA_numbers#RSA-768).  For this reason, we may consider a 1024-bit number secure for now (i.e. $p$ and $q$ are 512-bit primes), or use a 2048-bit number if we are paranoid.  If quantum computers develop sufficiently, they could make factoring large numbers easy, and RSA will have to be replaced by a quantum-secure protocol. 

**Web of Trust:**  Trust needs to begin somewhere.  Every time Alice and Bob communicate, Alice should not come up with a new private key, and give Bob the new public key.  For if they are far apart, how does Bob know he's receiving Alice's public key and not talking to an eavesdropper Eve?  Instead, it is better for Alice to register (in person, perhaps) her public key at some time.  She can create her private key $(p,q)$ and register the resulting public key $(N,e)$ with some "key authority" who checks her identity at the time.  The key authority then stores everyone's public keys -- effectively they say "if you want to send a secure message to Alice, use the following public key:  (..., ...)"  Then Bob can consult the key authority when he wishes to communicate securely to Alice, and this private/public key combination can be used for years.

But, as one might guess, this kicks the trust question to another layer.  How does Bob know he's communicating with the key authority?  The key authorities need to have their own authentication mechanism, etc..  One way to avoid going down a rabbithole of mistrust is to *distribute* trust across a network of persons.  Instead of a centralized "key authority", one can distribute one's public keys across an entire network of communicators (read about [openPGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP)).  Then Bob, if he wishes, can double-check Alice's public keys against the records of numerous members of the network -- assuming that hackers haven't gotten to all of them!  

In practice, some implementations of RSA use a more centralized authority and others rely on a web of trust.  Cryptography requires a clever application of modular arithmetic (in Diffie-Hellman, RSA, and many other systems), but also a meticulous approach to implementation.  Often the challenges of implementation introduce new problems in number theory.

### Digital signatures

A variant of RSA is used to "digitally sign" a document.  Not worrying about keeping a message private for now, suppose that Alice wants to send Bob a message and **sign** the message in such a way that Bob can be confident it was sent by Alice.  

Alice can digitally sign her message by first **hashing** the message and then encrypting the hash using her **private key** (previously the *public key* was used for encryption -- this is different!).  Hashing a message is an irreversible process that turns a message of possibly long length into a nonsense-message of typically fixed length, in such a way that the original message cannot be recovered from the nonsense-message.  

There is a science to secure hashing, which we don't touch on here.  Instead, we import the `sha512` hashing function from the Python standard package `hashlib`.  The input to `sha512` is a string of arbitrary length, and the output is a sequence of 512 bits.  Here in Python 3, we also must specify the Unicode encoding (`utf-8`) for the string to be hashed.  One can convert the 512 bits of hash into 64 bytes (512/8 = 64) which can be viewed as a 64-character string via ASCII.  This 64-byte string is called the *digest* of the hash.  It's all very biological.  Note that many of the characters won't display very nicely, since they are out of the code range 32-126!

In [None]:
from hashlib import sha512

print(sha512("I like sweet potato hash.".encode('utf-8')).digest()) # A 64-character string of hash.

Hashes are designed to be irreversible.  Nobody should be able to reverse the hashing process and recover the original string ('I like sweet potato hash') from the output of sha512.  Moreover, hashes should avoid collisions -- although different input strings *can* yield the same hashed result, such "collisions" should be exceedingly rare in practice.  You can read more about [SHA-512 and others at Wikipedia](https://en.wikipedia.org/wiki/SHA-2).

Now, if Alice wishes to sign a message `m`, and send it to Bob, she goes through the following steps (in the RSA signature protocol).

1.  Alice hashes her message using a method such as SHA-512.  Let `h` be the resulting hash.

2.  Alice **encrypts** the hash by computing $s = h^f$ modulo $N$.  Here $f$ is the multiplicative inverse of $e$ modulo $\phi(N)$, just as it was in RSA encryption.  Note that this step requires knowledge of the private key $(p,q)$ to compute $\phi(N)$ to compute $f$.  Hence only Alice can encrypt the has in this way.

3.  Alice sends this encrypted hash along with her message to Bob, along with a note that she signed it using SHA-512 and her RSA key (without revealing her private keys, of course!).

When Bob receives the (plaintext) message $m$ and signature $s$, he carries out the following authentication process.

1.  Bob computes $s^e$ modulo $N$.  Since $s^e = h^{fe} = h$ modulo $N$, Bob now has the hash of the message $h$.  

2.  Bob also computes the SHA-512 hash of the received message $m$, and compares it to the has he computed in step 1.  If they match, then Alice indeed signed the message he received.

We leave implementation of this process to the exercises.

### Exercises

1.  Why might the exponent $e = 65537$ be a computationally convenient choice?  Consider Pingala's algorithm.

2.  What would happen if the message $m$ encrypted by RSA were *equal* to one of these primes of the private key?  How might such an occurrence be avoided, and is this something to be concerned about in practice?

3.  Look at the technical document [on OpenPGP](https://tools.ietf.org/html/rfc4880), and try to figure out how RSA and/or other cryptosystems are being used and implemented in practice.  Write a 1-2 paragraph nontechnical summary of your findings.

4.  Suppose that you choose $M$ prime numbers at random between $2^{b-1}$ and $2^{b}$.  Assuming that prime numbers near $x$ have a density $1 / \log(x)$, estimate the probability that there is a "collision" -- that at least two of the $M$ prime numbers are the same.  What is this probability when $b = 512$ and $M$ is two billion?  (E.g., if a billion people use a pair of 512-bit private keys).  Look up the "Birthday Problem" for some hints if you haven't seen this before.

5.  Create a function `sign(message, p,q,N,e)` to carry out the RSA signature protocol described above, based on a private key $(p,q)$ with public key $(N,e)$.  Create a function `verify(message, signature, N, e)` to verify a signed message.  Use the SHA-512 algorithm throughout, and check that your functions work.

