# Modular arithmetic

## The greatest common divisor of two integers

An integer $k$ is said to divide another $n$ (written $k\mid n$) if there is some third integer $m$ such that $n = km$. A great property of the integers is that for any two integers $a, b$, there is some number $d$ called the greatest common divisor of $a$ and $b$ that divides both $d\mid a$ and $d\mid b$, as well as for any other $e$ with $e\mid a$ and $e\mid b$, we have $e\mid d$; this is what we mean by the "greatest" common divisor: any common divisor of $a$ and $b$ must also divide $d$.

Although the definition seems terse and convoluted, there is a very simple way of computing the greatest common divisor of two numbers! It is no complicated than the "long division" you've used all your life, it just extends the observations made about division a bit further.

### The Division algorithm and computing GCDs

The standard way of performing long division has a special name, the "Euclidean Division algorithm", and it is a way of obtaining the following result:

**Theorem**: Given two integers $a, b$ with $b \neq 0$, there are unique (!) integers $q$ and $r$, with $0 \leq r < |b|$, such that
$$
a = qb + r
$$

Then, note for any $a$ and $b$, any common divisor $d$ of $a$ and $b$ also necessarily divides $r$, as $a - qb = r$ and $d\mid a, d\mid b$. Furthermore, since $d\mid b$ and $d\mid r$, we further observe $d\mid \gcd(b, r)$.
Then, we can keep repeating this process:
$$
\begin{align}
a &= q_1b + r_1\\
b &= q_2r_1 + r_2\\
r_1 &= q_3r_2 + r_3\\
\dots
\end{align}
$$

### ... ad infinitum?
Although there's a formal proof on why this terminates, you don't need a mathematical proof to justify yourself that 1 is a common divisor of every pair of numbers, and so this process stops at some point, i.e., we get that for some $r_n$
$$
r_{n-1} = q_{n-3}r_{n} + 0
$$
and $r_n$ is the greatest common divisor of $r_n$ and $q_{n-3}r_n$. Notice that since every common divisor of $a$ and $b$ was a common divisor of $r_k$ and $r_{k+1}$, every common divisor of $a$ and $b$ divides $r_n$, and $r_n$ is also a common divisor of $a$ and $b$. In other words, we have obtained a recursive algorithm for computing the greatest common divisor of two numbers!

In [12]:
def extendedGCD(x, y):
    if x < y:
        x, y = y, x
    div = lambda x, y: (x//y, x%y)
    factors = []

    # this is totally unnecessary, it just felt appropriate to relabel
    # the variables in a form similar to the DA: n = pq + r
    n, q = x, y

    while q > 0:
        fac, rem = div(n, q)
        factors.append(fac)
        n = q
        q = rem

    return n, factors
    

## The "ring"? of modular arithmetic
For some positive $n$, the integers modulo $n$ form what's called a _ring_, a mathematical abstraction specifically conceived to capture addition and multiplication together. We provide a friendly version of it here:

**Definition**: A ring is a tuple $(R, +, \cdot, 0, 1)$, where $R$ is a set, $0\neq 1 \in R$ special elements, and $+:R\times R\to R$ and $\cdot: R\times R \to R$ functions, which satisfy the following:
1. For every $r\in R$, $r + 0 = r = 0 + r$
1. For every $r, s, t\in R$, $(r + s) + t = r + (s + t)$
1. For every $r, s, t\in R$, $(r + s) \cdot t = rt + st$ and $t \cdot (r + s) = tr + ts$
1. For every $r, s\in R$, $r + s = s + r$
1. For every $r, s\in R$, $rs = sr$ (commutativity)
1. For every $r\in R$, $r \cdot 1 = r = 1 \cdot r$ (unity)

We use the notation $a + b = +(a, b)$ and $ab = a\cdot b = \cdot(a, b)$ for readability.

Some examples of rings include $\mathbb Z, \mathbb Q, \mathbb R, \mathbb C$ with the usual addition and multiplication and $\mathbb Z /n$ with the modulo addition and multiplication. If we were to relax some of the conditions (like commutativity or the existence of the element 1, we can get more examples, like the set of all square matrices with normal addition and matrix multiplication)

### An unfamiliar example
Note that since we have addition and (repeated) multiplication in a ring $R$, we can form expressions of the form
$$
r_n x^n + r_{n-1} x^{n-1} + \dots + r_1 x + r_0
$$
These expressions are called the polynomials over $R$. They are not functions, but rather the expressions themselves that are the polynomials. The set of all such polynomials, with the addition and multiplication as defined in $R$ is called the polynomial ring $R[x]$, where $x$ is called an indeterminate, and can be thought of as a variable.

In [17]:
# Since we can work with integers already, we can also form Z/n!
class FiniteIntegerRing:
    def __init__(self, n):
        if n == 0:
            raise ValueError("Do not specify 0! Use normal operations instead!")
        elif n < 0:
            n = -n

        self._n = n
    
    def add(self, a, b):
        return (a + b) % self._n

    def sub(self, a, b):
        return self.add(a, -b)

    def id(self, a):
        return self.add(a, 0)

    def add_inv(self, a):
        return self.sub(0, a)

    def mult(self, a, b):
        return (a * b) % self._n

    def pow(self, b, e):
        c = 1
        for f in range(e):
            f += 1
            c = self.mult(b, c)
        return c

### Modular inverses
If you play around enough with various different rings $\mathbb Z /n$, you can see that $3\cdot 5 \equiv 1 \mod 7$, or $3\cdot 11 \equiv 1 \mod 16$, or $66\cdot 102 \equiv 1 \mod 127$ if you're really into playing around with numbers :o

So, just motivated by algebraic curiosity for now, for a given $x$, how can we find $a$ such that $ax \equiv 1 \mod n$ for n? In a more simplified language, how can we find inverses for elements in modular rings? Spend some time to answer this question.

**Hint**: Spend some time considering what's in common with the examples above, and also try solving the following:

1. What is the multiplicative inverse of $5$ in $\mathbb Z / 11$?
1. What is the multiplicative inverse of $5$ in $\mathbb Z / 10$?
1. More generally, when does an integer $k$ satisfy $k \equiv 0 \mod n$?

### Answers

1. $9\cdot 5 \equiv 44 + 1 \equiv 1 \mod 11$
1. If there were some inverse $a$ of $5$, then $5a \equiv 1 \mod 10$ would also result in
$$
2 \equiv 2\cdot 1 \equiv 2\cdot 5a \equiv 10a \equiv 0 \mod 10
$$
even though 10 does not divide 2, giving a contradiction.
1. Note that this question was just to entice a reaction after question 2; $k \equiv 0 \mod n$ exactly means $n \mid k$.

Now, it seems that not every number gets to have an inverse all the time. It seems that for $x$ to have an inverse in $\mathbb Z /n$, it needs to satisfy
$$
\begin{align*}
ax \equiv 1 \mod n \iff ax - 1 \equiv 0 \mod n\\
\text{Which also means}\ n \mid ax - 1 \iff ax - 1 = -bn \iff ax + bn = 1
\end{align*}
$$
Now then, notice that it is also sufficient that there be integers $a, b$ that satisfy this relation, as
$$
1 \equiv ax + bn \equiv ax \mod n
$$
Then, the problem reduces to finding two integers $a, b$ that satisfy the equation of that form. But what exactly does that equation tell us?

## The Bézout identity
For such integers $x$ and $n$, the Bézout identity is of the form $ax + bn = d$ for integers $a, b, d$. You can immediately make the observation that any common divisor of $x$ and $n$ necessarily divides $d$. The fascinating result that we can obtain is that there exists unique $s$ and $t$ such that the following also holds:
$$
sx + tn = \gcd(x, n)
$$
We have seen a bit of the proof already in [computing the GCD through the division algorithm](#the-division-algorithm-and-computing-gcds), namely the fact that we can obtain the gcd through repeated application of the division algorithm
$$
\begin{align}
a &= q_1b + r_1\\
b &= q_2r_1 + r_2\\
r_1 &= q_3r_2 + r_3\\
&\dots\\
r_{n-1} &= q_{n+1}r_n + 0
\end{align}
$$
Now, notice that each line can be rewritten as follows (we also rename $a := r_{-1}$ and $b := r_0$)
$$
\begin{align}
r_{-1} - q_1r_0 &= r_1\\
r_0 - q_2r_1 &= r_2\\
r_1 - q_3r_2 &= r_3\\
&\dots\\
r_{n-2} - q_nr_{n-1} &= r_n = \gcd(a, b)\\
r_{n-1} - q_{n+1}r_n &= 0
\end{align}
$$
The proof now boils down to a simple proof by induction: we claim that for every $k = -1, \dots, n-2$, we can form the expression $\lambda r_{k} + \gamma r_{k+1} = \gcd(a,b)$ for some integers $\lambda, \gamma$.

For $k = n-2$, this is obvious.

Suppose it holds for $k$; then, notice that we can make the rewrite
$$
\begin{align}
\lambda r_k &+ \gamma r_{k+1} = \gcd(a,b)\\
\lambda r_k &+ \gamma (r_{k-1} - q_{k+1}r_k) = \gcd(a,b)\\
\gamma r_{k-1} &+ (\lambda - q_{k+1})r_k = \gcd(a,b)
\end{align}
$$
and we obtain the desired result. One thing to note is that this simplifies the implementation significantly: if we keep track of all the $q_k$s involved in the GCD computation process, we can compute the integer coefficients of the Bézout identity just by applying the transformation
$$
(\lambda, \gamma) \mapsto (\gamma, \lambda - q_k)
$$
going backwards. (We can start with the expression $0 r_{n+1} + r_n = r_n$, i.e. $(\lambda, \gamma) = (0, 1)$.)

In [14]:
def pairBezout(x, y):
    coef = lambda P, c: (P[1], P[0] - P[1] * c)
    maxSorted = x < y
    d, factors = extendedGCD(x, y)

    # we throw out the last factor as we do not need it for divisibility
    factors = factors[::-1][1:]

    bezout = (0, 1)
    for fac in factors:
        bezout = coef(bezout, fac)

    if maxSorted:
        bezout = (bezout[1], bezout[0])

    return bezout

def testValidBezout(x, y):
    d, _ = extendedGCD(x, y)
    p, q = pairBezout(x, y)
    left = (p == 0) or (p * x % y == d)
    right = (q == 0) or (q * y % x == d)
    return all([left, right])


We can immediately infer two things:

1. $x$ has an inverse in $\mathbb Z/n$ if and only if $\gcd (x, n) = 1$, or weakly, for every $y$, there is an $a$ such that $ay \equiv \gcd(y, n) \mod n$,
1. Since for every prime number $p$, we have $\gcd(x, p) = 1$ for $0 \leq x < p$, every non-zero element of $\mathbb Z /p$ has an inverse.

**Note**: Structures with addition and multiplication defined so that every element has an additive inverse and every non-zero element has a multiplicative inverse, with both operations commutative and multiplication distributive over addition is called a _field_; fields are a natural setting for Linear Algebra!

All this note says is that $\mathbb Z /p$ is a structure that behaves like $\mathbb Q$, $\mathbb R$, $\mathbb C$!

In [3]:
def is_prime(n):
    from math import sqrt, ceil
    # we only need to check whether primes up to faclimit divide n, as some
    # factor needs to be smaller than faclimit (can be proven by
    # contradiction!) in fact, we can check whether any number in this range
    # divides n: this is way more expensive but for small numbers we don't have
    # to worry about finding primes inside the range 
    faclimit = ceil(sqrt(n))

    # we can divide the search in half just by testing for 2 and
    # limiting ourselves to odd primes
    if n % 2 == 0:
        return False
    for q in range(3, faclimit + 1, 2):
        if n % q == 0:
            return False

    return True

# find the closest prime sitting on top of low_seed
def generatePrime(low_seed):
    candidate = low_seed
    while True:
        if is_prime(candidate):
            return candidate
        else:
            candidate += 1

Given how every non-zero element in $\mathbb Z /p$ can have an inverse, we can specialize our rings to fields in the case of prime $p$. Play around with the following definition!

In [15]:
class FiniteField(FiniteIntegerRing):
    def __init__(self, p):
        if not is_prime(p):
            raise ValueError("Specified value {} should be prime!".format(p))
        self._n = p
        
        self._cached = False
        if (p < 1000):
            self._cached = True
            # there's nothing inherently special about any one instance
            # of this class, i.e. p = q implies FiniteField(p) = FiniteField(q),
            # so it's fine to just cache the multiplicative inverses
            self._mult_inv_cache = [-1]
            for x in range(1, p+1):
                b, _ = pairBezout(x, self._n)
                self._mult_inv_cache.append(self.add(b, 0))

    def mult_inv(self, a):
        if a == 0:
            raise ZeroDivisionError

        if self._cached:
            # we cached the results!
            return self._mult_inv_cache[self.id(a)]
        else:
            b, _ = pairBezout(a, self._n)
            return self.add(b, 0)

    def div(self, a, b):
        return self.mult(a, self.mult_inv(b))


# RSA Cryptography

Sections about the Chinese Remainder theorem and Euler Totient function? (maybe also its relation to RSA?)

Also some good-ol' group theory & ring theory!

How about Mersenne primes as a bit of trivia?

As a result, we have the public key $(n, e)$ and the private key $(n, d)$, which satisfies
$$
m^{ed} \equiv m \mod n
$$

## Chinese remainder to the rescue!

In [5]:
class RSAKey:
    def __init__(self, n, e):
        self._n = n
        self._key = e

        self._ring = FiniteIntegerRing(n)

    def encrypt(self, message):
        return self._ring.pow(message, self._key)

class RSASecretKey(RSAKey):
    def __init__(self, n, d, p, q):
        RSAKey.__init__(self, n, d)
        self._p = p
        self._q = q

        self._dp = d % (p - 1)
        self._dq = d % (q - 1)
        
        self._fp = FiniteField(p)
        self._fq = FiniteField(q)

    def decrypt(self, ciphertext):
        m1 = self._fp.pow(ciphertext, self._dp)
        m2 = self._fq.pow(ciphertext, self._dq)
        h = self._fp.mult(self._fp.mult_inv(self._q), m1 - m2)

        return m2 + h * q

In [6]:
def generateRSAKeyPair(p, q) -> (RSAKey, RSASecretKey):
    from math import lcm, gcd
    from numpy.random import choice
    n = p * q
    totient = lcm(p-1, q-1)

    # hardcoded limit; do it differently!
    coprimes = [x for x in range(2, min(totient, 1000))
                if gcd(x, totient) == 1]

    e = choice(coprimes)
    d, _ = pairBezout(e, totient)
    # getting rid of the negative
    d = d + totient

    pub = RSAKey(n, e)
    sec = RSASecretKey(n, d, p, q)
    return (pub, sec)

Let's encrypt a message and send it to ourselves :)

We generate primes in the range of $[768, 1024]$ so that we have somewhat large primes to work on without the computation taking ages.

In [7]:
from numpy.random import randint
p = generatePrime(randint(2**16, 2**17))
q = generatePrime(randint(2**16, 2**17))
print(p, q)

pub, sec = generateRSAKeyPair(p, q)

119617 122953


In [8]:
message = 0xbeef
ciphertext = pub.encrypt(message)
print(hex(ciphertext))

0x17d14305b


In [9]:
decrypted_message = sec.decrypt(ciphertext)
print(hex(decrypted_message))

0xbeef


In [10]:
from math import log
# a given n can uniquely encode log_2(n) bits of information
int(log(p * q, 2))

33