### Challenge 38: Implement RSA

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)

In [1]:
from Crypto.Util import number
from Crypto.Random import random
from Crypto.Hash.SHA256 import SHA256Hash

import cryptopals as cp

<div class="alert alert-block alert-info">

There are two annoying things about implementing RSA. Both of them involve key generation; the actual encryption/decryption in RSA is trivial.

First, you need to generate random primes. You can't just agree on a prime ahead of time, like you do in DH. You can write this algorithm yourself, but I just cheat and use OpenSSL's BN library to do the work.

The second is that you need an "invmod" operation (the multiplicative inverse), which is not an operation that is wired into your language. The algorithm is just a couple lines, but I always lose an hour getting it to work.

I recommend you not bother with primegen, but do take the time to get your own EGCD and invmod algorithm working.

Now:

- Generate 2 random primes. We'll use small numbers to start, so you can just pick them out of a prime table. Call them "`p`" and "`q`".
- Let `n` be `p * q`. Your RSA math is `modulo n`.
- Let `et` be `(p-1)*(q-1)` (the "totient"). You need this value only for keygen.
- Let `e` be `3`.
- Compute `d = invmod(e, et)`. `invmod(17, 3120)` is `2753`.
- Your public key is `[e, n]`. Your private key is `[d, n]`.
- To encrypt: `c = m**e (mod n)`. To decrypt: `m = c**d (mod n)`
- Test this out with a number, like "`42`".
- Repeat with bignum primes (keep `e=3`).

Finally, to encrypt a string, do something cheesy, like convert the string to hex and put "0x" on the front of it to turn it into a number. The math cares not how stupidly you feed it strings.

</div>

---
<div class="alert alert-block alert-info">

First, you need to generate random primes. You can't just agree on a prime ahead of time, like you do in DH. You can write this algorithm yourself, but I just cheat and use OpenSSL's BN library to do the work.
    
</div>
    
---

Python has a package that makes generating good quality random primes easy--the same one I used to generate the large prime I used for Challenges 36-38.  Look up **Crypto.Util.number.getStrongPrime**:

---

In [2]:
?number.getStrongPrime

[1;31mSignature:[0m [0mnumber[0m[1;33m.[0m[0mgetStrongPrime[0m[1;33m([0m[0mN[0m[1;33m,[0m [0me[0m[1;33m=[0m[1;36m0[0m[1;33m,[0m [0mfalse_positive_prob[0m[1;33m=[0m[1;36m1e-06[0m[1;33m,[0m [0mrandfunc[0m[1;33m=[0m[1;32mNone[0m[1;33m)[0m[1;33m[0m[1;33m[0m[0m
[1;31mDocstring:[0m
getStrongPrime(N:int, e:int, false_positive_prob:float, randfunc:callable):long
Return a random strong N-bit prime number.
In this context p is a strong prime if p-1 and p+1 have at
least one large prime factor.
N should be a multiple of 128 and > 512.

If e is provided the returned prime p-1 will be coprime to e
and thus suitable for RSA where e is the public exponent.

The optional false_positive_prob is the statistical probability
that true is returned even though it is not (pseudo-prime).
It defaults to 1e-6 (less than 1:1000000).
Note that the real probability of a false-positive is far less. This is
just the mathematically provable limit.

randfunc should take a s

---


In [3]:
# Use getStrongPrime to choose a largish strong random prime suitable for RSA (e=3).  

N_bits = 1024
e=3

N = number.getStrongPrime(N_bits, e)
print(hex(N))

0xe5acdc22a39e2a0b4f7591ab8d8e3c8e2f8f95e33c5d4083eb2bd0e3cdc7e1121fac9174203309c81be3b99036a95eb308467899a86a3a1bc1c15c50b5ccb84f9d858af8b33b8cf35e8b89c74059a4c8beb27c340c373ce7254ceb268d9a679c0f879899b6f7b0197b03c579a1a63f34c210d11ead52503b6e3b63d1ea325355


---

<div class="alert alert-block alert-info">

The second is that you need an "invmod" operation (the multiplicative inverse), which is not an operation that is wired into your language. The algorithm is just a couple lines, but I always lose an hour getting it to work.

</div>

There's a good description of the Euclidean algorithm for finding GCD of two numbers here:  [https://www.math.cmu.edu/~bkell/21110-2010s/numbers.html#euclidean](https://www.math.cmu.edu/~bkell/21110-2010s/numbers.html#euclidean).  This algorithm just finds the Greatest Common Divisor of two #'s:

In [4]:
def gcd(a, b):
    
    c = max([a,b])
    d = min([a,b])
    
    while True:
        
        r = c % d
        if (r==0):
            return(d)

        
        c = d
        d = r

In [5]:
# Try it (answer should be 21):

print(gcd(357, 462))

21


---
The **extended** Euclidean algorithm is what we actually need for this challenge.  The steps for that are (from [here](https://www.di-mgt.com.au/euclidean.html)):

INPUT: Two non-negative integers a and b with a ≥ b.  
OUTPUT: d = gcd(a, b) and integers x and y satifying ax + by = d.

1. If b = 0 then set d = a, x = 1, y = 0, and return(d, x, y).
2. Set x2 = 1, x1 = 0, y2 = 0, y1 = 1
3. While b > 0, do:
    q = floor(a/b), r = a - qb, x = x2 - qx1, y = y2 - q y1.
    a = b, b = r, x2 = x1, x1 = x, y2 = y1, y1 = y.
4. Set d = a, x = x2, y = y2, and return(d, x, y).


My implementation:

In [6]:
def egcd(a,b):
    
    s, old_s = 0, 1
    t, old_t = 1, 0
    r, old_r = b, a
    
    while r != 0:
        
        q = old_r // r
        old_r, r = r, (old_r - q*r)
        old_s, s = s, (old_s - q*s)
            
    return(old_r, old_s, old_t)

In [7]:
[g, x, y] = egcd(4864, 3458)
print(f"g={g}, x={x}, y={y}")

[g, x, y] = egcd(357, 462)
print(f"g={g}, x={x}, y={y}")

g=38, x=32, y=0
g=21, x=-9, y=0


In [8]:
def invmod(a, m):
    
    g,x,y = egcd(a,m)
    
    while x < 0:
        x += m
        
    return(x % m)

<div class="alert alert-block alert-info">
Generate 2 random primes. We'll use small numbers to start, so you can just pick them out of a prime table. Call them "`p`" and "`q`".
</div>

In [9]:
p = 17
q = 23

<div class="alert alert-block alert-info">
Let `n` be `p * q`. Your RSA math is `modulo n`.
</div>

In [10]:
n = (p * q)
print(n)

391


<div class="alert alert-block alert-info">
    
Let `et` be `(p-1)*(q-1)` (the "totient"). You need this value only for keygen.

</div>

In [11]:
et = (p-1) * (q-1)
print(et)

352


<div class="alert alert-block alert-info">Let `e` be `3`.</div>

In [12]:
e=3

<div class="alert alert-block alert-info">Compute `d = invmod(e, et)`. `invmod(17, 3120)` is `2753`</div>

In [13]:
d = invmod(e, et)
print(d)

235


<div class="alert alert-block alert-info">Your public key is `[e, n]`. Your private key is `[d, n]`.</div>

In [14]:
K_pub = [e, n]
K_priv = [d, n]

<div class="alert alert-block alert-info">
    
To encrypt: `c = m**e (mod n)`. To decrypt: `m = c**d (mod n)`

Test this out with a number, like "`42`".

</div>

In [15]:
m = 42
c = pow(m, e, n)
pt = pow(c, d, n)

print(pt)

42


<div class="alert alert-block alert-info">Repeat with bignum primes (keep `e=3`).</div>

In [16]:
p = number.getStrongPrime(1024, e=3)
q = number.getStrongPrime(1024, e=3)

n = (p * q)

et = (p-1) * (q-1)
e = 3

d = invmod(e, et)

In [17]:
# Simple message
m = 42
c = pow(m, e, n)
pt = pow(c, d, n)

print(pt)

42


In [18]:
# Example of encrypting a string:
m = int(b'Help me -- help me now!'.hex(), 16)
c = pow(m, e, n)
print(f"Encrypted Message:  {hex(c)}")
pt = pow(c, d, n)
print(f"Decrypted Message:  {bytes.fromhex(hex(pt)[2:]).decode()}")

Encrypted Message:  0x5ca3372f7d07a27909cf99babff9e714c3ecccc9eb6c9e0a32fc150750bbcc035eb28470953f69243392b6061ef71d1c00aae694c1ea9fff2660a569f46064701b9cf3161
Decrypted Message:  Help me -- help me now!


[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)