# Cryptography

## Public key cryptography

### Number theory - part 1

Formuation of propositions, lemmas, definitions comes from:
**Introduction to modern cryptography** by *Jonathan Katz* and *Yehuda Lindell*

To see the notebook as a slide-show, use [RISE](https://rise.readthedocs.io/en/stable/)

In [None]:
import math
import random
from sympy import randprime, isprime, Mod

**Proposition 7.1** Let $a$ be an integer and $b$ a positive integer. Then there exists unique integers $q, r$ for which $a = q b  + r$ and $0 \leq r < b$.

In [None]:
a = 44
b = 13

In [None]:
r = a % b
print(r)

In [None]:
q = a // b
print(q)

In [None]:
print(q * b  + r)
print(a, "=", q, "*", b, "+", r)

**Proposition 7.2** Let $a, b$ be positive integers. Then there exists integers $X, Y$ such that $Xa + Yb = \gcd(a, b)$. 

Furthermore, $\gcd(a, b)$ is the smallest positive integer that can be expressed in this way.

In [None]:
def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

In [None]:
a = 10
b = 21

gcd, x, y = egcd(a, b)

In [None]:
print(a, "*", x, "+", b, "*", y, "=", math.gcd(a,b))
a * x + b * y

**Proposition 7.3** If $c | ab$ and $\gcd(a, c) = 1$, then $c | b$. In particular, if $p$ is prime and $p | ab$ then either $p | a$ or $p | b$.

In [None]:
a = 12
b = 15
a * b

In [None]:
c = 5
print(math.gcd(a, c))
print(a*b % c)
print(b % c)

**Proposition 7.4** If $p | N$, $q | N$, and $\gcd(p, q) = 1$, then $pq | N$.

In [None]:
p1 = 69
q1 = 10
N1 = 690
print(math.gcd(p1, q1))
print(N1 % p1)
print(N1 % q1)
print(N1 % (p1 * q1))

In [None]:
p2 = 46
q2 = 10
N2 = 690
print(math.gcd(p2, q2))
print(N2 % p2)
print(N2 % q2)
print(N2 % (p2 * q2))

In [None]:
print(N1 / (p1 * q1))
print(N1 % (p1 * q1))

In [None]:
print(N2 / (p2 * q2))
print(N2 % (p2 * q2))

**Example 7.5** (multiplication)

$1230123012301 \cdot 567567567 \bmod 100 = ?$

$1230123012301 \bmod 100 = 1$

$567567567 \bmod 100 = 67$

$1230123012301 \cdot 567567567 \bmod 100 =$ 

$[1230123012301 \bmod 100] \cdot [567567567 \bmod 100] = 1 \cdot 67 \bmod 100 = 67 $

If for $b$ there exists an integer $b^{-1}$ such that $b b^{-1} = 1 \bmod N$ then we call:

* $b$ invertible

* $b^{-1}$ modular inverse of $b$ modulo $N$

$a \cdot b = c \cdot b \bmod N$

$(a b) \cdot b^{-1} = (c b) \cdot b^{-1} \bmod N \rightarrow a = c \bmod N$


**Example 7.6** (division)

$N = 36$. Then $ 5 \cdot 4 = 20 = 23 \cdot 4 \bmod 36$

But $5 \neq 23 \bmod 36$.

Problem: $4 | 36$. $4$ is not invertible

In [None]:
for i in range(1,36):
    print(str(i) + " " + str(Mod(4 * i, 36) ))

**Proposition 7.7** Let $a, N$ be integers, with $N > 1$. Then $a$ is invertible modulo $N$ if and only if $\gcd(a, N) = 1$.

$a X + N Y = \gcd(a, N) = 1$

$a X = 1 \bmod N$

$X = a^{-1} \bmod N$

In [None]:
N = 37
a = 4

In [None]:
gcd, x, y = egcd(a, N)
print(a, " *", x, " + ", N, " * ", y, " = ", gcd)

In [None]:
Mod(a * x, N)

In [None]:
Mod(a * (N - 9), N)
print(x, N+x)

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$(\mathbb{Z}, +)$ - abelian group

* closure

* identity 0

* inverse to $g$ is $h = -g$

* associativity

* abelian

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$(\mathbb{Z}\setminus \{0\}, \cdot)$ - abelian group?

* closure

* identity 1

* inverse to $g$ is $h = 1/g$

but $1/2 \not\in \mathbb{Z} \setminus \{0\}$

$(\mathbb{R} \setminus \{0\}, \cdot)$ is abelian group with identity $1$

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$G = \left\{A^n | n \in \mathbb{Z}\right\} = \left\{\begin{pmatrix} 1 & 2 n \\ 0 & 1 \end{pmatrix}: n \in \mathbb{Z} \right\}$

In [None]:
from sympy.matrices import Matrix
A = Matrix([[1,2], [0,1]]); A

In [None]:
A.inv()

In [None]:
A.inv() * A * A * A 

(Z, +) <-> G
f(x) = Matrix([[1, 2x], [0, 1]])
f(0) = Matrix([[1, 0], [0,1]])
f(x + y) = f(x) * f(y)

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$Z^+_n = (Z_n, +) = (\{0, 1, \ldots, n-1\}, +_{ \bmod n})$ for $n \geq 2$ is an abelian group of order $|Z_n^+| = n$

$a + b := [a + b \bmod n]$

* closure

* identity: 0

* inverse of $a$: $a^{-1} = n - a$

In [None]:
N = 7
a = 3
b = 4
(a + b) % N

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$Z_n^* = (\{a: \gcd(a, n) = 1\}, \cdot_{ \bmod n})$. If $n$ is prime:
$Z_p^* = (Z_p, \cdot) = (\{1, \ldots, p-1\}, \cdot_{ \bmod p})$ for $p$ prime is an abelian group of order $|Z_p^*| = p - 1$

$a \cdot b := [a \cdot b \bmod n]$

* closure

* identity: 1

* inverse of $a$?

In [None]:
p = 17
a = 8
gcd, x, y = egcd(a, p)
print(x)
x = 17 + x
print(x)
print(Mod(x * a, p))

**Definition 7.9** A group is a set $\mathbf{G}$ along with a binary operation $\oplus$ for which the following conditions hold:

* (Closure:) For all $g, h \in \mathbf{G}$, $g \oplus h \in \mathbf{G}$

* (Existance of an Identity:) There exists an **identity** $e \in \mathbf{G}$ such that for all $g \in \mathcal{G}$, $e \oplus g = g = g \oplus e$.

* (Existence of Inverses:) For all $g \in \mathbf{G}$ there exists an element $h \in \mathbf G$

* (Associativity:) For all $g_1, g_2, g_3 \in \mathbf{G}$, $(g_1 \oplus g_2) \oplus g_3 = g_1 \oplus (g_2 \oplus g_3)$.

If $\mathbf{G}$ has finite number of elements $\rightarrow \mathbf{G}$ is a *finite group*

$|\mathbf{G}|$ - order of the group - number of elements in $\mathbf{G}$

$\mathbf{G}$ is **abelian** if

* for all $g, h \in \mathbf{G}, g \oplus h = h \oplus g$

$Z_n^* = (\{a: \gcd(a, n) = 1\}, \cdot_{ \bmod n})$. 

Let $n = p \cdot q$, $\qquad p, q$ are primes -- an abelian group of order $|Z_{pq}^*| = (p - 1)(q-1)$

In [None]:
p = randprime(1000, 2000)
q = randprime(p+1, 2 * p)
n = p * q
print(p, q, n)
order = 0
for a in range(n):
    if math.gcd(a, n) == 1:
        #print(a)
        order = order + 1
print("Order", order)
print(p-1, q-1, (p-1)*(q-1))

**Lemma 7.13** Let $\mathbf{G}$ be a group and $a, b, c \in \mathbf{G}$. If $ac = bc$ then $a = b$.
In particular , if $ac = c$ then $a$ is the identity in $\mathbf{G}$.

**Theorem 7.14** Let $\mathbf{G}$ be finite group with $m = |\mathbf{G}|$ with $m = |\mathbf{G}|$, the order of the group. Then for any element $g \in \mathbf{G}$, $g^m = 1$.

In [None]:
n = 17
m = n
for g in range(n):
    print(g * m % n)

In [None]:
p = randprime(10, 100)
print(p)
m = p - 1
for g in range(1, p):
    print(g ** m % p)

**Corollary 7.15** Let $\mathbf{G}$ be a finite group with $m = |\mathbf{G}| > 1$. Then for any $g \in \mathbf{G}$ and any integer $i$, we have $g^i = g^{[i \bmod m]}$.

In [None]:
p = randprime(2, 100)
m = p - 1
print("p = ",p, " m = ", m)
i = random.randint(p+1, 10 * p)
a = random.randint(1, p-1)
print(a," ** ", i, " = ",
      a, " ** (", i, " % ", m, ") = \n",
      a, " ** ", i % m, " (mod ",
      p, ")")
print(a ** i % p)
print(a ** (i % m) % p)

In [None]:
p = random.randint(2, 100)
m = p
i = random.randint(p, 10 * p)
a = random.randint(0, p-1)
print(a, " * ", i, " = ", 
      a, " * (", i, " % ", m, ") = ",
      a, " * ", i % m, " (mod ", p, ")")
print(a * i % p)
print(a * (i % m) % p)

**Corollary 7.17** Let $\mathbf{G}$ be a finite group with $m = |G| > 1$. Let $e > 0$ be an integer, and define the function $f_e: \mathbf{G} \rightarrow \mathbf{G}$ by
$$f_e(g) = g^e.$$

If $\gcd(e, m) = 1$, then $f_e$ is a permutation (i.e., a bijection). Moreover, if 
$$d = [e^{-1} \bmod m]$$ then $f_d$ is the inverse of $f_e$.

Proof: $f_d(f_e(g)) = f_d(g^e) = (g^e)^d = g^{e \cdot d \bmod m} = g^1 = g$

In [None]:
p = randprime(10, 50)
q, n, m = randprime(p+1, 2 * p), p * q, (p-1)*(q-1)
print(p, q, n, m)

In [None]:
e = 3; #random.randint(3,m)
gcd, d, y = egcd(e, m)
if d < 0:
    d = m + d
print(e, d)

In [None]:
def f(x, g, n):
    return g ** x % n

In [None]:
g = random.randint(1, n)
valid = math.gcd(g, n)
ct = f(e, g, n)
pt = f(d, ct, n)
print(g, valid, ct, pt)

**Theorem 7.19** Let $N = \prod_i p_i^{e_i}$, where  the $\{p_i\}$ are distinct primes and $e_i \geq 1$. Then $\phi(N) = \prod_i p_i^{e_i - 1}(p_i - 1)$.

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [None]:
def GenModulus(w):
    n = len(w)
    p = random.randint(2 ** n, 2 ** (n+1))
    q = random.randint(2 ** n, 2 ** (n+1))
    N = p * q
    return N

GenModulus("111111")

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [None]:
def GenModulus(w):
    n = len(w)
    p = random.randint(2 ** n, 2 ** (n+1))
    q = random.randint(2 ** n, 2 ** (n+1))
    N = p * q
    return N, p, q

GenModulus("111111")

In [None]:
def Factor(n):
    N, p, q = GenModulus("1" * n)
    pp, qq = A(N)
    if pp > 1 and qq > 1 and pp * qq == N:
        return 1
    else:
        return 0

In [None]:
def A(N):
    if N % 2 == 0:
        return 2, N // 2
    else:
        return 1, N

In [None]:
sec_param = 30
num_of_succ = 0
tries = 100

for i in range(tries):
    num_of_succ = num_of_succ + Factor(sec_param)

num_of_succ/tries

In [None]:
from sympy import primefactors

**The factoring experiment** $\textsf{Factor}_{\mathcal{A}, GenModulus}(n)$
1. $(N, p, q) := GenModulus(1^n)$

2. $(p', q') = \mathcal{A}(N)$

3. Output: 1 if $p' \cdot q' = N$ and $p', q' > 1$

**Definition 7.45** We say that factoring is hard relative to **GenModulus** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{Factor}_{\mathcal{A}, GenModulus}(n) = 1] \leq negl(n)$$

In [None]:
def GenModulus(w):
    n = len(w)
    p = randprime(2 ** n, 2 ** (n+1))
    q = randprime(2 ** n, 2 ** (n+1))
    N = p * q
    return N, p, q

GenModulus("111111")

In [None]:
def Factor(n):
    N, p, q = GenModulus("1" * n)
    pp, qq = A(N)
    if pp > 1 and qq > 1 and pp * qq == N:
        return 1
    else:
        return 0

In [None]:
def A(N):
    factors = primefactors(N)
    return factors[0], factors[1]

In [None]:
%%time
sec_param = 20
num_of_succ = 0
tries = 100

for i in range(tries):
    num_of_succ = num_of_succ + Factor(sec_param)

num_of_succ/tries

In [None]:
def GenRSA(w):
    n = len(w)
    N, p, q = GenModulus(w)
    m = (p-1) * (q-1)
    e = 3
    gcd, d, y = egcd(e, m)
    if d < 0:
        d = m + d
    return N, e, d

GenRSA("111111")

**The RSA experiment** $\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n)$
1. $(N, e, d) := GenRSA(1^n)$

2. choose $y \leftarrow Z_N^*$

2. $x = \mathcal{A}(N, e, y)$

3. Output: 1 if $x^e = y \bmod N$

**Definition 7.46** We say that RSA problem is hard relative to **GenRSA** if for all probabilistic polynomial-time algorithms $\mathsf{A}$ there exists a negligible function **negl** such that 
$$P[\textsf{RSA-inv}_{\mathcal{A}, GenRSA}(n) = 1] \leq negl(n)$$

In [None]:
def test():
    N = 