# IT41 - Practical Session #2  The RSA Cryptosystem 

The goal of this session is to discover in practice the RSA cryptosystem (https://en.wikipedia.org/wiki/RSA_(cryptosystem)). This system was discovered in 1977 by Rivest, Shamir et Adelman.

<table style="background: white;">
    <tr style="background: white;">
        <td> <img src='RSA.jpeg'  width="440px" />    
    </tr>
</table>

It is a public-key protocol based on skew-symmetric keys, i.e. the key used for encryption (public key) is not the same as the key used for decryption (private key). It means that everyone is allowed to encode a message, but only the person that have the private key (the recipient) can decypher it:

<table style="background: white;">
    <tr style="background: white;">
        <td> <img src='RSA.png'  width="440px" />    
    </tr>
</table>

The security of this system relies on the fact that is is extremely difficult (in terms of complexity of algorithms) to recover the private key from the public key.

### Generation of the keys

1- Choose two large prime numbers $p$ and $q$.

2- Compute $N=p\times q$.

3- Choose $e$ such that $e$ is prime with $\phi(N)=(p-1)(q-1)$.

4- Compute $d$ such that $de=1$ mod $\phi(N)$.

5- The public key is $(N,e)$, the private key is  $(p,q,d)$

### RSA protocol

Let's assume Bob wants to send a message $x$ to Alice. Bob has the public key $(N,e)$ and Alice possesses the private key $(p,q,d)$.  The message Bob wants to send is an integer $x<N$.

1- Bob encodes his message by computing $y=x^e \text{ mod }N$.

2- Bob sends the encrypted message $y$ to Alice

3- Alice decypher the message $y$ by computing $y^d \text{ mod }N=x^{ed} \text{ mod } N=x \text{ mod } N$. 

### Validity of the protocol

The validity of step 3 relies on Fermat little Theorem: If $p$ is prime and $p$ does not divide $a$, then


$$ a^{p-1}=1 \text{ mod } p.$$




Using little Fermat's Theorem show that $x^{k(p-1)(q-1)}-1$, for $k\in \mathbb{N}^*$, is divisible by $p$ and by $q$. Deduce that $y^d=x \text{ mod } n$.

### Proof : if $p$ is prime and $p \nmid a$, then $a^{p-1} = 1 \mod p$

Let's assume $p \nmid x$ 

$ \iff x^{p-1} = 1 \mod p $

$ \iff x^{(p-1)k} = 1^{k} \mod p = 1 \mod p $

$ x^{(p-1)k} - 1 = 1 \mod{p} -1 = 0$

So $p \mid x^{k(p-1)} - 1$



##### Now, for $q$ we have the same reasoning :

Let's assume $q \nmid x$ 

$ \iff x^{q-1} = 1 \mod q $

$ \iff x^{(q-1)k} = 1^{k} \mod q = 1 \mod q $

$ x^{(q-1)k} - 1 = 1 \mod{q} -1 = 0$

So $q \mid x^{k(q-1)} - 1$


### Conclusion :

$p \mid x^{k(p-1)(q-1)}$

$q \mid x^{k(p-1)(q-1)}$

### Proof : $y^d = x \mod{n}$

$y = x^e \mod{n} $

$ d \cdot e = 1 \mod{\phi(N)}$




$ \iff $ there exists a number $k \in \mathbb N^*$ such that $d \cdot e = 1 + k \cdot \phi(N)$

### First Implementation

We now create the keys of the protocol. Choose $p$ and $q$ two prime number and calculate $N=p\times q$.

In [None]:
p = 65537
q = 3121

N = p * q

To find $e$ prime with $(p-1)(q-1)$, we will use Euclid's algorithm.

Code Euclide's algorithm. Find $e$.

In [None]:
def euclid(a, b):
    while b != 0:
        t = b
        b = a % b
        a = t
    return a


def find_e(phiN):
    for e in range(3, phiN, 2):
        if euclid(e,phiN) == 1:
            return e
    return None

print("GCD(p,q)=",euclid(p,q),"\n")
print("GCD(1124,567)=",euclid(1124,567),"\n")

phiN = (p-1)*(q-1)

print("phi(n) : ",find_e(phiN))



    

GCD(p,q)= 1 

GCD(1124,567)= 1 

phi(n) :  7


To find $d$ the inverse of $e$, you will need the extended Euclid's algorithm. Propose a function that compute the inverse of $e$ modulo $\phi(N)$.

In [None]:
def extended_euclidV1(a ,b):
    mod = b
    if b > a :
        a,b=b,a
    t1 = 0
    t2 = 1
    r = a % b
    q = a // b
    t = t1 - q * t2 
    print({"q":q,"a":a,"b":b,"r":r,"t1":t1,"t2":t2,"t":t})
    while b > 0 and r > 0:
        a = b
        b = r
        t1 = t2
        t2 = t
        q = a // b
        r = a % b
        t = t1 - q * t2
        print({"q":q,"a":a,"b":b,"r":r,"t1":t1,"t2":t2,"t":t})
    if b != 1 :
        raise ValueError("After all these calculations, I can assure you that the a and the b you chose are NOT coprimes...")
    return t2 % mod

print(extended_euclidV1(3, 5),"is the inverse of your input.\n")
# print(extended_euclid(65536,3120),"is the inverse of your input.\n")
print(extended_euclidV1(3120, 65537),"is the inverse of your input.\n")
print(extended_euclidV1(65537, 3120))



{'q': 1, 'a': 5, 'b': 3, 'r': 2, 't1': 0, 't2': 1, 't': -1}
{'q': 1, 'a': 3, 'b': 2, 'r': 1, 't1': 1, 't2': -1, 't': 2}
{'q': 2, 'a': 2, 'b': 1, 'r': 0, 't1': -1, 't2': 2, 't': -5}
2 is the inverse of your input.

{'q': 21, 'a': 65537, 'b': 3120, 'r': 17, 't1': 0, 't2': 1, 't': -21}
{'q': 183, 'a': 3120, 'b': 17, 'r': 9, 't1': 1, 't2': -21, 't': 3844}
{'q': 1, 'a': 17, 'b': 9, 'r': 8, 't1': -21, 't2': 3844, 't': -3865}
{'q': 1, 'a': 9, 'b': 8, 'r': 1, 't1': 3844, 't2': -3865, 't': 7709}
{'q': 8, 'a': 8, 'b': 1, 'r': 0, 't1': -3865, 't2': 7709, 't': -65537}
7709 is the inverse of your input.

{'q': 21, 'a': 65537, 'b': 3120, 'r': 17, 't1': 0, 't2': 1, 't': -21}
{'q': 183, 'a': 3120, 'b': 17, 'r': 9, 't1': 1, 't2': -21, 't': 3844}
{'q': 1, 'a': 17, 'b': 9, 'r': 8, 't1': -21, 't2': 3844, 't': -3865}
{'q': 1, 'a': 9, 'b': 8, 'r': 1, 't1': 3844, 't2': -3865, 't': 7709}
{'q': 8, 'a': 8, 'b': 1, 'r': 0, 't1': -3865, 't2': 7709, 't': -65537}
1469


In [None]:
def extended_euclidV2(a, b):
    mod = b  
    t1 = 1
    t2 = 0 
    temp = 0
    while b != 0:
        q = a // b
        temp = b
        b = a - q * b
        a = temp
        temp = t2
        t2 = t1 - q * t2
        t1 = temp
    if a != 1:
        print("(GCD ≠ 1)")
        return
    
    return t1 % mod

In [None]:
print(extended_euclidV2(3, 5),"is the inverse of your input.\n")
# print(extended_euclid(65536,3120),"is the inverse of your input.\n")
print(extended_euclidV2(3120, 65537), "is the inverse of your input.\n")
print(extended_euclidV2(65537, 3120), "is the inverse of your input.\n")

2 is the inverse of your input.

7709 is the inverse of your input.

2753 is the inverse of your input.



To encode and decode the message, we will need to compute $x^e \text{ mod }N$ and $y^d \text{ mod } N$. When $e$ and $d$ are large, the naive exponentiation could be time consuming. In order to avoid that issue we will use the fast powering algorithm (recitaton 2, practical session 1). Implement this algorithm to encode and decode the message.

In [None]:
def fast_pow(a, n, mod):
    A = a % mod
    N = n
    R = 1
    while N > 0 :
        if (N%2==0):
            A = (A * A) % mod
            N = N//2
        else:
            R = (R * A) % mod
            N-=1
    return R

In [None]:
fast_pow(2, 8, 2**8+1)

256

In [None]:
def encode(p, q, m):
    N = p * q
    phi = (p-1)*(q-1)
    e = find_e(phi)
    d = extended_euclidV2(e, phi)
    print("d = ", d)
    return (fast_pow(m, e, N), d, N)
    

def decode(private_key):
    return fast_pow(private_key[0], private_key[1], private_key[2]) 



Test and illustrate on some examples the validity of the protocol with the functions you wrote.

In [None]:
# "Real world" example
p = 65537
q = 3121

N = p * q

message = 32
print("Message :", message)

c = encode(p, q, message)
print(f"Encoded message : {c[0]}")

m = decode(c)
print(f"Decoded message : {m}")

Message : 32
d =  58420663
Encoded message : 201395209
Decoded message : 32


In [None]:
# Small values for later (attacks)
p = 2
q = 5

N = p * q
e = find_e((p-1)*(q-1))

print(f"Public key : ({N}, {e})")

message = 5
print("Message :", message)

c = encode(p, q, message)
print(f"Encoded message : {c[0]}")

m = decode(c)
print(f"Decoded message : {m}")

Public key : (10, 3)
Message : 5
d =  3
Encoded message : 5
Decoded message : 5


### Security of the protocol

How can we try to break the protocol base on the public data $(N,e)$ ?

#### Factoring

If $p$ and $q$ are known, it is easy to find $d$ by computing the inverse of $e \text{ mod }(p-1)(q-1)$.

What is the moste naive way to find $p$ and $q$ from $N$ ?

What is the complexity of this method in terms of $k$ the binary length of $N$ ?

Implement this naive factoring algorithm and perform numerical test to illustrate the problem.

In [None]:
def naive_factoring(N):
    for i in range(1, N):
        for j in range(1, i+1):
            if i*j == N:
                return i,j

In [None]:
naive_factoring(15)

(5, 3)

### Complexity of the naive algorithm (N):


* `i` loop : $N-1$

Total : 

$$ 
T(N) = \displaystyle\sum_{k=1}^{N-1}k

= \frac{(N-1)N}{2}

= \frac{N^2 - N}{2} = O(N^2)
$$

### Complexity of the naive algorithm (k):

Let k be the binary length of N.
$\iff N \leq 2^k $

Since $T(N) = O(N^2)$, we have : 
$$ 
T(k) = O((2^k)^2) = O(4^k) 
$$

In [None]:
from math import sqrt
def faster_factoring(N):
    for i in range(2, int(sqrt(N))+1):
        if N % i == 0 : return (i, N//i)

In [None]:
faster_factoring(15)

(3, 5)

### Complexity of the "faster" algorithm (N):

We only have one `for` loop that goes from 2 to $\sqrt{N}$ at most.
So we have 
$$
T(N) = O(\sqrt{N})
$$


### Complexity of the "faster" algorithm (k):
Let k be the binary length of N.

Since $T(N) = O(\sqrt{N})$, we have :

$$
T(k) = O(\sqrt{2^k}) = O((2^k)^\frac{1}{2}) = O(2^{k/2})
$$


#### Logarithm


Another possible attack is as follows. The attacker creates a message $y = x^e \mod N$ using the public key and calculates $y^k$, varying $k$ until finding the value such that $y^k = x \mod N$.

What is the complexity of this approach?

Implement this algorithm and illustrate it with numerical tests.

In [None]:
def logarithm_attack(N, e, x):
    k = 1
    y = fast_pow(x, e, N)
    while fast_pow(y, k, N) != x % N:
        k += 1
    return k

In [None]:
import random


## private key
p = 83
q = 67

## public key 
N = p * q
phiN = (p-1)*(q-1)
e = find_e(phiN)


target_d = extended_euclidV2(e, phiN)
print(f"target_d = {target_d}")
test_range = 1e3

possible_d = []
test_messages = []

## generating random messages, each message is coprime with N
while test_range > 0:
    r = random.randint(2, 1000)
    if euclid(N, r) == 1 and N%r !=0:
        test_messages.append(r)
        test_range -= 1

## finding the d candidates for each message
for msg in test_messages:
    possible_d.append(logarithm_attack(N, e, msg))

## testing if the target_d was found
def find_target_d(possible_d, target_d):
    for index in range(len(possible_d)):
        if possible_d[index] == target_d:
            print(f"correct d found at {index} : {possible_d[index]}")
            return possible_d[index]

find_target_d(possible_d, target_d)


target_d = 2165
correct d found at 0 : 2165


2165

#### Conclusion: 

We need to choose a good message `x`, otherwise we won't get the correct `d`.

### Complexity analysis:

The `while` loop iterates until we find the correct $d$.

For each iteration, we perform a `fast_pow` which has a complexity of $O(k)$, where $k$ is the binary length of $N$.

So $T(k) = O(d \cdot k)$

Since we know that $d = e^{-1} \mod \phi(N) \iff d \leq \phi(N) = O(N) = O(2^k)$ :

If we assemble both, we get :

$$
T(k) = O(2^k \cdot k) 
$$




### Primality test

For the RSA protocol to be efficient, large prime numbers $p$ and $q$ must be chosen. However, how can we know if a randomly chosen number is prime? We have seen that searching for its factorization is not efficient from an algorithmic point of view. Instead, we will use a heuristic.

Let $\pi(n)$ be the number of prime numbers less than or equal to $n$. What is the value of $\pi(10)$?



**Answer** :

The prime numbers less than or equal to 10 are : 2, 3, 5, 7

Thus $\pi(10) = 4$

The Prime Number Theorem is the following mathematical result:


$$\lim_{n\to \infty} \frac{\pi(n)}{n/\ln(n)}=1.$$

For large $n$, what is the probability that a randomly chosen number $n$ less than $n$ is prime?

If we want to generate a 512-bit prime number, how many numbers must we test to have a good chance of finding a prime?

**Answer** :

$\lim_{n\to \infty} \frac{\pi(n)}{n/\ln(n)}=1. $

$\iff \pi(n) \approx \frac{n}{\ln(n)}$

$\iff \frac{\pi(n)}{n} \approx \frac{1}{\ln(n)}$

So the probability of $n$ being prime is $\frac{1}{\ln(n)}$

---

A number of binary length 512 would be at the worst case : $2^{512}$

We can compute it by doing : $\frac{1}{\ln(2^{512})} \approx 354.891 \approx 355$

We will need approximativeley 355 tests to have a chance of finding a prime.

According to Fermat's Little Theorem, what can we say about $n$ if $a^{n-1} \neq 1 \mod n$?

A number $a$ is called a pseudo-prime if it is not prime and satisfies $a^{n-1} = 1 \mod n$. The number of pseudo-primes is "rare." For example, for $a=2$, there exist only $22$ pseudo-prime numbers less than or equal to $n=10000$. If we choose $k \leq 10000$ such that $a^{k-1} = 1 \mod k$, what is the probability that $k$ is prime?


* $a^{n-1} \neq 1 \mod{n} $  means $n$ isn't prime (the contrapositive of Fermat's Little theorem).

Deduce and implement an algorithm that allows to test and insure with a high probability that a given number is prime.

In [None]:
def is_prime(n, k=30):
    """
    Testing primality for k random numbers (default k=30) "a" 
    such that 2 < a < n-1, and a,n coprime.
    Returns False if a^(n-1) != 1 mod n, else returns True.
    The result has a high probability of being correct, but it's not guaranteed.
    """
    for i in range(k):
        a = random.randint(2, n-1)
        if euclid(a, n) == 1:
            if fast_pow(a, n-1, n) != 1:
                return False
    return True
    

In [None]:
# Let's test this for a list of known prime numbers :

primes = [701, 709, 719, 727, 941, 947, 953, 5, 17, 19, 23, 29, 31, 37, 983, 991, 997]

for prime in primes:
    print(f"{prime} is prime : {is_prime(prime)}")

701 is prime : True
709 is prime : True
719 is prime : True
727 is prime : True
941 is prime : True
947 is prime : True
953 is prime : True
5 is prime : True
17 is prime : True
19 is prime : True
23 is prime : True
29 is prime : True
31 is prime : True
37 is prime : True
983 is prime : True
991 is prime : True
997 is prime : True


In [None]:
# Now, let's test the algorithm for a list of known non-prime numbers :
not_primes = [2*x for x in primes]

for not_prime in not_primes:
    print(f"{not_prime} is prime : {is_prime(not_prime)}")

1402 is prime : False
1418 is prime : False
1438 is prime : False
1454 is prime : False
1882 is prime : False
1894 is prime : False
1906 is prime : False
10 is prime : False
34 is prime : False
38 is prime : False
46 is prime : False
58 is prime : False
62 is prime : False
74 is prime : False
1966 is prime : False
1982 is prime : False
1994 is prime : False


Use this primality test to generate large prime number and propose a new implementation of the RSA protocol with large prime number. Illustrate this new protocol with examples and numerical test.

In [None]:
def large_prime(bin_length = 512):
    """
    Generates a large prime number.
    Optional parameter `bin_length` defaults to 512.
    """
    p = random.randint(2**(bin_length-1), 2**bin_length)
    while not is_prime(p):
        p = random.randint(2**(bin_length-1), 2**bin_length)
    return p

p = large_prime()

p


6772252321797134358982215985734734925214360980364921973154839919307437778828457202975716552387066278346937040166788881292220870069088165020210967260766533

In [None]:
import math
def binary_size(n):
    return math.floor(math.log(n, 2))+1

print(f"binary size of p : {binary_size(p)}")

binary size of p : 512


# Final RSA protocol implementation

Bob sends a message to Alice.

In [None]:
def gen_keys(bin_length = 512):
    """
    Generates public and private keys for the RSA cryptosystem.
    Optional parameter `bin_length` defaults to 512.

    Returns a public key tuple : (N, e),
    And a private key tuple : (p, q, d).
    """
    p, q = large_prime(bin_length), large_prime(bin_length)
    N = p * q
    phiN = (p - 1) * (q - 1)
    e = find_e(phiN)
    d = extended_euclidV2(e, phiN)
    public_key = (N, e)
    private_key = (p, q, d)
    return public_key, private_key

def publish(key):
    """
    Simulates the publishing of the public key.
    """
    N, e = key[0]
    print(f"Publishing public key : ({N, e})\n")
    return N, e

def encrypt(public_key, message):
    """
    message**e mod N.
    """
    return fast_pow(message, public_key[1], public_key[0])

def send_message(message):
    """
    Simulates the sending of the message.
    """
    print(f"Sending message : {message}\n")
    return message

def decrypt(private_key, message):
    """
    message**d mod n
    """
    return fast_pow(message, private_key[2], private_key[0] * private_key[1]) 


def text_to_int(text):
    return int.from_bytes(text.encode('utf-8'), 'big')


def int_to_text(number):
    return number.to_bytes((number.bit_length() + 7) // 8, 'big').decode('utf-8')


In [None]:
# Alice's machine computes the public and private keys. She keeps the private and publishes the public key.

keys = gen_keys() ## gen
private_key = keys[1] ## stores the private key
public_key = publish(keys) ## publishes the public key

# Bob wants to send the following message to Alice : 
m = "Hello, Alice !"
message = text_to_int(m) #converting the message to an integer

# Bob then encrypts the message using Alice's public keys :
encrypted_message = encrypt(public_key, message)

# Bob then sends the encrypted message to Alice :
sent_message = send_message(encrypted_message)

# Alice receives the message and decrypts it using her private key :
decrypted_message = int_to_text(decrypt(private_key, sent_message))

print(f"Decrypted message : {decrypted_message}")

Publishing public key : ((63912380206153204042687024380604457832489759072323051979659533271662119167413696719210071407725868640871732895281531880848169767458909909518402989875578575327339689715760147560152229039051865181262683305251897758326342992652180326435923105765725024056675048778248704135183625216831007703938260923442031101253, 3))

Sending message : 3165962034132582593069230960599074487607158690602319419894761538448490133410543391854649361746619489

Decrypted message : Hello, Alice !
