Sage note 11.3.1. Another reminder to evaluate definitions.
Don’t forget to evaluate the commands below so we can use words as messages instead of just numbers.
Section 11.3 A Modular Exponentiation Cipher
To prepare for discussion of a famous public-key system, we will first discuss a (symmetric) system that leads to it. This system needs yet another invertible number theory procedure, one that we have used enough to be quite comfortable with.
That procedure is modular exponentiation as cipher. Recall that we have methods to solve modular exponential congruences (such as using primitive roots). That gives us tools sufficient to implement these subtle techniques.
Subsection 11.3.1 The Diffie-Hellman method
In the cell below, we will pick a few numbers relevant to this method. To use it, we will need a prime number \(p\text{,}\) and some legitimate exponent \(e\) that won’t mess things up too badly. (Also, suppose our secret is still that math is cool.)
What do I mean by ‘won’t mess things up too badly?’ Recall from Subsection 10.5.1 that when we solved
\begin{equation*}
x^{3}\equiv 5 \text{ (mod }17\text{) as }3^{3i}\equiv 3^{5}\text{ (mod }17\text{)}
\end{equation*}
we ended up in the world of \(\phi(17)=16\) and solved
\begin{equation*}
3i\equiv 5 \text{ (mod }16\text{)}\text{.}
\end{equation*}
This required a solution \(i\) to exist, which wouldn’t happen for all possible choices of numbers in a congruence!
In order to keep using these ideas easily, we will pick an exponent coprime to \(\phi(p)\text{.}\)
Now, here is the algorithm (see also Algorithm 11.3.3). I just take my message (as a number) and raise it to the \(e\) power modulo \(p\text{.}\) It’s as simple as that!
In the cell below, we pick a convenient \(e\) and \(p\text{.}\)
Here I picked \(p=29\) since it’s close to \(26\text{,}\) and more or less arbitrarily picked an exponent \(e=9\) (though it does have to be coprime to \(28=\phi(29)\)).
Note the steps. I first had to encode “MathIsCool” to numbers. Then I exponentiated each number in the coded version, modulo 29. To be precise, I sent each number
\begin{equation*}
a\mapsto a^9\text{ (mod }29)\text{.}
\end{equation*}
Remark 11.3.2.
Notice that decoding the secret message code is not so useful anymore! (What would we do with the number \(28\) as an output, for instance?) So we usually just stick with the numbers.
Leaving aside for the moment that the letter A will now have the unfortunate property that it always stays 1, and hence basically unencrypted (this is because we are doing a toy example), how on earth would we ever decrypt this? Do we have a way to invert
\begin{equation*}
a^9\text{ (mod }29)
\end{equation*}
in any way?
Naturally, we do! We will use exponentiation again to do so. We just need something that solves
\begin{equation*}
\left(a^9\right)^f\equiv a\text{ (mod }29)\text{,}
\end{equation*}
or more concisely
\begin{equation*}
a^{9f}\equiv a^1\text{ (mod }29)\text{.}
\end{equation*}
(We can think of \(f\) as a power that inverts the original power \(9\text{.}\)).
From our discussion in Section 10.5, solving this congruence is tantamount to solving
\begin{equation*}
9f\equiv 1\text{ (mod }28)
\end{equation*}
and we know we can find this. In the cell below, we do it computationally, but you could do this one ‘by hand’.
This method of encryption is known as the Diffie-Hellman method (named after its originators, who proposed it in the mid-70’s); see Historical remark 11.4.1 and Historical remark 11.3.5.
Subsection 11.3.2 A bigger example
Now we will do a more real example of this. Notice how important it was that we chose an initial exponent \(e\) that was coprime to \(\phi(p)=p-1\text{.}\)
For convenience, I’ll just take the next prime bigger than my message.
Next, I pick an exponent. Not every exponent will work! Beforehand I factored \(p-1\) so I could find something coprime to it.
The encrypted message is now just one number. Now we need the decryption key. Luckily, that’s just as easy as taking an inverse modulo \(p-1\text{:}\)
Here is one more extended Sage example; why not try your own message? Here, the interesting point is that I allow Sage to pick a prime for me using
next_prime(). (If it fails, try changing e to something coprime to \(p-1\text{.}\))Subsection 11.3.3 Recap
Here is the formal explanation of our first awesome encryption scheme.
Algorithm 11.3.3. Diffie-Hellman Encryption.
To encrypt using this method, do the following.
- Turn your message into a number \(x\text{.}\)
- Pick a prime \(p\) (presumably greater than \(x\)).
- Pick an exponent \(e\) such that \(\gcd(e,p-1)=1\text{.}\)
- Encrypt to a secret message by taking\begin{equation*} m=x^e\text{ (mod }p)\text{.} \end{equation*}
Here are the steps for decryption.
- Find an inverse modulo \(p-1\) to \(e\text{,}\) and call it \(f\text{.}\)
- Decrypt (if you want) by taking\begin{equation*} m^f\equiv x\text{ (mod }p) \end{equation*}
- Celebrate in your opponent’s destruction.
Proof.
Why does this work? First, note that our condition on \(f\) is equivalent to
\begin{equation*}
ef\equiv 1\text{ (mod }p-1)\text{.}
\end{equation*}
Then we can simply compute that
\begin{equation*}
m^f\equiv \left(x^e\right)^f\equiv x^{ef}\equiv x^1\equiv x\text{ (mod }p)
\end{equation*}
which verifies that we get the original message back.
Feel free to use the following Sage cells to see what happens with your own short messages.
Or you can choose a prime on your own.
Sage note 11.3.4. Compute what you need.
Remember, you can always compute anything you need. For instance, if you for some reason didn’t pick a big enough prime, you can use the following command to find one.
Historical remark 11.3.5. Diffie and Hellman.
In 2015, Whitfield Diffie and Martin Hellman won the Turing Award for their contribution, the highest award in computer science.
Subsection 11.3.4 A brief warning
Remember, the key that makes it all work (thanks to Fermat’s Little Theorem/Euler’s Theorem) is that exponents of congruences mod \(n\) live in the world of congruences mod \(\phi(n)\text{,}\) as long as they are numbers coprime to \(\phi(n)\text{.}\) That’s why \(\gcd(e,p-1)=1\) is important.
Here’s an example of how not choosing your exponent wisely can go wrong.
Sage note 11.3.6. Change values right in the code.
Some Sage cells have little text boxes or sliders for interacting. But you can use any of them to change the values we are playing with; try changing the variable
message in the preceding cell to encode your own secret.Assuming you followed along, so far, so good; it got encrypted. But what happens when we try to decrypt?
You should have gotten an error (in fact, a
ZeroDivisionError, which should sound relevant). It turns out not even to be possible to go backwards. Be warned that you must know the mathematics to use cryptography wisely.
