Lecture 18

Public Key Cryptography

In this section, we’ll show off a major modern application of all the ideas above. The aim is to talk about (one small but key part of) modern cryptography.

Cryptography is the study of how to send messages in a form which cannot be read except by the intended recipients. To encrypt the messages is to put them in a form which cannot be read easily; to decrypt the messages is to take such messages and recover them in readable form.

The literature of cryptography usually talks about three people:

Alice and Bob are of course named so that the message goes from $A$ to $B$. Eve is so named because she is an eavesdropper, or perhaps because she is evil.

In the olden days, Alice and Bob would have come up with some kind of system depending on a shared secret key with which you could encrypt and decrypt a message. Perhaps you’ve seen many of these techniques already! For example, you could substitute the letters of the alphabet according to some agreed system: then the key would describe that system and would be a list of facts like $A\mapsto Q$, $B\mapsto J$, etc.

The big disadvantage with that is that Alice and Bob have to exchange the key somehow at the beginning: if Eve can spy on that conversation, she has the key and can decrypt Alice’s message just as easily as Bob can.

The problem with this old-time approach is that the same secret is used to encrypt and decrypt the message, so needs exchanging.

Suppose instead there was a type of encryption with a key for encryption and another key for decryption, such that, even if you know exactly how to encrypt a message, it is very hard indeed to work out how to decrypt it.

That suggests the following plan:

  1. Bob comes up with a system of encrypting and decrypting of that sort.

  2. Bob takes the key which tells you how to decrypt messages, the private key, and keeps it to himself, never telling anyone.

  3. Bob takes the key which tells you how to encrypt messages, the public key, and shares it with everyone who wants it, with no secrecy whatsoever. In particular, he sends Alice a postcard telling her his public key. Of course Eve finds it out quickly, but Bob doesn’t care.

  4. Alice uses Bob’s public key to encrypt a message for Bob.

  5. Alice sends Bob the encrypted message.

  6. Bob uses his private key to decrypt it, and reads Alice’s message.

So the only question is, how can we come up with such a system, where being able to encrypt things doesn’t help you decrypt things very much?

The approach we’ll describe was the first one to be thought of, in the 1970s. It is known as RSA after its American inventors Rivest, Shamir and Adleman. (A British mathematician, Cocks, invented it a few years earlier, but he was working in secret for the government, so this was not known for many years). RSA is still in very widespread use on the internet.

The secret of RSA is to work modulo $pq$, where $p$ and $q$ are (different) primes. We’re going to need to do modular arithmetic mod $pq$, including exponentiation. So we’ll need to see what Fermat-Euler says:


Let $p$ and $q$ be different primes. Then the number $\varphi(pq)$, of integers from $1$ to $pq$ coprime to $pq$, is given by
\[\varphi(pq) = (p-1)(q-1).\]


There are $pq$ integers $a$ between $1$ and $pq$. Those that are not coprime to $pq$ are either multiples of $p$ or of $q$.

Of these, $q$ of them are multiples of $p$ (namely $p, 2p, \ldots, pq$).

Also, $p$ of them are multiples of $q$ (namely $q, 2q, \ldots, pq$).

Lastly, one of them (namely $pq$) is a multiple of $p$ and of $q$.

Hence $q+p-1$ of them are not coprime to $pq$, and so
\[\varphi(pq) = pq - q - p + 1 = (p-1)(q-1).\]

As a result of that, we know (from the Fermat-Euler Theorem) that, for all $a$ coprime to $pq$, we have
\[a^{(p-1)(q-1)} \equiv 1 \pmod{pq},\]
and indeed
\[a^{k(p-1)(q-1)} \equiv 1 \pmod{pq}\]
for all $k$.

So, Bob chooses two fairly large primes $p$ and $q$, and keeps them secret. He also chooses a number $e$ which is coprime to $(p-1)(q-1)$.

He also calculates the inverse $d$ to $e$, modulo $(p-1)(q-1)$, by using Euclid’s algorithm.

His public key consists of $pq$ and $e$, so he sends that to Alice (and Eve); his private key consists of $pq$ and $d$. He shreds any evidence of what $p$ and $q$ are.

Alice represents her message as a number $m$ between $1$ and $pq$. It is overwhelmingly likely that her choice will be coprime to $pq$. She calculates $m^e \pmod{pq}$ and sends it on to Bob.

Bob receives this number $m^e$ from Alice, and raises it to the power $d$ modulo $pq$. He thus obtains something congruent to $(m^e)^d = m^{de}$.

Now, because $de \equiv 1 \pmod{\varphi(pq)}$, we have $de = 1 + k\varphi(pq)$ for some $k$. As a result,
\[(m^e)^d = m^{de} = m^{1+k\varphi(pq)} = m\,(m^{\varphi(pq)})^k \equiv m\cdot 1^k \equiv m \pmod{pq}.\]

Hence, using his private key, Bob can recover what $m$ was from being told $m^e$.

The idea is that it should be very hard for anyone else to work out $d$ from $pq$ and $e$; we did this using Euclid’s algorithm, but we needed to know more than just $pq$: we needed to know $(p-1)(q-1)$.

So the security of this approach depends (among other things) on it being difficult to factorise the number $pq$: if factorising large numbers were easy, we could get $p$ and $q$ for ourselves from Bob’s public key. Currently, we know of no way to do this fast enough: we know how to generate primes that are hundreds of digits long, but not to factorise a product of two of them.

Let’s see an example.

Suppose Bob has low opinions of Eve’s calculational skills, and chooses to use the (unrealistically small) primes $p = 101$ and $q = 103$. Then $pq = 10403$. Suppose also that Bob chooses $e = 71$ for the exponent used for encryption.

Bob advertises that his public key is $pq = 10403$, $e = 71$. He must work out his private key, by inverting $71$ modulo $(p-1)(q-1) = 10200$. A quick use of Euclid’s algorithm will do this for him, and he gets that $71^{-1} \equiv 431$. Indeed, $71 \times 431 = 30601 = 3 \times 10200 + 1$. Thus his private key is $pq = 10403$, $d = 431$.

Suppose Alice decides she needs to send Bob message $1245$, which they’ve agreed in advance should mean “please meet me after this lecture”.

Then Alice has to calculate $1245^{71}$ modulo $10403$. This sounds scary, but she can do it fairly quickly if she’s careful:
\[\begin{aligned}
1245^{71} &\equiv 1245\cdot 1245^{70} \equiv 1245\cdot (1245^2)^{35}\\
&\equiv 1245\cdot 10381^{35} \equiv 1245\cdot 10381\cdot 10381^{34} \equiv 3819\cdot (10381^2)^{17}\\
&\equiv 3819\cdot 484^{17} \equiv 3819\cdot 484\cdot 484^{16} \equiv 7065\cdot (484^2)^{8}\\
&\equiv 7065\cdot 5390^{8} \equiv 7065\cdot (5390^2)^{4} \equiv 7065\cdot 6924^{4}\\
&\equiv 7065\cdot (6924^2)^{2} \equiv 7065\cdot 4752^{2}\\
&\equiv 7065\cdot 6994 \equiv 8763 \pmod{10403}.
\end{aligned}\]

So she sends Bob $8763$.

Bob receives this, and his task then is to calculate $8763^{431}$ modulo $10403$. A similar strategy makes this possible, too, and he finds that $8763^{431} \equiv 1245 \pmod{10403}$, so he has reconstructed Alice’s message.
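The whole exchange above, as an added Python example that is not part of the lecture notes: Bob's key generation (Euclid's algorithm for $d$), Alice's square-and-multiply for $m^e$ mirroring the chain of squarings, Bob's decryption, and a trial-division check of the lecture's point that the scheme's safety rests on $pq$ being hard to factor. The function names and the layout of the keys as pairs are my own choices.

```python
# Added example (not from the lecture notes): RSA with the lecture's toy
# parameters p = 101, q = 103, e = 71, so n = pq = 10403 and phi = 10200.
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def mod_inverse(e: int, phi: int) -> int:
    """Bob's d with e*d = 1 (mod phi); fails if e is not coprime to phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return x % phi

def mod_pow(base: int, exp: int, n: int) -> int:
    """Square-and-multiply: the 'careful' strategy Alice uses for 1245^71."""
    result, base = 1, base % n
    while exp > 0:
        if exp & 1:                 # odd exponent: peel off one factor of base
            result = result * base % n
        base = base * base % n      # square the base, halve the exponent
        exp >>= 1
    return result

def keygen(p: int, q: int, e: int):
    """Returns Bob's public key (pq, e) and private key (pq, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, mod_inverse(e, phi))

def encrypt(pub, m: int) -> int:
    n, e = pub
    return mod_pow(m, e, n)          # Alice: m^e mod pq

def decrypt(priv, c: int) -> int:
    n, d = priv
    return mod_pow(c, d, n)          # Bob: c^d mod pq

def smallest_factor(n: int) -> int:
    """Trial division: a 5-digit modulus falls instantly, which is why real keys use huge primes."""
    return next((p for p in range(2, int(n ** 0.5) + 1) if n % p == 0), n)

if __name__ == "__main__":
    pub, priv = keygen(101, 103, 71)
    c = encrypt(pub, 1245)
    print(pub, priv, c, decrypt(priv, c))   # (10403, 71) (10403, 431) 8763 1245
```

Running `smallest_factor` on Bob's public modulus hands back $p = 101$ at once, after which anyone can redo Bob's own Euclid step and obtain $d = 431$; that is exactly the weakness the lecture warns against with small primes.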

The real numbers

Irrational numbers

We’ve spent nine lectures now talking about $\mathbb{N}$, $\mathbb{Z}$ and $\mathbb{Q}$, laying the foundations of number theory. The rest of this course will be about $\mathbb{R}$. Perhaps sensibly enough, the study of $\mathbb{R}$ is called real analysis.

Let’s set ourselves back to a time before $\mathbb{R}$ was invented, and ask: why was it necessary to invent it? Why should we feel that $\mathbb{Q}$ is not enough?

The result that set the ancient Greeks thinking was this:

There is no $x \in \mathbb{Q}$ with $x^2 = 2$.

We’ll prove this by contradiction; suppose there is such a number $x \in \mathbb{Q}$. Because it’s in $\mathbb{Q}$, it takes the form $x = p/q$ for some integers $p$ and $q$ with $q \neq 0$.

We may as well take $p$ and $q$ to be coprime (“in lowest terms”).

Then we have $p^2/q^2 = x^2 = 2$, so $p^2 = 2q^2$ with $p$ and $q$ coprime.

Now, the right-hand side is even (it’s given as a multiple of $2$), so the left-hand side, $p^2$, must be even too. That means that $p$ itself must be even: so we can write $p = 2r$.

Then we have $(2r)^2 = 2q^2$, which simplifies to $4r^2 = 2q^2$, or $2r^2 = q^2$. Here the left-hand side is even, so $q^2$ must be even. Hence $q$ itself must be even.

This is a contradiction: $p$ and $q$ can’t both be even. So our initial assumption is absurd, and there is no rational $x$ with $x^2 = 2$.

I felt obliged to word the statement of that theorem fairly carefully.

What I wanted to say, of course, was:

The number $\sqrt{2}$ is not in $\mathbb{Q}$.

But I want to flag that up as being possibly inappropriate: our aim in this section is to define the reals. We shouldn’t even be confident that $\sqrt{2}$ exists yet.

However, thanks to this theorem, we can be confident at least that there’s no number inside $\mathbb{Q}$ which deserves to be called $\sqrt{2}$.

This, to the Greeks, was evidence that there was a world beyond $\mathbb{Q}$; a world of irrational numbers (numbers not in $\mathbb{Q}$). They needed a number called $\sqrt{2}$, so they could talk about the diagonal of a unit square:

Over the years, more and more examples were found of numbers which one might want to talk about, but which cannot be in $\mathbb{Q}$: various powers, logarithms, sines, cosines, and other constructions besides.

One high point is the proof by Lambert in 1761 that $\pi$ and $e$ are irrational.

On the other hand, modern mathematics is still not particularly good, in general, at proving that numbers are irrational. For example, if you want to become famous, simply prove (please…) that any one of the following numbers is irrational:
\[\pi + e,\quad \pi - e,\quad \pi e,\quad \pi/e,\quad \ln\pi,\quad e^e,\quad e^{e^e}.\]