Skip to main content

Section 11.3 A Modular Exponentiation Cipher

To prepare for discussion of a famous public-key system, we will first discuss a (symmetric) system that leads to it. This system needs yet another invertible number theory procedure, one that we have used enough to be quite comfortable with.

That procedure is modular exponentiation as cipher. Recall that we have methods to solve modular exponential congruences (such as using primitive roots). That gives us tools sufficient to implement these subtle techniques.

Sage note 11.3.1. Another reminder to evaluate definitions.

Don't forget to evaluate the commands below so we can use words as messages instead of just numbers.

Subsection 11.3.1 The Diffie-Hellman method

In the cell below, we will pick a few numbers relevant to this method. To use it, we will need a prime number p, and some legitimate exponent e that won't mess things up too badly. (Also, suppose our secret is still that math is cool.)

What do I mean by ‘won't mess things up too badly?’ Recall from Subsection 10.5.1 that when we solved

x35 (mod 17) as 33i35 (mod 17)

we ended up in the world of ϕ(17)=16 and solved

3i5 (mod 16).

This required a solution i to exist, which wouldn't happen for all possible choices of numbers in a congruence!

In order to keep using these ideas easily, we will pick an exponent coprime to ϕ(p).

Now, here is the algorithm (see also Algorithm 11.3.3). I just take my message (as a number) and raise it to the e power modulo p. It's as simple as that!

In the cell below, we pick a convenient e and p.

Here I picked p=29 since it's close to 26, and more or less arbitrarily picked an exponent e=9 (though it does have to be coprime to 28=ϕ(29)).

Note the steps. I first had to encode “MathIsCool” to numbers. Then I exponentiated each number in the coded version, modulo 29. To be precise, I sent each number

aa9 (mod 29).
Remark 11.3.2.

Notice that decoding the secret message code is not so useful anymore! (What would we do with the number 28 as an output, for instance?) So we usually just stick with the numbers.

Leaving aside for the moment that the letter A will now have the unfortunate property that it always stays 1, and hence basically unencrypted (this is because we are doing a toy example), how on earth would we ever decrypt this? Do we have a way to invert

a9 (mod 29)

in any way?

Naturally, we do! We will use exponentiation again to do so. We just need something that solves

(a9)fa (mod 29),

or more concisely

a9fa1 (mod 29).

(We can think of f as a power that inverts the original power 9.).

From our discussion in Section 10.5, solving this congruence is tantamount to solving

9f1 (mod 28)

and we know we can find this. In the cell below, we do it computationally, but you could do this one ‘by hand’.

This method of encryption is known as the Diffie-Hellman method (named after its originators, who proposed it in the mid-70's); see Historical remark 11.4.1 and Historical remark 11.3.5.

Subsection 11.3.2 A bigger example

Now we will do a more real example of this. Notice how important it was that we chose an initial exponent e that was coprime to ϕ(p)=p1.

For convenience, I'll just take the next prime bigger than my message.

Next, I pick an exponent. Not every exponent will work! Beforehand I factored p1 so I could find something coprime to it.

The encrypted message is now just one number. Now we need the decryption key. Luckily, that's just as easy as taking an inverse modulo p1:

Here is one more extended Sage example; why not try your own message? Here, the interesting point is that I allow Sage to pick a prime for me using next_prime(). (If it fails, try changing e to something coprime to p1.)

Subsection 11.3.3 Recap

Here is the formal explanation of our first awesome encryption scheme.

Why does this work? First, note that our condition on \(f\) is equivalent to

\begin{equation*} ef\equiv 1\text{ (mod }p-1)\text{.} \end{equation*}

Then we can simply compute that

\begin{equation*} m^f\equiv \left(x^e\right)^f\equiv x^{ef}\equiv x^1\equiv x\text{ (mod }p) \end{equation*}

which verifies that we get the original message back.

Feel free to use the following Sage cells to see what happens with your own short messages.

Or you can choose a prime on your own.

Sage note 11.3.4. Compute what you need.

Remember, you can always compute anything you need. For instance, if you for some reason didn't pick a big enough prime, you can use the following command to find one.

Historical remark 11.3.5. Diffie and Hellman.

In 2015, Whitfield Diffie and Martin Hellman won the Turing Award for their contribution, the highest award in computer science.

Subsection 11.3.4 A brief warning

Remember, the key that makes it all work (thanks to Fermat's Little Theorem/Euler's Theorem) is that exponents of congruences mod n live in the world of congruences mod ϕ(n), as long as they are numbers coprime to ϕ(n). That's why gcd(e,p1)=1 is important.

Here's an example of how not choosing your exponent wisely can go wrong.

Sage note 11.3.6. Change values right in the code.

Some Sage cells have little text boxes or sliders for interacting. But you can use any of them to change the values we are playing with; try changing the variable message in the preceding cell to encode your own secret.

Assuming you followed along, so far, so good; it got encrypted. But what happens when we try to decrypt?

You should have gotten an error (in fact, a ZeroDivisionError, which should sound relevant). It turns out not even to be possible to go backwards. Be warned that you must know the mathematics to use cryptography wisely.