๐ The Postcard Paradox โ How Strangers Share Secrets
Ages: 11โ15 ยท Duration: 105 minutes ยท Topics: Modular arithmetic, Prime numbers, One-way functions, Diffie-Hellman key exchange, RSA encryption, Post-quantum cryptography
Part 0 โ The Impossible Problem (10 min)
The Big Idea
"You need to send a secret message to someone you've never met.
The only way to communicate is by writing on postcards โ and every postcard passes through a nosy mail carrier who reads everything.
No meeting in advance. No shared password. No secret handshake.
Can you do it?"
Let the class argue. Most will say "impossible!" โ and that intuition is exactly right for classical codes. Caesar ciphers, Enigma machines, even modern AES all require both sides to share a secret key first.
But in 1976, three mathematicians showed it is possible, and their trick protects every password, every credit card number, every https:// you've ever used.
The secret ingredient? A math problem that's easy in one direction and impossibly hard in reverse.
Quick Warm-Up: One-Way Functions
๐ฃ๏ธ "I'm thinking of two numbers. Their product is 437. What are the numbers?"
This takes a while. (It's $19 \times 23$.) But if I told you my two numbers are 19 and 23, you'd check the product in two seconds.
| Direction | Operation | Difficulty |
| Forward | $19 \times 23 = ?$ | Easy (one step) |
| Reverse | $437 = ? \times ?$ | Hard (trial and error) |
This asymmetry โ easy forward, hard backward โ is the foundation of all public-key cryptography.
One-Way Function: A function that's fast to compute but practically impossible to reverse.
Multiplying two large primes is easy. Factoring their product back into the original primes? With numbers that are hundreds of digits long, it would take all the world's computers longer than the age of the universe.
Part 1 โ Clock Arithmetic: The Language of Secrets (โ 15 min)
Modular Arithmetic
Before we can crack the code, we need a special kind of arithmetic โ modular arithmetic, or "clock arithmetic."
On a 12-hour clock: $10 + 5 = 3$ (not 15). We "wrap around" after 12. In math notation:
$$10 + 5 \equiv 3 \pmod{12}$$
The number after mod is the modulus โ the size of our clock. In cryptography, we use prime-number-sized clocks.
Powers on a Clock
Here's where it gets magical. Pick a base $g = 5$ and a prime modulus $p = 23$. Compute successive powers:
| $k$ | $5^k$ | $5^k \bmod 23$ |
| 1 | 5 | 5 |
| 2 | 25 | 2 |
| 3 | 125 | 10 |
| 4 | 625 | 4 |
| 5 | 3125 | 20 |
| 6 | 15625 | 8 |
| 7 | 78125 | 17 |
| 8 | 390625 | 16 |
The powers jump around unpredictably. Given $5^k \bmod 23 = 17$, can you figure out $k$? You'd have to try them all. This is called the discrete logarithm problem, and for large numbers it's essentially unsolvable.
The Discrete Log Trap Door:
Easy: Given $g$, $k$, $p$ โ compute $g^k \bmod p$ (fast with repeated squaring).
Hard: Given $g$, $p$, and the result โ find $k$ (no shortcut known for large primes).
Part 2 โ Diffie-Hellman: Mixing Paint on a Postcard โญ (โ 15 min)
Whitfield Diffie and Martin Hellman (1976) solved the postcard paradox. Their trick is so elegant it can be explained with paint.
The Paint-Mixing Analogy
Imagine a world where:
- Mixing two paint colours is easy.
- Un-mixing a colour back into its components is impossible.
Alice and Bob agree (in public!) on a starting colour โ say, yellow. Then:
- Alice picks a secret colour (๐ด red) and mixes it with yellow โ gets orange. Sends the orange postcard.
- Bob picks a secret colour (๐ต blue) and mixes it with yellow โ gets green. Sends the green postcard.
- Alice takes Bob's green, mixes in her secret red โ gets brown.
- Bob takes Alice's orange, mixes in his secret blue โ gets the same brown!
Eve the eavesdropper sees yellow, orange, and green โ but can't un-mix them to recover red or blue, so she can never produce the final brown.
The Real Diffie-Hellman (With Numbers)
Replace "paint" with modular exponentiation on a prime-number clock:
| Step | Who | Action | Public? |
| 1 | Both | Agree on prime $p$ and base $g$ | โ
Yes |
| 2 | Alice | Pick secret $a$; compute $A = g^a \bmod p$; send $A$ | $A$ is public, $a$ is secret |
| 3 | Bob | Pick secret $b$; compute $B = g^b \bmod p$; send $B$ | $B$ is public, $b$ is secret |
| 4 | Alice | Compute $s = B^a \bmod p$ | ๐ Secret |
| 5 | Bob | Compute $s = A^b \bmod p$ | ๐ Secret |
Why do they get the same $s$?
$$B^a = (g^b)^a = g^{ab} = (g^a)^b = A^b \pmod{p}$$
Both arrive at $g^{ab} \bmod p$ โ the shared secret โ without ever transmitting $a$ or $b$!
Diffie-Hellman (1976): Two strangers create a shared secret in plain sight. Eve sees $g$, $p$, $A$, $B$ but needs the discrete logarithm to recover $a$ or $b$ โ computationally infeasible for large primes.
โ Break (5 min)
Part 3 โ RSA: Encrypt Without Sharing a Key (โ 20 min)
Diffie-Hellman lets Alice and Bob agree on a shared secret. But what if Alice wants to receive encrypted messages from anyone โ even people she's never talked to?
In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman invented a system where Alice publishes a public key (like a padlock) that anyone can use to lock a message, but only Alice has the private key to unlock it.
The Padlock Analogy
Alice sends open padlocks to everyone. Bob puts his message in a box, snaps the padlock shut, and mails it.
Only Alice has the key. Even Bob can't reopen it. Eve sees a locked box and is helpless.
RSA Step by Step
Step 1 โ Pick two primes. Alice chooses secret primes $p$ and $q$.
Step 2 โ Compute $n = p \times q$. This is the modulus. Alice publishes $n$.
Step 3 โ Compute $\phi(n) = (p-1)(q-1)$. This is Euler's totient โ the count of numbers less than $n$ that share no factors with $n$. Alice keeps this secret.
Step 4 โ Choose $e$. Pick a public exponent $e$ that shares no factors with $\phi(n)$. Common choice: $e = 65537$. For small examples, $e = 3$ or $e = 7$ works.
Step 5 โ Compute $d$. Find the number $d$ such that $e \cdot d \equiv 1 \pmod{\phi(n)}$. This is the private key.
Step 6 โ Publish. Public key = $(n, e)$. Private key = $d$.
Encryption & Decryption
$$\text{Encrypt: } c = m^e \bmod n \qquad\qquad \text{Decrypt: } m = c^d \bmod n$$
Where $m$ is the message (as a number) and $c$ is the ciphertext.
Why does this work? Euler's theorem guarantees that $m^{e \cdot d} \equiv m \pmod{n}$ when $\gcd(m, n) = 1$.
Since $e \cdot d \equiv 1 \pmod{\phi(n)}$, raising $m$ to the $e$th power and then to the $d$th power brings you right back to $m$.
Worked Example: RSA with Tiny Primes
Let $p = 11$, $q = 13$.
- $n = 11 \times 13 = 143$
- $\phi(n) = 10 \times 12 = 120$
- Choose $e = 7$ (check: $\gcd(7, 120) = 1$ โ)
- Find $d$: we need $7d \equiv 1 \pmod{120}$ โ $d = 103$ (because $7 \times 103 = 721 = 6 \times 120 + 1$)
Public key: $(143, 7)$. Private key: $103$.
Encrypt the letter 'B' (ASCII 66):
$$c = 66^7 \bmod 143$$
Using repeated squaring:
| Step | Computation | Value mod 143 |
| $66^1$ | $66$ | $66$ |
| $66^2$ | $66 \times 66 = 4356$ | $4356 \bmod 143 = 62$ |
| $66^4$ | $62 \times 62 = 3844$ | $3844 \bmod 143 = 126$ |
| $66^7 = 66^4 \cdot 66^2 \cdot 66^1$ | $126 \times 62 \times 66$ | $= 77$ |
Ciphertext: $c = 77$. Send it on the postcard!
Decrypt:
$$m = 77^{103} \bmod 143 = 66 \;\; โ$$
(The interactive widget below will verify this instantly.)
Why Is RSA Secure?
Eve sees the public key $(n, e)$ and the ciphertext $c$. To decrypt, she needs $d$. To find $d$, she needs $\phi(n)$. To find $\phi(n)$, she needs to factor $n = p \times q$.
| $n$ size | Digits | Best factoring time |
| Our toy example | 3 | Instant |
| RSA-100 | 100 | ~2 weeks (in 1991) |
| RSA-250 | 250 | ~2700 CPU-years (done 2020) |
| RSA-2048 (standard today) | 617 | Estimated: billions of years |
The One-Way Door: Multiplying two 300-digit primes takes a millisecond. Factoring their 600-digit product back? The best classical algorithms would take longer than the lifetime of the universe. This is the door that RSA locks behind your data.
Part 4 โ The Quantum Threat: Why Everything Changes (โ 15 min)
"Every lock we've built today rests on one assumption: factoring big numbers is hard.
What if that assumption breaks?"
Enter the Quantum Computer
Classical computers try one thing at a time (or a few in parallel). A quantum computer exploits superposition โ qubits can be 0, 1, or both at once โ and entanglement to explore many possibilities simultaneously.
In 1994, mathematician Peter Shor designed an algorithm that can factor large numbers in polynomial time on a quantum computer. Specifically:
$$\text{Classical best: } \sim e^{n^{1/3}} \qquad \text{Shor's algorithm: } \sim n^3$$
Where $n$ is the number of digits. For RSA-2048:
| Method | Operations (approx.) | Time |
| Classical (NFS) | $\sim 2^{112}$ | Billions of years |
| Shor's algorithm | $\sim 617^3 \approx 3 \times 10^8$ | Hours (on a large enough quantum computer) |
The Quantum Apocalypse (Q-Day): When a sufficiently powerful quantum computer is built, RSA, Diffie-Hellman, and elliptic curve cryptography all break. Every encrypted message ever intercepted becomes readable. This isn't science fiction โ intelligence agencies are already stockpiling encrypted traffic to decrypt later. The threat has a name: "Harvest Now, Decrypt Later."
How Does Shor's Algorithm Work? (Simplified)
Shor's brilliant insight: factoring $n$ reduces to finding the period of a function.
- Pick a random number $a < n$.
- Consider the function $f(x) = a^x \bmod n$. This function is periodic โ it repeats after some period $r$.
- A quantum computer can find $r$ exponentially faster than a classical computer using the Quantum Fourier Transform.
- Once you know $r$, some algebra gives you the factors of $n$.
Example: Factor $n = 15$ with $a = 7$.
| $x$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 |
| $7^x \bmod 15$ | 1 | 7 | 4 | 13 | 1 | 7 | 4 |
The sequence repeats with period $r = 4$. Now compute: $\gcd(7^{4/2} - 1, \; 15) = \gcd(48, 15) = 3$ and $\gcd(7^{4/2} + 1, \; 15) = \gcd(50, 15) = 5$.
The factors are 3 and 5. A quantum computer does the period-finding step in polynomial time โ that's the game changer.
Part 5 โ Post-Quantum Cryptography: Building Locks That Survive (โ 15 min)
"If quantum computers break multiplication-based locks, we need locks based on problems that quantum computers ALSO find hard."
What Survives a Quantum Computer?
Not all mathematical problems yield to Shor's algorithm. The cryptography community has been racing to find quantum-resistant alternatives. In 2024, NIST (the U.S. standards agency) finalised the first post-quantum standards. The leading approach: lattice-based cryptography.
Lattices: A New Kind of Hard Problem
A lattice is a regular grid of points in space, like the corners of floor tiles extending infinitely in all directions.
In 2D, a lattice is defined by two basis vectors $\mathbf{v}_1$ and $\mathbf{v}_2$. Every lattice point is a combination $a\,\mathbf{v}_1 + b\,\mathbf{v}_2$ where $a$ and $b$ are integers.
The hard problems on lattices:
| Problem | Description | Difficulty |
| Shortest Vector (SVP) | Find the shortest nonzero vector in the lattice | Hard (even for quantum computers!) |
| Closest Vector (CVP) | Given a point near the lattice, find the nearest lattice point | Hard |
| Learning With Errors (LWE) | Solve a noisy system of linear equations mod $q$ | Hard โ basis of ML-KEM |
Learning With Errors (LWE) โ The New Trap Door
Here's the idea behind the post-quantum standard ML-KEM (formerly called Kyber, now FIPS 203):
- Alice generates a secret vector $\mathbf{s}$ and a random matrix $\mathbf{A}$ (modular arithmetic, mod a prime $q$).
- She computes $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$, where $\mathbf{e}$ is a small random error.
- She publishes $(\mathbf{A}, \mathbf{b})$ as her public key. Keeps $\mathbf{s}$ private.
- Without knowing $\mathbf{s}$, the small error makes the system of equations unsolvable โ even for a quantum computer.
It's like trying to solve a jigsaw puzzle where every piece has been trimmed by a random millimetre. Close enough to fit, but impossible to solve exactly without knowing the original template.
The LWE Cheat Sheet:
โข Public key: a noisy system of linear equations (matrix + fuzzy answers)
โข Private key: the secret vector that explains the noise
โข Security: no known quantum algorithm can efficiently solve LWE
โข Standard: ML-KEM (FIPS 203), adopted by NIST in 2024
The Cryptographic Timeline
| Era | Year | System | Hard Problem | Quantum-Safe? |
| Ancient | ~50 BC | Caesar cipher | Secrecy of shift | โ |
| Classical | 1976 | Diffie-Hellman | Discrete logarithm | โ |
| Classical | 1977 | RSA | Integer factoring | โ |
| Modern | 1985 | ECC | Elliptic curve discrete log | โ |
| Post-Quantum | 2024 | ML-KEM (Kyber) | Learning With Errors | โ
|
| Post-Quantum | 2024 | ML-DSA (Dilithium) | Module LWE | โ
|
The race is on: Companies and governments worldwide are migrating to post-quantum algorithms now โ before large quantum computers exist. Google Chrome, Apple iMessage, and Signal already use hybrid classical + post-quantum encryption. Your phone might already be sending lattice-encrypted messages.
Summary
The Encryption Chain
$$\text{Message} \xrightarrow{\text{Public Key}} \text{Encrypt} \xrightarrow{\text{Postcard}} \text{Ciphertext} \xrightarrow{\text{Private Key}} \text{Decrypt} \xrightarrow{} \text{Message}$$
Method Comparison
| System | Based on | Key Sizes | Quantum-Safe |
| Diffie-Hellman | Discrete log | ~256 bytes | โ Broken by Shor |
| RSA-2048 | Factoring | ~256 bytes | โ Broken by Shor |
| ECC (P-256) | Elliptic curve DLP | ~32 bytes | โ Broken by Shor |
| ML-KEM (Kyber) | Lattice / LWE | ~1.5 KB | โ
|
| ML-DSA (Dilithium) | Lattice / LWE | ~2.5 KB | โ
|
What You Learned Today:
1. Modular arithmetic โ clock-style maths where numbers wrap around
2. One-way functions โ easy forward, impossible backward
3. Diffie-Hellman โ two strangers build a shared secret in public
4. RSA โ encrypt for anyone using their public key; only they can decrypt
5. Shor's algorithm โ quantum computers shatter the one-way door
6. Post-quantum crypto โ lattices and noisy equations: the new locks for a quantum world
Extensions & Challenge Problems ๐งฉ
๐ฅ Bronze
- Compute $3^4 \bmod 7$ by hand. Check with the modular calculator.
- In Diffie-Hellman with $p=23$, $g=5$, $a=4$, $b=3$: what is the shared secret?
- RSA with $p=3$, $q=11$, $e=7$. Find $n$, $\phi(n)$, and $d$.
๐ฅ Silver
- Why must $p$ and $q$ be kept secret in RSA? If Eve knows one of them, show how she breaks the system.
- Find the period of $2^x \bmod 21$. Use it to factor 21.
- In the paint analogy, what would it mean if Eve could un-mix paint? Write this in mathematical terms.
๐ฅ Gold
- Prove that $a^{\phi(n)} \equiv 1 \pmod{n}$ when $\gcd(a,n)=1$ (Euler's theorem). Why does this make RSA decryption work?
- RSA is deterministic โ encrypting the same message twice gives the same ciphertext. Why is this a security problem? How does OAEP padding fix it?
๐ Diamond
- Wiener's Attack: If the private exponent $d$ is small relative to $n^{1/4}$, RSA can be broken using continued fractions. For $n = 90581$, $e = 17993$, find $d$ and the factorisation.
- Post-Quantum Deep Dive: In LWE with $n = 4$, $q = 23$, and secret $\mathbf{s} = (3, 1, 4, 1)$, generate a public key instance. Add small errors from $\{-1, 0, 1\}$ and show that recovering $\mathbf{s}$ requires checking all $23^4$ possibilities.
Answer Key
Bronze Answers
- $3^4 = 81$; $81 = 11 \times 7 + 4$; answer: $4$.
- $A = 5^4 \bmod 23 = 4$, $B = 5^3 \bmod 23 = 10$. $s = 10^4 \bmod 23 = 18$ and $s = 4^3 \bmod 23 = 18$. Shared secret: 18.
- $n = 33$, $\phi(33) = 2 \times 10 = 20$, $7d \equiv 1 \pmod{20}$ โ $d = 3$ (since $7 \times 3 = 21 = 20 + 1$).
Silver Answers
- If Eve knows $p$, she computes $q = n/p$, then $\phi(n) = (p-1)(q-1)$, then $d \equiv e^{-1} \pmod{\phi(n)}$. She has the private key.
- $2^x \bmod 21$: 1, 2, 4, 8, 16, 11, 1, 2, 4, โฆ Period $r = 6$. $\gcd(2^3 - 1, 21) = \gcd(7, 21) = 7$; $\gcd(2^3 + 1, 21) = \gcd(9, 21) = 3$. Factors: $3 \times 7 = 21$.
- "Un-mixing" = computing the discrete logarithm: given $g^a \bmod p$, recovering $a$. If Eve can do this, she recovers Alice's secret from the public value $A$.
Gold Answers
- Euler's theorem follows from Lagrange's theorem in group theory: the multiplicative group mod $n$ has order $\phi(n)$, so $a^{\phi(n)} = 1$. For RSA: $m^{ed} = m^{k\phi(n)+1} = (m^{\phi(n)})^k \cdot m = 1^k \cdot m = m$.
- If the attacker knows the message space is small (e.g., "YES" or "NO"), they can encrypt both and compare. OAEP adds randomness before encryption, making identical messages produce different ciphertexts.
โ Back to all lectures