🔐 The Postcard Paradox — How Strangers Share Secrets

Ages: 11–15 · Duration: 105 minutes · Topics: Modular arithmetic, Prime numbers, One-way functions, Diffie-Hellman key exchange, RSA encryption, Post-quantum cryptography

Part 0 — The Impossible Problem (10 min)

The Big Idea

"You need to send a secret message to someone you've never met. The only way to communicate is by writing on postcards — and every postcard passes through a nosy mail carrier who reads everything. No meeting in advance. No shared password. No secret handshake. Can you do it?"

Let the class argue. Most will say "impossible!" — and that intuition is exactly right for classical codes. Caesar ciphers, Enigma machines, even modern AES all require both sides to share a secret key first.

But in 1976, three mathematicians showed it is possible, and their trick protects every password, every credit card number, every https:// you've ever used.

The secret ingredient? A math problem that's easy in one direction and impossibly hard in reverse.

Quick Warm-Up: One-Way Functions

🗣️ "I'm thinking of two numbers. Their product is 437. What are the numbers?"

This takes a while. (It's $19 \times 23$.) But if I told you my two numbers are 19 and 23, you'd check the product in two seconds.

Direction	Operation	Difficulty
Forward	$19 \times 23 = ?$	Easy (one step)
Reverse	$437 = ? \times ?$	Hard (trial and error)

This asymmetry — easy forward, hard backward — is the foundation of all public-key cryptography.

One-Way Function: A function that's fast to compute but practically impossible to reverse.
Multiplying two large primes is easy. Factoring their product back into the original primes? With numbers that are hundreds of digits long, it would take all the world's computers longer than the age of the universe.

Part 1 — Clock Arithmetic: The Language of Secrets (≈ 15 min)

Modular Arithmetic

Before we can crack the code, we need a special kind of arithmetic — modular arithmetic, or "clock arithmetic."

On a 12-hour clock: $10 + 5 = 3$ (not 15). We "wrap around" after 12. In math notation:

$$10 + 5 \equiv 3 \pmod{12}$$

The number after mod is the modulus — the size of our clock. In cryptography, we use prime-number-sized clocks.

Powers on a Clock

Here's where it gets magical. Pick a base $g = 5$ and a prime modulus $p = 23$. Compute successive powers:

$k$	$5^k$	$5^k \bmod 23$
1	5	5
2	25	2
3	125	10
4	625	4
5	3125	20
6	15625	8
7	78125	17
8	390625	16

The powers jump around unpredictably. Given $5^k \bmod 23 = 17$, can you figure out $k$? You'd have to try them all. This is called the discrete logarithm problem, and for large numbers it's essentially unsolvable.

The Discrete Log Trap Door:

Easy: Given $g$, $k$, $p$ → compute $g^k \bmod p$ (fast with repeated squaring).

Hard: Given $g$, $p$, and the result → find $k$ (no shortcut known for large primes).

Part 2 — Diffie-Hellman: Mixing Paint on a Postcard ⭐ (≈ 15 min)

Whitfield Diffie and Martin Hellman (1976) solved the postcard paradox. Their trick is so elegant it can be explained with paint.

The Paint-Mixing Analogy

Imagine a world where:

Mixing two paint colours is easy.
Un-mixing a colour back into its components is impossible.

Alice and Bob agree (in public!) on a starting colour — say, yellow. Then:

Alice picks a secret colour (🔴 red) and mixes it with yellow → gets orange. Sends the orange postcard.
Bob picks a secret colour (🔵 blue) and mixes it with yellow → gets green. Sends the green postcard.
Alice takes Bob's green, mixes in her secret red → gets brown.
Bob takes Alice's orange, mixes in his secret blue → gets the same brown!

Eve the eavesdropper sees yellow, orange, and green — but can't un-mix them to recover red or blue, so she can never produce the final brown.

The Real Diffie-Hellman (With Numbers)

Replace "paint" with modular exponentiation on a prime-number clock:

Step	Who	Action	Public?
1	Both	Agree on prime $p$ and base $g$	✅ Yes
2	Alice	Pick secret $a$; compute $A = g^a \bmod p$; send $A$	$A$ is public, $a$ is secret
3	Bob	Pick secret $b$; compute $B = g^b \bmod p$; send $B$	$B$ is public, $b$ is secret
4	Alice	Compute $s = B^a \bmod p$	🔒 Secret
5	Bob	Compute $s = A^b \bmod p$	🔒 Secret

Why do they get the same $s$?

$$B^a = (g^b)^a = g^{ab} = (g^a)^b = A^b \pmod{p}$$

Both arrive at $g^{ab} \bmod p$ — the shared secret — without ever transmitting $a$ or $b$!

Diffie-Hellman (1976): Two strangers create a shared secret in plain sight. Eve sees $g$, $p$, $A$, $B$ but needs the discrete logarithm to recover $a$ or $b$ — computationally infeasible for large primes.

☕ Break (5 min)

Part 3 — RSA: Encrypt Without Sharing a Key (≈ 20 min)

Diffie-Hellman lets Alice and Bob agree on a shared secret. But what if Alice wants to receive encrypted messages from anyone — even people she's never talked to?

In 1977, Ron Rivest, Adi Shamir, and Leonard Adleman invented a system where Alice publishes a public key (like a padlock) that anyone can use to lock a message, but only Alice has the private key to unlock it.

The Padlock Analogy

Alice sends open padlocks to everyone. Bob puts his message in a box, snaps the padlock shut, and mails it. Only Alice has the key. Even Bob can't reopen it. Eve sees a locked box and is helpless.

RSA Step by Step

Step 1 — Pick two primes. Alice chooses secret primes $p$ and $q$.

Step 2 — Compute $n = p \times q$. This is the modulus. Alice publishes $n$.

Step 3 — Compute $\phi(n) = (p-1)(q-1)$. This is Euler's totient — the count of numbers less than $n$ that share no factors with $n$. Alice keeps this secret.

Step 4 — Choose $e$. Pick a public exponent $e$ that shares no factors with $\phi(n)$. Common choice: $e = 65537$. For small examples, $e = 3$ or $e = 7$ works.

Step 5 — Compute $d$. Find the number $d$ such that $e \cdot d \equiv 1 \pmod{\phi(n)}$. This is the private key.

Step 6 — Publish. Public key = $(n, e)$. Private key = $d$.

Encryption & Decryption

$$\text{Encrypt: } c = m^e \bmod n \qquad\qquad \text{Decrypt: } m = c^d \bmod n$$

Where $m$ is the message (as a number) and $c$ is the ciphertext.

Why does this work? Euler's theorem guarantees that $m^{e \cdot d} \equiv m \pmod{n}$ when $\gcd(m, n) = 1$.
Since $e \cdot d \equiv 1 \pmod{\phi(n)}$, raising $m$ to the $e$th power and then to the $d$th power brings you right back to $m$.

Worked Example: RSA with Tiny Primes

Let $p = 11$, $q = 13$.

$n = 11 \times 13 = 143$
$\phi(n) = 10 \times 12 = 120$
Choose $e = 7$ (check: $\gcd(7, 120) = 1$ ✓)
Find $d$: we need $7d \equiv 1 \pmod{120}$ → $d = 103$ (because $7 \times 103 = 721 = 6 \times 120 + 1$)

Public key: $(143, 7)$. Private key: $103$.

Encrypt the letter 'B' (ASCII 66):

$$c = 66^7 \bmod 143$$

Using repeated squaring:

Step	Computation	Value mod 143
$66^1$	$66$	$66$
$66^2$	$66 \times 66 = 4356$	$4356 \bmod 143 = 62$
$66^4$	$62 \times 62 = 3844$	$3844 \bmod 143 = 126$
$66^7 = 66^4 \cdot 66^2 \cdot 66^1$	$126 \times 62 \times 66$	$= 77$

Ciphertext: $c = 77$. Send it on the postcard!

Decrypt:

$$m = 77^{103} \bmod 143 = 66 \;\; ✓$$

(The interactive widget below will verify this instantly.)

Why Is RSA Secure?

Eve sees the public key $(n, e)$ and the ciphertext $c$. To decrypt, she needs $d$. To find $d$, she needs $\phi(n)$. To find $\phi(n)$, she needs to factor $n = p \times q$.

$n$ size	Digits	Best factoring time
Our toy example	3	Instant
RSA-100	100	~2 weeks (in 1991)
RSA-250	250	~2700 CPU-years (done 2020)
RSA-2048 (standard today)	617	Estimated: billions of years

The One-Way Door: Multiplying two 300-digit primes takes a millisecond. Factoring their 600-digit product back? The best classical algorithms would take longer than the lifetime of the universe. This is the door that RSA locks behind your data.

Part 4 — The Quantum Threat: Why Everything Changes (≈ 15 min)

"Every lock we've built today rests on one assumption: factoring big numbers is hard. What if that assumption breaks?"

Enter the Quantum Computer

Classical computers try one thing at a time (or a few in parallel). A quantum computer exploits superposition — qubits can be 0, 1, or both at once — and entanglement to explore many possibilities simultaneously.

In 1994, mathematician Peter Shor designed an algorithm that can factor large numbers in polynomial time on a quantum computer. Specifically:

$$\text{Classical best: } \sim e^{n^{1/3}} \qquad \text{Shor's algorithm: } \sim n^3$$

Where $n$ is the number of digits. For RSA-2048:

Method	Operations (approx.)	Time
Classical (NFS)	$\sim 2^{112}$	Billions of years
Shor's algorithm	$\sim 617^3 \approx 3 \times 10^8$	Hours (on a large enough quantum computer)

The Quantum Apocalypse (Q-Day): When a sufficiently powerful quantum computer is built, RSA, Diffie-Hellman, and elliptic curve cryptography all break. Every encrypted message ever intercepted becomes readable. This isn't science fiction — intelligence agencies are already stockpiling encrypted traffic to decrypt later. The threat has a name: "Harvest Now, Decrypt Later."

How Does Shor's Algorithm Work? (Simplified)

Shor's brilliant insight: factoring $n$ reduces to finding the period of a function.

Pick a random number $a < n$.
Consider the function $f(x) = a^x \bmod n$. This function is periodic — it repeats after some period $r$.
A quantum computer can find $r$ exponentially faster than a classical computer using the Quantum Fourier Transform.
Once you know $r$, some algebra gives you the factors of $n$.

Example: Factor $n = 15$ with $a = 7$.

$x$	0	1	2	3	4	5	6
$7^x \bmod 15$	1	7	4	13	1	7	4

The sequence repeats with period $r = 4$. Now compute: $\gcd(7^{4/2} - 1, \; 15) = \gcd(48, 15) = 3$ and $\gcd(7^{4/2} + 1, \; 15) = \gcd(50, 15) = 5$.

The factors are 3 and 5. A quantum computer does the period-finding step in polynomial time — that's the game changer.

Part 5 — Post-Quantum Cryptography: Building Locks That Survive (≈ 15 min)

"If quantum computers break multiplication-based locks, we need locks based on problems that quantum computers ALSO find hard."

What Survives a Quantum Computer?

Not all mathematical problems yield to Shor's algorithm. The cryptography community has been racing to find quantum-resistant alternatives. In 2024, NIST (the U.S. standards agency) finalised the first post-quantum standards. The leading approach: lattice-based cryptography.

Lattices: A New Kind of Hard Problem

A lattice is a regular grid of points in space, like the corners of floor tiles extending infinitely in all directions.

In 2D, a lattice is defined by two basis vectors $\mathbf{v}_1$ and $\mathbf{v}_2$. Every lattice point is a combination $a\,\mathbf{v}_1 + b\,\mathbf{v}_2$ where $a$ and $b$ are integers.

The hard problems on lattices:

Problem	Description	Difficulty
Shortest Vector (SVP)	Find the shortest nonzero vector in the lattice	Hard (even for quantum computers!)
Closest Vector (CVP)	Given a point near the lattice, find the nearest lattice point	Hard
Learning With Errors (LWE)	Solve a noisy system of linear equations mod $q$	Hard — basis of ML-KEM

Learning With Errors (LWE) — The New Trap Door

Here's the idea behind the post-quantum standard ML-KEM (formerly called Kyber, now FIPS 203):

Alice generates a secret vector $\mathbf{s}$ and a random matrix $\mathbf{A}$ (modular arithmetic, mod a prime $q$).
She computes $\mathbf{b} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}$, where $\mathbf{e}$ is a small random error.
She publishes $(\mathbf{A}, \mathbf{b})$ as her public key. Keeps $\mathbf{s}$ private.
Without knowing $\mathbf{s}$, the small error makes the system of equations unsolvable — even for a quantum computer.

It's like trying to solve a jigsaw puzzle where every piece has been trimmed by a random millimetre. Close enough to fit, but impossible to solve exactly without knowing the original template.

The LWE Cheat Sheet:

• Public key: a noisy system of linear equations (matrix + fuzzy answers)

• Private key: the secret vector that explains the noise

• Security: no known quantum algorithm can efficiently solve LWE

• Standard: ML-KEM (FIPS 203), adopted by NIST in 2024

The Cryptographic Timeline

Era	Year	System	Hard Problem	Quantum-Safe?
Ancient	~50 BC	Caesar cipher	Secrecy of shift	—
Classical	1976	Diffie-Hellman	Discrete logarithm	❌
Classical	1977	RSA	Integer factoring	❌
Modern	1985	ECC	Elliptic curve discrete log	❌
Post-Quantum	2024	ML-KEM (Kyber)	Learning With Errors	✅
Post-Quantum	2024	ML-DSA (Dilithium)	Module LWE	✅

The race is on: Companies and governments worldwide are migrating to post-quantum algorithms now — before large quantum computers exist. Google Chrome, Apple iMessage, and Signal already use hybrid classical + post-quantum encryption. Your phone might already be sending lattice-encrypted messages.

Summary

The Encryption Chain

$$\text{Message} \xrightarrow{\text{Public Key}} \text{Encrypt} \xrightarrow{\text{Postcard}} \text{Ciphertext} \xrightarrow{\text{Private Key}} \text{Decrypt} \xrightarrow{} \text{Message}$$

Method Comparison

System	Based on	Key Sizes	Quantum-Safe
Diffie-Hellman	Discrete log	~256 bytes	❌ Broken by Shor
RSA-2048	Factoring	~256 bytes	❌ Broken by Shor
ECC (P-256)	Elliptic curve DLP	~32 bytes	❌ Broken by Shor
ML-KEM (Kyber)	Lattice / LWE	~1.5 KB	✅
ML-DSA (Dilithium)	Lattice / LWE	~2.5 KB	✅

What You Learned Today:

Modular arithmetic — clock-style maths where numbers wrap around

One-way functions — easy forward, impossible backward

Diffie-Hellman — two strangers build a shared secret in public

RSA — encrypt for anyone using their public key; only they can decrypt

Shor's algorithm — quantum computers shatter the one-way door

Post-quantum crypto — lattices and noisy equations: the new locks for a quantum world

Extensions & Challenge Problems 🧩

🥉 Bronze

Compute $3^4 \bmod 7$ by hand. Check with the modular calculator.
In Diffie-Hellman with $p=23$, $g=5$, $a=4$, $b=3$: what is the shared secret?
RSA with $p=3$, $q=11$, $e=7$. Find $n$, $\phi(n)$, and $d$.

🥈 Silver

Why must $p$ and $q$ be kept secret in RSA? If Eve knows one of them, show how she breaks the system.
Find the period of $2^x \bmod 21$. Use it to factor 21.
In the paint analogy, what would it mean if Eve could un-mix paint? Write this in mathematical terms.

🥇 Gold

Prove that $a^{\phi(n)} \equiv 1 \pmod{n}$ when $\gcd(a,n)=1$ (Euler's theorem). Why does this make RSA decryption work?
RSA is deterministic — encrypting the same message twice gives the same ciphertext. Why is this a security problem? How does OAEP padding fix it?

🎓 Diamond

Wiener's Attack: If the private exponent $d$ is small relative to $n^{1/4}$, RSA can be broken using continued fractions. For $n = 90581$, $e = 17993$, find $d$ and the factorisation.
Post-Quantum Deep Dive: In LWE with $n = 4$, $q = 23$, and secret $\mathbf{s} = (3, 1, 4, 1)$, generate a public key instance. Add small errors from $\{-1, 0, 1\}$ and show that recovering $\mathbf{s}$ requires checking all $23^4$ possibilities.

Answer Key

Bronze Answers

$3^4 = 81$; $81 = 11 \times 7 + 4$; answer: $4$.
$A = 5^4 \bmod 23 = 4$, $B = 5^3 \bmod 23 = 10$. $s = 10^4 \bmod 23 = 18$ and $s = 4^3 \bmod 23 = 18$. Shared secret: 18.
$n = 33$, $\phi(33) = 2 \times 10 = 20$, $7d \equiv 1 \pmod{20}$ → $d = 3$ (since $7 \times 3 = 21 = 20 + 1$).

Silver Answers

If Eve knows $p$, she computes $q = n/p$, then $\phi(n) = (p-1)(q-1)$, then $d \equiv e^{-1} \pmod{\phi(n)}$. She has the private key.
$2^x \bmod 21$: 1, 2, 4, 8, 16, 11, 1, 2, 4, … Period $r = 6$. $\gcd(2^3 - 1, 21) = \gcd(7, 21) = 7$; $\gcd(2^3 + 1, 21) = \gcd(9, 21) = 3$. Factors: $3 \times 7 = 21$.
"Un-mixing" = computing the discrete logarithm: given $g^a \bmod p$, recovering $a$. If Eve can do this, she recovers Alice's secret from the public value $A$.

Gold Answers

Euler's theorem follows from Lagrange's theorem in group theory: the multiplicative group mod $n$ has order $\phi(n)$, so $a^{\phi(n)} = 1$. For RSA: $m^{ed} = m^{k\phi(n)+1} = (m^{\phi(n)})^k \cdot m = 1^k \cdot m = m$.
If the attacker knows the message space is small (e.g., "YES" or "NO"), they can encrypt both and compare. OAEP adds randomness before encryption, making identical messages produce different ciphertexts.

← Back to all lectures