Cryptography: The Mathematics of Secrets
Every time you type a password, tap "pay" on your phone, or open a private message, mathematics is working invisibly to keep your secrets safe. Not in a vague, metaphorical sense — actual equations, proven theorems, and number-theoretic properties that would have amazed the greatest minds of antiquity. Cryptography is the ancient art of hiding information, and over thousands of years it evolved from children's puzzles to the bedrock of civilization's digital infrastructure. The story of how we got here is one of the most fascinating in all of mathematics.
The Concept
At its heart, cryptography solves a deceptively simple problem: how do you send a message so that only the intended recipient can read it?
The oldest approach is symmetric encryption: both the sender and receiver share a secret key — a pattern or rule for scrambling and unscrambling the message. Julius Caesar famously used a shift cipher, replacing each letter with the letter three positions later in the alphabet. A becomes D, B becomes E, and so on. It was adequate for his era, but barely: with only 25 possible shifts, anyone who intercepted a message could crack it by trying all options in minutes.
The fundamental challenge of symmetric encryption is key exchange: how do you share that secret key with someone without a spy reading it in transit? For most of human history, this meant couriers, codebooks, and elaborate pre-shared secrets. Armies had to distribute physical books of codes to every unit. If the codebook was captured, the entire system collapsed.
The modern era of cryptography began with a single radical insight: what if you could send a message securely without ever sharing a secret key?
Why It Matters
To understand how much this matters, consider what happens when you visit your bank's website. Your browser and the bank's server need to agree on a secret encryption key — right now, over the public internet, with potentially millions of people able to see every packet that passes between you. If any one of them can see the key exchange, they can read your account number, your password, your transfers. For most of human history, this would have been simply impossible. Today it happens automatically, invisibly, in milliseconds.
The mathematics that makes this possible protects not just banking but essentially all of modern digital life: private messages, medical records, election systems, cryptocurrency, software updates, and the certificates that prove a website is who it claims to be. The global digital economy runs on cryptographic guarantees — and those guarantees are mathematical theorems, not engineering assumptions.
The Details
A 9th-Century Breakthrough
Before we reach the modern era, one pivotal historical figure deserves mention. In the 9th century, the Arab polymath al-Kindi wrote a manuscript describing frequency analysis — the art of cracking substitution ciphers by exploiting the fact that some letters appear more often than others. In English, "e" is the most common letter; in an encrypted message, the most common symbol is probably "e." This single insight made most classical ciphers fundamentally vulnerable, and cryptographers spent the next thousand years designing systems that tried to defeat frequency analysis.
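The shift cipher and the frequency argument can be seen working together in a few lines. This is an added example, not part of the original article; the sample message is constructed, and the ranking list "etaoin" is an assumption about English letter frequency beyond the single letter "e" the text mentions.

```python
from collections import Counter

COMMON = "etaoin"  # frequent English letters, most common first (assumption)

def caesar(text, shift):
    """Shift ASCII letters by `shift` places; leave everything else alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def brute_force(ciphertext):
    """All 25 candidate plaintexts, keyed by the shift that was undone."""
    return {s: caesar(ciphertext, -s) for s in range(1, 26)}

def likely_shifts(ciphertext):
    """Rank shifts by assuming the most common ciphertext letter stands for
    'e', then 't', and so on (the frequency argument described above)."""
    letters = [c for c in ciphertext.lower() if c.isascii() and c.isalpha()]
    if not letters:
        return []
    top = Counter(letters).most_common(1)[0][0]
    return [(ord(top) - ord(p)) % 26 for p in COMMON]

# Constructed sample message, encrypted with Caesar's shift of three.
PLAINTEXT = "meet me near the eastern gate before the evening bell"
CIPHERTEXT = caesar(PLAINTEXT, 3)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    guess = likely_shifts(CIPHERTEXT)[0]
    print("frequency guess:", guess, "->", caesar(CIPHERTEXT, -guess))
    print("brute-force candidates:", len(brute_force(CIPHERTEXT)))
```

On very short messages the most common letter may not be "e", which is why the function returns a ranked list rather than a single answer.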
The cat-and-mouse game reached its apex in World War II with the German Enigma machine. Developed by Arthur Scherbius in 1918, the Enigma used a system of rotating electromechanical rotors to create a polyalphabetic cipher so complex that each letter's substitution changed with every keypress. At Bletchley Park, Alan Turing and his colleagues applied probability theory and early computing to crack it — an effort that historians estimate shortened the war by two years and saved millions of lives. The mathematics behind both the Enigma's design and its undoing was the same: permutation groups and statistical reasoning.
The Key Exchange Problem: Solved
The modern revolution arrived in 1976, when Whitfield Diffie and Martin Hellman published "New Directions in Cryptography," one of the most consequential papers in the history of computer science.
Their insight was elegant and seemingly paradoxical. Suppose you and a friend each choose a private secret number. You combine your secret with a publicly known number and share the result openly. Your friend does the same. You can then each combine the other's public result with your own private secret — and astonishingly, you both arrive at the same shared secret, without ever transmitting it. An eavesdropper who sees both public results cannot figure out the shared secret without solving a problem so computationally hard that no known algorithm can crack it in any reasonable timeframe.
The math behind this uses modular exponentiation. Given a large prime p and a generator g, computing g^a mod p is fast (even for enormous numbers — exponentiation by squaring keeps it tractable). But given only the result g^a mod p, recovering a — the "discrete logarithm" — is believed to be computationally intractable for large enough p. The asymmetry between the easy direction and the hard direction is the mathematical engine of all modern public-key cryptography.
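The exchange and its asymmetry, as an added example that is not from the original article. The toy values p = 23 and g = 5, the private numbers 6 and 15, and the 127-bit prime are assumptions chosen for illustration; real deployments use far larger groups.

```python
import secrets

def modexp(base, exp, mod):
    """Exponentiation by squaring: about log2(exp) squarings, not exp multiplications."""
    result = 1 % mod
    base %= mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result

def exchange(g, p, a, b):
    """Run both sides. Returns (A, B, alice_secret, bob_secret).
    Only p, g, A and B ever cross the wire."""
    A = modexp(g, a, p)  # sent by the first party
    B = modexp(g, b, p)  # sent by the second party
    return A, B, modexp(B, a, p), modexp(A, b, p)

def brute_force_dlog(g, p, target):
    """Recover x with g^x = target (mod p) by trying every exponent.
    The work grows with p, so this only finishes for toy primes."""
    value = 1
    for x in range(p - 1):
        if value == target:
            return x
        value = value * g % p
    return None

# Toy parameters (assumptions for illustration).
TOY_P, TOY_G = 23, 5
# 2**127 - 1 is a Mersenne prime; base 3 is not checked to be a generator.
BIG_P, BIG_G = 2**127 - 1, 3

if __name__ == "__main__":
    A, B, s_a, s_b = exchange(TOY_G, TOY_P, a=6, b=15)
    print("public values:", A, B, "shared secret:", s_a, s_b)
    print("eavesdropper recovers a =", brute_force_dlog(TOY_G, TOY_P, A))
    a = secrets.randbelow(BIG_P - 2) + 1
    b = secrets.randbelow(BIG_P - 2) + 1
    pub_a, pub_b, s_a, s_b = exchange(BIG_G, BIG_P, a, b)
    print("127-bit exchange agrees:", s_a == s_b)
```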
RSA: When an Idea Becomes an Algorithm
The year after Diffie and Hellman published their framework, three MIT mathematicians filled in the practical details. Ron Rivest, Adi Shamir, and Leonard Adleman spent months trying to find a mathematical function easy to compute but hard to reverse. Adleman served as the skeptic, poking holes in each candidate that Rivest and Shamir proposed.
The story of RSA's discovery has become legend. One night in April 1977 — after a Passover seder — Rivest couldn't sleep. He lay on a couch with a math textbook, and by morning had written most of what would become the RSA algorithm.
RSA's core insight: multiplying two large prime numbers is trivial, but factoring their product back into the original primes is extraordinarily difficult. Choose primes p and q; publish their product n = pq as part of your public key. Anyone can encrypt a message using n and a second public number e. But to decrypt, you need to know p and q individually — and factoring n when it is hundreds of digits long would take the world's fastest classical computers longer than the age of the universe.
What makes RSA magical is asymmetry: your public key (the numbers n and e) goes on the internet for anyone to see. Anyone can use it to lock a message. But only you — with your private key — can unlock it. It is as if you distributed millions of open padlocks, each uniquely yours, and kept the only key.
A remarkable footnote: in 1997, the British intelligence agency GCHQ declassified documents revealing that mathematician Clifford Cocks had independently discovered an equivalent algorithm in 1973 — four years before Rivest, Shamir, and Adleman published theirs. The British government had been using public-key cryptography in secret for years before the world knew it was possible.
Elliptic Curves: Better, Smaller, Faster
RSA has served the internet well, but it has a practical weakness: as computers grow faster, the keys must grow longer to stay secure. Modern security requires RSA keys of 3,072 bits or more — large numbers that slow down even powerful servers.
Since the mid-1990s, elliptic curve cryptography (ECC) has offered a more efficient alternative. An elliptic curve isn't the ellipse you remember from geometry class; it's a smooth curve defined by an equation of the form y² = x³ + ax + b. On such a curve over a finite field (arithmetic that wraps around, like a clock), you can define a kind of "addition" — combining two points on the curve produces a third point, also on the curve.
The security of ECC rests on the elliptic curve discrete logarithm problem: given a starting point G on the curve and the result of "adding" G to itself k times, recovering k is believed to be even harder than factoring large numbers. This means a 256-bit ECC key provides roughly the same security as a 3,072-bit RSA key. Your phone can do ECC operations in microseconds that would require a full server rack using RSA — which is why ECC now dominates in mobile devices, embedded systems, and anything battery-powered.
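Point "addition" and the discrete logarithm problem on a curve small enough to check by hand, as an added example that is not from the original article. The curve y² = x³ + 2x + 2 over the integers mod 17 and the starting point G = (5, 1) are assumptions chosen for illustration; real curves use primes of about 256 bits.

```python
# Toy curve y^2 = x^3 + A*x + B over the integers mod P_MOD (assumed values).
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # the "point at infinity", the identity for point addition

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Combine two curve points into a third point on the same curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # a point plus its mirror image
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Add pt to itself k times using double-and-add (fast direction)."""
    result = INF
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def brute_force_ecdlp(target, base=G, limit=20):
    """Recover k from k*base by trying every k (slow direction).
    Only feasible because this group has 19 points."""
    acc = INF
    for k in range(limit):
        if acc == target:
            return k
        acc = add(acc, base)
    return None

if __name__ == "__main__":
    print("2G =", scalar_mult(2, G), " 19G =", scalar_mult(19, G))
    print("k recovered:", brute_force_ecdlp(scalar_mult(13, G)))
```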
Bitcoin and Ethereum both use ECC with a specific curve called secp256k1. When you send cryptocurrency, you're signing your transaction with an elliptic curve private key, proving you authorized it without revealing the key itself. Every Bitcoin transaction is, at its mathematical core, a demonstration that you know a secret number — without ever saying what it is.
Hash Functions: The One-Way Lock
Another cryptographic primitive deserves mention: the hash function. A hash function takes any input — a word, a document, a billion-dollar transaction — and produces a fixed-length output (a "hash" or "digest") that appears completely random. Change a single character of the input and the hash changes completely and unpredictably. And critically, you cannot reverse the process: given a hash, there is no known way to find the input that produced it.
Hash functions underpin digital signatures (your private key signs a hash of the message, not the whole message), blockchain integrity (each block contains the hash of the previous block, so tampering with any historical record breaks all subsequent hashes), and password storage (websites store hashes of your password, not the password itself, which is why the passwords in a breached database are still hashed rather than immediately readable).
The SHA-256 hash function, used in Bitcoin and HTTPS, produces a 256-bit output. There are roughly 2^256 possible outputs, a number larger than the estimated number of atoms in the observable universe. Finding two different inputs that produce the same hash (a "collision") is considered computationally impossible, which is why the integrity guarantees of the entire internet depend on it.
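Two of the properties described in this section, the sensitivity of the digest to a one-character change and the way chained hashes expose tampering, as an added example that is not from the original article. The record strings and the all-zero starting value are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # constructed starting value for the first block

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bit_difference(a: bytes, b: bytes) -> int:
    """How many of the 256 output bits differ between two inputs' digests."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")

def build_chain(records):
    """Each block stores the previous block's hash, then hashes itself."""
    chain, prev = [], GENESIS
    for rec in records:
        digest = sha256_hex(prev.encode() + rec.encode())
        chain.append({"record": rec, "prev": prev, "hash": digest})
        prev = digest
    return chain

def first_broken_link(chain):
    """Index of the first block that fails verification, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = sha256_hex(prev.encode() + block["record"].encode())
        if block["prev"] != prev or block["hash"] != expected:
            return i
        prev = block["hash"]
    return None

if __name__ == "__main__":
    print("bits changed:", bit_difference(b"pay alice 10", b"pay alice 11"))
    chain = build_chain(["pay alice 10", "pay bob 5", "pay carol 7"])
    print("intact chain:", first_broken_link(chain))
    chain[1]["record"] = "pay bob 500"
    print("after edit, first bad block:", first_broken_link(chain))
    # Recomputing the edited block's own hash only moves the break forward.
    chain[1]["hash"] = sha256_hex(chain[1]["prev"].encode() + b"pay bob 500")
    print("after rehash, first bad block:", first_broken_link(chain))
```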
The Quantum Threat on the Horizon
One looming challenge deserves mention: quantum computers, if sufficiently powerful, could run an algorithm discovered by mathematician Peter Shor in 1994 to solve the discrete logarithm and integer factorization problems exponentially faster than classical computers. This would theoretically break RSA and ECC as currently deployed.
The cryptographic community has been preparing for years. In 2024, the U.S. National Institute of Standards and Technology (NIST) finalized the first post-quantum cryptography standards, based on mathematical problems believed to resist quantum attacks — including lattice-based cryptography and hash-based signatures. The global transition to quantum-resistant algorithms is already underway, representing one of the largest coordinated changes in internet infrastructure in history. The mathematics of secrets keeps evolving.
Takeaways
- Cryptography's power comes from mathematical asymmetry — operations that are easy in one direction and computationally intractable in reverse. Multiplying two large primes is instant; factoring their product would take longer than the age of the universe.
- The key exchange problem seemed logically impossible until Diffie and Hellman cracked it in 1976, enabling two strangers to establish a shared secret in full view of any eavesdropper.
- RSA was invented twice: by Clifford Cocks at GCHQ in 1973 (classified for 24 years) and by Rivest, Shamir, and Adleman at MIT in 1977. The world's most important algorithm was a secret before it was a standard.
- Elliptic curve cryptography achieves equivalent security with dramatically smaller keys — a 256-bit ECC key matches a 3,072-bit RSA key — which is why it dominates in mobile devices, IoT hardware, and Bitcoin.
- The quantum threat is real but managed: NIST finalized post-quantum standards in 2024, and the internet is already migrating toward algorithms believed to resist quantum attacks.
Further reading: The 1976 Diffie-Hellman paper "New Directions in Cryptography" is freely available and surprisingly readable. Simon Singh's The Code Book covers the full sweep of cryptographic history from Caesar to modern public-key systems with exceptional clarity.