Cryptography: theory

In this material, the study of cryptography is primarily intended to take place in the module Applied cryptography. Largely the same topics are presented in CyBOK v1.1 at a theoretical level at this point (Chapter 10), but this course material does not include that content. Instead, it only provides some general explanation and motivation, as well as an example serving as one kind of introduction, which is likely to be useful. On the other hand, students are encouraged to consult the source work as they progress to later courses, several of which are offered at Tampere University specifically in the field of cryptology.

Recommendation: The applied cryptography module is extensive, and especially the basic material (algorithms) is abundant. Your studies will likely proceed most smoothly if, after the background theory presented here, you take a look there and at least familiarise yourself with symmetric-key algorithms and briefly review the concept map in the section Diversity of cryptography. The presentation of mathematical structures below (as well as the post-quantum topic) mainly introduces the nature of asymmetric algorithms. The aforementioned applied cryptography page also provides information on these, from which you can get an initial overview now so that they will be easier to understand once you have otherwise progressed to that point.

In the theory of cryptography, emphasis is placed on mathematics and on modelling security through the properties of an abstract attacker. Modelling likewise requires mathematical competence, as it involves probabilities, uses logic, and often results in rather complex notation. After seeing a few such presentations, for example security proofs, one may notice that there is considerable regularity in the notation and probability expressions, which makes further learning easier.

Mathematical structures

The mathematics of cryptographic algorithms requires understanding the concept of algebraic structure. The integers with operations +, −, and × already form a structure, but initially this must be refined into one where division is also defined between all elements (although division by zero is still not possible and must not be allowed). For this purpose, we restrict ourselves to the integers 0, 1, 2, …, p−1, where p is a prime number. These are modular integers, for which +, −, ×, and ÷ are defined. All operations except ÷ proceed “in the usual way”, provided that the result is reduced modulo p, in other words by adding p or −p as many times as needed to obtain a value in the range 0,…,p−1.

For example, if p=11, then 5+6=0, 4−7=8, 3×5=4, and 10×10=1. The last result means that 10 is its own multiplicative inverse modulo 11. A similar property always holds for q−1 when q is a prime: (q-1)×(q-1) = q²- 2q + 1 = 0-0+1 = 1 modulo q.

For the operation ÷, a new algorithm is required, but this is no different from how division had to be learned earlier in school. Progress here is made via multiplicative inverses. When p is prime, the inverse of a number a, denoted a^-1, can be computed as a^p-2 modulo p. Try calculating 10⁹ mod 11 with a calculator. The Euclidean algorithm is much faster for large numbers.

Applying the above example, we observe that modulo 11, 4÷5=3, 1÷10=10, and 2÷10 = 2×10=9. What we have here is a structure called a finite field. In cryptology, there are also finite fields not consisting of numbers. (They consist of vectors whose elements are coefficients of polynomials, but we will not go into these now; instead we turn to certain pairs of numbers.)

The next step in cryptographic mathematics leads to structures consisting of pairs of modular integers. Operations + and −, as well as multiplication by a scalar (an integer), are defined for them. This would otherwise resemble the analytic geometry familiar from school, but the new step is to restrict the points (x,y) to those satisfying the equation y² = x³+1 (or a similar equation where y is squared and x is cubed). It turns out that the operation between two points produces a new point that satisfies the same equation (provided that one point is imagined at infinity). The points form an algebraic structure called an elliptic curve. These too are finite, although the ones used in cryptography contain more points than there are atoms in the universe, as far as is known. Large numbers and sets are necessary in cryptology to prevent exhaustive search. Quantum cryptography uses different techniques and different mathematics. This will be discussed shortly, but even quantum computing is not overly difficult, if one is to believe the Canadian university high school quantum summer course (QSYS) background material (feel free to order it! It begins with complex numbers, revisits vector spaces, and then introduces quantum states and gates, tensor products, measurements, and probabilities).

Post-quantum

Post-quantum cryptography (PQC) refers to encryption methods designed to be secure even against quantum computing. They can, however, be implemented on traditional computers, and there is no need to understand qubits or tensor products. From the perspective of the user or application developer, they function like traditional encryption or signature methods. PQC algorithms are already available in many browsers and operating systems.

From the theory of computation it is known (though not yet in practice as of 2026) that quantum computers can solve certain mathematical problems easily while others remain difficult even for them. Quantum computers are effective at factoring integers, which breaks algorithms such as RSA. In addition, quantum computers can break elliptic curve cryptography, meaning that the most common public-key encryption and signature methods of the 2020s are vulnerable. Attacks on symmetric encryption and hash functions (AES, SHA) using quantum computers are less effective.

The first PQC methods to be deployed are based on lattice and coding theory. A lattice resembles a multidimensional vector space but is a discrete subset of one, much like integers are a discrete subset of real numbers (a 3D analogy can be formed from the atomic lattice of a crystal). Among the new lattice-based algorithms, the most important are ML-DSA for digital signatures and the public-key encryption and key exchange method ML-KEM. Both have the status of international standards.

Preparing for the development of quantum computing is necessary even before practical attacks materialise, as encrypted communications can be collected now and broken later (“harvest now, decrypt later”). For this reason, migration to PQC—especially for key exchange—has been accelerated and is already widely used in TLS encryption, whereas the transition to ML-DSA certificates has been slower. In the EU, the transition to PQC is required to be completed by 2035. Similar security guidance applies in the United States and other Western countries, making the transition global.

Question 1

Why is Post-Quantum Crypto important already today?

Quantum computers have already succeeded in breaking real cryptosystems based on the difficulty of factorisation.

Traditional protocol messages used to agree on symmetric encryption keys may be broken by quantum methods later, revealing the encryption key.

Crypto algorithms intended for quantum computers must be ready as soon as the machines themselves are.

A state secret encrypted today with AES may already be stored by an attacker, who will later easily break AES with a quantum computer.

Protocol

Finally, we consider an example that complements the presentation in the module on applied cryptography. The figure shows a cryptographic protocol, that is, an exchange of messages between the parties Alice and Bob. It produces for them, that is, for A and B (cf. also the subscripts of symbols), a shared symmetric key K such that each can be sure of with whom it has been established. The name of this protocol is Station-to-Station, and it is a basic case of authenticated key exchange. Here, the aim is primarily to clarify the notation used in cryptographic presentations. There is no need to worry even if the explanation following the figure does not fully clarify everything. After all, encryption and signature schemes will only be studied later.

From the centre of the figure, you can see that A and B send a total of three messages to each other, of which B’s message to A contains two data elements (separated by a comma). The rest describes the computation. The longest line on each side is signature verification, where the ? above the equality sign indicates the question of whether the verification succeeds, that is, whether equality holds. The diagram does not indicate that A would terminate if verification failed. This is typical of protocol descriptions; in an implementation, this cannot be ignored.

Next, locate the second longest line on each side and compare them with the previous ones. You will notice that the Sign-function outputs a signature denoted by σ (sigma), which is then provided as input to the Verify function on the opposite side. The symbols sk and pk, written in a distinctive font, refer to the parties’ (as indicated by the subscript) private and public keys (secret key and public key). What is signed is not completely symmetrical on both sides, since B does not yet have as much information at its stage as A, which computes its signature also based on B’s signature σ_B. On the preceding line, A has decrypted it from the ciphertext c_B using the key K, which A has just determined on the line before that. B learned this slightly earlier. You should be able to find the line where this occurs. B applies the key in the Enc_K function, i.e. encryption, while A uses the Dec_K function, i.e. decryption. Later, the roles are reversed when A sends its signature (σ_A) encrypted as c_A, and B decrypts it for verification.

Signature verification is the part that ensures the authenticity of the parties. Let us still examine how the shared key K is formed. Initially, each party generates a random element (the numbers a and b) from the set Z/Z_q, which is a finite field with q elements (sometimes denoted GF(q)). On the following lines, each computes a multiplication in which P is a publicly known point of an elliptic curve—and the curve itself is of course known, as is the large prime q. The numbers a and b are shown in brackets in the multiplication to emphasise that here they are ordinary integers, whereas earlier they are elements of the field (and the field could be more complex). In any case, by following the computation, you can see that both ultimately compute K as the same element [a]·[b]·P. The fact that an eavesdropping attacker cannot determine K is the key insight of this part of the protocol, dating back to the 1970s. See more in the section Diffie–Hellman–Merkle key exchange.

Secret codes

For many, the first experience of cryptography is a secret language or cipher shared with siblings or friends in childhood. These children’s secret codes are not cryptographically secure and are usually based on the idea of security through obscurity or implement simple and trivially breakable substitution ciphers, where a given letter is replaced by another. An example of this is the classical ROT-13.

In contrast, the “language” of modern cryptography is the mathematics presented in this module. There is nothing secret in it itself, but it can be used to construct secure communication algorithms. Note, however, that even the insecure ROT-13 is based on modular arithmetic (mod 26). The modulo operation is an essential part of the mathematics of cryptography, but modulo alone, even with large integers, does not guarantee security.

As stated in the text, the intention here is not to internalise the entire nature of discrete mathematics, but it is explored further in a later module and in more detail in the advanced course Cryptography Engineering.

There are no summary exercises in this module, and you will properly delve into cryptology in a later module. At this stage, however, you should already be able to answer the following.

Question 1

All the branches of mathematics listed in the options are needed in cryptology, but only one is referred to in this module as part of cryptography. Which one is it?

Complex numbers

Matrix algebra

Discrete mathematics

Isogenies

Question 2

Which unusual branch of mathematics appeared here?

Field theory

State science

Universal arithmetic

Cosmology

Question 3

Which of the following calculations are correct?

4+6=5 mod 7

4-6=5 mod 7

4-6=5 mod 13

4*6=3 mod 7

2*7=1 mod 13

14*123456=0 mod 7

14*14=0 mod 13

Question 4

The STS protocol diagram contains several arrows. They represent two types of activity: the transmission of messages from one side to the other and the assignment of a value to a variable. The data elements mentioned in messages are also assigned to variables on the receiving side, so there is no contradiction. The determination of a value is expressed in different ways. Which of the following is not a formula for calculation?

\(Z/qZ\)

\([a]\cdot P\)

\(Dec_K(c_B)\)

\(Sign(\{Q_A, Q_B\}, sk_A)\)

Posting submission...