This is an extract from The Music of the Primes: Why an Unsolved Problem in Mathematics Matters by Marcus du Sautoy Chapter 10 “Cracking Numbers and Codes”
In 1903, Frank Nelson Cole, a professor of mathematics at Columbia University in New York, gave a
rather curious talk of a meeting of the American Mathematical Society. Without saying a word, he wrote one of the Mersenne's
numbers on one blackboard, and on the next blackboard wrote and multiplied together the two smaller numbers. In the middle
he placed an equals sign, and then sat down. 267 - 1 = 193,707,721 x 761,838,257,287 The audience rose to its feet and applauded - a rare outburst for a roomful of
mathematicians at the turn of the century? In fact, Cole had done the opposite. It had been known since 1876 that 267 - 1,
a twenty-digit Mersenne number, was not itself prime but the product of two smaller numbers. However, no one knew which ones.
It had taken Cole three years of Sunday afternoons to "crack" this number into its two prime components.
It was not only Cole's 1903 audience who appreciated his feat. In 2000 an esoteric off-Broadway
show called The Five Hysterical Girls Theorem paid homage to his calculation by having one of the girls crack Cole's number.
Prime numbers are a recurrent theme in this play about a mathematical family's trip to the seaside. The father laments
his daughter's coming of age, not because she will be old enough to run off with her lover but because 17 is a prime number,
whereas 18 can be divided by four other numbers! Over two thousand years ago the Greeks proved that every number can be written
as a product of prime numbers. A fast and efficient way to find which prime numbers have been used to build up other numbers
has eluded mathematicians ever since. What we are missing is a mathematical counterpart of chemical spectroscopy, which tells
chemists which elements of the Periodic Table make up a chemical compound. A discovery of a mathematical analogue that would
crack numbers into their constituent primes would earn its creator more than just academic acclaim. In 1903, Cole's calculation was
regarded as an interesting mathematical curiosity - the standing ovation he received was in recognition of his extraordinary
hard labour rather than any intrinsic importance the problem had. Such number-cracking is no longer a Sunday afternoon pastime
but lies at the heart of modern code-breaking. Mathematicians have devised a way to wire this difficult problem of cracking
numbers into the codes that protect the world's finances on the Internet. This innocent sounding task is sufficiently
tough for numbers with 100 digits that banks and e-commerce are prepared to stake the security of their financial transactions
on the impossible long time it takes - at present - to find the prime factors. At the same time, these new mathematical codes
have been used to solve a problem that dogged the world of cryptography.
The
Birth of Internet cryptography
For as long as we have been able to communicate, we have needed to deliver secret
messages. To prevent important information from falling into the wrong hands, our ancestors devised ever more intriguing ways
of disguising the content of a message. One of the first methods used to hide messages was devised by the Spartan army over
two and a half thousand years ago. The sender and recipient each had a cylinder of exactly the same dimensions, called a scytale.
To encode a message, the sender would first wrap a narrow strip of parchment around the scytale so that it spiralled down
the cylinder. He would then write his message on the parchment, along the length of the scytale. Once the parchment was unwound,
the text looked meaningless. Only when it was wrapped around an identical cylinder would the message reappear. Since then,
successive generations have concocted ever more sophisticated cryptographic methods. The ultimate mechanical encoding device
was the German Enigma machine used by the German forces in the Second World War. Before 1977, anyone who wanted to send a secret message
faced an inherent problem. Before the message was transmitted, sender and receiver would have to meet in advance to decide
which cipher - the method of encryption - to use. The Spartan generals, for example, would have needed to agree on the dimensions
of the scytale cylinder. Even with the mass-produced Enigma machine, Berlin would still have to despatch agents to deliver
to U-boat captains and tank commanders the books detailing the machine settings for encoding each day's messages. Of course,
if an enemy got their hands on the codebook, the game was up. Imagine the logistics of using such a system of cryptography to do business on
the Internet. Before we could send our banking details safely, Was it possible to analyse how fast that program would take to solve the problem?
This was obviously important if the program was going to be implemented. The question demanded highly theoretical analysis
but was nevertheless rooted in the real world. It was this combination that made the challenge for Rivest. He left his robots
at Stanford and moved to MIT to pursue the burgeoning subject of computational complexity. 'One day a graduate student handed
me this article and said, "You might be interested in this",' Rivest recalls. It was Diffie and Hellman's
paper, and immediately he was captivated. 'It laid out this broad vision of what cryptography was and what it might be.
If only you could come up with an idea.' The challenge of the paper brought together all of Rivest's mind. 'What
you care about in cryptography is distinguishing between the problems that are easy and the problems that are hard,' he
explained. 'That was what the computer science was all about.' If a code was going to be hard break, it had to be
based on a mathematical problem whose solution was difficult to calculate. Rivest started his attempt to build a public-key cryptography
by plundering the wealth of problems he knew computers would take a long time to solve. He also needed someone to bounce ideas
off. MIT was already beginning to break the mould of a traditional university, loosening the boundaries between departments
in the hope of encouraging interdisciplinary interactions. Rivest, a computer scientist, worked on the same floor as members
of the mathematics department. In the offices nearby were two mathematicians, Leonard Adleman and Adi Shamir. Adleman was a more
gregarious character than Rivest but still a classic academic with wild and wonderful ideas about things that seemed to have
nothing much to do with reality. Adleman recalls coming into Rivest's office one morning: 'Ron is sitting there with
this manuscript. "Did you see this thing from Stanford about this crypto, secret code, scrambling, blah, blah, blah..."
My reaction was, "Well, that's nice, Ron, but I have something to talk about. I couldn't care less." But
Ron got very interested in this.' What Adleman cared about was the abstract world of Gauss and Euler. Cracking Fermat's
Last Theorem was what mattered to him, not some trendy subject like cryptography. Rivest found more receptive ears down the corridor in
the office of Adi Shamir, an Israeli mathematician visiting MIT. Together, Shamir and Rivest began to search for some idea
they could use to implement Diffie and Hellman's dream. Though Adleman wasn't too interested, it was hard to ignore
Rivest and Shamir's obsession with this problem. 'Every time I'd go into their office they'd be talking about
it. Most of the systems they came up with sucked, and since I was there I would join in with their discussions to see if what
they were proposing today made sense.' As they explored the range of 'hard' mathematical problems, their embryonic
crypto-systems began to use more ideas from number theory. This was right up Adleman's street: 'Since that was my
area of expertise, I could be more useful in analysing their systems - and mostly dispensing with them.' He thought he'd
met his match when Rivest and Shamir proposed a very secure-looking system. But after a sleepless night spent working through
all the number theory he knew, he could see how to crack their latest code. 'This went on and on. We would go for a ski
trip, and on the ride up that's all we would talk about... Even as we headed to the top of the ski slopes in a gondola,
that's what we would talk about...' The breakthrough came one evening when all three had been invited to dine at a graduate's house
to celebrate the first night of Passover. Adleman doesn't drink, but he remembers Rivest knocking back the Seder wine.
Adleman
got home at midnight. Soon after, the phone rang, It was Rivest. 'I've got another idea...' Adleman listened carefully.
'Ron, I think this time you've got it. This one sounds right to me.' They had been thinking for a while about
the difficult problem of factorising numbers. There had been no clever proposals for programs, which could crack numbers into
their prime building blocks. This problem had the right flavour to it. Under the influence of the Seder wine. Rivest had seen
how to program this problem into his new code. Rivest recalls, 'It had a good feel to it at first. But we knew from experience
that things that have a good feel initially can still fall apart. So I put it aside till the morning.'
When Adleman arrived at the department in MIT late next morning Rivest greeted him with a handwritten manuscript with the
names Adlemans, Rivest and Shamir blazoned across the top. As Adleman read through it he recognised what Rivest had told him
the previous night on the telephone. ‘So I tell Ron, “Take my name off this, this is your stuff,” and we
proceed to have a fight about whether I should stay on the paper.’ Adleman agreed to think about it. At the time he
thought it probably didn’t matter wither way, as the paper would probably be the least read of all his publications.
But he did remember the early crypto-system that had kept him up all night. He had saved them from rushing into print with
an insecure code which would have left them with egg on their faces. ‘So I went back to Ron. “Make me third on
the list.” So that how it became RSA.’
Rivest decided that they had better find out how difficult factorising really
was. ‘The problem of factorising was an obscure art form at that time. There was little literature on it. It was difficult
to get good estimates on the time that the algorithms that has already been proposed to take.’ Someone who knew more
than most happened to be Martin Gardener, one of the world’s great popularisers of mathematics. Gardener was intrigued
by Rivest’s proposal and asked if it would be all right to run an article about the idea in his regular column for Scientific
American.
The reaction to Gardner’s article finally convinced Adleman that
they were on to something big:
That summer I was out at Berkeley in a bookstore. A customer and the man behind
the desk are discussing something and the customer’s saying, ‘Did you see that crypto thing in Scientific
American?’ So I go, ‘Hey, I was involved in that thing.’ And the guy turns to me and says, ‘Can
I get your autograph?’ How many times do we get asked for autographs? Zero. Wow, what is this . . . maybe something’s
going on here! Gardner had said in his article that the three mathematicians
would send a preprint of their paper to anyone who sent them a stamped addressed envelope. ‘When I get back to MIT there
are thousands, literally thousands, of these things from all over the world, including Bulgarian National Security blah, blah,
blah.’ People started telling the trio that they were going to be rich. Even in the 1970s, when e-commerce was hardly dreamt
of, people understood the potency of these ideas. Adleman thought the money would start to pour in within a few months, and
went straight out and got himself a little red sports car to celebrate. Bombieri was not the only mathematician for whom the
reward for mathematical success was a fast car. Adleman’s car was eventually paid off with instalments from his regular
income from MIT. It took a little time for security agencies and business to fully appreciate the security and the power of
RSA. While Adleman was speeding round in his sports car still thinking of Fermat, Rivest was the one whose head was tuned
to the real-world implications of their proposal: We thought there might be some business potential to the scheme.
We went through the MIT patent office, and then we tried to see if there might be some company that would be interested in
marketing the product. But there was really no market in the early eighties. There was really very little interest at this
stage. The world was not well networked. People didn’t have computers on their desks. The people who were interested were,
of course, the security agencies. ‘The security agencies became very concerned about the development of all this technology,’
say Rivest. ‘ They did their best to see that our proposal wouldn’t go very fast.’ It seems that the same
idea had been suggested behind the closed doors of the world of intelligence. But the security agencies weren’t too
sure whether to place their agents’ lives in the hands of a few mathematicians who thought that cracking numbers was
difficult. Ansgar Heuser of the BSI, the German National Security Agency, recalls how in the 1980s they considered using RSA
in the field. They asked the mathematicians whether the west was stronger than the Russians at number theory. When the answer
came back ‘No’, the idea was shelved. But in the following decade RSA proved its worth not just for protecting
the lives of spies but also in the public world of business. The mathematics Rivest used to design this cryptographic trick is quite simple.
The shuffling of the cards is done by a mathematical calculation. When a customer places an order at a website, the computer
takes the customer’s credit card number and performs a calculation on it. The calculation will be easy to perform but
will be almost impossible to undo without the knowledge of the secret key. That is because the calculation will be done not
on a conventional calculator, but on one of Gauss’s clock calculators. The internet company tells its customers when they place
an order on its website how many hours to use on the clock calculator. It decides how many hours to choose by first taking
two large prime numbers, p and q, of around 60 digits each. The company then multiples the primes together to get a third
number, N = p x q. The number of hours on the clock will be huge, up to 120 digits long. Every customer will use the same
clock to encode their credit card number. The security of the code means that the company can use the same clock for months
before they need to consider changing the number of hours on the clock face. Selecting the number of hours on the website’s
clock calculator is the first step in choosing a public key. Although the number N is made public, the two primes p and q
are kept secret. They are two ingredients of the key that is used to unscramble the encrypted credit card number. Next, every customer
receives a second number, E, called the encoding number. This number E is the same for everyone and is as public as the number
N of the hours on the clock face. To encrypt their credit card number, C, the customer raises it to power E on the website’s
public clock calculator. (Think of the number E as the number of times the magician shuffles the pack of cards to hide the
one you’ve chosen.) The result, in Gauss’s notation is, C (modulo N). What makes this so secure? After all, any hacker can
see the encrypted credit card number as it travels through cyberspace and can look up the company’s public key, which
consists of the N-hour clock calculator and the instruction to raise the credit card number to the power E. To crack this
code all the hacker has to do is find a number which, when multiplied together E times on the N-hour clock calculator and
the instruction to raise the credit card number to the power E. To crack this code all the hacker has to do is find a number
which, when multiplied together E times on the N-hour clock calculator, gives the encrypted credit card number. But that is
very difficult. An extra twist comes from the way powers are computed on the clock calculator. On a conventional calculator
the answer grows in proportion of the number of times we multiply the credit card number together. That doesn’t happen
on the clock calculator. There, you very quickly lose sight of the starting pace because the size of the answer bears no relationship
to where you start from. The hacker is completely lost after E shuffles the pack of cards. What if the hacker tries working through
every possible hour on the clock calculator? No chance. Cryptographers are now using clocks on which N, the total number of
hours, has over a hundred digits – in other words, there are more hours on the clock face than there are atoms in the
universe. (In contrast, the encoding number E is usually quite small.) If it is impossible to solve this problem, how on earth
does the Internet company recover the customer’s credit card number? Rivest knew that Fermat’s little theorem guaranteed
the existence of a magic decoding number, D. When the Internet company multiplies the encrypted credit card number together
D times, the original credit card number reappears. The same idea is used by magicians in card tricks. After a certain number
of shuffles it looks as though the card order is completely random, but the magician knows that a few more shuffles will bring
the pack back to its original order. For example, the perfect shuffle – where the pack is equally divided, then interleaved
one card at a time from each half – takes eight shuffles to bring the pack into its original position. Of course, the
art of the magician is being able to perform a perfect shuffle eight times in a row. Fermat had discovered the analogue for
clocks of how many perfect shuffles it takes to return a pack of 52 cards to its original order. It was Fermat’s trick
that Rivest had exploited to decode messages in RSA. Although the pack of cards with your credit card number has been shuffled by the
website a number of times to lose it, the Internet company knows that shuffling it another D times will make your card appear
as if by mathematical magic at the top of the pile. But you can work out what D is only if you know the secret primes p and
q. Rivest used the generalisation of Fermat’s Little Theorem discovered by Euler which works on clock calculators built
from two primes rather than just one. Euler showed that on these clocks the pattern repeats itself after (p – 1) x (q
– 1) + 1 shuffles. So the only way you can know how long it takes to see the repeating pattern on the clock with N =
p x q hours is to know both the primes p and q. Knowledge of these two primes therefore becomes the key to unlocking the secrets
of RSA. The number of shuffles required to recover the lost credit card is known only by the Internet company, which has kept
the prime numbers p and q very secret. Although the number p and q have been kept secret, their product, N = p x q, has been made very public.
The security of Rivest’s RSA code therefore relies on the difficult task of factorising N. A hacker is faced with the
same problem that occupied Professor Cole at the beginning of the last century: find the two prime building blocks for the
number N.
Throwing down the gauntlet of RSA 129
To persuade business that the
problem of factorising had a respectable heritage, the MIT three would quote what one of the big guns. Gauss, had to say about
factorising: ‘The dignity of the science itself seems to require that every possible means be exploited for the solution
of a problem so elegant and so celebrated.’ Although Gauss acknowledged the importance of the factorisation problem,
he made no headway with its solution. If Gauss had tried and failed to crack it, surely corporate security was safe in the
hands of RSA. Despite Gauss’s ‘endorsement’ of the RSA system, before they wired it into their new code the problem
of factorising large numbers lay on the margins of mathematics. Most mathematicians showed little interest in the nitty-gritty
of cracking numbers. What if it did take the lifetime of the universe to find the prime building blocks of large number –
surely that was of no theoretical importance. But with Rivest, Shamir and Adleman’s discovery, the problem of factorising
assumed a significance way beyond what it had in Cole’s day. So just how difficult is it to crack a number into its prime constituents? Cole
had no access to electronic computers, so it would have taken him a good number of Sundays before he stumbled on 193,707,721
or 761,838,257,287 as one of the two building blocks of the Mersenne number 267 – 1. Armed with our computers, can’t we just
check one number after another until we find one that divides the number we are trying to crack? The trouble is that to crack
a number with over a hundred digits entails checking more numbers than there are particles in the observable universe. With so many number
to check, Rivest, Shamir and Adleman felt confident enough to issue a challenge: to crack a number with 129 digits that they
had built from two primes. The number, along with an encoded message was published in Martin Gardner’s Scientific American
article that brought the code to the world’s attention. They were not yet the millionaires they were to become, so they
offered only $100 prize for unmasking the two primes used to build the number dubbed ‘RSA 129’. In the article
they estimated that it would take as many as 40 quadrillion years to crack RSA 129. They soon realised they’d made an
arithmetical slip in estimating the time it would take. Nevertheless, given the techniques for cracking numbers into primes
then available, it should still have taken thousands of years. RSA seemed to be the code-maker’s dream come true: an unbreakable code.
With so many primes to check, confidence in the impregnability of the system seemed justified. But the Germans had thought
that Enigma was invincible since it had more combinations than there are stars in the universe – but the Bletchley mathematicians
had showed that one cannot always place one’s faith in large numbers. The gauntlet of RSA 129 was thrown down. Never ones to
shirk a challenge, mathematicians around the world began beavering away, in the years that followed, they began to devise
ever more cunning plans to find Rivest, Shamir and Adleman’s two secret primes. Instead of 40 quadrillion years, as
the MIT three had estimated, their number was eventually cracked in a paltry seventeen years. That us still long enough for
a credit card encrypted with RSA 129 to be well out of date. Nevertheless, it begs the question how much longer it will be
for a mathematician to emerge with ideas that bring seventeen years down to seventeen minutes.
New tricks
on the block
The interaction between cryptography and mathematics introduced modern mathematicians
to a new culture more akin to the experimental and practical sciences. It was a culture not experienced since the nineteenth-century
German school had snatched the baton from the mathematicians of Revolutionary France. The French had regarded their subject
as a practical tool, as a means to an end, whereas Wilhelm von Humboldt believed in the pursuit of knowledge for its own sake.
Those theoreticians still steeped in the German tradition were quick to condemn the study of methods for factorising numbers
as a ‘pig in the rose garden’, in Hendrik Lenstra’s words. In contrast to the pursuit of watertight proofs,
this truffling for primes was seen as minor work of little mathematical importance. But as RSA grew commercially more important,
it became impossible to ignore the practical implications of finding an efficient technique for unveiling the prime building
blocks behind large numbers. Gradually, more mathematicians were drawn into the challenge of cracking RSA 129. The final breakthrough
came about not so much from the development of faster computers as from unexpected theoretical advances. The new problems
that sprang out of these forays into code-breaking have led to the development of some deep and difficult mathematics.
One
of the mathematicians attracted to this emerging subject was Carl Pomerance. Pomerance is happy to split his time between
the academic corridors of the University of Georgia and the commercial environment of Bell Laboratories in Murray Hill, New
Jersey. As a mathematician he has never lost that childish love of playing with numbers and looking for new connections between
them. He came to Paul Erdos’s attention when the Hungarian read an intriguing article by Pomerance on the numerology
of baseball scores. Stimulated by a curious question raised in the article, Erdos descended on Pomerance in Georgia to begin
a collaboration that would product over twenty joint papers.
Factorising numbers had fascinated Pomerance ever since he
had been asked to factorise the number 8,051 in a high-school mathematics competition. There was a time limit of five minutes,
in the 1960s pocket calculators didn’t exist. Although Pomerance was excellent at mental arithmetic, he decided first
to look for a quick route to the solution rather than just testing one number after another. ‘I spent a couple of minutes
looking for the clever way, but grew worried that I was wasting too much time. I then belatedly started trial division, but
I had wasted to much time, and I missed the problem.’
His failure to crack 8,051 fuelled Pomerance’s lifelong
quest for a fast way to factorise numbers. Eventually he learnt about the trick his schoolteacher had had in mind. Before
1977, the smartest way to crack numbers still, amazingly, belonged to the man whose Little Theorem was the catalyst for the
invention of RSA’s prime number code. Fermat’s Factorisation Method is a fast way factorise special choices of
numbers by exploiting some simple algebra. Using Fermat’s method, Pomerance took just seconds to crack 8,051 into 83
x 97. Fermat, who loved the idea of secret codes, would probably have been delighted to find his work at the heart of making
and breaking codes some three centuries later.
When Pomerance heard of Rivest, Shamir and Adleman’s
challenge, he knew immediately that cracking the 129-digit number was the way to exorcise the memories of his childhood failure.
In the early 1980s it dawned on him that there was a way to exploit Fermat’s Factorisation Method. By implementing the
method on a variety of different clock calculators, it could provide a powerful factorisation machine. Now it was no longer
just the outcome of a high-school mathematics competition that was at stake. This new discovery, called the quadratic sieve,
had very serious implications for the emerging world of Internet security.
Pomerance’s quadratic sieve works
by using Fermat’s Factorisation Method but continually changing the clock calculator being used to try to crack a number.
The method is similar to the Sieve of Eratosthenes, the technique invented by the Alexandrian librarian, which sifts out primes
by taking the primes in turn and then striking out all number which are multiples of that prime. Thus, by dropping numbers
through different-sized sieves, non-primes are eliminated without having to consider them individually. In Pomerance’s
attack the prime sieves are replaced by varying the number of hours on the clock calculators. The calculations performed on
each separate clock calculator provided Pomerance with more information about possible factors. The more clocks that could
be used, the closer he could get to cracking a number into its prime constituents.
The ultimate test of this idea was
to set it to work on the challenge of RSA 129. But in the 1980s this number still looked well out of reach of Pomerance’s
factorisation machine. In the early 1990s help arrived in the shape of the Internet. Two mathematicians, Arjen Lenstra and
Mark Manasse, realised that the Internet would be the perfect ally for the quadratic sieve in an attack on the RSA 129. The
beauty of Pomerance’s method was that the workload could be spread over many different computers. The Internet had been
employed to find Manasse and Lenstra realised that they could now use the Internet to co-ordinate an attack on RSA 129. Each
computer could be assigned different clocks to sieve with. Suddenly, the Internet – which was meant to be protected
by these codes – was being asked to help crack the RSA challenge.
Lenstra and Manasse put Pomerance’s
quadratic sieve on the Internet and called for volunteers. In April 1994 came the announcement that RSA 129 had crumbled.
By combining several hundred desktop computers across twenty-four countries, RSA 129 was cracked after eight months of real
time in a project led by Derek Atkins at MIT, Michael Graff at Iowa State University, Paul Leyland of Oxford University and
Arjen Lenstra. Even two fax machines had joined in the search – while they weren’t handling messages, they were
helping to look for the two prime numbers with 65 and 64 digits. The project used 524.339 different prime clocks.
In
the late 1990s Rivest, Shamir and Adleman issued a new set of challenges. By the end of 2002 the smallest of their challenges
to remain uncracked was a number with 160 digits. The trio’s finances have improved since 1977, so you can now $10,000
for cracking an RSA challenge number. Rivest threw away the primes he used to build these challenge numbers, so no one actually
knows the answers until the numbers are cracked. RSA Security regards $10,000 as a small price to pay to keep ahead of the
current band of number-crackers. And each time a new record is set, RSA simply advises businesses to increase the size of
the primes.
Pomerance’s quadratic sieve has been superseded by a new sieve called the number field sieve.
This new sieve is responsible for the current record, set by cracking RSA 155. This was achieved by a network of mathematicians
operating under the messianic name of Kabalah. RSA 155 was a significant psychological breakthrough. In the mid-1980s, when
security agencies were still toying with the idea of using RSA, computer security with this level of complexity had been considered
sufficient. As Ansgar Heuser of the BSI, the German security agency, admitted at a cryptography conference in Essen, had they
gone ahead ‘we would be in the middle of a disaster’. RSA Security is now recommending clocks for which N, the
number of hours, has at least 230 digits. But the likes of BSI, who need long-term security to protect their agents, are currently
recommending clocks with over 600 digits.
Head in the sand
The number field sieve makes a brief appearance in the
Hollywood film Sneakers. Robert Redford sits listening to a young mathematician lecturing about cracking very big numbers:
‘The number field sieve is the best method currently available. There exists an intriguing possibility for a far more
elegant approach… But maybe, just maybe, there is a shortcut…’ Sure enough this whizz-kid, played by Donal
Logue, has discovered such a method, ‘a breakthrough of Gaussian proportions’, and has wired it into a small box
which unsurprisingly falls into the evil hands of the film’s villain, played by Ben Kingsley. The plot is so outlandish
that most viewers must imagine that this could never happen in the real world. Yet, as the credits for the film roll, up pops
‘Mathematical Advisor: Len Adleman’, the A in RSA. As Adleman admits, this is not a scenario that we can guarantee
won’t happen. Larry Lascar, who wrote Sneakers, Awakening and War Games, came to Adleman to make sure he got the maths
right. ‘I liked Larry and his desire for verisimilitude, so I agreed. Larry offered money, but I countered with Robert
Redford – I would do the scene if my wife Lori could meet Redford.’
How prepared are businesses for such
an academic breakthrough? Some more so than others, but on the whole most have their head in the sand. If you ask business
and government security agencies, their answers are a little worrying. These are all comments I’ve recorded on the cryptograph
circuit:
‘We met the government standards, that’s all we’re worried about.’
‘If we go down then at least a lot
of other people will be going down with us.’
‘Hopefully I will have retired anyway by the time such a mathematical breakthrough will have happened,
so it won’t be my problem.’
‘We work on the principle of hope – for the time being nobody expects a dramatic breakthrough.’
‘Nobody is able to give guarantees.
We simply don’t expect it.’
When I give presentations to businesses about Internet security I like to
offer my own little RSA challenge: a bottle of champagne for the first person to uncover two prime numbers whose product is
126,629. The difference in response to this challenge I gave in three banking seminars in different corners of the globe revealed
the interesting cultural differences in the financial world’s attitude to security. In Venice the challenge and the
mathematics behind these codes washed straight over the heads of European bankers, and I resorted to a plant in the audience
to offer the solution. In contrast to the bankers of Europe, trained in the humanities as most of them are, the Far Eastern
banking community has a far greater scientific pedigree. By the end of the presentation, in Bali, one man rose to his feet
with the two primes and claimed the champagne. They showed that they appreciated the mathematics and its implementation in
e-business much better than their European counterparts.
But the presentation to the Americas gave me the most striking
insight. Within fifteen minutes of returning to my room after the presentation I received three phone calls with correct solutions.
Two of the US bankers had logged on to the Internet, downloaded code-cracking programs and run 126,619 through them. The third
was very cagey about his method, and he strongly suspected of having eavesdropped on the other two.
Business has
put its trust in a piece of mathematics that few have taken the time to examine for themselves. True, the immediate threat
to the security of everyday Internet business is more likely to come from sloppy management leaving vital information unencrypted
on a website. Like any cryptographic system, RSA is susceptible to human imperfection, During the Second World War the Allies
benefited from a host of textbook errors made by German operators which helped them to crack Enigma. RSA can equally be weakened
by operators choosing numbers which are too easily crackable. If you want to break codes, buying up second-hand computers
is probably better investment than enlisting for a Ph.D. in a pure mathematics department. The amount of sensitive information
left on outmoded machines is frightening. Offering a simple bribe to someone guarding secret keys could get you far more for
your money than sponsoring a team of mathematicians to crack numbers. As Bruce Schneier comments in his book Applied Cryptography,
‘It’s a whole lot easier to find flaws in people than it is to find them in crypto-systems.’
However,
such security breaches. Though serious for the company involved, pose no threat to the whole fabric of Internet business.
This is what gives a firm like Sneakers an edge. Although the probability of a breakthrough cracking numbers is small, the
risk is still there and the result would be globally devastating. It could become the Y2K of e-business, bringing the whole
house of emails crumbling to the ground. We think that cracking numbers is inherently difficult, but we can’t prove
it. It would be a weight off the lot of executives’ minds if we could assure them that it is impossible to find a fast
programme that can factorise numbers. Obviously it is difficult to prove that such a thing does not exist.
Cracking
numbers is a complex task not because the mathematics is particularly difficult, but because there is such a huge haystack
from which to pluck the two needles. There are many other problems related to this ‘haystack’ quality. For example,
although every map can be coloured with for colours, how can you tell, given a particular map, whether you can seem to be
by laboriously working through all possible combinations until, with luck, you hit upon a map that requires only three colours.
One
of Landon T. Clay’s Millennium Problems, known as P versus NP, raises a rather interesting question about such problems.
In the complexity of a problem such as factorising numbers or colouring maps arises from the very large size of the haystack
one has to search through, might there always be an efficient method to find the needle? Our hunch is that the answer to the
P versus NP question is ‘no’. There are problems which have an inherent complexity that can’t be got around
even with the hacking skills of a modern-day Gauss. If, however, the answer turns out to be ‘yes’, then as Rivest
says, ‘it would be a catastrophe for the cryptographic community’. Most cryptographic systems, RSA included, concern
problems about large haystacks. A positive answer to this Millennium Problem would mean that there really is a fast way to
crack numbers – it’s just that we haven’t found it yet!
Not too surprisingly, business is not
overly concerned with mathematicians’ obsession for building our mathematical edifice on foundations which are 100 per
cent secure. Cracking numbers has remained difficult for the last few millennia, so the business world is happy to build the
Internet shopping mall on a foundation which is 99.99 per cent secure. Most mathematicians think that there is something inherently
computationally different about cracking numbers. But no one can predict what advances the next decades may bring. After all,
RSA 129 looked secure some twenty years ago.
One of the main reasons why factorising numbers is so difficult is the randomness
of primes. Since the Riemann Hypothesis seeks to understand the source of the wild behaviour of the primes, a proof could
provide new insights. In 1900 Hilbert has stressed in his description of the Riemann Hypothesis that its solution had the
potential to unlock many other secrets about numbers. Given the central role of the Riemann Hypothesis in understanding the
primes, mathematicians began to speculate proof, if it is ever found, might yield new ways to crack numbers. This is why businesses
are now beginning to keep an eye on the abstruse world of prime number research. There is another reason why business is particularly
interested in the Riemann Hypothesis. Before they can use the RSA code, Internet companies must be first able to find two
prime numbers with sixty digits. If the Riemann Hypothesis is true, then there is a fast way to discover the primes used to
build the RSA codes on which the security of e-business currently relies.
Hunting for big primes
Given the increasing pace of the Internet and the consequent demand for bigger and bigger prime numbers, Euclid’s
proof that the primes will never run dry suddenly takes on an unexpected commercial significance. If the primes are such an
unruly bunch how are businesses going to find these big prime numbers? There may be an infinite number of prime numbers, but
as we count higher they get thinner on the ground. If there are fewer primes the further we count, then are there enough primes
with around 60 digits for everyone in the world to have two of them in order to make their own private key? And even if there
are enough, perhaps there are only just enough, in which case there is a high chance that two people will get the same pair.
Fortunately,
Nature has been kind to the world of e-commerce. Gauss’s Prime Number Theorem implies that the number of primes with
60 digits is approximately 1060 divided by the logarithm of 1060. This means that there are enough primes with 60 digits for every atom in
the Earth to have its own two primes. Not only that, the chance of you winning the National Lottery is higher than the likelihood
of two different atoms being assigned the same pair of primes.
So, given that there are enough prime
numbers to go round, how can we be sure that a number is prime? As we have seen, it is difficult enough to find the prime
constituents of a non-prime number. If a candidate number is prime then isn’t it doubly difficult to discover this fact?
After all, it means showing that no smaller number divides the candidate.
It turns out that to determine whether
a number is prime isn’t as tall an order as you might expect. There is a fast test to discover whether a number is not
prime, even if you can’t find any of its prime constituents. That is why Cole knew, as had the rest of the mathematical
world for some twenty-seven years before he announced his calculation, that the number he was trying to crack wasn’t
prime. This test isn’t much help in predicting the distribution of primes, the heart of the Riemann Hypothesis. But
because it tells us whether any particular number is prime, it lets us hear individual notes in music, though it doesn’t
help us appreciate the overall melody encapsulated in the Riemann Hypothesis.
The origin of this test is Fermat’s
Little Theorem, which Rivest had exploited that night after the Passover wine when he had discovered RSA. Fermat found that
if he took a number on a clock calculator with a prime number of hours, p, and raised it to the power p, he always got the
number he started with. Euler realised that Fermat’s Little Theorem could be used to prove that a number isn’t
prime. For example, on a clock with 6 hours, multiplying 2 together 6 times lands us at 4 o’clock. If 6 were prime,
we could have arrived back at 2 again. So Fermat’s Little Theorem tells us that 6 can’t be a prime number –
else it would be a counter-example to the theorem.
If we want to know whether a number p is prime, we take a
clock calculator with p hours. We start testing different times to see whether raising the hour of the power of p gets us
to the time we started from. Whenever it doesn’t, we can throw that number out, confident that it is not a prime number.
Each time we find an hour that does satisfy Fermat’s test, we won’t have proved that p is prime, but that the
hour on the clock is, if you like, bearing witness to p’s claim to be prime.
Why is testing times on the clock any
better than testing whether each number is less than p divides p? The point is that if p fails the Fermat test, it fails very
badly. Over half the numbers on the clock face will fail this test and testify to the non-primality of p. That there are so
many ways to prove that this number is not prime is therefore an important breakthrough. This method contrasts strongly with
the step-by-step division test, checking off every number to see whether it is a factor of p. if p is the product of, say,
two primes, then with the division test only those two primes can prove that p is not prime. None of the other numbers will
be of any help. One has to get an exact hit for the division test to work.
In one of his multitude of collaborations,
Erdos estimated (though did not rigorously prove) that to test whether a number less than 10150 is prime, finding just one time on the clock which passes Fermat’s test already means
that the odds of that number not being prime as 1 in 1043. The author
of The Book of Prime Number Records, Paulo Ribenboim, points out that using this test, any business selling prime numbers
could realistically peddle their wares under the banner ‘satisfaction guaranteed or your money back’, without
too much fear of going bust.
Over the centuries mathematicians have refined Fermat’s test. In the
1980s two mathematicians, Gary Miller and Michael Rabin, finally came up with a variation that would guarantee after just
a few tests that a number is prime. But the Miller-Rabin test comes with a bit of mathematical small print: it works for really
big numbers only if you can prove the Riemann Hypothesis (To be precise, you need a slight generalisation of the Riemann Hypothesis.)
This is probably one of the most important things we know hiding behind Mount Riemann. If you can prove the Riemann Hypothesis
and its generalisation, then, as well as earning a million dollars, you will have guaranteed that the Miller-Rabin test really
is a fast and efficient method for proving whether a number is prime or not.
In August 2002, three Indian mathematicians,
Manindra Agrawal, Neeraj Kayal and Nitin Saxena, at the Indian Institute of Technology in Kanpur devised an alternative to
the Miller-Rabin test. It was very slightly slower but avoided having to assume the Riemann Hypothesis. This came as a complete
surprise to the prime number community. Within twenty-four hours of the announcement from Kanpur, 30,000 people across the
world – Carl Pomerance among them – had downloaded the paper. The test was sufficiently straightforward for Pomerance
to present the details to his colleagues in a seminar that same afternoon. He described their method as ‘wonderfully
elegant’. The spirit of Ramanujan still burns strong in India, and these three mathematicians were not afraid to challenge
the received wisdom of how one should check whether a number is prime.
