5700 upvotes later: be careful about crypto advice from Reddit.

Watch out where you get our advice from

By Mike on 11th Feb 2016

Three months ago Reddit's /r/math had a thread about about things that seem untrue, but which are actually true.

Encryption came up: surely there's no way Alice and Bob can share a secret if Eve can hear everything they say? Of course, encryption works and handles that exact situation. Someone asked for more information, and a user posted this in response:

Take your message, treat it as a number and multiply it by a bunch of primes.

Send it to me. I will then multiply by a bunch of primes too.

I send it back to you. You then divide by all of your primes. Send it back to me. I divide by all of my primes and get the original message.

It may be easier to think of the message as a box and the primes as locks.

You want to send a box to me without Eve getting at what's inside. So you put a lock on it and send it to me.

Now neither Eve nor I can open it because it's locked. I add my own lock because fuck you and your stupid lock. I send it back to you.

Now you can't open it and it's locked so it's worthless, therefor you take your precious lock back and send the now worthless piece of shit back to me.

Eve is still like "WTF?" All she has seen so far is the same box going back and forth with locks she can't open.

So now I get the box with my lock on it and I take my lock off. Now the box is unlocked and I can take your shit.

Reddit went wild. What a simple, understandable model for encryption. The math is easily doable at home - try it with some small primes - and the box analogy makes perfect sense.

The post is the top item in the thread, has over 5700 upvotes, and 4 users even purchased Reddit gold for the author.

There's just a small problem.

It's not with the box analogy: as another commenter noted, it's a well known example example you'll find in great books like Simon Singh's The Code Book.

It's the math: if you've looked at crypto math you might have noticed something missing: there aren't any modulos. Although encryption does start with two prime numbers being multiplied to make (most of) the public key, messages themselves are encrypted using modular arithmetic, ie, remainders.

Someting seemed off here and it was bugging the back of my mind for a while. Thankfully Crypto Stack Exchange is great for this stuff: unlike some of the other Stack Exchange sites, answers either have references or straight up proof inside them. So I asked.

5700 upvotes and 4 Reddit golds later: the example is bunk and the message can be read by an attacker in a moment.

Henrick Hellström spotted it in a second: Eve could take the first message Bob sent Alice, divide it by the second message Alice sends Bob, and get the original message.

Try it: it works. The conclusion's pretty obvious: don't take internet points as an indicator of truth.

Mike MacCana, founder at CertSimple.

CertSimple makes EV HTTPS fast and painless.

An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!