The popular instant messaging application WhatsApp guarantees the security of your messages thanks to an end-to-end encryption system. With this method, in which the messages are encrypted and decrypted on the user’s mobile phone and the encryption key is also renewed for each message, it can be ensured that the message is not transmitted to anyone other than the recipients, not even the app itself read the communication. For this purpose, mathematical concepts such as elliptic curves, the discrete elliptic logarithm and modular arithmetic are used.
More information
The system used by WhatsApp is symmetric, which means it uses the same key to encrypt and decrypt messages – in contrast, the asymmetric systems use different encryption and decryption keys. Symmetric systems require fewer computational resources and are easier to use. With them, however, it is important to ensure the security of the common key shared by two interlocutors. This key is generated by exchanging information over a public channel using the method pioneered by Whitfield Diffie and Martin Hellman in 1976. The implementation challenge is to design one-way algorithms—or functions—that are easy to execute, but from the result it is not computationally possible to determine the starting point.
To create a shared secret key, each interlocutor chooses a number that they keep secret – it will be the private key – and uses a one-way function to generate their own public key. Later, everyone carries out the same calculations, starting from their own private key and the public key of their interlocutor, so that both get the same number, the common key.
In 1985, Neal Koblitz and Victor Miller independently proposed using Diffie-Hellman methods based on the points of a type of curve called an elliptic. The advantage of this option is that the keys are relatively small – only 256 bits – and easy to execute.
Specifically, WhatsApp uses the so-called elliptic curve Montgomery Curve25519, introduced by Daniel J. Bernstein in 2005, which has the equation y² = x³ + 486662x² + x.
Mathematical operations are performed in modular arithmetic. Specifically, a sum is defined at the points of the elliptic curve, which is explained in the following figure. From this the “sum d times” of a point P – called dP – is determined, which is the function of a single direction that makes it possible to obtain the secure shared keys on which encryption is based.
The figure represents geometrically the sum of two different points R and S of the curve, the sum of point T with itself and the sum of two opposite points U and V. The base point P chosen is the one with abscissa x=9. mikel lezaun
To do this, the two conversation partners – let’s call them Ander and Beatriz – dial their secret number d1 and d2. Everyone calculates their public key by adding the chosen base point P to the times given by their secret number – Anders’ result is d1P and Beatriz’s is d2P -. Next, using his private key and Beatrice’s public key, Ander computes d1(d2P), and Beatrice computes d2(d1P). Both get the same result (the dP operation is commutative), namely the shared secret key. As already mentioned, the security of the method consists in ensuring that it is not possible to calculate from a result dP the number d that produced it, ie that it is only a function of one direction. This is the so-called elliptic discrete logarithm problem.
Once the shared key is available, WhatsApp encrypts and decrypts messages on the phone itself. Specifically, it does so using the Advanced Encryption Standard symmetric encryption system – a version of the Rijndael algorithm for 256-bit keys proposed by Vincent Rijmen and Joan Daemen in 1998 became. With today’s computing power, it’s virtually unbreakable.
In addition, the WhatsApp interlocutors generate and renew the common encryption and decryption key with each message, which further increases the reliability of the system. Each time a batch of messages is sent, the user generates a pair of private and public keys on their mobile phone and uses their private key and the recipient’s public key to calculate the common root key. From this it automatically generates and concatenates another subkey to encrypt each message. Include your public key in the message header. The recipient calculates the same root key, uses it to obtain the subkeys and decrypts the messages. The same goes for their replies, and when the person who started the communication receives them, they renew the private-public keys and repeat the process as many times as they like. Therefore, with each batch of messages, the root key and message subkeys are renewed.
Other instant messaging apps like Signal also use end-to-end encryption to protect all communications, but not all work this way. For example, Telegram has an encryption option with its own protocol called MTProto. In it, the application does not save messages locally, but in the cloud.
Mikel Lezaun He is Professor of Applied Mathematics at the University of the Basque Country (UPV/EHU).
coffee and theorems is a field dedicated to mathematics and the environment in which it is created, coordinated by the Institute of Mathematical Sciences (ICMAT). In which researchers and members of the center describe the latest advances in this discipline and share points of contact between mathematics and other fields, social and cultural expressions and remember those who shaped its development and knew how to turn coffee into theorems. The name recalls the definition of the Hungarian mathematician Alfred Rényi: “A mathematician is a machine that converts coffee into theorems.”
Edition and coordination: Ágata A. Timón G Longoria (ICMAT).
you can follow THEME on Facebook, Twitter and Instagram, or sign up here to receive our weekly newsletter.