University of Sydney · FACULTY OF COMPUTER SCIENCE

INFO2222 · Computing 2 Usability and Security

- one subject, every graph, every model, every mark
Computer Science14 Chapters12-page Bible
Our own words - no uploaded lecturer files
Updated for this semester
Chapter 7 of 12 · INFO2222

Public-Key Cryptography

Week 7 introduces asymmetric cryptography and why it solves the key-distribution problem: public-key encryption, digital signatures, and Diffie-Hellman key exchange, all resting on the hardness of problems like the discrete logarithm. Small modular-arithmetic items (a DH shared key, a discrete-log search) and the pk/sk role distinctions are common 2-mark and 4-mark exam questions.

In this chapter

What this chapter covers

  • 01Why public-key crypto: the key-distribution problem — symmetric schemes need a shared secret per pair, hard to distribute
  • 02Public-key encryption (PKE): encrypt with the public key pk, decrypt with the private key sk; anyone can encrypt, only sk holder reads
  • 03Digital signatures: sign with sk, verify with pk — providing authenticity and integrity (the mirror of PKE)
  • 04Diffie-Hellman key exchange: public g and prime p; each side derives K = g^(ab) mod p without transmitting the secret
  • 05The Discrete Logarithm Problem: g^x mod p is easy forward, believed hard to reverse — the basis of DH security
  • 06Key agreement (DH, both contribute) vs key transport (PKE, one party picks and encrypts the key); RSA and ECDH
  • 07Forward secrecy via ephemeral keys; the man-in-the-middle attack on key exchange and fixes (certificates, pinning)
  • 08Authenticated encryption compositions (Encrypt-then-MAC preferred) and end-to-end vs hop-by-hop encryption
Worked example · free

Recover a discrete log by forward search

Q [4 marks]. In a Diffie-Hellman setup with generator g = 3 and prime p = 17, an eavesdropper captures the public value A = 5 and wants the secret exponent x with 3^x ≡ 5 (mod 17). (a) Explain why there is no shortcut like division or an ordinary logarithm. (b) Find x by forward search, showing the table of powers. (c) State why this method fails to break real Diffie-Hellman. (4 marks)
  • +1(a) Recovering x from A = g^x mod p is the Discrete Logarithm Problem. Modular exponentiation has no inverse you can compute directly — there is no modular 'division back' and an ordinary calculator log ignores the mod p wrap-around — so no closed-form shortcut applies.
  • +1(b) Brute-force forward, computing 3^x mod 17 for x = 1, 2, 3, ...: 3^1 = 3, 3^2 = 9, 3^3 = 27 ≡ 10, 3^4 = 3^3·3 = 30 ≡ 13, 3^5 = 13·3 = 39 ≡ 5. Match at x = 5.
  • +1So the secret exponent is x = 5 (since 3^5 = 243 = 14·17 + 5 ≡ 5 mod 17). The only method was to test exponents until g^x matched A — forward computation is easy, reversing it is not.
  • +1(c) It fails on real Diffie-Hellman because a genuine prime p is enormous (hundreds to thousands of bits): forward search would take infeasibly many trials. The gap between easy-forward and hard-backward is precisely what keeps the shared key secret.
(a) No shortcut — recovering x is the Discrete Logarithm Problem, which has no efficient inverse. (b) Building the table 3, 9, 10, 13, 5 gives a match at x = 5. (c) For a real, large prime the forward search is computationally infeasible, so the discrete-log hardness protects the key.
Sia tip — For small toy primes you can always brute-force the discrete log by tabulating powers — that is the whole point that it is only feasible when p is tiny. Reject distractors offering 'x = log_g A on a calculator' or 'x = A / g mod p': modular exponentiation has no such inverse.
Glossary

Key terms

Public-key encryption (PKE)
Asymmetric encryption with a public key pk (publishable, used to encrypt) and a private key sk (secret, used to decrypt): C = Enc(pk, M), M = Dec(sk, C). Anyone can encrypt to the sk holder, enabling secure communication without pre-sharing a secret. RSA is the classic example.
Digital signature
The mirror of PKE for authenticity and integrity: sign with the private key, T = Sign(sk, M), and anyone verifies with the public key, Verify(pk, M, T). Only the sk holder can produce a valid signature; encryption alone gives confidentiality but not authenticity.
Diffie-Hellman key exchange
A protocol where two parties agree a shared secret over a public channel. With public g and prime p, Alice sends A = g^a mod p and Bob sends B = g^b mod p; each computes K = g^(ab) mod p by raising the received value to its own secret. The secret exponents are never sent.
Discrete Logarithm Problem (DLP)
Given g, p and y = g^x mod p, recovering x is believed computationally hard for large p, even though computing y from x is fast. DH and related schemes rest their security on this asymmetry.
Forward secrecy
The property that stealing a long-term private key later does not expose past sessions, because each session used a unique ephemeral (short-lived, then deleted) key. DH supports it naturally; TLS 1.3 only permits forward-secret key exchange (ephemeral ECDHE).
Man-in-the-middle (MITM) on key exchange
An attacker intercepts a public-key request, substitutes their own key, and relays traffic while reading or modifying it. Fixes verify the public key: digital certificates from trusted CAs (TLS), key pinning / web-of-trust (PGP), or decentralised verification.
FAQ

Public-Key Cryptography FAQ

Why do we need public-key cryptography at all?

Symmetric encryption and MACs require both parties to already share the same secret key, fully protected — but distributing that key, and managing a distinct key for every conversation pair, is a hard problem. Public-key cryptography solves it: you can publish an encryption (public) key so anyone can send you confidential messages, or use Diffie-Hellman so two parties derive a shared secret over an open channel without ever transmitting it.

How does Diffie-Hellman keep the key secret if the exchange is public?

Each party keeps a private exponent and only sends g raised to it (A = g^a mod p, B = g^b mod p). Each then raises the value it received to its own secret, so both reach g^(ab) mod p. An eavesdropper sees g, p, A and B but would have to recover a from A = g^a mod p — the Discrete Logarithm Problem — which is believed infeasible for a large prime. The shared key is computed by both sides but sent by neither.

What is the difference between key agreement and key transport?

In key agreement (Diffie-Hellman) both parties contribute to the secret and it is never sent over the wire; it is jointly derived. In key transport (public-key encryption) one party chooses a key, encrypts it under the other's public key, and sends it — only one side decides the key. DH also gives forward secrecy when ephemeral keys are used, which is why modern TLS prefers it.

Can AI help me with public-key cryptography in INFO2222?

Yes, as a study aid. Sia can walk you through a Diffie-Hellman shared-key calculation or a discrete-log forward search step by step, contrast the pk/sk roles in encryption versus signatures, and explain forward secrecy and MITM defences. Use it to rehearse the modular-arithmetic drills and the concepts for the security quizzes and exam; it does not do graded assessment for you, and the University of Sydney academic-integrity policy applies.

Study strategy

Exam move

Practise the two small numeric skills first: a full Diffie-Hellman computation (send g^a and g^b, each raises the received value to its own secret to reach g^(ab) mod p) and a discrete-log forward search (tabulate powers until a match). Use exponentiation by squaring so you are fast under time pressure, and rehearse rejecting the shortcut distractors (no calculator log, no modular division). Then lock the role distinctions as one-liners: encrypt with pk / decrypt with sk; sign with sk / verify with pk; DH is key agreement while PKE is key transport. Understand why each exists — public-key crypto answers the key-distribution problem — and know forward secrecy and the MITM fix by certificates. Because these ideas set up the TLS chapter, learning them well pays off twice. Confirm the exam scope on Canvas.

Working through Public-Key Cryptography in INFO2222? Sia is AskSia’s AI Computer Science tutor — ask any INFO2222 Public-Key Cryptography question and get a clear, step-by-step explanation grounded in how INFO2222 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.

A+Everything unlocked
Unlocks this Bible + all 38 of your University of Sydney subjects - and 1,000+ Bibles across every Australian university.
Sia - your INFO2222 tutor, unlimited, worked the way the exam marks it
The full 12-page Bible + practice bank with worked solutions
Chrome extension - sync your LMS so Sia knows your deadlines
Bilingual EN / Chinese on every Bible and every Sia answer
$25/ month
30-day money-back · cancel in one tap · how it works
Unlock the full INFO2222 Bible + 38 University of Sydney subjects解锁完整 INFO2222 Bible + University of Sydney 38 门科目
$25/mo