The popular instant messaging application WhatsApp guarantees the security of your messages thanks to an encryption system called end to end. With this method, in which the encryption and decryption of the messages is carried out on the users’ mobile phones and, in addition, the encryption keys are renewed with each message, it can be ensured that, except for the recipients, no one, not even own apps, can read the communications. To do this, mathematical concepts such as elliptic curves, the discrete elliptic logarithm and modular arithmetic are used.

The system used by WhatsApp is symmetric, that is, it uses the same key to encrypt and decrypt messages —in contrast, the asymmetric ones use different encryption and decryption keys. Symmetrical ones require less computing resources and are easier to use, but in them it is essential to guarantee the security of the common key shared by two interlocutors. This key is generated by exchanging information over a public channel, using the method introduced by Whitfield Diffie and Martin Hellman in 1976. The challenge to implement it lies in designing algorithms —or functions— one waythat is to say, easy to execute, but that, from the result, it is not possible —computationally— to find out the starting point.

To create a common secret key, each interlocutor chooses a number, which he keeps secret —it will be the private key— and, from it, by means of a one-way function, he produces his own public key. Later, each one performs the same calculations on their own, starting from their own private key and the public key of their interlocutor, so that they both obtain the same number, the common key.

In 1985, Neal Koblitz and Victor Miller independently proposed using Diffie-Hellman methods based on the points of a type of curve called elliptical. The advantage of this option is that the keys are relatively small—only 256 bits—and easy to execute.

In particular, WhatsApp uses the call Montgomery elliptic curve curve25519, introduced by Daniel J. Bernstein in 2005, which has as equation and² = x³ + 486662x² + x.

Mathematical operations are performed in modular arithmetic. Specifically, a sum is defined at the points of the elliptic curve, which is explained in the following image. From it, the “sum d times” of a point P —which is denoted dP—, which is the one-way function that allows obtaining the secure common keys on which the encryption is based.

The image represents geometrically the sum of two different points R and S of the curve, the sum of point T with itself and the sum of two opposite points U and V. The chosen base point P is the one with abscissa x=9. mikel lezaun

To do this, the two interlocutors —let’s call them Ander and Beatriz— choose their secret number —d1 and d2, respectively— Each calculates his public key by adding the chosen base point P times given by his secret number—Ander’s result is d1P and Beatrice’s d2P—. Next, with his private key and Beatriz’s public key, Ander calculates d1(d2P) and, for her part, Beatriz calculates d2(d1P). Both get the same result (the operation dP is commutative), which is the common secret key. As we said, the security of the method resides in guaranteeing that it gives a result dP it is not possible to obtain the number computationally d that generated it, that is, that it is a one-way function. This is the call elliptic discrete logarithm problem.

Once the common key is available, WhatsApp encrypts and decrypts messages on the mobile phone itself. Specifically, this is done with the symmetric cryptographic system Advanced Encryption Standard -which is a version of the Rijndael algorithm for 256-bit keys, proposed in 1998 by Vincent Rijmen and Joan Daemen—. With today’s computing power, it’s virtually unbreakable.

In addition, the WhatsApp interlocutors generate and renew, with each message, the common encryption and decryption key, which further increases the reliability of the system. For each sending of a batch of messages, the user generates a pair of private-public keys on his mobile and, with his private key and the recipient’s public key, calculates the common root key. From it, it automatically generates, in a chained way, a different subkey to encrypt each message. In the header of the messages include your public key. The recipient calculates the same root key, and with it, obtains the subkeys and decrypts the messages. It does the same for their responses and when the person who started the communication receives them, they renew the private-public keys and replicate the process as many times as they want. Thus, with each batch of messages, the root key and the message subkeys are renewed.

Other instant messaging applications, such as signalThey also use end-to-end encryption to protect all communications, but not all of them work this way. For example, Telegram has an encryption option with its own protocol called MTProto. In it, the application does not save messages locally, but saves them in the cloud.

mikel lezaun He is a professor of Applied Mathematics at the University of the Basque Country (UPV/EHU).

Coffee and Theorems is a section dedicated to mathematics and the environment in which it is created, coordinated by the Institute of Mathematical Sciences (ICMAT), in which researchers and members of the center describe the latest advances in this discipline, share meeting points between the mathematics and other social and cultural expressions and remember those who marked their development and knew how to transform coffee into theorems. The name evokes the definition of the Hungarian mathematician Alfred Rényi: “A mathematician is a machine that transforms coffee into theorems.”

Edition and coordination: Ágata A. Timón G Longoria (ICMAT).

