The Research Question
"To what extent does the application of prime numbers in RSA cryptography contribute to data security, and how do the mathematical principles behind RSA encryption affect its real-world applications and vulnerabilities?"
The IB Extended Essay is a 4,000-word independent research paper and one of the core components of the IB Diploma. Students choose a subject and a research question, then spend months developing an argument grounded in evidence. For mine, I chose Mathematics HL and focused entirely on RSA.
I didn't pick it because I already knew anything about it. I picked it because I kept hearing that "the internet runs on prime numbers" and I had no idea what that actually meant. I wanted to find out.
What the Essay Covers
The essay walks through RSA from first principles... not just describing it at a high level, but actually deriving each step mathematically. That meant understanding three building blocks before even touching the algorithm:
n share no common factor with it. The essay derives the formula φ(n) = (p−1)(q−1) from scratch using set theory, which is the key step that makes the private key computable.
Once those foundations were in place, the essay walks through the full key generation, encryption, and decryption process with a worked example using p = 7, q = 11:
φ(N) = (7−1)(11−1) = 60
e = 7 // coprime with φ(N), public key component
d = 43 // modular inverse of e mod φ(N), private key
Encrypt: c = m^e mod N → 9^7 mod 77 = 37
Decrypt: m = c^d mod N → 37^43 mod 77 = 9 ✓
The second half covers attacks and real-world implications: a step-by-step walk through the Fermat factoring algorithm showing how small keys can be cracked, an analysis of why 2048-bit RSA is still considered secure against classical computers, and a section on the looming threat of quantum computing and specifically Shor's algorithm, which can factor large integers in polynomial time.
What I Got Wrong :: What I Learned
The essay isn't perfect. Re-reading it now, there are places where the argument is weaker than it could be, and some of the sections on attack difficulty lean on qualitative language when they should have quantified the complexity.
But the things I got right, I got deeply. I had to sit with Euler's totient function long enough to actually derive it, not just copy the formula. I had to understand why e must be coprime with φ(n), not just that it's a rule, but what breaks if it isn't. That kind of forced understanding doesn't come from reading a Wikipedia article.
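The worked example above (p = 7, q = 11, e = 7, d = 43) and the question of what breaks when e is not coprime with φ(n), as an added Python example that is not code from the essay. The function names and the bad exponent e = 6 are constructed for illustration, and the Fermat routine is the textbook method applied to the same toy modulus.

```python
from math import gcd, isqrt

def keygen(p, q, e):
    """Textbook RSA keygen; refuses an e that shares a factor with phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"gcd({e}, {phi}) = {gcd(e, phi)}: e has no inverse mod phi(N)")
    return n, phi, pow(e, -1, phi)  # d = e^-1 mod phi(N), Python 3.8+

def encrypt(m, e, n):
    return pow(m, e, n)

def decrypt(c, d, n):
    return pow(c, d, n)

def collisions(e, n):
    """Ciphertexts that more than one plaintext in 0..n-1 maps to under m^e mod n."""
    groups = {}
    for m in range(n):
        groups.setdefault(pow(m, e, n), []).append(m)
    return {c: ms for c, ms in groups.items() if len(ms) > 1}

def fermat_factor(n):
    """Fermat's method for odd n: find a with a^2 - n = b^2, so n = (a-b)(a+b)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1

if __name__ == "__main__":
    n, phi, d = keygen(7, 11, 7)          # the page's numbers
    c = encrypt(9, 7, n)
    print(f"N={n} phi={phi} d={d}  9 -> {c} -> {decrypt(c, d, n)}")
    print("collisions with e=7:", collisions(7, n))      # bijection, so none
    bad_e = 6                              # constructed: gcd(6, 60) = 6
    try:
        keygen(7, 11, bad_e)
    except ValueError as err:
        print("keygen rejected e=6:", err)
    print("plaintexts encrypting to 1 with e=6:", collisions(bad_e, n)[1])
    print("Fermat recovers the primes from N alone:", fermat_factor(n))
```

With e = 6 the map m → m^e mod N stops being one-to-one, so no exponent d can undo it; that is the concrete failure behind the coprimality rule.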
How It Connects to Everything Since
When I started competing in CTFs a year later and encountered cryptography challenges, I wasn't starting from zero. I already knew what a ciphertext was, why key size matters, what modular arithmetic is doing under the hood. The essay gave me a framework that actual competition problems could plug into.
In the NCL Fall 2025 Team Game, Cryptography was one of my strongest categories (98th percentile nationally), 305/340 points. A challenge called Crypto Twister involved exploiting a Mersenne Twister PRNG on a Rust TCP server. I solved it with 100% accuracy. The essay didn't teach me that specific technique, but it taught me to think about randomness and entropy as mathematical properties with exploitable structure, and that instinct carried over.
The Essay
If you're curious about the actual paper (the full derivations, the worked examples, the brute force attack walkthrough) you can read it below.