sign in sign up
<<
Home , MAG (cipher), Security level

Communications

An Overview of Public

Martin E. Hellman

With a public key , the key used to encipher a message can be made public without compromising the secrecy of a different key needed to decipher that message.

I. COMMERCIAL NEED FOR Thisproblem is compounded in remote computing Cryptography has beenof great importance to the mil- because the entire “conversation”is in computer readable itaryand diplomatic communities since antiquity but form. An eavesdropper can then cheaply sort messages failed, until recently,.to attract much commercial atten- not only on the basisof the called number, but also on the tion. Recent commercial interest, by contrast, has been content of’the message, and record all messages which almostexplosive due to the rapid computerization of contain one or more keywords. By including a name or information storage, transmission, and spying. product on this list, an eavesdropper will obtain all mes- Telephone lines are vulnerable to wiretapping, and.if sages from, to,or about the “targeted” personor product. carried by microwave radio, this need not entail the phys-While each fact by itself may not be considered sensitive, ical tapping.of any wires. The act becomes passive and the compilationof so many facts will often be.considered almost undetectable. It recently came to light that the highly confidential. Russians were using the antenna farms on the roofs of It is now seen why electronic mail must be cryptogra- their embassy and consulates to listen in on domestic tel-phically protected, even though almost no physical mail . ephone conversations, and that they had been successful is given this protection. Confidential physical messages in sorting out some conversations to Congressmen. are not written on postcards and, evenif they were, could Humansorting could be used, but is too expensive not be scanned at a cost of only $1 for several million because only a small percentage of the traffic is interest- words. ing. Instead, the Russians automatically sorted the traffic on the basis of the dialing tones which precede each con- 11. THE COST OF ENCRYPTION versation‘and specify the number being called. These tones can be demodulated and a microprocessor used to Books about World WarI1 intelligence operations make activate a tape recorder whenever an “interesting” tele- it clear that the allies were routinely reading enciphered phone number [one stored in memory) is detected. The German messages. The weakness of the Japanese codes low cost of.such a device makes it possible to economi- was established by the Congressional hearings into .the cally sort thousands of conversations for even one inter- Pearl Harbor disaster, and while it is less well publicized, esting one. theGermans had broken the primary American field I . This work was supported in part under NSF Grant ENGJ0173. If the major military powersof World War I1 could not The author is with the Department of Electrical Engineering, afford secure cryptographic equipment, how is industry Stanford University, Stanford, CA 94305. to do so in its much more cost-conscious environment? 0148-9615/78/1100-0024$00.75 01978 IEEE 24 IEEE COMMUNICATIONS SOCIETY MAGAZINE Encryption isa special formof computation and, just as and distributed to the appropriate users, but the cost it was impossible to build good, inexpensive, reliable, would be prohibitive. A system with even a million sub- .portable computers in the 1940'~~ it was impossible to scribers would have almost 500 billion possible keys to buildgood (secure), inexpensive, reliable, portable distribute. In the military, the chain of command limits encryption units. The scientific calculator which sells for the number of connections, but even there, key distribu- under $100 today would have cost on the orderof a mil- tion has beena major problem. It will be even more acute lion dollars and required an entire room to house it in in commercial systems. 1945. It is possible for each user to have only one key which While embryonic computers were developed during the he shares with the network rather than with any other war (often for codebreaking), they were too expensive, user, and for the network to use this asa master key for unreliable, and bulky for field use. Most computational distributingconversation specific keys [2], [3]. This aids were mechanical in nature and based on gears. Sim- method requires that the portion of the network which ilarly, all of the major field employed gear-based .distributes the keys (known as the key distribution cen- devices and, just as Babbage's failure indicates the diffi- ter or node) be trustworthy and secure. culty of building a good computer out of gears, it is also Diffie and Hellman [4] and independently Merkle [5] difficult to build a good cryptosystem from gears. The have proposed a radically different approach to the key development of general-purposedigital hardware has distribution problem. As indicated in. Fig. 2, secure com- freed the designersof cryptographic equipment to use the municationtakes place without any prearrangement best operations froma cryptographic pointof view, with- between the conversants and without'access toa secure outhaving to worry about extraneous mechanical key distribution channel. As indicated in the figure, two constraints. way communication is allowed and there are independent As an illustrationof the current low costof encryption, random number generators at both the transmitter and therecently promulgated national Data Encryption the receiver. Two way communication is essential to dis- Standard[DES) can be implemented on a singleinte- tinguishthe receiver from 'the eavesdropper. Having grated circuit chip, and will sell in the$10 range before random number generators at both ends is not as basica long. While some have criticized the standard as not beingrequirement, and isonly needed insome adequately secure [I], this inadequacy is due to political implementations. considerationsand is not the fault of insufficient technology.

111.KEY DISTRIBUTION AND PUBLIC CRYPTANALYST KEY SYSTEMS 7 Whiledigital technology has reduced the cost of encryption to an almost negligible level, there are other major problems involved in securing a communication network. Oneof the most pressing is key distribution, the problem of securely transmitting keys to the users who SOURCE #I SOURCE # 2 need them. The classical solution to the key distribution problem is Fig. 2. Pubilc Key Cryptographic System. indicated in Fig. 1. The key is distributed over a as indicated by the shielded cable. The secure The situation is analogous to havinga room full of peo- channel is not used for direct transmission of the plain- plewho have never met before and who are of equal text message P because it is too slow or expensive. mathematical ability. I choose one other person in the room and, with everyone else listening, give him instruc- tions which allow the twoof us to carry ona conversation that no one else can understand. I then choose another CRYPTANALYST person and do the same with him. This sounds somewhat impossible and, from one point 7of view, it is.If the cryptanalyst had unlimited computer time he could understand everything we said.But that is also true. of most conventional cryptographic systems- the cryptanalyst can try all keys until he finds the one that yields a meaningful decipherment of the intercepted I SOURCE I message. The real question is whether we can, with very limited computations, exchange a message which would Fig. 1. ConventionalCryptographic System. take the cryptanalyst eons to understand using the most powerful computers envisionable. The military has traditionally used courier service for A public key cryptosystem [4] has two keys, one for distributing keys to the sender and receiver. In commer- enciphering and one for deciphering. While the two keys cial systems registered mail might be used. Either way, effect inverse operations and are therefore,related, there key distribution is slow, expensiv.e, anda major impedi- must be no easily computed methodof deriving the deci- ment to secure communication. phering key from the enciphering key. The enciphering key Keys could be generated for each possible conversation can then be made public without compromising the deci-

NOVEMBER 1978 25 phering key so that anyone can encipher messages, but - 1 and which has no common factors with+(n). This then only the intended recipient can decipher messages. allows The conventional cryptosystemof Fig. 1 can be likened D = E-’(2)4(n) mod to a mathematical strongbox with a resettable combina- tion lock. The sender and receiver ause secure channelto to be calculated easily using an extended version of Eu- clid’s algorithm for computing the greatest common di- agree ona combination (key) and can then easily lock and visor of twonumbers [9, p.315, problem 15; p. 523, unlock (encipher and decipher) messages, but no one else solution to problem 151 can. A public key cryptosystem can be likened to a mathe- matical strongbox witha new kindof resettable combina- tion lock that has two combinations, one for locking and THE RIVEST-SHAMIR-ADLEMAN one for unlockingthe lock. (The lock does not lock if PUBLIC KEY SCHEME merely closed.) By making the locking combination (enci- phering key) public anyone can lock up information, but Design onlythe intended recipient who knows the unlocking Find two large prime numbersp and combination (deciphering key) can unlock the box to re- cover the information. q, each about 100 decimal digits long. Public key and related have been pro- Let n = pq and a,b = (p-l)(q-1). posed by Merkle [5], Diffie and Hellman [4], Rivestet al. Choose a random integer E between [6], Merkle and Hellman [7], and McEliece [8]. We will only outline the approaches, and the readeris referred to 3 and $ which has no common factors the original papers for details. with $. Thenit is easyto find an integer D which is the “inverse” of E modulo $, that is, D - E differs from 1 Electronic mail unlike ordinary mail is machine by a multiple of $. readable and can be automatically scanned for The public information consistsof E sensitive messages. and n! Allother quantities here are kept secret. The RSA (Rivest etal.) scheme [6] is based on the fact that it is easy to generate two large primes and multiply Encryption them together, but it is much more difficult to factor the Given a plaintext message ‘P which result. (Try factoring 518940557 by hand. Then try mul- is an integer between 0 and n-1 and tiplying 15107 by 34351.) The product can therefore be the public encryption number E, form made public as partof the enciphering key without com- promisingthe factors which effectively constitute the the integer deciphering key. By making each of the factors100 digits = PE mod long, the multiplication can be done in a fraction of a C n.. second,but factoring would require billions of years In other words, raiseP to the powerE, using the best known algorithm. As with all public key cryptosystems there must be an divide the result by n, and letC be the easilyimplemented algorithm for choosing an remainder. (A practical way to do this enciphering-deciphering key pair, so that any user can computation is givenin the text of generate a pair, regardless of his mathematical abilities. Hellman’s paper.] In the RSA scheme the key generation algorithm first selects two large prime numbers p and q and multiplies Decryption them to produce n = pq. Then Euler’s function is com- puted as@(n)= (p - l)(q - 1).(4(n) is thenumberof in- Using the secret decryption number tegers between 1 and n which have no common factor D, find the plaintext P by with n. Every pth number hasp as a common factor withn and every qth number has q as a common factor with n.) P = CDmod n. Note that it is easyto compute4ln) if the factorization of n is known, but computing+(n) directly fromn is equival- ent in difficulty to factoring n [6]. +In) as given above has the interesting property that Inorder to determine the secret for any integera between 0 and n - 1 (the integers modulo decryptionkey D, thecryptanalyst n) and any integer k must factor the200 or sodigit number

GkdfnJ + 1 = (I mod n. (1) n. This task would takea million years Therefore, while all other arithmetic is done modulo n, with the best algorithm known today, arithmetic in the exponent is done modulo 4(n). assuming a 1 ps instruction time. A random number E is then chosen between 3 and 4(n)

26 IEEE COMMUNICATIONS SOCIETY MAGAZINE The information (E,n) is made public as the encipheringple method of solution is not possible. Given S = 17665, keyand is used to transform unenciphered, plaintext there is no obvious methodfor finding thatX = (0,1,0,1,1] messages into ciphertext messagesas follows: a message is other than trying almost all 2’ subsets. first represented asa sequence of integers each between0 But it “just so happens” that if each component of a is and n - 1. Let P denote such an integer. Then the corre- multiplied by 3950 modulo 8443 the vector a’ of (12) is sponding ciphertext integer is given by the relation obtained. By performing the same transformation on S, C(3) = PEn. mod the quantity S! = 3798 is obtained. It is now seen that thereis a simplemethod .for solving for x inthe The information (D,n)is used as the deciphering key to recover the plaintext from the ciphertext via equation P(4) = CDn. mod S = a*x (14) These are inverse transformations because from (3),[z), by transforming to the easily solved knapsack problem and (1) S‘ = a‘*x. (15) CD = PED = p,k+Inl + = p. 1 (5) As shown by Rivest et ol., computing the secret deci- The two solutions x are the same provided the modulus phering key from the public enciphering key is equivalentis greater than the. sum of the (ai’}. in difficulty to factoring n. Thevariables of thetransformation (the multiplier As a small example supp0se.p = 5 and q = 11. Then n 3950 and the modulus 8443) are secret, trap-door infor- = 55 and +(n)= 40. If E = 7 then D = 23 (7 X 23 = 161 = 1 mation’used in the construction of the trap-door knap- mod40). If P = 2, then sack vector a. There is no apparent, easy way to solve knapsackproblems involving a unlessone knows the C = 27 55mod = 18 (6) I trap-door’information. and When a is made public anyone can represent a mes- M Z3 mod 55 (7) 55 . CD=mod MZ3 sage as a sequence of binary x vectors and transmit the = 1811821841816 (8) informationsecurely in the corresponding sums, S = 49 36 26 mod 55mod = 26 18 36 49 (9) a*x. The intended recipient uses his trap-door informa- tion (secret deciphering key) to easily solve forx, but no =2 (10) one else can do this.Of course thea vector must be signifi- which is the original plaintext. cantly longer than that used in this small, illustrative Note that enciphering and deciphering each involve an example. exponentiation in modular arithmetic and that this can be. McEliece’spublic key cryptosystem [8] isbased on accomplished with at most 2(logzn) multiplications mod algebraic coding theory. Goppa codes are highly efficient n. As indicated in (8),to evaluateY = ax,the exponent X error correcting codes [lo], but their easeof error correc- is represented in binary form, the base a is raised to the tion is destroyedif the bits which makea upcodeword are lst, Znd, 4th, 8th, etc. powers, (each step involving only scrambled prior to transmission. To generate a public one squaring or multiplication), and the appropriate set enciphering key, a user first selectsa Goppa chosen of these are multiplied together to form Y. at random from a large set of possible codes. He then Merkle and Mellman’s method [7] makes use of trap- selects a permutation of the codeword bits, computes the door knapsack problems. The knapsack problema com- is generator matrix associated with the scrambled Goppa binatorial problem in which one is given a vector of n codeand makes it public as his enciphering key. His integers, a, and an integerS which isa sum of a subset of secret deciphering key is the permutation and choice of the {ai}.The problem is to solve for the subset,or equiva- Goppa code. lently, for the binary vectorx which is. the solution to the equation S = a*x. (11) Key distribution, the secure transmission of keys to the users who need them, is a’major problem While the knapsack.problem is very difficult to solve in general, there are specific cases which are easy to solve. in securing a communication network. For example, if the knapsack vector is

a’= (171,197, 459, 1191, 2410) (12) Anyonecan easily encode information (scrambling . then, given anyS’, x is easily found because each compo- does not greatly increase the difficultyof encoding since nent of a’ is larger than the sumof the preceding compo- the scrambled code is still linear), adda randomly gener- nents, If s%’= 3798,then it is seen that xs mustbe 1 -ated error vector, and transmit this.But only the intended because, if it were 0, as‘= 2410 would not be in the sum recipient knows the inverse permutation which allows and the remaining elements sum to less than S’. After the errors to’be corrected easily. subtractingthe effect of as’ from Sf, thesolution con- McEliece estimates thata block lengthof 1000 bits with 500 information bits should foil cryptanalysis using the tinues recursively and establishes that x4 = 1, x3 = 0, x2 = 1, and XI = 0. best currently known attacks. The knapsack vector Theother two known methods for communicating securely over an insecure channel without securely trans- a = (5457,4213, 5316, 6013, 7439) (13) mitting a keyare not true public key cryptosystems. does not possess the property that each elementis larger Rather, they are public key distribution systems which than the sum of the preceding components, and the sim- are used to securely exchange a key over an insecure

NOVEMBER 1978 27 channel without any prearrangement, and that key is information toa friend and ask him to senda signed mes- then used in’ a conventional cryptosystem. sage of the receiver’s choosing. The legitimate sender of Merkle’s technique [5] involves an exchange of “PUZ- messages will of course deny having sent this message, zles.” The first user generatesn potential keys and hides but there is no way to tell whether the senderor receiver them as the solutions ton different puzzles, each of which is lying. The whole concept of a contract is embedded in costs n units to solve. The second user chooses onen ofthethe possibility of such disputes,SO stronger protection is puzzles at random, solves it, and sends a test message needed. encrypted in the associated key. The first user determines A true must bea number [so it can be which key was chosen by trying alln of them on the test sent in electronic form] which is easily recognized by the message. receiver as validating the particular message received, The cost to the first user is proportional to n. He must hut which could only have been generated by the sender. generate and store n keys, generate and transmit n puz- It may seem impossible for the receiver to be able to rec- zles, and try n keys on the test message. The cost to the ognize a number which he cannot generate, but such is not second user is also proportional to n because he must the case. solve one puzzle which was designed to have solution While there are other ways to obtain digital signatures, cost equal to n. .. the easiest ‘to understand makes use of the public key The cost to an eavesdropper appears to grow n2. as He cryptosystems discussed in the last section. The ith user can try solving puzzles at random and see if the asso- has a public key Ei and a secret keyDi. This notation was ciated key (solution) agrees with the test message. On the chosen becauseEi was used to encipher and Diwas used to average, he must solve n/2 puzzles, each at a cost of n. decipher. Suppose, as in the RSA scheme, the enciphering Diffie and Hellman [4] describe a public key distribu- function is onto, that is, for every integer C less than.n, tion system based on the discrete exponential and loga- there exists an integer rn for which Ei(m) = C. Then, we rithm functions.If q is a prime number anda is a primitive can interchange the order of operations and use Di first element, then X and Y are in a 1:1 correspondence for to sign the message and E, second to validate the signa- 1

28 IEEE COMMUNICATIONS SOCIETY MAGAZINE tion, and certain other characteristics can be compared lion or more, this ratio needs to be IO9 or more and cor- more readily than the all important question of security respondsto n = lo9. If all of theenciphering and level. We can compare the security level using the best decipheringeffort were in computation, this might be known methods for breaking each system, but there is possiblein the near future (a $10 microprocessorcan the danger that better methods will be fdund which will executeon the order of 1 millioninstructions per changethe relative rankings. second), but Merkle’s method requires n transmissions If signatures are desired, attention shouldbe directed aswell as n operationson the part of thelegitimate primarily to the RSA [6] and trap-door knapsack sys- users.Current technology therefore limits Merkle’s tems[7]. The RSA scheme yields signatures directly. schemeto n < 10 000 whichcorresponds to approxi- Whilethe trap-door knapsack signature method de- mately 500 kbits of trans’mission. If fiber optic or other scribed in [7] is not direct, Merkle and Reeds have de- lowcost, ultra-high bandwidth communication links veloped a methodfor generating “high density” trap- become available, Merkle’s technique would become of doorknapsacks which simplify signature generation, greaterpractical interest. and Shamir has recently suggested a direct method for Diffieand Hellman’s exponentiation method [4] obtaining signatures. Both of these approaches are not requires the legitimate users to perform an exponentia- yetpublished. tion in modular arithmetic while the b.est known crypta- The o[’;X2].and Goppacode methods do ,not appear nalytic method requires the computationof a logarithm in tolend themselves to signatures, but Merkle has de- modulararithmetic. Exponentiation is easilyaccomp- veloped a puzzle-liketechnique forgenerating lished in at most 2b multiplications, much (8),as inwhere signatures. b is the numberof bits in the representationof the modu- So far, as storage requirements for the public file, the lus.Each multiplication can be accomplished with at andRSA schemes are most .interesting. Each most 2 b additions or subtractions, and eachof these oper- requires on. the orderof 500 bits of storage per user. The ations involves at mostb gate delays for the propagation trap-door knapsack scheme requires on the order of 100 of carry signals. Overall, an exponentiation in modular kbits of storage per user, and the Goppa code method arithmetic can be accomplished in at most 4b3 gate delays. requireson the order of a megabitper user. Merkle’s Computation of a logarithm in modular arithmetic is puzzle scheme is not really suited to public file storage much more complex, and the best currently known algo- and rather depends on transmission of public informa- rithm [11] requires 2b’2 or more operations provided the tion at the start of each new conversation. The trans- modulus is properly chosen. Each operation involves a mittedinformation must be on the order of a gigabit multiplication, or 2b2gate delays. The work factor is beforesignificant levels of securityare afforded. therefore exponential in b. Instead of storing each user’s public .key in a public If b = 500, then 500 million gate delays .are required at file(similar to a telephonebook), Kohnfelder [I21 has the legitimate users’ terminals: With current technology suggestedhaving the system give each user a signed this can be accomplished in several seconds, a not un- message, or certificate,stating that user’s public key. reasonable delay for establishinga key during initial con- .Thecertificate could be stored by the user on a mag- nection. Using b = 500 results in the cryptanalyst having netic card, and transmitted at the start of a conversa- to do more thanlo7’ times as much work as the legitimate tion.This method converts public file storage users, a very safe margin. The real question.is whether requirements into transmission requirements. The sys- better methods exist for computing logarithms in modu- tem’s public key would be needed to check the certifi- lar arithmetic,or if it is even necessary to compute sucha cateand cbuld be published widely. Protecting the logarithm to break this system. system’s secret key might be easy because no one else The following table gives the numberof operations and ever has to use it and it could be destroyed after it was time required for cryptanalysis for various values of b usedto certify a group of users. assuming a 1 ps instruction time: Computation time on the part of the legitimate users issmallest with the trap-door knapsack method. The a(XIx21 and RSA schemes each require several hundred b (bits) 100 200 300 500 750 1000 times as much computation, but are still within reason. Operations l.lX10’51.3X1030 1.4X10‘5 1.8X1075 7.7XlO”Z 3.3X10’50 Merkle’stechnique requires even more computation. Time (yrs.) 36 4X1Ol85X103’ 6x10“ ZXlOgB 1x10”’ TheGoppa code technique is extremely fast for enci- phering, requiring approximately 500 XOR’s on1000 bit vectors,but I havenot yet estimated,its deciphering The storage requirements of this system are small. The requirements. ’ public file stores a single b-bit number for each user and Turning to security level, Merkle’s puzzle method [5] only several b-bit words of memory are required at the has the advantage of beingthe most solid method for transmitter and receiver,so that single chip implementa- communicating securely over an insecure channel. That tion is possible for b on the order of 500. is, it is extremely doubtful that a better method will be The RSA system [6] also requires that the legitimate found for breaking it. Unfortunately, it is also the least usersperform a modularexponentiation, but crypt- secure using the best known algorithm. Its work factor analysisis equivalent to factoring a b-bitnumber. (ratioof cryptanalytic effort to enciphering and deci- Schroeppelhas developed a new, a’s yetunpublished phering effort, using the best known algorithms) is only factoring algorithm which appears to require approxi- n2:n. Since encryption should cost on the order of $0.01 matelyexp{[ln(n) ln(lnn)]”*} machine cycles where and cryptanalysis should cost on the order of $10 mil- n = Zb isthe number to be factored. The following

NOVEMBER 1978 29 ‘ THE Ps 1.156

The knapsack is filled witha subset are 100 items rather than 10 as in this of theitems ‘shown, with weights example.However, if theset of indicated in grams. Given the weight weights for the items happens to have of the filled knapsack,1156 grams, can somenice properties known only to you determine which of the items are someonewith special “trap-door” contained in the knapsack? (The scale information,then that person can is calibrated to deduct the weight of quicklydecipher the secret the empty knapsack.) information, i.e., a 100 bit binary word Thissimple version of theclassic that specifies whichof the items are in knapsack problem generally becomes the knapsack. computationally infeasible when there ART Jeff Wyszkowski

30 IEEE COMMUNICATIONS SOCIETY MAGAZINE table gives the numberof operations and time to factora fold parallelism might reduce the time estimates given in b-bit number again assuming a 1 ps instruction time: the tables by a factor of lo9.

VI. CONCLUSIONS b [bits) 100 200 300 500 750 1000 We are in the midst of a communications revolution Operations 2.8X107 2.3X10” 2.9X1014 3.6X10’9 5.8X10z‘ 1.8~10~9 which will impact many aspects of people’s every day Time 30’s 3 days 9 yr 1 Myr 2 Gyr 6X10’5 yr lives.Cryptography is an essential ingredient in this revolution,and is necessary to preserve privacy from computerizedcensors capable of scanningmillions of Public file storage for the RSA scheme is reasonable, pages of documents for even one sensitive datum. The beingseveral hundred to a thousandbits per user. public key and digital signature concepts are necessary in Memory requirements at the transmitter and receiver are commercial systems becauseof the large numberof inter- also comparable to the ofxIx2) scheme, soa single that chip connections which are possible, and becauseof the need device can be built for enciphering and deciphering. to settle disputes. The best known method of cryptanaly,zingthe trap- A major problem which confronts cryptographyis the door knapsack system requires on the orderof 2”’2 opera- certification of these systems. How can we decide which tionswhere n is thesize of theknapsack vector. proposedsystems really are secure, and. which only Enciphering requires at mostn additionts, so the work fac- appear to be secure? Proofs are not possible using the cur- tor is exponential. If n is replaced by b, the first table rentlydeveloped theory of computationalcomplexity above gives the cryptanalytic effort required for various and,while such proofs may be possible in the future, values of n, so n 2 200 provides relatively high security somethingmust be done immediately. The currently levels.Since each element of. the a vector is approxi- accepted technique for certifying~a cryptographic system mately 2n bitslong, if n = 200,the public storage is as secure is to subject it to a mock attack under circum- approximately 80 kbitduser. Memory requirements at stances which are extremely favorable to the cryptana- the transmitter and receiver are on the same order. lyst and unfavorable to the system. If the system resists Both enciphering and deciphering require less compu- such a concerted attack under unfavorable conditions, it tation than either thec~~~~~’~ or RSA scheme. Enciphering is hoped that it will also resist attacks by one’s opponents requires at mostn additions and deciphering requires one under more realistic conditions. multiplication in modular arithmetic, followed by at most Governments have built up expertise in th6 certifica- n subtractions. tion area but, due to security constraints, this is not cur- rently available for certificationof commercially oriented systems. Rather, this expertise in the hands of a foreign Until electronic.cornrnunications can provide an governmentposes a distinctthreat to a nation’sbusi- equivalent of the written signature, it cannot fully nesses. It has even been suggested that poor or nonexis- tentencryption. will lead to international economic replace the physical transportation of documents, warfare, a concern of importance to national security. letters, contracts, etc. (There is speculation that this occurred with the large Russian purchases of several years ago.) Thereis a tradeoffbetween this and other national Caremust be exercised in interpreting these tables. security considerations which needs to be resolved, but First, they assume that the cryptanalyst uses the best thehandling of thenational data encryption standard currently known method, and there may be much faster ap-indicates that public discussion and resolution of the proaches.For. example, prior to the development of tradeoff is unlikely unless individuals make their concern Schroeppel’salgorithm, the best factoring algorithm known at a technical and political level. appeared to require exp{[2 ln(n) ln(1n n)]”*} operations. When b = 200, that would have predicted that360 yr, not REFERENCES 3 days, would be required for cryptanalysis. There is the W. Diffie and M. E. Hellman, “Exhaustive cryptanalysisof danger that even faster algorithms will be found, necessi- the NBS data encryption standard,” Computer, pp. 74-84, tating a-safety margin inour estimates. As demonstrated June 1977. by this example, the safety marginis needed in the expo- D. Branstad,.“Encryption protection in computer data com- nent, not the mantissa. munications,” presented at the IEEE Fourth Data Commu- nications Symposium, Oct. 7-9, 1975, Quebec, Canada. A similarcomment applies to the seemingly higher IBM Syst. J., (SpecialIssue on Cryptography), vol. security level afforded by theoI(xIx2) and trap-door knap- 17, no. 2, 1978. sack methods when compared to the RSA scheme. Fora W. Diffie and M. E. Hellman, “New directions in cryptog- given value of b the two tables show that the RSA scheme raphy,” IEEE Trons. Inform. Theory, vol. IT-22, pp. 644- requires much less computation to break, using the best 654, Nov. 1976. R. C. Merkle,“Secure communication over an insecure currently known techniques. But it is not clear whether channel.” Common. Ass. Comput. Moch., vol. 21. ..pp. 294- this is because factoring is inherently easier than comput- 299, Apr. 1978. ing discrete logarithmsor solving knapsack problems,or R. L. Rivest. A. Shamir, andL. Adleman, “On digital- signa- whether it is due to the greater study which has been tures and public key cryptosystems,”Commun. Ass. Corn- put. Moch., vol. 21, pp. 120-126, Feb. 1978. devoted. to factoring. R. C. Merkle and M. E. Hellman, “Hiding information and As computers become faster and more parallel, the time signatures in trap-door knapsacks,” IEEE Trons. Inform. for cryptanalysis also,falls.A 1 ns computer with million- Theory, vol. IT-24, pp. 525-530, Sepl. 1978.

NOVEMBER 1978 31 [E] R. J. McEliece. “A public key system based on algebraic cod- , ”, Martin E. Hellman (S’63-M’69) was born ing theory.” JPL DSN Progress Rep., 1978. , in New York, NY, on October 2,1945. He 191 D.E. Knuth, The Art of Computer Progrc~mn~ing,Vol. 2. received th‘e B.E. degree in electrical engi- SeminumcricalAlgorithms. Reading, MA: Addison- neering from New York University, New Wesley, 1969. York,NY,in1966,and theM.S.andPh.D. [lo] E. R. Berlekamp, “Goppa codes.” IEEE Trans. Inform. The- degrees in electricalengineering from ory, vol. IT-19, pp. 590-592, Sept. 1973. StanfordUniversity, Stanford, CA, in 1111 S. C. Pohlig and M. E. Hellman, “An improved algorithm for 1967 and 1969, respectively. computing logarithms over GF(p)and its cryptographic sig- During 1968 to 1969 he was at the IBM nificance, IEEE Trans. Inform. Theory. vol. IT-24. pp..106- Thomas J. Watson Research Center. From 110, Jan. 1978. 1969 to 1971 he was an Assistant Profes- [12] L. Kohnfelder, Towards a Practical Public-Key’Cryptosys- sor of ElectricalEngineering at M.I.T. He iscurrently an tern, M.1.T; Lab. for Comput. Sci., lune 1978. AssociateProfessor of ElectricalEngineering atStanford University, doing research in the areas of cryptography and information theory. Dr. Helhnan is a member of Tau Beta Pi, Eta Kappa Nu and Sigma Xi, and consults in the areasof communications and infor- mation theory. He is a past president of the San Francisco Sec- tion’s InformationTheory Chapter and is a member of the Information Theory Group’s Board of Governors:

Some General Interest Books on Cryptology ’

Selected by A. M. Bush, Book Reviews Editor

The fieldof cryptology has long beenof interest, partic- WalterLord, Incredible Victory. New York, Evanston, ularly in the affairsof governments. Becauseof its sensi- London: Harper and Row, 1967. tive nature, the field exists in the shadowsof the public J. C. Masterman; The Double-cross System in the War of domain, rather than in the forefrontof current publicity. 1939-1945.New Haven and London: Yale Univer- The following listof books, mostlyof general interest and sity Press, 1972. of more historical than current perspective may be useful Donald McLachlan, Room 39: A Study in Naval Intelli- to those who hold an interest in the field. The list should gence.New York: Atheneum, 1968. notbe assumed to be exhaustive or complete. ‘ Dan T. Mooreand Martha Waller, Cloak and Cipher. Paul W. Blackstock, The Secret Road to World War IZ: New York and Indianapolis: Bobbs-Merrill. SovietVersus Western Intelligence 1921-2939. New GeorgeMorgenstern, Pearl Horbor: The Story of the York:Quadrangle Books, 1969. SecretWar. New York: Devin-Adair, 1947. Burke Davis,Get Yamamoto. New Yorli: Random Gilles Perrault,The Secret of b-Day. Translated from the Hou,se, 1969. . FrenchbyLen Ortzen. Boston, Toronto: Little, AllenW. Dulles, The Secret Surrender. New York, Brown, 1964. Evanston, London: Harper and Row, 1966. FletcherPratt, Secret and Urgent. Garden City, NY:

Ladislas Farago, The Broken Seal. New York: Random BlueRibbon Books, 1942. , House, 1967. Abraham Sinkov, Elementary Cryptanalysis: A Mothe- Alexander Foote, Handbook for Spies. New York: Dou- maticalApproach. New York: Random House, 1970. bleday, 1979. Laurence D. Smith,Cryptography. New York: Norton, William F. and Elizabeth S. Friedman, The Shakespear- 1943. eanCipher Examined. New’ York: Cambridge Uni- Sir Kenneth Strong, Men of Intelligence. New York: St. versity Press, 1957. Martin’s, 1972. HelenF. Gaines, Cryptanalysis. New York: Dover, RobertA. Theobald, Rear Admiral, U.S.N., [Ret.) The 1956. FinalSecret of PearlHarbor. New York: Devin- Joseph S. Galland, An Historical and Analytical Bibli- Adair, 1954. ography of theLiterature of Cryptology.New York: Hans L. Trefousse, Ed., What Happened at Pearl Harbor. AMS Press, 1945. New York: Twayne Publishers, 1958. A. A. Hoebling,The Week Before Pearl Harbor. New BarbaraTuchman, The Zimmermann .Telegram. New York: Norton, 1963. York: Viking, 1958. Admiral Sir William James, The Code Breakers of Room Roberta Wohlstetter, Pearl Harbor: Warning and Deci- 40.New York: St. Martin’s, 1956. sion.Stanford: Stanford University Press, 1962. David Kahn, The Codebreakers. New York: Macmillan, James R. Wolfe,Secret Writing. New York: McGraw- 1967. Hill, 1970. Husband E. Kimmel, Admiral Kimmel’s Story. Chicago: Herbert 0. Yardley,The American Black Chamber. Regnery, 1955. Indianapolis: Bobbs-Merrill, 1931. Abraham L. Lavine,Circuits of Victory.Garden City, Ellis M. Zacharias, Secret Missions: The Story of an Intel- NY: Doubleday and Page, 1921. ligenceOfficer. New York: Putnam, 1946.

32 IEEE COMMUNICATIONS SOCIETY MAGAZINE