Now if one knows the factors of N it is easy to determine on the curve by defining three points to sum to zero if and only (Almost) 50 Years of Public-Key Cryptography a value d such that x = yd (modulo N), but it is difficult to if they lie on a straight line. For curves defined over a field with This article is based on a talk given by Clifford Cocks during the which is then combined with the message (or ‘plaintext’) to pro- determine x otherwise. The best method we have for factor- p elements the number of points will lie between p +1 2p1/2 − IMA@50 celebration at the Royal Society in May, and followed duce the enciphered message (or ‘ciphertext’) that is transmitted. ing N is the number field sieve and this takes time of order and p +1+2p1/2. his award of the 2014 IMA Gold Medal. As long as the recipient has the same key and same encryp- exp(1.92 log(N)1/3 log log(N)2/3), much longer than the time tion device as the sender he can generate the same pseudorandom to encrypt or to decrypt with knowledge of the factors. It is this 5 Other cryptosystems Introduction sequence and then remove this from the ciphertext, revealing the that gives the scheme its security. After the discovery of the RSA and Diffie–Hellman methods, ryptography is a subject that has changed a great deal plaintext. If the cryptography is sound, someone who intercepts there was an explosion of interest that lead to the discovery of over the last 50 years. It has gone from being something the communication and does not know the key will not be able many more public-key systems based on hard mathematical prob- C practised mainly by governments and a few enthusiasts, to recover the message content even if they know all the details lems with a secret trapdoor. Some, indeed one might say many of into a subject that has many applications and is now widely stud- about the encryption device itself. the proposals have been found to have weaknesses and have not ied in academia. It is also a good example of how pure mathe- There are situations in which this traditional approach for con- survived scrutiny but a number do seem to have passed the test matics can have unexpected real world applications. fidentiality is quite satisfactory. Car key fobs are an example – the of time. One of these is the McEliece system [4], which is based secret key will be installed by the manufacturer and will last for on error-correcting codes with a secret syndrome. Another is the the lifetime of the car. However, in situations in which the set of NTRU system [5] based on multiplication in a polynomial ring. potential recipients is wide open, as in the case of many uses on Neither system has been widely used as yet. However the the internet, the need to send keys over a different medium before search for a quantum-resistant public-key system makes these starting secure communication is a major limitation. candidates for possible future use. 2 Public-key cryptography 6 Authentication and digital signatures Public-key cryptography is a way of achieving security without Figure 1: The RSA public-key system As well as confidentiality, another feature that public-key cryp- the need for pre sent keys. The first papers in the public domain tography can offer is the ability to create digital signatures. A describing this idea were by Whit Diffie and Martin Hellman [1], 4 The Diffie–Hellman cryptosystem digital signature is a short string appended to a message which and by Rivest, Shamir and Adleman [2], although the techniques The other widely used cryptosystem is the Diffie–Hellman system confirms the identity of the sender and the integrity of the mes- had been discovered earlier by Ellis, Cocks and Williamson [3] [1]. Unlike RSA instead of actually encrypting plaintext in an in- sage. In many situations integrity and authentication are at least in a classified environment. vertible way this is a protocol that allows two parties to establish as important as confidentiality. To see how this functionality might be achieved we can think A digital signature can be checked by anyone in possession of Dr Clifford Cocks CB a shared secret that they can then use as the key for a conventional about the physical example of a padlock. It has become stan- (or symmetric) cryptosystem. the sender’s public key, and in essence confirms that the sender What has caused the change? Principally, the reason is the dard to name those wishing to communicate Alice and Bob, so Here the two parties Alice and Bob who wish to establish a knows the associated private key or trapdoor. massive increase in communications that we have seen over this imagine that Alice wishes to receive some confidential informa- shared secret must agree on a group G in which the discrete log- As an example one can use the RSA system to create digi- period. Modern communications need the protection that can tion from Bob using an untrusted courier, Charles. Alice can do arithm problem is difficult. One example of such a group is the tal signatures. Given a message M, a digest m is created that is be afforded by cryptography. Cryptography helps ensure the in- this by sending Bob a padlock, but keeping the key herself. If set of integers 0, 1,...,p 1 for a large prime p under multipli- a relatively short (320 bits for example) bit string that is a hash − tegrity of information passing over the internet, and through that Bob places his message in a case (which we presume is tamper cation modulo p. Alice and Bob must also agree on a generator of M, with the property that it is difficult to find other messages internet banking, and e-commerce. But the applications of cryp- resistant!), uses the padlock to secure it and then sends the case g of the group. Then they privately generate random variables a which hash to the same m. A cryptographically strong hash can tography are wider than that, and one can find cryptography em- to Alice she can then use her key to unlock the case. and b respectively. Alice sends ga to Bob and Bob sends gb to be created using any of the standard hash functions [6]. bedded in chip and pin cards, in mobile phones, in machine- Charles the courier does not have the key so cannot open the Alice (see Figure 2). Then if the public key is the pair of numbers (N,e) and the d readable passports, and even in car keys where cryptography pre- case. One might worry that Charles could substitute his own pad- It is easy to see that both can calculate the common value gab, private key is d, the signature is s = m (modulo N). Anyone vents remote entry signals being maliciously recorded and re- lock, which he can open, read the message and only then replace but as long as the discrete logarithm problem in G is hard (that is knowing the public key can check the validity of this, by first cal- e played. Furthermore, in addition to confidentiality – the keeping it secured with Alice’s padlock. This is in fact an example of a to say it is hard to calculate x from knowledge of gx) it seems in culating m from M and then checking that s = m (modulo N). of information secret from those not authorised to access it, cryp- ‘man in the middle’ attack and indeed is something in electronic general to be hard for an interceptor to calculate gab knowing ga There are established standards for digital signatures, for ex- tography can provide a mechanism for authentication, providing form that public-key protocols have to protect against. and gb. The Diffie–Hellman protocol can be used with any group ample: confidence that a message (or a website) really is from the claimed Of course we have to find a mathematical way to replicate the for which the discrete logarithm problem is hard, and one that is 1. Digital Signature Algorithm (DSA), used in the Digital originator. Cryptography also provides a strong way of assuring idea of a padlock. This is done with what is called a trapdoor increasingly popular is the group formed by the addition of points Signature Standard [7], is based on multiplication modulo the integrity of data, which provides confidence that it has not one-way function: a function that is easy to evaluate, and hard to on an elliptic curve defined over a finite field. This is because with a prime. been modified in transmission, either deliberately or by accident. invert without knowledge of a secret used in the construction of elliptic curves it is possible to have shorter transmissions for the 2. ECDSA [8] is based on elliptic curve arithmetic. One of the biggest advances in cryptography in the last 50 the function. The method known as RSA (after Rivest, Shamir same level of security compared to multiplication in a finite field. Both signature schemes have the advantage that they are relatively years has been the discovery and development of public-key cryp- and Adleman) achieves this. RSA is one of the two public-key An elliptic curve can be defined by an equation of the form: short – for example just 512 bits long to give 128 bits of security. tography. It is the functionality of public key that has enabled cryptosystems that are most widely used. y2 = x3 + ux + v and being cubic means that if a straight line For a signature to be useful, the recipient must have confi- many of the applications just mentioned. To explain what public- meets the curve in two points then it meets the curve in exactly one dence that he correctly knows the sender’s public key. In prac- 3 The RSA cryptosystem key cryptography is, I first need to describe traditional cryptog- further point. We can therefore form an addition rule on points tice the sender may need to transmit this along with the message. raphy as has been understood and practised for centuries. Firstly, we need to construct the ‘trapdoor’ – the secret used to The way this is usually achieved is through a certificate. In a construct a one-way function and which is needed to be able to certificate the sender’s public key is itself signed, but this time 1 Traditional cryptography invert it efficiently. For RSA the trapdoor is a pair of prime num- by a certification authority. This certificate can be nested so that With traditional (often called ‘symmetric’) cryptography, before bers P, Q , where only the product N = PQ is made public the certification authority’s public key may itself be signed by a { } communicating securely the sender and receiver have to agree in (see Figure 1). N forms part of the public key, along with an higher signing authority until at the top of the tree is a signature advance on some secret information, usually called a key. This exponent e, a number chosen to be co-prime to P 1 and Q 1. issued by a universally recognised authority. − − key does not need to be particularly large, as few as a hundred Then to encrypt, we write the data to be enciphered as a num- Of course for this process to be valid, it is necessary that cer- bits or so will suffice, but nevertheless it must be communicated ber x in the range 1

Mathematics TODAY AUGUST 2014 184 1 Alice 2 Bob 3 Shared secret: gab a b Now if one knows the factors of N ait is easy to determine on the curve by defining three points to sum to zero if and only (Almost) 50 Years of Public-Key Cryptography 1 Alice d g a value d such that x = y (modulo N), but it1 is Alice difficult to if they lie on a straight line. For curves defined over a field with This article is based on a talk given by Clifford Cocks during the which is then combined with the message (or ‘plaintext’) to pro- determine x otherwise. The best methodgb we have for factor- p elements the number of points will lie between p +1 2p1/2 2 Bob − ing N is the number field sieve and this takes2 time Bob of order and p +1+2p1/2. IMA@50 celebration at the Royal Society in May, and followed duce the enciphered message (or ‘ciphertext’) that is transmitted. ab his award of the 2014 IMA Gold Medal. As long as the recipient has the same key and same encryp- 3 Sharedexp(1.92 secret: log(N)1g/3 log log(N)2/3), much longer than the time 1 Alice d, N 3= PQ Shared secret: gab 5 Other cryptosystems tion device as the sender he can generate the same pseudorandom to encrypta or to decrypt with knowledge of the factors. It is this Introduction d sequence and then remove this from the ciphertext, revealing the that gives2 Bob the scheme its security.x = y mod N a After the discovery of the RSA and Diffie–Hellman methods, b ryptography is a subject that has changed a great deal plaintext. If the cryptography is sound, someone who intercepts e there was an explosion of interest that lead to the discovery of 3 Shared secret: gab y = x mod N b over the last 50 years. It has gone from being something the communication and does not know the key will not be able ga many more public-key systems based on hard mathematical prob- practised mainly by governments and a few enthusiasts, to recover the message content even if they know all the details 1 Alice N,e ga lems with a secret trapdoor. Some, indeed one might say many of C b a into a subject that has many applications and is now widely stud- about the encryption device itself. g the proposals have been found to have weaknesses and have not gb ied in academia. It is also a good example of how pure mathe- There are situations in which this traditional approach for con- 2 Bobb 1 Alice survived scrutiny but a number do seem to have passed the test matics can have unexpected real world applications. fidentiality is quite satisfactory. Car key fobs are an example – the 3 Sharedd, N = secret:gPQa gab of time. One of these is the McEliece system [4], which is based 2 Bob on error-correcting codes with a secret syndrome. Another is the secret key will be installed by the manufacturer and will last for d b d, N = PQ x = y a modg N ab the lifetime of the car. However, in situations in which the set of 3 Sharedd secret: g NTRU system [5] based on multiplication in a polynomial ring. e x = y mod N potential recipients is wide open, as in the case of many uses on y = x b mod N Neither system has been widely used as yet. However the 1 Alice ea the internet, the need to send keys over a different medium before d, N = PQ y = x mod N search for a quantum-resistant public-key system makes these N,ega candidates for possible future use. starting secure communication is a major limitation. 2 Bobd bN,e x = yb mod N g Padlock © aBuriy | Dreamstime.com ab Case © Nancy Catherineg Walker | Dreamstime.com 6 Authentication and digital signatures 2 Public-key cryptography 3 Sharedy = x secret:e mod Ng Figure 1: The RSA public-key system b As well as confidentiality, another feature that public-key cryp- Public-key cryptography is a way of achieving security without a g the need for pre sent keys. The first papers in the public domain d, N =N,ePQ tography can offer is the ability to create digital signatures. A describing this idea were by Whit Diffie and Martin Hellman [1], d b 4 The Diffie–Hellman cryptosystem digital signature is a short string appended to a message which x = y mod N d, N = PQ and by Rivest, Shamir and Adleman [2], although the techniques a confirms the identity of the sender and the integrity of the mes- Thee otherg widely used cryptosystem is the Diffie–Hellman system had been discovered earlier by Ellis, Cocks and Williamson [3] y =[1].x Unlikemod RSAN instead of actually encryptingx = plaintextyd mod in anN in- sage. In many situations integrity and authentication are at least in a classified environment. gb as important as confidentiality. vertibleN,e way this is a protocol that allows twoy parties= xe tomod establishN To see how this functionality might be achieved we can think A digital signature can be checked by anyone in possession of Dr Clifford Cocks CB a shared secret that they can then use as the key for a conventional the sender’s public key, and in essence confirms that the sender about the physical example of a padlock. It has become stan- (ord, N symmetric)= PQ cryptosystem. N,e What has caused the change? Principally, the reason is the dard to name those wishing to communicate Alice and Bob, so knows the associated private key or trapdoor. Hered the two parties Alice and Bob who wish to establish a massive increase in communications that we have seen over this imagine that Alice wishes to receive some confidential informa- x =sharedy secretmod N must agree on a group G in which the discrete log- As an example one can use the RSA system to create digi- tal signatures. Given a message M, a digest m is created that is period. Modern communications need the protection that can tion from Bob using an untrusted courier, Charles. Alice can do y =arithmxe problemmod N is difficult. One example of such a group is the be afforded by cryptography. Cryptography helps ensure the in- this by sending Bob a padlock, but keeping the key herself. If set of integers 0, 1,...,p 1 for a large prime p under multipli- a relatively short (320 bits for example) bit string that is a hash − tegrity of information passing over the internet, and through that Bob places his message in a case (which we presume is tamper cationN,e modulo p. Alice and Bob must also agree on a generator of M, with the property that it is difficult to find other messages internet banking, and e-commerce. But the applications of cryp- resistant!), uses the padlock to secure it and then sends the case g of the group. Then they privately generate random variables a which hash to the same m. A cryptographically strong hash can tography are wider than that, and one can find cryptography em- to Alice she can then use her key to unlock the case. and b respectively. Alice sends ga to Bob and Bob sends gb to be created using any of the standard hash functions [6]. bedded in chip and pin cards, in mobile phones, in machine- Charles the courier does not have the key so cannot open the Alice (see Figure 2). Then if the public key is the pair of numbers (N,e) and the d readable passports, and even in car keys where cryptography pre- case. One might worry that Charles could substitute his own pad- It is easy to see that both can calculate the common value gab, private key is d, the signature is s = m (modulo N). Anyone vents remote entry signals being maliciously recorded and re- lock, which he can open, read the message and only then replace but as long as the discrete logarithm problem in G is hard (that is knowing the public key can check the validity of this, by first cal- e played. Furthermore, in addition to confidentiality – the keeping it secured with Alice’s padlock. This is in fact an example of a to say it is hard to calculate x from knowledge of gx) it seems in culating m from M and then checking that s = m (modulo N). of information secret from those not authorised to access it, cryp- ‘man in the middle’ attack and indeed is something in electronic general to be hard for an interceptor to calculate gab knowing ga There are established standards for digital signatures, for ex- tography can provide a mechanism for authentication, providing form that public-key protocols have to protect against. and gb. The Diffie–Hellman protocol can be used with any group ample: confidence that a message (or a website) really is from the claimed Of course we have to find a mathematical way to replicate the for which the discrete logarithm problem is hard, and one that is 1. Digital Signature Algorithm (DSA), used in the Digital originator. Cryptography also provides a strong way of assuring idea of a padlock. This is done with what is called a trapdoor increasingly popular is the group formed1 by theAlice addition of points Signature Standard [7], is based on multiplication modulo one-way function: a function that is easy to evaluate, and hard to a prime. the integrity of data, which provides confidence that it has not on an elliptic curve1 Alice defined over a finite field. This is because with been modified in transmission, either deliberately or by accident. invert without knowledge of a secret used in the construction of elliptic curves it is possible to have shorter2 transmissions Bob for the 2. ECDSA [8] is based on elliptic curve arithmetic. One of the biggest advances in cryptography in the last 50 the function. The method known as RSA (after Rivest, Shamir same level of security2 Bob compared3 to multiplicationShared secret: in a finitegab field. Both signature schemes have the advantage that they are relatively and Adleman) achieves this. RSA is one of the two public-key short – for example just 512 bits long to give 128 bits of security. years has been the discovery and development of public-key cryp- An elliptic curve can be definedab by an equation of the form: tography. It is the functionality of public key that has enabled cryptosystems that are most widely used. y2 = 3x3 + Sharedux + v and secret: beingg cubic means thata if a straight line For a signature to be useful, the recipient must have confi- many of the applications just mentioned. To explain what public- meets the curve in two points then it meets the curve in exactly one dence that he correctly knows the sender’s public key. In prac- 3 The RSA cryptosystem a b key cryptography is, I first need to describe traditional cryptog- further point. We can therefore form an addition rule on points tice the sender may need to transmit this along with the message. a raphy as has been understood and practised for centuries. Firstly, we need to construct the ‘trapdoor’ – the secret used to b g 1 Alice The way this is usually achieved is through a certificate. In a construct a one-way function and which is needed to be able to 1 Alice ga gb 2 Bob certificate the sender’s public key is itself signed, but this time 1 Traditional cryptography invert it efficiently. For RSA the trapdoor is a pair of prime num- by a certification authority. This certificate can be nested so that b With traditional (often called ‘symmetric’) cryptography, before bers P, Q , where only the product N = PQ is made public 2 Bob g 3 Shared1 Alice secret: gabthe certification authority’s public key may itself be signed by a { } communicating securely the sender and receiver have to agree in (see Figure 1). N forms part of the public key, along with an ab d, N = PQ higher signing authority until at the top of the tree is a signature 3 Shared1 Alice secret: g 2 Boba advance on some secret information, usually called a key. This exponent e, a number chosen to be co-prime to P 1 and Q 1. 1 Alice d issued by a universally recognised authority. − − d, N = PQ x = y mod N key does not need to be particularly large, as few as a hundred Then to encrypt, we write the data to be enciphered as a num- a 3 Shared secret:b gab Of course for this process to be valid, it is necessary that cer- 2 Bob d 2 Bob e bits or so will suffice, but nevertheless it must be communicated ber x in the range 1

Corporate sponsors of IMA@50 Celebrations include:

Mathematics TODAY AUGUST 2014 186