sign in sign up
<<
Home , Key (cryptography), Security level

AN OVERVIEW OF PUBllC Martin E. Hellman

Originally published in IEEE Communications Magazine November 1978 - Valume‘li, Number.6

AUTHOR‘S INTRODUCTION

bout 30 years ago when I first started working in factor of approximately 100,000, so that the US$lO DES cryptography from an unclassified point of view, chip referred to in the article is today a very small part of the climate was far from conducive. On hearing of a chip or software and has almost no associated cost. my new interest, most of my colleagues told me I While the cryptanalyst’s costs have also fallen by this same was crazy to try working in an area where NSA had factor, fortunately his work increases much more rapidly if ‘Ahad a megabudget for decades. “How can you hope to dis- we do the larger computations that have become economi- cover anything new. And if you discover anything good, cal. The promulgation of the Advanced Stan- they’ll classify it.” History has shown that there was more dard (AES) is an important step in this direction. wisdom in their objections than I was willing to allow at Another system that appeared after this article should the time. But some inner foolishness drew me inexorably also be mentioned. Schnorr’s variant of EIGamal’s signa- to the area. And, as sometimes happens, being foolish ture scheme became the basis of the turned out to be smart as well. Two other fools, Diffie and Algorithm. Merkle, independently broke with the conventional wis- The need for large safety margins, mentioned toward dom. Eventually we found each other and joined forces. the end of the article, has been borne out by experience. Somehow we knew that cryptography was something The exponential work factor (at least in 1978) of what I the world would need, and expected great commercial then called the axlx2 system has since been cut to a demand to materialize within five to 10 years. This esti- subexponential level. And the subexponential effort to mate turned out to be optimistic, with widespread com- break RSA has also been significantly decreased. The mercial use taking roughly twice as long to develop. But Number Field Sieve is currently the attack of choice on the scale of deployment has met our grand expectations. both these systems with large keys. Literally millions of people use cryptography daily on the The system I called the axlx2 system in this paper has Internet and, as it should be, most do not even know it is since become known as Diffie-Hellman . protecting them. Their credit card and other sensitive While that system was first described in a paper by Diffie information is transmitted with a high level of crypto- and me, it is a public key distribution system, a concept graphic protection automatically and transparently. Public developed by Merkle, and hence should be called “Diffie- key cryptography, the subject of this paper, is critical in Hellman-Merkle key exchange” if names are to be associ- allowing that ease of use. ated with it. I hope this small pulpit might help in that Re-reading this article, I am struck by several points: endeavor to recognize Merkle’s equal contribution to the The decreasing cost of computation has continued to invention of public key cryptography. Space does not per- make cryptography ever more ubiquitous. In the 25 years mit an explanation of the quirk of fate that seems to have since the article was written, costs have fallen by a further deprived Merkle of the credit he deserves, but a quirk it is.

42 IEEE CommunicationsMagazine 50th Anniversary Commemorotive Issue/Moy 2002 Some systems will succumb, even with large safety mar- them (e.g., in protecting power networks and other critical gins, and the Trap Door Knapsack method described in infrastructure). The 1996 National Research Council’s the article was found to be insecure. This emphasizes the report, “Cryptography’s Role in Securing the Information experimental nature of cryptography and helps make the Society” (CRISIS), explores that theme in depth. The point that there is no substitute for certification via mock report is notable for its unanimous conclusions even attack by one’s colleagues. . though the participants’ backgrounds ranged from the As in 1978, there is still tension between the need for intelligence community to academia. to protect honest people’s sensitive Lastly, from a personal point of view, as I look back 25 information from bad guys and the government’s need to years, I feel a deep sense of gratitude that I was privileged spy on the bad guys when they use cryptography to protect to play a role in such an exciting drama. I thank the IEEE their own secrets. The horror of 9/11 helps bring both Communications Society for bringing a whiff of nostalgia those needs into focus since cryptography can be used both into my life as I write this retrospective. to protect the planning of terrorist operations and to foil

ryptography has been of great impor- no physical mail is given this protection. Confi- tance to the military and diplomatic dential physical messages are not written on communities since antiquity but failed, postcards-and, even if they were, could not be until recently, to attract much commer- scanned at a cost of only $1 for several million cial attention. Recent commercial words. interest, by contrast, has been almost explosive due to the rapid computeri- zation of information storage, trans- THE COST OF ENCRYPTION mission, and spying. Books about World War 11 intelligence opera- Telephone lines are vulnerable to wiretap- tions make it clear that the allies were routinely ping, and if carried by microwave radio, this reading enciphered German messages. The need not entail the physical tapping of any wires. weakness of the Japanese codes was established The act becomes passive and almost unde- by the Congressional hearings into the Pearl tectable. It, recently came to light that the Rus- Harbor disaster, and while it is less well publi- sians were using the antenna farms on the roofs cized, the Germans had broken the primary of their embassy and consulates to listen in on American field . domestic telephone conversations, and that they If the major military powers of World War I1 had been successful in sorting out some conver- could not afford secure cryptographic equip- sations to Congressmen. ment, how is industry to do so in its much more Human sorting could be used, but is too cost-conscious environment? expensive because only a small percentage of Encryption is a special form of computation the traffic is interesting. Instead, the Russians and, just as it was possible to build good, inexpen- automatically sorted the traffic on the basis of sive, reliable, portable computers in the 1940s, it the dialing tones which precede each conversa- was impossible to build good (secure), inexpen- tion and specify the number being called. These sive, reliable, portable encryption units. The sci- tones can be demodulated and a microprocessor entific calculator that sells for under $100 today used to activate a tape recorder whenever an would have cost on the order of a million dollars “interesting” telephone number (one stored in and required an entire room to house it in 1945. memory) is detected. The low cost of such a While embryonic computers were devel- device makes it possible to economically sort oped during the War (often for break- thousands of conversations for even one inter- ing), they were too expensive, unreliable, and esting one. bulky for field use. Most computational aids The problem is compounded in remote com- were mechanical in nature and based on gears. puting because the entire “conversation” is in Similarly, all of the major field computer readable form. An eavesdropper can employed gear-based devices and, just as Bab- then cheaply sort messages not only on the basis bage’s failure indicates the difficulty of build- of the called number, but also on the content of ing a good computer out of gears, it is also the message, and record all messages that con- difficult to build a good from tain one or more keywords. By including a name gears. The development of general-purpose or product on this list, an eavesdropper will digital hardware has freed the designers of obtain all messages from, to, or about the “tar- cryptographic equipment to use the best oper- geted” person or product. While each fact by ations from a cryptographic point of view, itself may not be considered sensitive, the com- without having to worry about extraneous pilation of so many facts will often be considered mechanical constraints. highly confidential. As an illustration of the current low cost of It is now seen why electronic mail must be encryption, the recently promulgated national cryptographically protected, even though almost (DES) can be imple- mented on a single integrated circuit chip, and will sell in the $10 range before long. While This work was suppolled in part under NSF Grant ENG some have criticized the standard as not being 10173. At the time ofpublication was adequately secure [l],this inadequacy is due to with the Department of Electrical Engineering at Stanford political considerations and is not the fault of Universip. insufficient technology.

IEEE CommunitotionsMogozine 50th Anniversory Commemorotive Issue/Moy 2002 43 without any prearrangement between the conver- sants and without access to a sccure key distribu- tion channel. As indicated in the figure, two-way communication is allowed and there are indepen- P=SL’(O dent random number generators at both the trans- Receiver . mitter and the receiver. Two-way communication C=SJP) t‘ is essential to distinguish the receiver from the eavesdropper. Having random number generators at both ends is not as basic a requirement, and is only needed in some implementations. The situation is analogous to having a room full of people who have never met before and who are of equal mathematical ability. I choose FIGURE 1. Convenhonol cryptcgrophic system one other person in the room and, with everyone else listening, give him instructions that allow the two of us to carry on a conversation that no one else can understand. I then choose another person and do the same with him. This sounds somewhat impossible and, from one point of view, it is. If the cryptanalyst had unlimited computer time he could understand everything we said. But that is also true of most /I pb ! conventional cryptographic systems - the - analyst can try all keys until he finds the one source #1 source #2 that yields a meaningful decipherment of the I I intercepted message. The real question is Ei WURE1. Public key cryptogiophic system. whether we can, with very limited computations, exchange a message that would take the cryptan- alyst eons to understand using the most powerful KEY DISTRIBUTIONAND PUBLIC KEY SYSTEMS computers envisionable. A public key cryptosystem [4] has two keys, While digital technology has reduced the cost of one for enciphering and one for deciphering. encryption to an almost negligible level, there While the two keys effect inverse operations and are other major problems involved in securing a are therefore related, there must he no easily communication network. One of the most press- computed method of deriving the deciphering ing is key distribution, the problem of securely key from the enciphering key. The enciphering transmitting keys to the users who need them. key can then be made public without compro- The classical solution to the key distribution mising the deciphering key so that anyone can problem is indicated in Fig. 1. The key is dis- encipher messages, but only the intended recipi- tributed over a as indicated by ent can decipher messages. the shielded cable. The secure channel is not The conventional cryptosystem of Fig. 1 cmbe used for direct transmission of the plain-text likened to a mathematical strongbox with a reset- message P because it is too slow or expensive. table combination lock. The sender and the receiv- The military bas traditionally used courier er use a secure channel to agree on a combination service for distrih,uting keys to the sender and (key) and can then easily lock and unlock (enci- receiver. In commercial systems registered mail pher and decipher) messages, but no one else can. might he used.. Either way, key distribution is A public key cryptosystem can be likened to a slow, expensive, and a major impediment to mathematical strongbox with a new kind of reset- secure communication. table combination lock that has two combina- Keys could he generated for each possible tions, obe for locking and one for unlocking the conversation and distributed to the appropriate lock. (The lock does not lock if merely closed.) users, but the cost would be prohibitive. A sys- By making the locking combination (enciphering tem with even a million subscribers would have the key) public anyone can lock up information, almost 500 billion possible keys to distribute. In but only the intended recipient who knows the the military, the chain of command limits the unlocking combination (deciphering key) can number of connections, hut even there key dis- unlock the box to recover the information. tribution has been a major problem. It will he Public key and related have even more acute in commercial systems. been proposed by Merkle [SI, Diffie and Hell- It is possible for each user to have only one man [4], Rivest ef al. [6], Merkle and Hellman key which he shares with the network rather (71, and McEliece [SI. We will only outline the than with any other user, and for the network to approaches, and the reader is referred to the use as a master key for distributing conversation- original papers for details. specific keys [2, 31. This method requires that The RSA (Rivest ef al.) scheme [6] is based on the portion of the network that distributes the the fact that it is easy to generate two large primes keys (known as the key distribution center or and multiply them together, but it is much more node) be trustworthy and secure. difficult to factor the result. (Try factoring Diffie and Hellman [4] and independently 518940557 by hand. The try multiplying 15107 by Merkle [SI have proposed a radically different 34351.) The product can therefore be made pub- approach to the key distribution problem. As indi- lic as part of the enciphering key without compro- cated in Fig. 2, secure communication takes place mising the factors which cffectively constitute the

44 IEEE Communiiohonr Mogorine 50th hniverroy Commemorotive Isue/Moy 2002 deciphering key. By making each of the factors 100 digits long, the multiplication can be done in I THE RIVEST-SHAMIR-ADLEMAN PUBLICKEY SCHEME a fraction of a second, but factoring would require Design billions of years using the best known algorithm. Find two large prime numbers p and 4,each about 100 decimal digits long. As with all public key cryptosystems there Let n = pq and I&! = 0, - t)( - 1). must be an easily implemented algorithm for ' Choose a random integer E between 3 and QI that has no common factors choosing an enciphering-deciphering key pair, so with I&!.Then it is easy to find an integer D that is the "inverse" of E modulo that any user can generate a pair, regardless of v, that is. D . E differsfrom 1 by a multiple of I&!. his mathematical abilities. In the RSA scheme The public information consists of E and n. All other quantities here are the algorithm first selects two kept secret. large prime numbers p and~qand multiplies them to produce n = pq. The Euler's function is Encryption Given a plin text message P that is an integer between 0 and n - 1 and the computed as $(E) = (p - l)(q - 1). ($(n)is the public encryption number E, form the integer number of integers between 1 a,nd n that have no common factor with n. Everypthnumber has C=PEmodn. p as a common factor with n and every qth num- In other words. raise P to the power E, divide the result by n, and let C be the ber has q as a common factor with n.) Note that remainder. (A practical way to do this computation is given in the text of Hell- it is easy to compute $(n) if the factorization of man's paper.) n is known, hut computing $(n) directly from n Decryption is equivalent in difficulty to factoring n [6]. Using the secret decryption number D. find the plain text P by $(n) as given above has the interesting prop- P = CD mod n. erty that for any integer a between 0 and n - 1 (the integers modulo n) and any integer k In order to determine the secret decryption key D. the cryptanalyst must akNn)+l=a.modn.' (1) factor the 200 or so digit number n. This task would take a million years with Therefore, while all other arithmetic is done the best algorithm known today, assuming a Ips instruction time. modulo n, arithmetic in the exponent is done modulo $(n). A random number E is then chosen between Note that enciphering and deciphering each 3 and $(n) - 1 and which has no common factors involve an exponentiation in modular arithmetic with $(n). This then allows and that this can be accomplished with at most Z(Iog2n) multiplication mod As indicated in D = E-' mod $(n) n. (2) [SI, to evaluate Y = ax,the exponent X is repre- to he calculated easily using an extended version sented in binary form, the base a is raised to the of Euclid's algorithm for computing the greatest lst, 2nd, 4th, Sth, etc. powers (each step involv- common divisor of two numbers [9, p. 315, prob- ing only one squaring or multiplication), and the lem 15; p. 523, solution to problem 151. appropriate set of these are multiplied together The information (E,n) is made'public as the to form Y. enciphering key and is used to transform unenci- Merkle and Hellman's method [7] makes use phered, plain text messages into ciphertext mes- of trapdoor knapsack problems. The knapsack sages as follows: a message is first represented as problem is a combinatorial problem in which a sequence of integers each between 0 and n - 1. one is given a vector of n integers, a, and an Let P denote such integer. Then the correspond- integer S which is a sum of a subset of the {UJ. ing ciphertext integer is given by the relation The problem is to solve for the subset, or equiv- alently, for the binary vector x which is the solu- C = PE modn. (3) tion to the equation The information (D,n) is used as the deciphering key to recover the plain text from the ciphertext via S =a*x. (11) While the knapsack problem is very difficult P = CDmodn. (4) to solve in general, there are specific cases that These are inverse transformations because from are easy to solve. For example, if the knapsack [31,121, and PI vector is = PED = pkN?t)+l = p CD (5) a' = (171,197,459,1191, 2410) (12) As shown by Rivest et al., computing the then given any S', x is easily found because each secret deciphering key from the public encipher- component of (I'is larger than the sum of the ing key is equivalent in difficulty to factoring n. preceding components. If S'=3798, then it is As a small example, suppose p = 5 and q = seen that x5 must be 1 because, if it were 0, a< 11. Then n = 55 and $(n) = 40. If E = 7 then =2410 would not be in the sum and the remain- D = 23 (7 x 23 = 161 = 1 mod 40). If P = 2 ing elements sum to less than s'. After subtract- then ing the effect of as' from S', the solution continues recursively and establishes thatx4 = 1, C = 2' mod 55 = 18 (6) and x3 = 0, xz = 1, and xl = 0. The knapsack vector CD = 1823 mod 55 (7) (I = (5457,4213, 5316, 6013, 7439) (13) =1811821X4181h (8) does not possess the property that each element =18 49 36 26 mod 55 (9) is larger than the sum of the preceding compo- =2 (10) nents, and the simple method of solution is not which is the original plain text. possible. Given S = 17665, there is no obvious A true digital method for finding that x = (O,l,O,l,l) other determines which key was chosen by trying all n than trying almost all 25 subsets. of them on the test message. signature must be a But it “just so happens” that if each compo- The cost to the first user is proportional to n. nent of a is multiplied by 3950 modulo 8443 the He must generate and store n keys, generate and number (so it can be vector a’ of [12] is obtained. By performing the transmit n puzzles, and try n keys on the test mes- same transformation on S, the quantity S‘ = sage. The cost to the second user is also propor- sent in electronic 3798 is obtained. It is now seen that there is a tional to n because he must solve one puzzle that that is easily simple method for solving for x in the equation was designed to have solution cost equal to n. form) The cost to an eavesdropper appears to grow recognized by the S=a*x (14) as n2. He can try solving puzzles at random and by transforming to the easily solved knapsack see if the associated key (solution) agrees with receiver as problem the test message. On the average, he must solve n/2 puzzles, each at a cost of n. S‘ = a’*x. validating the Diffie and Hellman [4] describe a public key The two solution x are the same provided the distribution system based on the discrete expo- particular message modulus is greater than the sum of the {a,’}. nential and logarithm functions. If q is a prime received, but which The variables of the transformation (the multi- number and a is a primitive element, then X and plier 3950 and the modulus 8443) are secret, trap- Yare in a 1:l correspondence for 1 2 X, Y 2 could only have door information used in the construction of the (q - 1) where trap-door knapsack vector a. There is no appar- Y=aX modq been generated by ent easy way to solve knapsack problems involv- (16) ing a unless one knows the trap-door information. and the sender. When a is made public, anyone can represent X = log,Y over GF (4). a message as a sequence of binary x vectors and transmit the information securely in the corre- While the discrete exponential function (16) sponding sums, S = a*x. The intended recipient is easily evaluated, as in [7] and [8], no general, uses his trap-door information (secret decipher- fast algorithms are known for evaluating the dis- ing key) to easily solve for x, but no one else can crete logarithm function (17). Each user chooses do this. Of course the a vector must be signifi- random element X and makes the associated Y cantly longer than that used in this small, illus- public. When users i and j wish to establish a key trative example. for communicating privately they use McEliece’s public key cryptosystem [8] is based K.. = axixj on algebraic coding theory. Goppa codes are (18) highly efficient error correcting codes [lo], but =(Yi)Xj = (Yj)Xi. (19) their ease of error correction is destroyed if the Equation 19 demonstrates how both users i and j bits that make up a codeword are scrambled prior use the easily computed discrete exponential func- to transmission. To generate a public enciphering tion to calculate Kij from their private and the key, a user first selects a Goppa code chosen at other’s public information. An opponent who knows random from a large set of possible codes. He neither user’s secret information can compute Kij if then selects a permutation of the codeword bits, he is willing to compute a discrete logarithm, but computes the generator matrix associated with that can be made computationally infeasible using the scrambled Goppa code, and makes it public the best currently known algorithms [ll]. as his enciphering key. His secret deciphering key The various public key systems are compared is the permutation and choice of Goppa code. in a later section. Anyone can easily encode information (scrambling does not greatly increase the diffi- culty of encoding since the scrambled code is D I G ITA L SIGNATU RES still linear), add a randomly generated error vec- Business runs on signatures, and until electronic , and transmit this. But only the intended communications can provide an equivalent of recipient knows the inverse permutation that the written signature, it cannot fully replace the allows the errors to be corrected easily. physical transportation of documents, letters, McEliece estimates that a block length of contracts, etc. 1000 bits with 500 information bits should foil Current digital authenticators are letter or cryptoanalysis using the best currently known number sequences that are appended to the end attacks. of a message as a crude form of signature. By The other two known methods for communi- encrypting the message and authenticator with a cating securely over an insecure channel without conventional cryptographic system, the authenti- securely transmitting a key are not true public cator can be hidden from prying eyes. It there- key cryptosystems. Rather, they are public key fore prevents third-party forgeries. But because distribution systems that are used to securely the information is shared by the exchange a key over an insecure channel without sender and receiver, it cannot settle disputes as any prearrangement, and that key is then used in to what message, if any, was sent. The receiver a conventional cryptosystem. can give the authentication information to a Merkles’s technique [5]involves an exchange friend and ask him to send a signed message of of “puzzles.” The first user generates n potential the receiver’s choosing. The legitimate sender of keys and hides them as the solution to n differ- messages will of course deny having sent this ent puzzles, each of which costs n units to solve. message, but there is no way to tell whether the The second user chooses one of the n puzzles at sender or receiver is lying. The whole concept of random, solves it, and sends a test message a contract is embedded in the possibility of such encrypted in the associated key. The first user disputes, so stronger protection is needed.

46 IEEE Communications Mogozine 50th Annivenory Commemorahve Issoe/Moy 2002

~~ A true digital signature must be a number (so it can he sent in electronic form) that is easily THE KNAPSACKPROBLEM recognized by the receiver as validating the par- ticular message reccived, but which could only 1.156 have been generated by the sender. It may seem impossiblc fur the receiver tu be able tu recog- nize a number that he cannot generate, but such is nut the case. While there arc other ways tu obtain digital signatures, the easiest tu understand makes use of the public key cryptosystems discussed in the last section. The ith user has a public kcy Ei and a secret key Di. This notation was chosen bccause E, was used tu encipher and 0, was used tu decipher. Suppose, as in the RSA scheme, the enciphering function is onto, that is, for every integer C less than n, there exists an integer m fur which E,(m) = C. Then we can interchange the order of operations and use Di first to sign the message and E; secund to validate the signa- ture. When user i wants to sign and send a mes- sage M tu user j, he operates on M with his secret key 0, to obtain c = Di(M) (20) which he then scnds tu user j. User j obtains i’s public kcy E; from a public file and operates with it on C to obtain M E,(C) = Ei[Di(M)]= M (21) User j saves C as proof that message M was sent to him by user i. Nu one else could have gener- ated C, because only i knows 0;.And ifj tries tu change even one bit in C, he changes its entire The knapsack is filled with a subset of the items shown, with weights indi- meaning (such error propagation is necessary in cated ingrams.Given theweightofthefilled knapsack, 11 56grams.canyoudeter- a good cryptosystem). mine which of the items are contained in the knapsack? (The scale is calibrated to deduct the weight of the empty knapsack.) If i later disclaims having sent message M to This simple version of the classic knapsack problem generally becomes user j, then j takes,C to a “judge” who accesses computationally feasible when there are 100 items rather than 10 as in this the public file and checks whether Ei(C) is a example. However. if the set of weights for the items happens to have some meaningful message with the appropriate date, nice properties known onlyto someonewithspecial “trap-door”information, then time, address, name, etc. If it is, the judge rules that person can quicklydecipher thesecretinformation,i.e., a 100-bit binaly word in favor of j. If it is nut, the ruling is in favor of i. that specifies which of the items are in the knapsack. Digital signatures have an advantage over written signatures because written signatures look thc same, independent of the message. My signature is supposed to look the same on a $100 If signatures are desired, attention should be chcck as on a $1000 check, so a dishonest recipi- directed tu the RSA [6] and trap-door knapsack ent can try to alter the check. Similarly, if a pho- systems [7]. The RSA scheme yields signatures tostat of a contract is acceptable as proof, a directly. While the trap-door knapsack signature dishonest person can alter the contract and method described in [7] is not direct, Merkle make a copy that hides the alteration. Such mis- and Reeds have developed a method for gener- chief is impossible with digital signatures, pro- ating “high-density” trap-door knapsacks that vided the signature system is truly secure. simplify signature generation, and Shamir has The disadvantage of digital signatures is that recently suggested a dircct method for obtaining the ability tu sign is equivalent to possession of a signatures. Both of these approaches are nut yet secret key. This key will probably be stored on a published. magnetic card which, unlike the ability tu sign The (1(~1~2)and Goppa code methods do not one’s name, can be stolen. appear to lend themselves to signatures, but Mekle bas developed a puzzle-like technique for COMPARISON OF PURLIC SYSTEMS generating signatures. KEY So far, as storage requirements for the public This section compares the public key systems file, the ~(~1~2)and RSA schcmes are most that have been proposed. Speed, ease of signa- interesting. Each requires on the order of500 ture generation, and certain other characteristics hits of storage per user. The trap-door knapsack can be compared more readily than the all scheme requires on the order of 100 kbits of important question of . We can storage per user, and the Goppa code method compare the security level using the best known requires on the order of a megabit per user. methods fur breaking each system, but there is Merkle’s puzzle scheme is not really suited tu the danger that better methods will be found public file storage and rather depends on trans- that will change the relative rankings. mission of public information at the start of each

IEE€ (ommunirotiom Mogozine 50th Anniverroly hmemorotive Irwe/Moy 2002 47 ...... As computers b (bits) 100 200 300 500 750 1000 ...... - ...... become foster and 1 Operations 1.1~10’5 1.3~1030 1.4~104s l.8~1075 7.7~10112 3.3~10150 more porallel, ...... 1 Time (years) 36 4X1OT6 5x1O3’ 6x106’ 2 x log9 1 x 10137 the time for > .___ _.~- ...... , .. 0 Table 1. cryptanalysis also ~. ~. r-..- - ’ - falls. A 1 ns i b (bits) 100 200 300 500 750 1000 1-..- ...... ___ ...... _.....I - computer with j Operations 2.8~107 2.3x1011 2.9~10’~3.6~10’9 5.8~10~~1.8~10~~ ’ j ...... _.I ...... millionfold ! Time 30s 3 days 9 years 1 Myr 2 Gyr 6 x 10’5yrs

I_ parallelism might Table 2. reduce the time estimates given in new conversation. The transmitted information communication links become available, Merklc’s must be on the order of a gigabit before signifi- techniquc would become of greater practical the tobles by a cant levels of security are afforded. interest. Instead of storing each user’s public key in a Diffie and Hellman’s enponcntiation method factor of 109. public file (similar to a telephone hook), Kohn- [4] requires the legitimate users to perform an feldcr [12] has suggested having the system give exponentiation in modular arithmetic while the each user a signed mcssage, or certificate, stat- best known cryptanalytic method requircs the ting that user’s public key. The Certificate could computation of a logarithm in modular arith- he stored by the user on a magnetic card, and metic. Exponentiation is easily accomplished in transmitted at the start of a conversation. This at most 2h multiplications, much as in 181, where method converts public file storagc rcquiremcnts b is the number of bits in the reprcscntation of into transmission requirements. The systcm’s the modulus. Each multiplication can hc accom- public key would he needed to check the certifi- plished with at most 2h additions or subtractions, cate and could be published widely. Protccting and cach of these operations involves at most b the system’s secret key might he casy bccause no gate delays for the propagation of carry signals. one else ever has to use it and it could he Overall, an exponentiation in modular arithmetic destroyed after it was used tu certify a group of can be accomplished in at most 4b3 gatc delays. users. Computation of a logarithm in modular arith- Computation time on the part of thc Icgiti- metic is much more complex, and the best cur- mate users is smallest with the trap-door knap- rently known algorithm [ I l] requires Zbi3 or sack method. Th’c a@‘IX2) and RSA schemcs more operations provided the modulus is prop- each require several hundred times as much erly chosen. Each operation involves a multipli- computation, but are still wihin reason. Merkle’s cation, or 2b3 gate delays. Thc work factor is technique requires even more computation. Thc therefore exponential in b. Goppe code technique is extremely fast for enci- If b = 500, the 500 million gate delays arc phering, requiring approximately 500 XORs on required at the legitimate users’ terminals. With 1000-bit vectors, but I have not yet estimated its current technology this can he accomplished in deciphering requirements. scveral seconds, a not unreasonable delay for Turning to security level, Merkle’s puzzie establishing a key during initial connection. method [5]has the advantage of being the most Using b = 500 results in the cryptanalyst having solid method for communicating securely over to do morc than 1075 times as much work as the an insecure channel. That is, it is extrcmely lcgitimate uscrs, a very safe margin. The rcal doubtful that a better method will be found for question is whether better methods cxist for breaking it. Unfortunately, it is also the least computing logarithms in modular arithmetic, or secure, using the best known algorithm. Its work if it is even necessary to compute such a loga- factor (ratio of cryptanalytic effort to encipher- rithm to break this system. ing and deciphering effort, using the best known Table 1 gives the number of operations and algorithms) is only nz:n. Since encryption should time required for cryptanalysis for various values cost on the order of $0.01 and cryptanalysis of b assuming a Ips instruction time. should cost on the order of @ 10 million or more, The storage requirements of this system are this ratio needs to be 10’ or more and corre- small. The public file stores a single b-bit num- sponds ton = lo9. If all of the enciphering and ber for each user and only sevcral b-bit words of deciphering effort were in computation, this memory are required at the transmitter and might he possible in the near future (a $10 receiver, so that single-chip implementation is microprocessor can execute on the order of 1 possible for h on the order of 500. million instructions per second), hut Merkle’s The RSA system [h] also rcquires that the method requires n transmissions as well as n legitimate users perform a modular exponentia- operations on the part of the legitimate users. tion, hut cryptanalysis is equivalent to factoring a Current technology therefore limits Merkle’s h-bit number. Schroeppel has developed a new, scheme ton 2 10,000 which corresponds to as yet unpublished factoring algorithm that approximately 500 kbits of transmission. If fiber appears to require approximately exp{[ln(n) optic or other low cost, ultra-high-bandwidth In(lnn)]1/2} machine cycles where n = 2b is the

48 IEEE Communicotioni Mogoiine 50m Anniveriory Commemorative Irnle/Moy 2002

~~ number to be factored. Table 2 gives the number key and digital signature concepts are necessary A maior problem of operations and time to factor a b-bit number in commercial systems because of the large num- again assuming a 1ps instruction time. ber of interconnections that are possible, and that confronts Public file storage for the RSA scheme is rea- because of the need to settle disputes. sonable, being several hundred to a thousand A major problem that confronts cryptography cryptography is the bits per user. Memory requirements at the trans- is the certification of these systems. How can we mitter and receiver are also comparable to the decide which proposed systems really are secure, certification of these u(x1x2) scheme, so that a single-chip device can and which only appear to be secure? Proofs are systems. How can be built for enciphering and deciphering. not possible using the currently developed theo- The best known method of crytpanalyzing ry of computational complexity and, while such we decide which the trap-door knapsack system requires on the proofs may be possible in the future, something order of 2fl12 operations where n is the size of must be done immediately. The currently accept- proposed systems ' the knapsack vector. Enciphering requires at ed technique for certifying a cryptographic sys- most n additions, so the work factor is exponen- tem as secure is to subject it to a mock attack really are secure, tial. If n is replaced by b, Table 1 gives the under circumstances that are extremely favor- cryptanalytic effort required for various values able to the cryptanalyst and unfavorable to the and which only of n, so n 2 200 provides relatively high security system. If the system resists such a concerted appear to be levels. Since each element of the a vector is attack under unfavorable conditions, it is hoped approximately 2n bits long, if n = 200, the pub- that it will also resist attacks by one's opponents secure? lic storage is approximately 80 kbits/user. Mem- under more realistic conditions. ory requirements at the transmitter and receiver Governments have built up expertise in the I .j,. . , are on the same order. certification area, but due to security constraints, Both enciphering and deciphering require this is not currently available for certification of less computation than either the ~(~1~2)or RSA commercially oriented systems. Rather, this scheme. Enciphering required at most n addi- expertise in the hands of a foreign government , tions and deciphering requires one multiplica- poses a distinct threat to a nation's businesses. It tion in modular arithmetic, followed by at most has even been suggested that poor or nonexis- n subtractions. tent encryption will lead to international eco- Care must be exercised in interpreting these nomic warfare, a concern of importance to tables. First, they assume that the cryptanalyst national security. (There is speculation that this uses the best currently known method, and there occurred with the large Russian purchases may be much faster approaches. For example, of several years ago.) prior to the development of Schroeppel's algo- There is a tradeoff between this and other rithm, the best factoring algorithm appeared to national security considerations that needs to be require exp{ [21n(n) In(lnn)]"2} operations. resolved, but the handling of the national data When b = 200, that would have predicted that encryption standard indicates that public discus- 360 years, not three days, would be required for sion and resolution of the tradeoff is unlikely cryptanalysis. There is the danger that even unless individuals make their concern known at faster algorithms will be found, necessitating a a technical and political level. safety margin in our estimates. As demonstrated by this example, the safety margin is needed in REFERENCES the exponent, not the mantissa. [l] W. Diffie and M. E. Hellman, "Exhaustive Cryptanalysis A similar comment applies to the seemingly of the NBS Data Encryption Standard," Computer, pp. higher security level afforded by the ~(~1~2)and 74-84, June 1977. trap-door knapsack methods when compared to [21 D. Branstad, "Encryption Protection in Computer Data the RSA scheme. For a given value of b the two Communications," presented at the I€€€ Fourth Data tables show that the RSA scheme requires much Communications Symposium, Oct. 7-9, 1975, Quebec, Canada. less computation to break, using the best cur- 131 IBM Syst. J., (Special Issue on Cryptography), vol. 17, rently known techniques. But it is not clear no. 2, 1978. whether this is because the factoring is inherent- [4] W. Diffie and M. E. Hellman, " New Directions in Cryp- ly easier than computing discrete algorithms or tography," I€€€ Trans. Info. Theory, vol. IT-22, Nov. 1976, pp. 644-54. solving knapsack problems, or whether it is due [51 R. C. Merkle, "Secure Communication over an Insecure to the greater study that has been devoted to Channel," Commun. Ass. Comp. Mach., vol. 21, Apr. factoring. 1978, pp. 294-99. As computers become faster and more paral- [6] R. L. Rivest, A. Shamir, and L. Adleman, "On Digital Sig- natures and Public Key Cryptosystems," Commun. Ass. lel, the time for cryptanalysis also falls. A Ins Comp. Mach., vol. 21, Feb. 1978, pp. 120-26. computer with millionfold parallelism might [71 R. C. Merkle and M. E. Hellman, "Hiding Information reduce the time estimates given in the tables by and Signatures in Trap-door Knapsacks," I€€€ Trans. a factor of 109. Info. Theory, vol. IT-24, Sept. 1978, pp 525-30. [81 R. J. McEliece, "A Public Key System based on Algebraic Coding Theory," JPL DSN Progress Rep., 1978. [91 D. E. Knuth, The Art of Computer Programming, VoI. 2, CONCLUSIONS Seminumerical Algorithms, Reading, MA: Addison-Wes- We are in the midst of a communications revolu- ley, 1969. [I01 E. R. Berlekamp, "Goppa Codes," /€E€ Trans. Info. The- . tion that will impact many aspects of people's ory, vol. IT-19; Sept. 1973, pp. 590-92. every day lives. Cryptography is an essential [l11 S. C. Pohlig and M. E. Hellman, "An Improved Algo- ingredient in this revolution, and is necessary to rithm for Computing Logarithms over GF(p) and its preserve privacy from computerized censors Cryptographic Significance," I€€€ Trans. Info. Theory, vol. IT-24, Jan. 1978, pp. 106-1 0. capable of scanning millions of pages of docu- 11 21 L. Kohnfelder, Towards a Practical Public-Key Cryp- ments for even one sensitive datum. The public tosystem, MIT Lab. For Comput. Sci., June 1978.

IEEE CommunicotionsMogozine 50th Anniversary Commemorative Issue/Moy 2002 49