
An Overview of Public Key Cryptography

Martin E. Hellman

With a public key cryptosystem, the key used to encipher a message can be made public without compromising the secrecy of a different key needed to decipher that message.

This work was supported in part under NSF Grant ENGJ0173. The author is with the Department of Electrical Engineering, Stanford University, Stanford, CA 94305.

0148-9615/78/1100-0024$00.75 © 1978 IEEE. IEEE Communications Society Magazine, November 1978.

I. COMMERCIAL NEED FOR ENCRYPTION

Cryptography has been of great importance to the military and diplomatic communities since antiquity but failed, until recently, to attract much commercial attention. Recent commercial interest, by contrast, has been almost explosive due to the rapid computerization of information storage, transmission, and spying.

Telephone lines are vulnerable to wiretapping, and if carried by microwave radio, this need not entail the physical tapping of any wires. The act becomes passive and almost undetectable. It recently came to light that the Russians were using the antenna farms on the roofs of their embassy and consulates to listen in on domestic telephone conversations, and that they had been successful in sorting out some conversations to Congressmen.

Human sorting could be used, but is too expensive because only a small percentage of the traffic is interesting. Instead, the Russians automatically sorted the traffic on the basis of the dialing tones which precede each conversation and specify the number being called. These tones can be demodulated and a microprocessor used to activate a tape recorder whenever an "interesting" telephone number (one stored in memory) is detected. The low cost of such a device makes it possible to economically sort thousands of conversations for even one interesting one.

This problem is compounded in remote computing because the entire "conversation" is in computer readable form. An eavesdropper can then cheaply sort messages not only on the basis of the called number, but also on the content of the message, and record all messages which contain one or more keywords. By including a name or product on this list, an eavesdropper will obtain all messages from, to, or about the "targeted" person or product. While each fact by itself may not be considered sensitive, the compilation of so many facts will often be considered highly confidential.

It is now seen why electronic mail must be cryptographically protected, even though almost no physical mail is given this protection. Confidential physical messages are not written on postcards and, even if they were, could not be scanned at a cost of only $1 for several million words.

II. THE COST OF ENCRYPTION

Books about World War II intelligence operations make it clear that the allies were routinely reading enciphered German messages. The weakness of the Japanese codes was established by the Congressional hearings into the Pearl Harbor disaster, and while it is less well publicized, the Germans had broken the primary American field cipher.

If the major military powers of World War II could not afford secure cryptographic equipment, how is industry to do so in its much more cost-conscious environment?

Encryption is a special form of computation and, just as it was impossible to build good, inexpensive, reliable, portable computers in the 1940's, it was impossible to build good (secure), inexpensive, reliable, portable encryption units. The scientific calculator which sells for under $100 today would have cost on the order of a million dollars and required an entire room to house it in 1945.

While embryonic computers were developed during the war (often for codebreaking), they were too expensive, unreliable, and bulky for field use. Most computational aids were mechanical in nature and based on gears. Similarly, all of the major field ciphers employed gear-based devices and, just as Babbage's failure indicates the difficulty of building a good computer out of gears, it is also difficult to build a good cryptosystem from gears. The development of general-purpose digital hardware has freed the designers of cryptographic equipment to use the best operations from a cryptographic point of view, without having to worry about extraneous mechanical constraints.

As an illustration of the current low cost of encryption, the recently promulgated national Data Encryption Standard (DES) can be implemented on a single integrated circuit chip, and will sell in the $10 range before long. While some have criticized the standard as not being adequately secure [1], this inadequacy is due to political considerations and is not the fault of insufficient technology.

III. KEY DISTRIBUTION AND PUBLIC KEY SYSTEMS

While digital technology has reduced the cost of encryption to an almost negligible level, there are other major problems involved in securing a communication network. One of the most pressing is key distribution, the problem of securely transmitting keys to the users who need them.

The classical solution to the key distribution problem is indicated in Fig. 1. The key is distributed over a secure channel as indicated by the shielded cable. The secure channel is not used for direct transmission of the plaintext message P because it is too slow or expensive.

[Fig. 1. Conventional Cryptographic System.]

The military has traditionally used courier service for distributing keys to the sender and receiver. In commercial systems registered mail might be used. Either way, key distribution is slow, expensive, and a major impediment to secure communication.

Keys could be generated for each possible conversation and distributed to the appropriate users, but the cost would be prohibitive. A system with even a million subscribers would have almost 500 billion possible keys to distribute. In the military, the chain of command limits the number of connections, but even there, key distribution has been a major problem. It will be even more acute in commercial systems.

It is possible for each user to have only one key which he shares with the network rather than with any other user, and for the network to use this as a master key for distributing conversation specific keys [2], [3]. This method requires that the portion of the network which distributes the keys (known as the key distribution center or node) be trustworthy and secure.

Diffie and Hellman [4] and independently Merkle [5] have proposed a radically different approach to the key distribution problem. As indicated in Fig. 2, secure communication takes place without any prearrangement between the conversants and without access to a secure key distribution channel. As indicated in the figure, two way communication is allowed and there are independent random number generators at both the transmitter and the receiver. Two way communication is essential to distinguish the receiver from the eavesdropper. Having random number generators at both ends is not as basic a requirement, and is only needed in some implementations.

[Fig. 2. Public Key Cryptographic System.]

The situation is analogous to having a room full of people who have never met before and who are of equal mathematical ability. I choose one other person in the room and, with everyone else listening, give him instructions which allow the two of us to carry on a conversation that no one else can understand. I then choose another person and do the same with him.

This sounds somewhat impossible and, from one point of view, it is. If the cryptanalyst had unlimited computer time he could understand everything we said. But that is also true of most conventional cryptographic systems - the cryptanalyst can try all keys until he finds the one that yields a meaningful decipherment of the intercepted message. The real question is whether we can, with very limited computations, exchange a message which would take the cryptanalyst eons to understand using the most powerful computers envisionable.

A public key cryptosystem [4] has two keys, one for enciphering and one for deciphering. While the two keys effect inverse operations and are therefore related, there must be no easily computed method of deriving the deciphering key from the enciphering key. The enciphering key can then be made public without compromising the deciphering key so that anyone can encipher messages, but only the intended recipient can decipher messages.

The conventional cryptosystem of Fig. 1 can be likened to a mathematical strongbox with a resettable combination lock. The sender and receiver use a secure channel to agree on a combination (key) and can then easily lock and unlock (encipher and decipher) messages, but no one else can.

A public key cryptosystem can be likened to a mathematical strongbox with a new kind of resettable combination lock that has two combinations, one for locking and one for unlocking the lock. (The lock does not lock if merely closed.) By making the locking combination (enciphering key) public anyone can lock up information, but only the intended recipient who knows the unlocking combination (deciphering key) can unlock the box to recover the information.

Public key and related cryptosystems have been proposed by Merkle [5], Diffie and Hellman [4], Rivest et al. [6], Merkle and Hellman [7], and McEliece [8]. We will only outline the approaches, and the reader is referred to the original papers for details.

- 1 and which has no common factors with $\phi(n)$. This then allows

$$D = E^{-1} \bmod \phi(n) \qquad (2)$$

to be calculated easily using an extended version of Euclid's algorithm for computing the greatest common divisor of two numbers [9, p. 315, problem 15; p. 523, solution to problem 15]

Electronic mail unlike ordinary mail is machine

THE RIVEST-SHAMIR-ADLEMAN PUBLIC KEY SCHEME

Design

Find two large prime numbers $p$ and $q$, each about 100 decimal digits long. Let $n = pq$ and $\phi = (p-1)(q-1)$. Choose a random integer $E$ between 3 and $\phi$ which has no common factors with $\phi$. Then it is easy to find an integer $D$ which is the "inverse" of $E$ modulo $\phi$, that is, $D \cdot E$ differs from 1 by a multiple of $\phi$.
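Added example (not code from Hellman's article): the sidebar's key design steps in Python, with D obtained through the extended version of Euclid's algorithm that equation (2) refers to. The function names, the Miller-Rabin primality test and the use of Python's `secrets` module are assumptions of this example; the article specifies none of them.

```python
import secrets

def extended_euclid(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; an assumption, the article names no primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)   # random base in [2, n-2]
        if x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s)):
            return False                              # base proves n composite
    return True

def random_prime(digits):
    lo = 10 ** (digits - 1)
    while True:
        c = (lo + secrets.randbelow(9 * lo)) | 1      # odd candidate in [lo, 10*lo)
        if is_probable_prime(c):
            return c

def design_keys(digits=100):
    """Sidebar steps: p, q, n = pq, phi = (p-1)(q-1), random E, D = E^-1 mod phi."""
    p = q = random_prime(digits)
    while q == p:
        q = random_prime(digits)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = 3 + secrets.randbelow(phi - 3)            # 3 <= E < phi
        g, x, _ = extended_euclid(e, phi)
        if g == 1:                                    # E has no common factor with phi
            return {"p": p, "q": q, "n": n, "phi": phi, "E": e, "D": x % phi}

if __name__ == "__main__":
    k = design_keys()
    print(len(str(k["n"])), "digit modulus; D*E mod phi =", k["D"] * k["E"] % k["phi"])
```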