Privacy and Authentication: An Introduction to Cryptography

Whitfield Diffie and Martin E. Hellman
Proceedings of the IEEE, Vol. 67, No. 3, pp. 397-427

Abstract: This paper presents a tutorial introduction to contemporary cryptography. The basic information theoretic and computational properties of classical and modern cryptographic systems are presented, followed by cryptanalytic examination of several important systems and an examination of the application of cryptography to the security of timesharing systems and computer networks. The paper concludes with a guide to the cryptographic literature.

PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979, p. 397. Invited Paper.
I. INTRODUCTION

Until recently, cryptography has been of interest primarily to the military and diplomatic communities. Private individuals and even commercial organizations have rarely considered it necessary to resort to encryption for the protection of their communications, and those that have, have seldom done so with particular care. Today, however, several factors have combined to stimulate great interest in commercial applications.

Electronic communications are replacing paper media in a rapidly increasing variety of applications. The effect of this is both to increase the amount and variety of information available to an eavesdropper, and to make the act of eavesdropping easier. Fortunately the same factors which promote the spread of electronic communications are producing a marked decrease in the cost of cryptography.

Where once the nation's business was conducted either by personal contact or written correspondence, it is now handled largely over the telephone, creating the environment for a substantial wiretapping industry. The replacement of wires by microwaves has even allowed the wireman to ply his trade without having to tap any actual wires. Finally, the introduction of direct long distance dialing has made it possible to identify calls of interest even when the tap is placed a long way from the person being spied upon, because each call is preceded by a digital sequence identifying the number being called.

It has come to light over the past two years that the Russians are monitoring telephones from their embassy in Washington and their consulates in other parts of the country. Microwave antennas intercept telephone traffic destined for such vital places as the Capitol building, and computer programs automatically select the conversations of interest [1], [2].

Data communications are even more vulnerable than voice telephony because, with voice the eavesdropper lacks the ability to discern the content of a spoken message, unless a costly human monitor is employed, but if the intercepted material is in computer readable form (e.g., Telex), no such limitation is imposed. It has been reported [3, p. 765] that for some years the National Security Agency (NSA), in its operation Shamrock, scanned all telegraph and Telex messages passing in and out of the United States for keywords.

The cost of eavesdropping should continue to decline with time. There is at present extensive research into speech recognition [4], [5], and many communications will soon be carried on digitized packet-switched networks [6]. Electronic mail and Electronic Funds Transfer (EFT) are being developed to replace their present day counterparts, and telephone verification of credit data is already a reality.

As a result, private and commercial interest in cryptography has been rising, new papers have begun to appear, and the National Bureau of Standards (NBS) has adopted a cryptographic system [7] to be used as the federal Data Encryption Standard (DES) on sensitive but unclassified data.

This paper is intended as an introduction to the fascinating but forbidding subject of cryptography. It provides both a grounding in the fundamentals and a feel for the subject to anyone interested either in doing cryptographic research or employing cryptographic security. Cryptography is currently an engineering subject in which there are more facts and rules of thumb than theorems or systematic developments. The text naturally reflects this quality and, of necessity, combines a wide variety of material.

The next section surveys cryptographic fundamentals, defining concepts which are used and examined throughout the paper. This is followed in Section III by a survey of cryptographic systems ranging from puzzle cryptography to the DES and the new public key systems. Section IV explores the taxonomy of cryptographic systems, providing a framework for classifying many of the systems given as examples in the previous section. Section V covers some practical problems of applying cryptography, while Section VI reviews various applications. The last section contains a survey of the relevant literature.

Manuscript received May 22, 1978; revised November 28, 1978. This work was partially supported by the National Science Foundation under NSF Grant ENG 10173. W. Diffie was with the Department of Electrical Engineering, Stanford University and the Stanford Artificial Intelligence Laboratory, Stanford, CA. He is now with BNR, Inc., Palo Alto, CA 94304. M. E. Hellman is with the Department of Electrical Engineering, Stanford University, Stanford, CA 94305.

II. CRYPTOGRAPHIC FUNDAMENTALS

A. Privacy and Authentication
When valuable or secret data must be stored or transmitted, they are frequently protected physically through the use of safes, armed couriers, shielded cables, and the like. As electronic forms of communication and storage take over from their predecessors, however, such measures often become inapplicable, insufficient or uneconomical, and other techniques must be employed.

0018-9219/79/0300-0397$00.75 © 1979 IEEE

Fig. 1. The flow of information in a cryptographic privacy system.

Fig. 2. The flow of information in a cryptographic authentication system.

Central among these techniques is cryptography: the use of transformations of data intended to make the data useless to one's opponents. Such transformations provide solutions to two major problems of data security: the privacy problem, preventing an opponent from extracting information from a communication channel, and the authentication problem, preventing an opponent from injecting false data into the channel or altering messages so that their meaning is changed.

In telephone communication the problem of authentication predominates, since the called party cannot determine who is calling. Eavesdropping, which requires the use of a wiretap, is technically more difficult and legally more hazardous than calling and pretending to be someone else. In radio communication, the situation is reversed. Eavesdropping is passive and involves scant legal hazard, while injection exposes the illegitimate transmitter to discovery and prosecution.

Sometimes it is sufficient to authenticate that a message has not been modified by a third party (someone other than the sender or receiver). At other times, it is important for the receiver to be able to prove that he actually received the message from the sender, and that he has not modified it or originated it himself. The problem of dispute is to provide the recipient of a message with legal proof of the identity of the sender. On channels used for electronic funds transfer or contract negotiation, it is important to provide the electronic equivalent of a written signature, in order to settle any dispute between the sender and receiver as to what message, if any, was sent.

The problems of privacy and authentication are closely related and techniques for solving one can frequently be applied to the other. This paper examines the problem of privacy first because it is the older, the more widespread, and the more familiar of the two.

B. Basic Concepts

Fig. 1 illustrates the flow of information in a cryptographic privacy system. The transmitter generates a plaintext or unenciphered message P, which is to be communicated to a legitimate receiver over an insecure channel monitored by an eavesdropper. To prevent the eavesdropper from learning the contents of P, the transmitter enciphers or encrypts P with an invertible transformation S_K to produce the cryptogram or ciphertext C = S_K(P). When the legitimate receiver obtains C he deciphers or decrypts it with the inverse transformation S_K^{-1} to obtain

$S_K^{-1}(C) = S_K^{-1}(S_K(P)) = P$   (1)

the original plaintext message.

The transformation S_K is chosen from a family of transformations known as a cryptographic system, general system, or merely system. The parameter that selects the individual transformation to be employed is called the specific key or key. The general system is a set of instructions, a piece of hardware, or a computer program which is capable of encrypting the plaintext (and decrypting the ciphertext) in a variety of ways, one of which is selected by the specific key. There is a close analogy here with a general purpose digital computer and a program. The computer, like the general system, is capable of a wide variety of behaviors, from which the program, like the specific key, selects one.

More formally, a cryptographic system is a single parameter family $\{S_K\}_{K \in \mathcal{K}}$ of invertible transformations

$S_K : \mathcal{P} \to \mathcal{C}$   (2)

from a space $\mathcal{P}$ of plaintext messages to a space $\mathcal{C}$ of ciphertext messages. The parameter or key, K, is selected from a finite set $\mathcal{K}$ called the keyspace.

It is customary to regard the general system, that is the family of transformations, as public information. This is partly a matter of convention (the portion that is publicly revealed is what is called the general system) and partly a reflection of a very important rule of security engineering: The security of a system should not depend on the secrecy of something which cannot be easily changed if it is compromised. The general system is usually a piece of equipment, which can be replaced only at considerable delay and expense, while the key is an easily changed datum such as an IBM card.

A cryptographic system is analogous to a resettable combination lock used to secure a safe. The structure of the lock is available to anyone who cares to purchase one. The combination, however, is kept secret and can be changed whenever it is suspected of having fallen into unauthorized hands. Even though an opponent knows the set of all possible keys or combinations, he may still be unable to discover which one is correct.

Despite the principle of publicity of the general system, it is still the practice of many users of cryptography to keep their systems secret. This is both because it is more difficult for an opponent to break a system with which he is unfamiliar, and because many suppliers of cryptographic equipment are themselves espionage organizations which want to prevent good systems from falling into the hands of their opponents. Unfortunately, this practice has carried over into the commercial area, making it difficult for a customer to obtain the information needed to make an intelligent choice among cryptographic products.

Since all security resides in the secrecy of the key, it must be conveyed to the sender or the receiver over a secure key distribution channel, such as courier service or registered mail, indicated by the shielded path in Fig. 1.

Fig. 2 illustrates why a cryptographic system can also be used to solve the authentication problem. In this case, the opponent not only sees all cryptograms flowing on the channel, but can alter them at will. The legitimate receiver protects himself from being deceived by an altered or injected message by decrypting all the messages he receives, and accepting only messages encrypted with the correct key.

Any attempt by the eavesdropper either to decrypt a cryptogram C to get the plaintext P, or to encrypt an inauthentic plaintext P' to get an acceptable cryptogram C', without obtaining the key K from the key channel is called cryptanalysis. If cryptanalysis is impossible so that a cryptanalyst cannot deduce P from C, or C' from P' without prior knowledge of the key, the cryptographic system is said to be secure.
C. Cryptanalytic Attacks

The first step in assessing the adequacy of a cryptographic system is to classify the types of attack to which it may be subjected. For this purpose we must make a more thorough examination of the information which may be available to the cryptanalyst.

Usually the worst circumstance from the point of view of the cryptanalyst is to have nothing available to him but the material he has intercepted, knowledge of the general system, and some general knowledge of his opponent's messages. This may be limited to a knowledge of the statistical properties of the language in use (e.g., in English, the letter E occurs 13 percent of the time) and a knowledge of certain probable words (e.g., a letter probably ends "Sincerely yours,"). Although occasionally a cryptanalyst may be ignorant even of the language or system in use, this is the weakest threat to which a system is normally subjected, and any system which succumbs to it must be considered completely insecure. It is called a ciphertext only attack.

When cryptography is used to protect computer or business data, the cryptanalyst often knows substantial amounts of corresponding plaintext and ciphertext, making possible a known plaintext attack. The rigid structure of the formal languages used in programming, or of data such as business forms, guarantees that the opponent will know much detail of the plaintext a priori.

The known plaintext attack is a natural extension of the use of probable words in a ciphertext only attack. In formal languages such as Algol, the almost certain and often repeated occurrence of words like PROCEDURE and INTEGER provide a close approximation to known plaintext in most cases. Diffie and Hellman [8] describe how a known plaintext attack on the DES can be adapted to be a ciphertext only attack when the plaintext is represented in ASCII. This is an illustration of how rigid structure in the underlying language may provide the cryptanalyst with the equivalent of known plaintext, and emphasizes the prudence of assuming that any system will be subject to a known plaintext attack.

Many secret messages sent for business purposes, press releases and product announcements, for example, are intended for subsequent public release. If such a message is sent in a system which is not secure against a known plaintext attack, then all messages encrypted in the same key will be compromised. In the past, users have tried to counter this threat by paraphrasing plaintexts which had been encrypted prior to their release. In an English message, such as a press release, paraphrasing introduces the danger that the meaning will be altered, while in a formal message, such as a program, it is next to impossible. It is far better to design the cryptosystem to be secure against a known plaintext attack.

While a known plaintext attack is not always possible, its occurrence is frequent enough that a system that succumbs to it is not considered secure. The NBS has accepted the known plaintext attack as appropriate in judging the security of its DES.

The cryptanalyst is sometimes in the even stronger position of being able to see the ciphertext corresponding to any plaintext he chooses. His problem is to determine the key for later use in enciphering or deciphering other messages. This is a chosen plaintext attack. It is sometimes appropriate to consider the cryptanalyst as being able to select either the ciphertext or the plaintext at will. This is the even more powerful chosen text attack.

For the purpose of certifying systems as secure, it is appropriate to consider the more formidable cryptanalytic threats, as these not only give more realistic models of the working environment of a cryptographic system, but also make the assessment of the system's strength easier. IBM used a chosen plaintext attack in certifying the national DES [9]. And, as will be shown in Section III, many systems which were difficult to break using a ciphertext only attack could have been ruled out immediately under known plaintext attack or chosen text attack.

Systems vulnerable to the less powerful attacks are no longer of interest in view of the ease with which systems resistant to chosen text attacks can now be constructed. Systems of World War II or earlier vintage were frequently insecure against even a known plaintext attack, and were therefore subject to a cumbersome set of signaling rules designed to prevent an opponent from gaining possession of corresponding plain and cipher texts. Examples were, "Never encipher the same plaintext in two different cryptosystems." and "Never declassify a plaintext without first paraphrasing it." Human nature being what it is, such rules were often broken, sometimes with disastrous results.
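The press-release scenario above, as an added example that is not from the paper: a simple substitution cipher (the paper's own example of a system that fails a known plaintext attack) is used for a press release that is later published, and the part of the key this reveals reads a second, confidential message sent under the same key. The key, the press release and the second message are constructed for illustration; the function names are my own.

```python
"""Why a released plaintext compromises every other message under the same key
(Section II-C), shown on simple substitution. Added example, not the paper's code."""
import random
import string

ALPHABET = string.ascii_uppercase


def make_key(seed: int) -> dict:
    """Constructed substitution key: one of the 26! permutations of the alphabet."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


def substitute(text: str, key: dict) -> str:
    """Letter-for-letter substitution; spaces and punctuation pass through."""
    return "".join(key.get(ch, ch) for ch in text.upper())


def recover_key(plaintext: str, ciphertext: str) -> dict:
    """Known plaintext attack: pairing each plaintext letter with the ciphertext
    letter at the same position recovers every key entry the text exercised.
    An inconsistent pair means the two texts were not under one key."""
    partial = {}
    for p, c in zip(plaintext.upper(), ciphertext):
        if p not in ALPHABET:
            continue
        if partial.get(p, c) != c:
            raise ValueError(f"inconsistent mapping for {p}")
        partial[p] = c
    return partial


def read_with_partial_key(ciphertext: str, partial: dict) -> str:
    """Decipher another cryptogram with only the recovered key entries;
    letters whose plaintext is still unknown are shown as '?'."""
    inverse = {c: p for p, c in partial.items()}
    return "".join(inverse.get(ch, "?") if ch in ALPHABET else ch for ch in ciphertext)


KEY = make_key(seed=1979)
# Constructed traffic: a release that will be published, and a confidential
# message enciphered in the same key. Paraphrasing the release would not help
# much; the remedy the paper recommends is a system that resists known plaintext.
PRESS_RELEASE = "THE BOARD OF DIRECTORS ANNOUNCES RECORD QUARTERLY PROFITS AND A NEW DIVIDEND"
CONFIDENTIAL = "TRANSFER FUNDS TO THE ZURICH ACCOUNT BEFORE FRIDAY"


def demo() -> tuple:
    """Returns (recovered partial key, what the opponent reads of the second message)."""
    c1 = substitute(PRESS_RELEASE, KEY)
    c2 = substitute(CONFIDENTIAL, KEY)
    partial = recover_key(PRESS_RELEASE, c1)   # release is public, c1 was intercepted
    return partial, read_with_partial_key(c2, partial)


if __name__ == "__main__":
    partial, leaked = demo()
    print(f"recovered {len(partial)} of 26 key entries from the published release")
    print("second message now reads:", leaked)
```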
D. Unconditional and Computational Security

There are two fundamentally different ways in which cryptographic systems may be secure.

In some systems, the amount of information available to the cryptanalyst is actually insufficient to determine the enciphering and deciphering transformations, no matter how much computing power the cryptanalyst has available. A system of this kind is called unconditionally secure.

Even when the intercepted material contains sufficient information to allow a unique solution to the cryptanalytic problem, there is no guarantee that this solution can be found by a cryptanalyst with limited computational resources. It then becomes the goal of the designer of a cryptographic system to make the enciphering and deciphering operations inexpensive, while ensuring that any successful cryptanalytic operation would be too complex to be economical. What is required is that the task of the cryptanalyst, though known to be achievable with a finite amount of computation, is so overwhelming as to exhaust the physical computing resources of the universe. We will call a task of this magnitude computationally unfeasible, and the associated cryptographic system computationally secure.

While some unconditionally secure systems can be proven secure, the theory of computational complexity is at present inadequate to demonstrate the computational infeasibility of any cryptanalytic problem. Cryptography is therefore forced to rely on the less formal certification process of subjecting a prospective cryptosystem to cryptanalytic assault under circumstances considered favorable to the cryptanalyst.

The only unconditionally secure system in common use is the one time tape, in which the plaintext is combined with a totally random key of the same length. Usually the plaintext is represented as an n-bit binary string which is XORed with a totally random key of the same length. As the name suggests, this key is never reused.

Even if the cryptanalyst could try deciphering under all 2^n possible keys, he would merely see all 2^n possible plaintexts, including not only the correct one, but also all other meaningful plaintexts of the same length. Because intercepting the cryptogram does not allow the cryptanalyst to rule out any plaintext messages, he learns absolutely nothing except the length of the message.
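An added example, not part of the paper, serving both the one time tape argument just made and the unicity distance derivation that follows in this subsection: it exhausts all 2^n keys of a small one time tape to show that every n-bit plaintext appears, then carries through eq. (3) N0 = H(K)/D, the unique-solution test (4) and the known plaintext redundancy (5) with the paper's figures for simple substitution on English. Function names are my own.

```python
"""Section II-D worked through: one time tape key exhaustion and the Shannon
unicity distance for simple substitution. Added example, not the paper's code."""
from math import factorial, log2


def otp_exhaust(ciphertext: int, n_bits: int) -> set:
    """Decipher an n-bit one time tape cryptogram under all 2^n keys. Every
    n-bit plaintext is produced, so the cryptogram reveals only its length."""
    return {ciphertext ^ key for key in range(1 << n_bits)}


def otp_leaks_nothing(n_bits: int) -> bool:
    """True when every cryptogram of n bits decrypts to the whole plaintext space."""
    return all(len(otp_exhaust(c, n_bits)) == 1 << n_bits for c in range(1 << n_bits))


def key_entropy_bits(num_keys: int) -> float:
    """H(K) = log2(number of keys), the usual figure when keys are equiprobable."""
    return log2(num_keys)


def redundancy_bits_per_char(alphabet_size: int, info_per_char: float) -> float:
    """D = log2(alphabet size) minus the information a character really conveys."""
    return log2(alphabet_size) - info_per_char


def unicity_distance(h_k: float, d: float) -> float:
    """Eq. (3): N0 = H(K)/D. With no redundancy (D = 0) N0 is infinite, as for a
    one time tape or perfectly compressed plaintext."""
    return float("inf") if d <= 0 else h_k / d


def uniquely_solvable(h_k: float, n_chars: int, d: float) -> bool:
    """Eq. (4): a unique solution becomes possible once H(K) < N*D
    (more 'equations' N*D than key 'unknowns' H(K))."""
    return h_k < n_chars * d


def redundancy_with_known_plaintext(n_total: int, n_known: int, d: float,
                                    alphabet_size: int) -> float:
    """Eq. (5): a known character contributes all log2(alphabet) bits; the
    others contribute only the language redundancy D."""
    return (n_total - n_known) * d + n_known * log2(alphabet_size)


# The paper's figures for simple substitution on English.
H_SUBST = key_entropy_bits(factorial(26))        # log2(26!) = 88.4 bits
D_ENGLISH = redundancy_bits_per_char(26, 1.5)    # 4.7 - 1.5 = 3.2 bits/character
N0_SUBST = unicity_distance(H_SUBST, D_ENGLISH)  # about 28 characters
# 1000 intercepted characters of which 100 are known plaintext, eq. (5).
REDUNDANCY_1000_100 = redundancy_with_known_plaintext(1000, 100, D_ENGLISH, 26)

if __name__ == "__main__":
    print("one time tape (n = 8) leaks nothing but length:", otp_leaks_nothing(8))
    print(f"H(K) simple substitution = {H_SUBST:.1f} bits")
    print(f"D English = {D_ENGLISH:.1f} bits/character, N0 = {N0_SUBST:.0f} characters")
    print(f"25 characters uniquely solvable by (4)? {uniquely_solvable(H_SUBST, 25, D_ENGLISH)}")
    print(f"redundancy of 1000 chars with 100 known = {REDUNDANCY_1000_100:.0f} bits")
```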
Fig. 3. The flow of information in a public key system.

Shannon [10] analyzed unconditional security in more detail. If the cryptanalyst has unlimited computing time, he has no need for computational efficiency, and can do a complete cryptanalysis by trying all possible keys and keeping all meaningful plaintexts which result. In a one time tape, all meaningful messages of the same length as the cryptogram must be kept, but in other unconditionally secure systems there may be a smaller number of meaningful plaintexts. For example, the cryptogram XMDA resulting from simple substitution on English can stand for any four letter word with no letter repeated (e.g., TIME or FOUR, but not LOOK or HASH).

As the amount of intercepted text increases a point may be reached at which a unique solution is possible. Shannon calls this the unicity distance N_0. In a one time tape this never happens and N_0 = ∞, while in a simple substitution cipher N_0 is clearly finite. According to Friedman [11] almost any simple substitution cryptogram of 25 characters or more can be broken by a skilled cryptanalyst. Since the cryptanalyst has limited computational abilities, he cannot try all 26! ≈ 4 × 10^26 keys and must rely on suboptimal methods such as frequency analysis. Thus we can only say that N_0 ≤ 25 characters.

Shannon provides a model for predicting the unicity distance of a cipher, and the result of this model often agrees with practice. According to this "random cipher" model

$N_0 = H(K)/D$   (3)

where H(K) is the entropy of the key (usually this is just the length of the key measured in bits or log2 of the number of keys) and D is the redundancy of the language measured in bits per character (e.g., in English Q is always followed by U so the U is redundant). The reader is referred to Shannon's paper [10] or a more recent presentation by Hellman [12] for a complete derivation, but an intuitive feel can be obtained by rewriting (3) as the requirement for a unique solution

$H(K) < N D.$   (4)

H(K) represents the number of unknowns in a binary representation of the key, and in a loose sense ND represents the number of equations available for solving for the key. When the number of equations is smaller than the number of unknowns, a unique solution is not possible and the system is unconditionally secure. When the number of equations is larger than the number of unknowns, as in (4), a unique solution is possible and the system is no longer unconditionally secure (although it may still be computationally secure).

In a one time pad, H(K) = ∞, so by (3) N_0 = ∞. In a simple substitution, H(K) = log2(26!) = 88.4 bits, so to calculate N_0 we must find D. Each character could convey as much as log2 26 = 4.7 bits if all strings of characters were possible. Since spelling and grammatical rules rule out most strings, in an average sense [13], [14] only about 1.5 bits of information are conveyed by each character. The remaining 3.2 bits are redundant, so D = 3.2 bits/character. Equation (3) thus predicts N_0 = 28 characters, in excellent agreement with practice.

While the Shannon theory approach to cryptography (i.e., the assumption that the cryptanalyst has unlimited computational resources) is usually associated with a ciphertext only attack, known plaintext can be included as additional redundancy. If a 1000 character message is intercepted and 100 plaintext characters are known, then the total redundancy is not just 3200 bits, but

(900 characters) × (3.2 bits/character) + (100 characters) × (4.7 bits/character) = 3350 bits   (5)

because log2(26) = 4.7 bits of information are known about each of the 100 known characters.

Equation (3) indicates the value of data compression prior to encryption. Data compression removes redundancy thereby increasing the unicity distance. The redundant information can be added after deciphering so the legitimate receiver sees no difference. Perfect data compression would remove all redundancy and result in N_0 = ∞ with any size key, but is prohibitively expensive. Limited data compression tends to increase security while also reducing transmission costs.

E. Public Key Systems
The difficulty of distributing keys has been one of the major limitations on the use of conventional cryptographic technology. In order for the sender and receiver to make use of a physically secure channel such as registered mail for key distribution, they must be prepared to wait while the keys are sent, or have made prior preparation for cryptographic communication.

In the military, the chain of command helps to limit the number of user-pair connections, but even there, the key distribution problem has been a major impediment to the use of cryptography. This problem will be accentuated in large commercial communication networks where the number of possible connections grows as (n^2 - n)/2 if n is the number of users. A system with one million users has almost 500 billion possible connections, and the cost of distributing this many keys is prohibitive.

Section V-A discusses key management for conventional cryptographic systems in more detail, but at this point we introduce a new kind of cryptographic system which simplifies the problem of key distribution. Diffie and Hellman [15] and, independently, Merkle [16] have suggested that it is possible to dispense with the secure key distribution channel of Figs. 1 and 2, and communicate securely over the insecure channel without any prearrangement. As indicated in Fig. 3, two way communication is allowed between the transmitter and receiver, but the eavesdropper is passive and only listens. Systems which allow this are called public key systems, in contrast to conventional systems.

Two basic approaches have been suggested to this problem. In public key distribution the sender and receiver are able to agree on a key for use in a conventional cryptographic system. Even though the eavesdropper hears all exchanges, he is unable to compute the key, and thus cannot understand any of the conversation that follows. A public key distribution system is described in Section III-K. The second approach is through public key cryptosystems, which separate the keys used for enciphering and deciphering. Examples of such systems are examined in Sections III-L and III-M.

The reason that keys must be so carefully protected in conventional cryptographic systems is that the enciphering and deciphering functions are inseparable. Anyone who has access to the key in order to encipher messages can also decipher messages. If the enciphering and deciphering capabilities are separated, privacy can be achieved without keeping the enciphering key secret, because it can no longer be used for deciphering.

The new systems must be designed so that it is easy to generate a random pair of inverse keys E, for enciphering, and D, for deciphering, and easy to operate with E and D, but computationally infeasible to compute D from E. A public key cryptosystem is a pair of families $\{E_K\}_{K \in \{K\}}$ and $\{D_K\}_{K \in \{K\}}$ of algorithms representing invertible transformations

$E_K : \{M\} \to \{M\}$   (6)

$D_K : \{M\} \to \{M\}$   (7)

on a finite message space {M}, such that:

1) For every K ∈ {K}, D_K is the inverse of E_K. That is, for any K and any M, D_K E_K(M) = M.

2) For every K ∈ {K} and M ∈ {M}, the values E_K(M) and D_K(M) are easy to compute.

3) For almost every K ∈ {K}, any easily computed algorithm equivalent to D_K is computationally infeasible to derive from E_K.

4) For every K ∈ {K}, it is feasible to generate the inverse pair E_K and D_K from K.

The third property allows a user's enciphering key E_K to be made public without compromising the security of his secret deciphering key D_K. The cryptographic system is therefore split into two parts, a family of enciphering transformations, and a family of deciphering transformations in such a way that given a member of one family it is infeasible to find the corresponding member of the other.

The fourth property guarantees that there is a feasible way of computing corresponding pairs of inverse transformations when no constraint is placed on what either the enciphering or deciphering transformation is to be. In practice, the cryptoequipment must contain a true random number generator (e.g., a noisy diode) for generating K, together with an algorithm for generating the E_K-D_K pair from K.

A system of this kind greatly simplifies the problem of key distribution. Each user generates a pair of inverse transformations, E and D. He keeps the deciphering transformation D secret, and makes the enciphering transformation E public by placing it in a public directory, similar to directory assistance. Anyone can now encrypt messages and send them to the user, but no one else can decipher messages intended for him.

If, in addition to conditions 1)-4) above, the set of transformations satisfies

1') For every K ∈ {K}, E_K is the inverse of D_K. That is, for any K and any M, E_K D_K(M) = M.

it is possible, and often desirable, to encipher with D and decipher with E. For this reason, we will usually refer to E_K as the public key and D_K as the private key, instead.

In the short time since public key cryptosystems were first proposed [15] several approaches have been discovered [17]-[19].
F.
Digital Signatures
A
second difficulty which has limited the application of
conventional cryptography is
its
inability
to
deal with the
problem
of
dispute. Conventional authentication systems,
as
shown in Fig.
2,
can prevent third party forgeries, but
cannot settle disputes between the sender and receiver as
to
what message,
if
any, was sent.
In current commercial practice, the validity of contracts
and agreements
is
guaranteed by handwritten signatures. A
signed contract serves as proof
of
an agreement which the
holder can present
in
court
if
necessary, but the
use
of
signatures requires the transmission and storage of written
documents which
is
a major barrier to more widespread
use
of
electronic communications in business.
The essence
of
a signature
is
that although only one person
can produce
it,
anybody can recognize it. If there is to be a
purely digital replacement for this paper instrument, each user
must be able
to
produce messages whose authenticity can
be
checked by anyone, but which could not have been produced
by anyone else, especially the intended recipient.
In
a conven-
tional system the receiver authenticates any message he receives
from the sender by deciphering
it
in a key which the two hold
in common. Because
this
key
is
held in common, however, the
receiver has the ability
to
produce any cryptogram that could
have been produced by the sender and
so
cannot prove that
the sender actually sent a disputed message.
The public key cryptosystems discussed in the previous subsection provide a direct solution to the signature problem, if they satisfy condition 1'). Systems which almost satisfy condition 1') are also usable [18]. If user A wishes to send a signed message M to user B, he operates on it with his private key D_A to produce the signed message S = D_A(M). D_A was used as A's deciphering key when privacy was desired, but is now used as his "enciphering" or "signing" key. When user B receives S he can recover M by operating on S with A's public key E_A. B saves S as proof that user A sent him the particular message M. If A later disclaims having sent this message, B can take S to a judge who obtains E_A from the public file and checks that E_A(S) = M is a meaningful message with A's name at the end, the proper date and time, etc. Only user A could have generated S because only he knows D_A, so A will be held responsible for having sent M.
This technique provides unforgeable, message dependent, digital signatures, but allows any eavesdropper to determine M because only the public information E_A is needed to recover M from S. To obtain privacy of communication as well, A can encrypt S with B's public key and send E_B(S) instead of S. Only B knows D_B, so only he can recover S and thence M. B still saves S as proof that user A sent him M.
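The signing, judging and sealing steps described above, worked through in code. This is an illustration added here, not the paper's own code: it uses textbook RSA as the public key system (the paper leaves the system abstract), and the primes, exponents, user names, the "public file" dictionary and the message M are all constructed toy values, far too small for real use. The one practical detail the prose does not spell out is that B's modulus is chosen larger than A's so that the signature S, which lies below n_A, survives enciphering under E_B unchanged.

```python
# Added illustration of S = D_A(M), the judge's check E_A(S) = M, and the
# sealed form E_B(S), using textbook RSA as the public key system.
# Not the paper's code. All parameters below are constructed toy values.

def make_keypair(p, q, e):
    """Return (E, D) for one user: public key E = (e, n), private key D = (d, n).
    p, q, e are assumed inputs (constructed; real keys are hundreds of digits)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # requires gcd(e, phi) == 1; Python 3.8+
    return (e, n), (d, n)

def apply_key(key, x):
    """E(.) and D(.) are the same modular exponentiation; only the exponent
    differs. The input must already be reduced modulo the key's n."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("input must lie in [0, n)")
    return pow(x, exp, n)

# Constructed users A and B. n_B > n_A is deliberate: S lies in [0, n_A),
# so it is a valid input to E_B and B recovers it exactly with D_B.
E_A, D_A = make_keypair(61, 53, 17)    # n_A = 3233, d_A = 2753
E_B, D_B = make_keypair(89, 97, 5)     # n_B = 8633, d_B = 5069

# The paper's "public file": anyone, a judge included, can look up E_A.
PUBLIC_FILE = {"A": E_A, "B": E_B}

def sign(D_sender, M):
    """S = D_A(M): the sender applies his private key to the message."""
    return apply_key(D_sender, M)

def judge_check(sender_name, S, M):
    """The judge obtains E_A from the public file and checks E_A(S) == M.
    Only the holder of D_A could have produced an S that passes this."""
    return apply_key(PUBLIC_FILE[sender_name], S) == M

def eavesdropper_reads(sender_name, S):
    """A bare signature gives no privacy: E_A is public, so anyone gets M."""
    return apply_key(PUBLIC_FILE[sender_name], S)

def sign_then_seal(D_sender, receiver_name, M):
    """E_B(D_A(M)): sign first, then encipher under the receiver's public key."""
    return apply_key(PUBLIC_FILE[receiver_name], sign(D_sender, M))

def unseal(D_receiver, C):
    """B strips his layer with D_B and keeps the inner S as evidence."""
    return apply_key(D_receiver, C)

if __name__ == "__main__":
    M = 1234                                # constructed message, M < n_A
    S = sign(D_A, M)
    assert judge_check("A", S, M)           # B, or a judge, accepts S for M
    assert eavesdropper_reads("A", S) == M  # but S alone hides nothing
    C = sign_then_seal(D_A, "B", M)
    assert unseal(D_B, C) == S              # only D_B recovers S, thence M
    assert not judge_check("A", S, M + 1)   # S vouches for M and nothing else
    print("S =", S, " E_B(S) =", C)
```

Because S is message dependent, B cannot reuse a genuine S as evidence for a different message, and because D_A never leaves A, B cannot manufacture one; this is exactly the property the shared key of a conventional system fails to give.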
III. EXAMPLES OF SYSTEMS AND SOLUTIONS
So far we have discussed cryptography abstractly with few examples of specific cryptographic systems. In this section we restore the balance by examining in detail a number of exam-
References
W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Trans. Inform. Theory, 1976.
C. E. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., 1949.
A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J., 1975.
R. M. Needham and M. D. Schroeder, "Using encryption for authentication in large networks of computers," Commun. ACM, 1978.
C. E. Shannon, "Prediction and entropy of printed English," Bell Syst. Tech. J., 1951.