Symmetric and Asymmetric Encryption
GUSTAVUS J. SIMMONS
Sandia Laboratories, Albuquerque, New Mexico 87185
INTRODUCTION

The object of secure communications has been to provide privacy or secrecy, i.e., to hide the contents of a publicly exposed message from unauthorized recipients. In contemporary commercial and diplomatic applications, however, it is frequently of equal or even greater concern that the receiver be able to verify that the message has not been modified during transmission or that it is not a counterfeit from an unauthorized transmitter. In at least one important class of problems message authentication is needed at the same time that the message itself is revealed.

In this paper secure communications are discussed with emphasis on applications that cannot be satisfactorily handled by present cryptographic techniques. Fortunately, an entirely new concept--the asymmetric encryption/decryption channel--solves the new requirements in secure communications. For perspective, the reader should keep in mind that all current cryptosystems are symmetric in the sense that either the same piece of information (key) is held in secret by both communicants, or else that each communicant holds one from a pair of related keys where either key is easily derivable from the other. These secret keys are used in the encryption process to introduce uncertainty (to the unauthorized receiver), which can be removed in the process of decryption by an authorized receiver using his copy of the key or the "inverse key." This means, of course, that if a key is compromised, further secure communications are impossible with that key. The new cryptosystems are asymmetric in the sense that the transmitter and receiver hold different keys at least one of which it is computationally infeasible to derive from the other.

This article was sponsored by the U.S. Department of Energy under Contract DE-AC04-76DP00789.

2 Kahn [KAHN67, p. 764] has analogized substitution and transposition ciphers with continuous and batch manufacturing processes, respectively.

3 This notation means: move the first symbol to the fifth place, the fifth symbol to the third place, the third symbol to the second place, and so on.
The cornerstone of modern mathematical cryptography was laid by Hill [HILL29, HILL31, ALBE41] in 1929. Hill recognized that nearly all the existing cryptosystems could be formulated in the single model of linear transformations on a message space. Hill identified a message n-tuple with an n-tuple of integers and equated the operations of encryption and decryption with a pair of inverse linear transformations. The simplest representation for such transformations is multiplication of an n-tuple (message) by a nonsingular n × n matrix to form the cipher and by the inverse matrix to decrypt and recover the message. For example, let the digits zero-nine be represented by the numbers 0-9, blank by 10, and the 26 letters of the alphabet by 11-36. The number of symbols, 37, is a prime; the encoding and decoding can be carried out with arithmetic modulo 37. If the encrypting matrix is

[encrypting matrix not legible in the scan]

and the decrypting matrix is

[decrypting matrix not legible in the scan; only the entry "15" survives]

then the message LULL = (22, 31, 22, 22) would encrypt to the cipher

(7311,\226~(22 ~12)__(21~ 162)

(all computations mod 37). Similarly, the cipher (27, 16, 12, 2) decrypts to yield the message LULL by

(119530~(272]\121~)=(~22 ~)(mod37).

Note that the three L's in LULL encipher into different symbols. This illustrates the cryptographic advantage of polygraphic systems: The raw frequency-of-occurrence statistics for blocks up to size n are obscured in the encryption process; in the limit (with n), they are lost completely. Table 1 shows the number of occurrences of each letter in 4652 letters of an English language computing science article. These patterns, which survive any monographic substitution, are invaluable clues to the cryptanalyst. For instance, he knows that T is one of the most frequently occurring letters and can be quite sure that T is one of the eight most frequently seen letters. Figure 1 shows the frequency-of-occurrence data for single symbols in the cipher, for a simple monographic encryption, and for polygraphic encryption distributions with matrix sizes 2 × 2, 3 × 3, and 4 × 4. A perfect encryption system would have a flat distribution for all n-tuples; i.e., all possible n-tuples would be equally likely.5

Tuckerman [TUCK70] in his analysis of Vigenère-Vernam cryptosystems has shown that Vigenère systems using nonrandom transformations are always subject to statistical attack. This is to be expected

5 Hill's system using an nth-order transformation resists simple statistical methods of cryptanalysis based on the frequency of occurrence of i-tuples in the cipher for i less than n; however, if the cryptanalyst has two ciphers resulting from the encryption of a single message with two involutory transformations 𝒯1 and 𝒯2 in ℳ^n, so that for all messages M ∈ ℳ^n, 𝒯1(𝒯1(M)) = 𝒯2(𝒯2(M)) = M, and if he knows M, he can recover 𝒯1 and 𝒯2. It was not this cryptanalytic weakness, however, which prevented the adoption of Hill's cryptosystem, but rather the difficulty of carrying out the manual encryption/decryption operations he had defined.
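As an added example (not code from Simmons' paper), here is Hill's scheme on the 37-symbol alphabet defined above, in Python. The paper's own encrypting and decrypting matrices are illegible in this scan, so the 2 × 2 key E used here is my assumption, chosen because it maps LULL = (22, 31, 22, 22) to the cipher the text quotes, (27, 16, 12, 2); the decrypting matrix is computed as E^-1 mod 37 rather than copied from the page.

```python
# Added example, not from the paper: Hill's linear-transformation cipher with
# arithmetic modulo 37 on the alphabet the text defines (0-9, blank, A-Z).
MOD = 37
SYMBOLS = "0123456789 ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # index = numeric equivalent

# Assumed encrypting matrix (the page's own matrix is not legible). It is
# nonsingular mod 37 and sends LULL -> (27, 16, 12, 2), as the text states.
E = [[0, 14], [9, 18]]


def encode(text):
    return [SYMBOLS.index(ch) for ch in text.upper()]


def decode(nums):
    return "".join(SYMBOLS[x] for x in nums)


def mat_vec(m, v):
    """Matrix-times-column-vector product with every entry reduced mod 37."""
    return [sum(a * b for a, b in zip(row, v)) % MOD for row in m]


def inverse_2x2(m):
    """E^-1 mod 37 via the adjugate; 37 is prime, so any nonzero det inverts."""
    (a, b), (c, d) = m
    det = (a * d - b * c) % MOD
    if det == 0:
        raise ValueError("matrix is singular mod 37; not a usable Hill key")
    inv_det = pow(det, -1, MOD)                 # Python 3.8+ modular inverse
    return [[(d * inv_det) % MOD, (-b * inv_det) % MOD],
            [(-c * inv_det) % MOD, (a * inv_det) % MOD]]


def hill(nums, key):
    """Apply `key` to successive n-tuples of the message (n = len(key))."""
    n = len(key)
    if len(nums) % n:
        raise ValueError("message length must be a multiple of the block size")
    out = []
    for i in range(0, len(nums), n):
        out.extend(mat_vec(key, nums[i:i + n]))
    return out


def encrypt(text):
    return hill(encode(text), E)


def decrypt(cipher):
    return decode(hill(cipher, inverse_2x2(E)))


if __name__ == "__main__":
    c = encrypt("LULL")
    # The three L's land on three different cipher symbols (27, 12, 2): the
    # single-letter statistics of Table 1 are what the polygraphic block hides.
    print(encode("LULL"), "->", c, "->", decrypt(c))
```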
[Figure 1. Number of occurrences (vertical axis, 0 to 550) versus numeric equivalent (horizontal axis, 3 to 25); the plotted distributions are not recoverable from the scan.]

[Figure residue: a diagram labelled "code" and "Feedback Network"; not recoverable from the scan.]
Modern cryptology rests largely on the implementation of this principle.

In terms of Figure 4, the "diffusing" of uncertainty is defined by this condition: For nearly all encryption/decryption pairs (E, D) and keys K and K', it is computationally infeasible to compute K (or K') from a knowledge of E, D, C, and M. A system in which either K = K' or one of K and K' is easily computed from knowledge of the other is called a symmetric system. All the examples in the introduction are of symmetric systems. For a one-time key, the two communicants must each have a copy of the same key; K = K' in this case. Similarly, the simple Vigenère and Vernam-Vigenère systems both have K = K'. On the other hand, in the Hill linear transformation system, described in Section 1, the receiver must have E^-1, not E, although it is easy to compute E^-1 from a knowledge of E.

Maximal length linear feedback shift registers (LFSRs), which are used for error detecting and correcting codes, illustrate that one must take great care in choosing key functions. Some apparently complex functions are not so. Because the (2^n − 1)-bit sequence from a maximal length LFSR satisfies many tests for randomness, e.g., the runs property [GOLO67] and lack of intersymbol correlation up to the register length n, numerous suggestions have been made to use these sequences either as key in a Vernam-Vigenère stream cipher mode, as shown in Figure 5, or as block encryption devices on n-bit blocks of message bits [BRIG76, GEFF73, GOLO67, MEYE72]. The feedback network, i.e., the coefficients of the feedback polynomial, and the starting state of the register serve as the key. Assuming that the cryptanalyst can by some means, such as probable word analysis, recover bits of the cipher (which need not be consecutive), he can set up and solve a system of at most 2n linear equations with which to duplicate the future output of the original sequence generator. Berlekamp [BERL68] and Massey [MASS69] have found efficient algorithms for doing this in at most 2n steps. Thus the problem of finding K is only of linear complexity (in n); hence K is not well concealed despite the apparently large number of possible feedback functions. A more complete description of LFSRs is given in the appendix.

Another proposed mode of crypto use for LFSRs is for block ciphers: The register is loaded with an n-bit block of plaintext, it is stepped for k ≥ n steps, and the resulting register state is taken as the cipher. Figure 6 shows an example of the state diagram for such an LFSR. Using k = 7, for example, the message 00001 encrypts to 11010. To decrypt, one uses the "inverse feedback function," which reverses the stepping order of the state diagram of Figure 6, when a 00001 would be the register state resulting from stepping the register seven steps from the starting point (cipher) of 11010. In this example K (forward stepping) and K' (reverse stepping) are easily computable from each other. Although the output is sufficiently random to be useful as a pseudorandom bit sequence generator, the inversion to find K' or K is only of linear computational complexity.

The National Bureau of Standards Data

[Figure 6. State diagram of the LFSR block cipher example; only the state label "11010" is legible in the scan.]
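An added Python example (not the paper's code) of the LFSR block cipher mode just described, using the two-tap trinomial feedback that the appendix describes. Figure 6 is not visible in the scan, so the tap positions (stages 3 and 5 of a 5-stage register) are my assumption, chosen because they reproduce the text's example: 00001 steps to 11010 in k = 7 steps, and the inverse feedback function steps 11010 back to 00001, which is exactly why K' is no harder to obtain than K.

```python
# Added example, not from the paper: a 5-stage maximal length LFSR used as an
# n-bit block cipher (load plaintext, step k >= n times, read the state out).
# Tap choice is assumed; it reproduces the text's 00001 -> 11010 example.
N = 5                         # register length n
K_STEPS = 7                   # k = 7 steps, as in the text's example


def step_forward(state):
    """One clock of the register: the feedback bit is the XOR of the 3rd and
    5th stages (a degree-5 primitive trinomial), shifted in at the left."""
    s = [int(b) for b in state]
    fb = s[4] ^ s[2]
    return "".join(str(b) for b in [fb] + s[:-1])


def step_backward(state):
    """Inverse feedback function: undo one forward step. The bit that was
    shifted out equals fb XOR (old stage 3); both still sit in `state`."""
    s = [int(b) for b in state]
    lost = s[0] ^ s[3]        # s[0] is fb = old[4] ^ old[2]; s[3] is old[2]
    return "".join(str(b) for b in s[1:] + [lost])


def encrypt_block(plain, k=K_STEPS):
    """K = forward stepping k times."""
    state = plain
    for _ in range(k):
        state = step_forward(state)
    return state


def decrypt_block(cipher, k=K_STEPS):
    """K' = reverse stepping k times: derived from K by inspection, not by
    any hard computation, which is the weakness the text points out."""
    state = cipher
    for _ in range(k):
        state = step_backward(state)
    return state


def period(start="00001"):
    """Forward steps until the register returns to `start`. A maximal length
    LFSR cycles through all 2^n - 1 nonzero states, so this returns 31."""
    state, count = step_forward(start), 1
    while state != start:
        state, count = step_forward(state), count + 1
    return count


if __name__ == "__main__":
    c = encrypt_block("00001")
    print("00001 ->", c, "->", decrypt_block(c), "period", period())
```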
Shamir and Zippel [SHAM78] have shown that if the opponent knows m as well as v, he can employ a simple algorithm whose output is w with high probability.

6.2 The Factorization Trapdoor

Another asymmetric system is the public-key encryption scheme proposed by Rivest, Shamir, and Adleman [RIVE78]. The trapdoor in the scheme is based on the difference in computational difficulty in finding large primes as opposed to factoring large numbers. The best algorithms known at the present can find a d-digit prime number in time O(d^3), while the complexity of factoring a large number n exceeds any polynomial bound, currently O(n^{(ln(ln n)/ln n)^{1/2}}). In the proposed system, one chooses a pair of primes p and q so large that factoring n = pq is beyond all projected computational capabilities. One also chooses a pair of numbers e and d, where (e, φ(n)) = 1,4 and ed ≡ 1 mod φ(n); φ(n) = (p − 1)(q − 1). In other words, e and d are multiplicative inverses in the group of residue classes modulo φ(n). When used as a public-key cryptosystem, e and n are published in the public-key directory and d is kept secret. Because the receiver (designer) knows p and q, the system is forward asymmetric.

A variant of this scheme illustrates a bidirectional asymmetric encryption system. Assume that a higher level of command designs the system, e.g., chooses p, q, and e, computes d, and then gives (e, n) and (d, n) to two subordinate commands that require an asymmetric encryption channel between them. Since computing the multiplicative inverse d of e from a knowledge of e and n is essentially the same as factoring n or determining φ(n), d is secure from an opponent knowing only n and e. Conversely, computing e from a knowledge of d and n is of the same difficulty. The two keys (e, n) and (d, n) are separated by a computationally difficult problem. Obviously, the "higher level of command" can be replaced by a volatile memory computing device so that no single party is in possession of the information which could compromise the system.

A message M ∈ ℳ is encrypted in this system to the cipher C by the transmitter using key K = (e, n) by the rule

M^e ≡ C (mod n),

and C is decrypted by the authorized receiver using K' = (d, n) by the rule

C^d ≡ M (mod n).

For example, if p = 421 and q = 577 so that n = pq = 242,917 and φ(n) = 241,920, then for e = 101, d = 9581. Using these values K = (101: 242,917) and K' = (9581: 242,917) so that the message M = 153,190 encrypts by

C = 153,190^101 ≡ 203,272 (mod 242,917),

and C decrypts by

M ≡ 203,272^9581 ≡ 153,190 (mod 242,917).

Much effort has been devoted to the investigation of whether the scheme just described is secure and whether decryption (for almost all ciphers) is as hard as the factorization of n. Several authors [HERL78, SIMM77, WILL79a] have investigated the restrictions on the primes p and q that must be imposed to ensure cryptosecurity; they conclude that it is not difficult to choose the primes so that the known cryptoweaknesses are avoided [WILL79a]. It is probable that these same steps are also sufficient to ensure that decryption of almost all ciphers is as hard as the factorization of n. However, this crucial result has not been proved. Instead, Rabin [RABI79] has shown that if instead of the encryption function C ≡ M^e one uses

C ≡ M(M + b) (mod n), b ≥ 0,

which is effectively the same as e = 2 where n = pq, as in the Rivest et al. scheme, then decryption to an unauthorized user is not simply a consequence of being able to factor n but is actually equivalent. Unfortunately, even the authorized user is left with an ambiguity among four potential messages in this scheme. Williams has completed this work by proving that for suitably chosen primes p and q the ambiguity is removed and that decryption of almost all messages is equivalent to factoring n [WILL79b].

4 φ(n) is the Euler totient; it is simply the number of integers less than n and relatively prime with respect to n. (e, φ(n)) = 1 is a notation indicating that e and φ(n) are relatively prime.
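An added Python example (not from the paper) that carries out the computations of this section with the text's own values, p = 421, q = 577, e = 101 and M = 153,190, for both the RSA rule and the Rabin variant C ≡ M(M + b) with b = 0. The square-root search in rabin_decrypt is exhaustive and is only workable because these primes are tiny and known, which is the trapdoor the section describes; its four results are the four square roots that the text's Rabin example lists.

```python
# Added example, not from the paper: RSA (Section 6.2) and the Rabin variant
# with b = 0, on the page's own parameters. Needs Python 3.8+ for pow(x, -1, m).
from math import gcd

P, Q, E, MESSAGE = 421, 577, 101, 153_190      # values quoted in the text


def rsa_keys(p, q, e):
    """Return (n, phi, d): d is the multiplicative inverse of e modulo phi(n).
    Knowing p and q is what makes this cheap; from n and e alone it is as
    hard as factoring n, which is the asymmetry of the scheme."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:                        # (e, phi(n)) = 1 is required
        raise ValueError("e must be relatively prime to phi(n)")
    return n, phi, pow(e, -1, phi)


def rsa_encrypt(m, e, n):
    return pow(m, e, n)                         # C = M^e mod n with K = (e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)                         # M = C^d mod n with K' = (d, n)


def rabin_encrypt(m, n, b=0):
    return (m * (m + b)) % n                    # C = M(M + b) mod n; b = 0: M^2


def sqrt_mod_prime(c, p):
    """Every x with x^2 = c (mod p). Exhaustive search: fine for p = 421 or
    577, hopeless at real sizes, and impossible without knowing p at all."""
    return [x for x in range(p) if (x * x) % p == c % p]


def rabin_decrypt(c, p, q):
    """All M with M^2 = C (mod pq) for b = 0: pair each root mod p with each
    root mod q and combine by the Chinese remainder theorem. Four results
    come back; this is the ambiguity the text says the authorized user faces."""
    n, inv_p = p * q, pow(p, -1, q)
    roots = set()
    for rp in sqrt_mod_prime(c, p):
        for rq in sqrt_mod_prime(c, q):
            t = ((rq - rp) * inv_p) % q         # x = rp + p*t is = rq (mod q)
            roots.add((rp + p * t) % n)
    return sorted(roots)


if __name__ == "__main__":
    n, phi, d = rsa_keys(P, Q, E)
    c = rsa_encrypt(MESSAGE, E, n)
    print(f"n={n} phi={phi} d={d} C={c} M={rsa_decrypt(c, d, n)}")
    c2 = rabin_encrypt(MESSAGE, n)
    print(f"Rabin C={c2} candidates={rabin_decrypt(c2, P, Q)}")
```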
(Ron Rivest has pointed out that this statement is precisely true for ciphertext-only attack and that it does not hold for chosen-plaintext attack [BRIG77].)

For example, using the same primes and message as above in the simple Rabin scheme, p = 421, q = 577, and M = 153,190, and letting b = 0, one obtains the cipher

C = 153,190^2 ≡ 179,315 (mod 242,917).

Four messages from ℳ have C as their square mod n: M, of course, and −M = 089,727, as well as M' = 022,788 and −M' = 220,129.

The important point is that these results are persuasive evidence of equivalence between decryption for almost all messages and the factorization of n in these schemes.

A common misconception is that asymmetric encryption/decryption (public-key encryption) is more secure than its (symmetric) predecessors. For example, Gardner [GARD77] suggests that public-key cryptosystems are more cryptosecure than existing systems, and a lengthy editorial in the Washington Post, July 9, 1978, was entitled "The New Unbreakable Codes--Will They Put NSA Out of Business?" [SHAP78]. The discussion in the two previous sections on symmetric and asymmetric encryption demonstrates clearly that asymmetric cryptosecurity depends on precisely the same mathematical condition as most high-quality symmetric cryptosystems--computational work factor. Basing cryptosystems on NP-hard problems opens new worlds of codes which may be as secure as traditional codes. But the new systems are not necessarily more or less secure than existing cryptosystems.

7. AUTHENTICATION

The asymmetric encryption channel serves two functions:

1) Secret communication is possible even if the transmitter's key (K) is public.

2) Authentication of messages is possible by anyone who knows the receiver's key (K'), assuming that K and K' are not easily computed from each other.

The separation of secrecy and authentication in asymmetric systems has a natural counterpart in the different security concerns of the transmitter and receiver: The transmitter wishes assurances that the message cannot be disclosed or altered, whereas the receiver is primarily concerned that the message could only have come from the transmitter.

The different security concerns of transmitter and receiver are well illustrated by the concerns of the various parties involved in a transaction by check. The person writing the check (the transmitter) is not concerned with its authenticity, but he is concerned that no one will be able to alter the amount shown on his signed draft. The person accepting the check (the receiver) is primarily concerned with the authenticity of the check. An intermediate party accepting the check as a second-party draft is concerned with both of these aspects: that the check is unaltered and authentic. The ultimate receiver, the bank, keeps signature cards on file to help verify (if needed) the identity of the person who wrote the check, but its concerns are the same as those of the other intermediate receivers.

Authentication is closely related to error detecting codes. The message space ℳ is partitioned into two classes, acceptable and unacceptable messages, similar to the classes comprising the most probably correct and incorrect messages in the previous case. To realize authentication despite an intelligent opponent, it is essential to conceal these classes in the ciphers. Using an unconditionally secure cryptosystem to encrypt the messages from ℳ into ciphers from 𝒞, every cipher C ∈ 𝒞 would with equiprobability over ℳ be the encryption of any message in ℳ. But in this ideal case, if the opponent substituted another cipher C' for the correct cipher C, the probability that it would decrypt to a message in the class of acceptable messages would be simply |𝒜|/|ℳ|, where 𝒜 is the class of acceptable messages. For example, if ℳ is the set of 26^4 = 456,976 four-letter alphabetic sequences and 𝒜 is the set of four-letter English words in Webster's Unabridged International Dictionary, then the probability that a randomly chosen four-letter cipher will decrypt to an English word is very close to 1/7. In other words, the equivocation to the opponent of this "natural" authentication system is ≈2.81 bits.
APPENDIX

An especially simple class of primitive polynomials [ZIER68, ZIER69], both to analyze and to implement, is the trinomials, x^n + x^a + 1, which require only two stages of the feedback shift register to be tapped and combined by an Exclusive OR

      0  1
   0  0  1
   1  1  0

to compute the feedback sum.

[Figure 7: not recoverable from the scan.]

ACKNOWLEDGMENTS

The author wishes to acknowledge the many and valuable contributions of M. J. Norris to the ideas presented here. He is also grateful to D. Kahn and H. Bright for careful reviews of a first draft of the manuscript and to the anonymous referees whose detailed suggestions materially shaped the present form of the paper. Finally, he wishes to express his appreciation to R. J. Hanson and P. J. Denning whose assistance has made it possible for this material to be published in Computing Surveys.

REFERENCES

ACME23 Acme commodity and phrase code, Acme Code Co., San Francisco, Calif., 1923.
ADLE78 ADLEMAN, L. M., AND RIVEST, R. L. "The use of public-key cryptography in communication system design," IEEE Trans. Commun. COM-16, 6 (Nov. 1978), 20-23.
ALBE41 ALBERT, A. A. "Some mathematical aspects of cryptography," presented at the AMS 382nd Meeting, Manhattan, Kans., Nov. 22, 1941.
BERL68 BERLEKAMP, E. R. Algebraic coding theory, McGraw-Hill, New York, 1968.
BRAN79 BRANSTAD, D. "Hellman's data does not support his conclusion," IEEE Spectrum 16, 7 (July 1979), 41.
BRIG76 BRIGHT, H. S., AND ENISON, R. L. "Cryptography using modular software elements," in Proc. AFIPS 1976 NCC, Vol. 45, AFIPS Press, Arlington, Va., pp. 113-123.
BRIG77 BRIGHT, H. S. "Cryptanalytic attack and defense: ciphertext-only, known-plaintext, chosen-plaintext," Cryptologia 1, 4 (Oct. 1977), 366-370.
DAVI79 DAVIDA, G. I. "Hellman's scheme breaks DES in its basic form," IEEE Spectrum 16, 7 (July 1979), 39.
DEAD77 DEAVOURS, C. A. "Unicity points in cryptanalysis," Cryptologia 1, 1 (Jan. 1977), 46-68.
DIFF76 DIFFIE, W., AND HELLMAN, M. E. "New directions in cryptography," IEEE Trans. Inform. Theory IT-22, 6 (Nov. 1976), 644-654.
DIFF77 DIFFIE, W., AND HELLMAN, M. E. "Exhaustive cryptanalysis of the NBS data encryption standard," Computer 10, 6 (June 1977), 74-84.
EVAN74 EVANS, A., JR., AND KANTROWITZ, W. "A user authentication scheme not requiring secrecy in the computer," Commun. ACM 17, 8 (Aug. 1974), 437-442.
FEIS73 FEISTEL, H. "Cryptography and computer privacy," Sci. Am. 228, 5 (May 1973), 15-23.
GAIN56 GAINES, H. F. Cryptanalysis: a study of ciphers and their solution, Dover, New York, 1956.
GAIT77 GAIT, J. "A new nonlinear pseudorandom number generator," IEEE Trans. Softw. Eng. SE-3, 5 (Sept. 1977), 359-363.
GARD77 GARDNER, M. Mathematical games (section), Sci. Am. 237, 2 (Aug. 1977), 120-124.
GEFF73 GEFFE, P. R. "How to protect data with ciphers that are really hard to break," Electronics 46, 1 (Jan. 4, 1973), 99-101.
GILB74 GILBERT, E. N., MACWILLIAMS, F. J., AND SLOANE, N. J. A. "Codes which detect deception," Bell Syst. Tech. J. 53, 3 (March 1974), 405-423.
GOLO67 GOLOMB, S. W. Shift register sequences, Holden-Day, San Francisco, Calif., 1967.
HART64 HART, G. L. The Beale papers, Roanoke Public Library, Roanoke, Va., 1964.
HELL78 HELLMAN, M. E. "An overview of public-key cryptography," IEEE Trans. Commun. COM-16, 6 (Nov. 1978), 24-32.
HELL79a HELLMAN, M. E. "DES will be totally insecure within ten years," IEEE Spectrum 16, 7 (July 1979), 32-39.
HELL79b HELLMAN, M. E. "The mathematics of public-key cryptography," Sci. Am. 241, 3 (Aug. 1979), 146-157.
HERL78 HERLESTAM, T. "Critical remarks on some public-key cryptosystems," BIT 18 (1978), 493-496.
HILL29 HILL, L. S. "Cryptography in an algebraic alphabet," Am. Math. Monthly 36 (June-July 1929), 306-312.
HILL31 HILL, L. S. "Concerning certain linear transformation apparatus of cryptography," Am. Math. Monthly 38 (March 1931), 135-154.
HOFF77 HOFFMAN, L. J. Modern methods for computer security and privacy, Prentice-Hall, Englewood Cliffs, N.J., 1977.
HORO74 HOROWITZ, E., AND SAHNI, S. "Computing partitions with applications to the knapsack problem," J. ACM 21, 2 (April 1974), 277-292.
KAHN66 KAHN, D. "Modern cryptology," Sci. Am. 215 (July 1966), 38-46.
KAHN67 KAHN, D. The codebreakers, the story of secret writing, MacMillan, New York, 1967.
KARP72 KARP, R. M. "Reducibility among combinatorial problems," in Complexity of computer computations, R. E. Miller and J. W. Thatcher (Eds.), Plenum Press, New York, 1972, pp. 85-104.
KULL76 KULLBACK, S. Statistical methods in cryptanalysis, Aegean Park Press, Laguna Hills, Calif., 1976.
LEMP79 LEMPEL, A. "Cryptology in transition: a survey," Comput. Surv. 11, 4 (Dec. 1979), 285-304.
LIPT78 LIPTON, S. M., AND MATYAS, S. M. "Making the digital signature legal--and safeguarded," Data Commun. 7, 2 (Feb. 1978), 41-52.