The First Ten Years of Public-Key Cryptography

WHITFIELD DIFFIE

Invited Paper
Public-key cryptosystems separate the capacities for encryption and decryption so that 1) many people can encrypt messages in such a way that only one person can read them, or 2) one person can encrypt messages in such a way that many people can read them. This separation allows important improvements in the management of cryptographic keys and makes it possible to "sign" a purely digital message.

Public-key cryptography was discovered in the Spring of 1975 and has followed a surprising course. Although diverse systems were proposed early on, the ones that appear both practical and secure today are all very closely related, and the search for more and better systems continues. With a firmer mathematical foundation, public-key cryptography is revolutionizing communication security by making possible secure communication networks with hundreds of thousands of subscribers. Equally important is the impact of public-key cryptography on the theoretical side of communication security: it has given cryptographers a systematic means of addressing a broad range of security objectives and pointed the way toward a more theoretical approach that allows the development of cryptographic protocols.
I. Initial Discoveries
Public-key cryptography was born in May 1975, the child of two problems and a misunderstanding.

• First came the problem of key distribution. If two people who have never met before are to communicate privately using conventional cryptographic means, they must somehow agree in advance on a key that will be known to themselves and to no one else.

• The second problem, apparently unrelated to the first, was the problem of signatures. Could a method be devised that would provide the recipient of a purely digital electronic message with a way of demonstrating to other people that it had come from a particular person, just as a written signature on a letter allows the recipient to hold the author to its contents?
On the face of it, both problems seem to demand the impossible. In the first case, if two people could somehow communicate a secret key from one to the other without ever having met, why could they not communicate their message in secret? The second is no better. To be effective, a signature must be hard to copy. How then can a digital message, which can be copied perfectly, bear a signature?

Manuscript received January 18, 1988; revised March 25, 1988.
The author is with Bell-Northern Research, Mountain View, CA, USA.
The misunderstanding was mine and prevented me from rediscovering the conventional key distribution center. The virtue of cryptography, I reasoned, was that, unlike any other known security technology, it did not require trust in any party not directly involved in the communication, only trust in the cryptographic systems. What good would it do to develop impenetrable cryptosystems, I reasoned, if their users were forced to share their keys with a key distribution center that could be compromised by either burglary or subpoena?

The discovery consisted not of a solution, but of the recognition that the two problems, each of which seemed unsolvable by definition, could be solved at all and that the solutions to both problems came in one package.
First to succumb was the signature problem. The conventional use of cryptography to authenticate messages had been joined in the 1950s by two new applications, whose functions when combined constitute a signature.

Beginning in 1952, a group under the direction of Horst Feistel at the Air Force Cambridge Research Center began to apply cryptography to the military problem of distinguishing friendly from hostile aircraft. In traditional Identification Friend or Foe systems, a fire control radar determines the identity of an aircraft by challenging it, much as a sentry challenges a soldier on foot. If the airplane returns the correct identifying information, it is judged to be friendly; otherwise it is thought to be hostile or at best neutral. To allow the correct response to remain constant for any significant period of time, however, is to invite opponents to record a legitimate friendly response and play it back whenever they themselves are challenged. The approach taken by Feistel's group, and now used in the MK XII IFF system, is to vary the exchange cryptographically from encounter to encounter. The radar sends a randomly selected challenge and judges the aircraft by whether it receives a correctly encrypted response. Because the challenges are never repeated, previously recorded responses will not be judged correct by a challenging radar.
Later in the decade, this novel authentication technique was joined by another, which seems first to have been applied by Roger Needham of Cambridge University [172]. This time the problem was protecting computer passwords. Access control systems often suffer from the extreme sensitivity of their password tables. The tables gather all of the passwords together in one place and anyone who gets access to this information can impersonate any of the system's users. To guard against this possibility, the password table is filled not with the passwords themselves, but with the images of the passwords under a one-way function. A one-way function is easy to compute, but difficult to invert. For any password, the correct table entry can be calculated easily. Given an output from the one-way function, however, it is exceedingly difficult to find any input that will produce it. This reduces the value of the password table to an intruder tremendously, since its entries are not passwords and are not acceptable to the password verification routine.
Challenge and response identification and one-way functions provide protection against two quite different sorts of threats. Challenge and response identification resists the efforts of an eavesdropper who can spy on the communication channel. Since the challenge varies randomly from event to event, the spy is unable to replay it and fool the challenging radar. There is, however, no protection against an opponent who captures the radar and learns its cryptographic keys. This opponent can use what he has learned to fool any other radar that is keyed the same. In contrast, the one-way function defeats the efforts of an intruder who captures the system password table (analogous to capturing the radar) but succumbs to anyone who intercepts the login message, because the password does not change with time.
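The two mechanisms just contrasted, as an added example that is not part of the paper: a challenge-and-response check in which a recorded response is useless against a fresh challenge, and a password table that stores only one-way images. The keyed transformation (HMAC-SHA256), the one-way function (SHA-256), the per-user salt and all key and password values are my assumptions; the paper names no particular cipher or hash.

```python
import hashlib
import hmac
import secrets

# Added example (not from the paper). The shared key stands in for the keying
# material loaded into both radar and aircraft; HMAC-SHA256 is an assumed
# stand-in for "encrypting the challenge", since the paper names no cipher.
SHARED_KEY = b"constructed demo key - not a real one"


def issue_challenge() -> bytes:
    """Radar side: a fresh random challenge for every encounter."""
    return secrets.token_bytes(16)


def respond(key: bytes, challenge: bytes) -> bytes:
    """Aircraft side: keyed transformation of the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def judge(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Radar side: recompute the expected response, compare in constant time."""
    return hmac.compare_digest(respond(key, challenge), response)


def replay_attempt() -> tuple:
    """A recorded response passes only for the challenge it originally answered.
    Returns (accepted for its own challenge, accepted when replayed later)."""
    c1 = issue_challenge()
    recorded = respond(SHARED_KEY, c1)        # what an eavesdropper would capture
    ok_original = judge(SHARED_KEY, c1, recorded)
    c2 = issue_challenge()                    # a later encounter, new challenge
    ok_replayed = judge(SHARED_KEY, c2, recorded)
    return ok_original, ok_replayed           # (True, False)


def one_way(password: str, salt: bytes) -> bytes:
    """SHA-256 is the assumed one-way function. The per-user salt is modern
    practice, not part of the scheme as the paper describes it."""
    return hashlib.sha256(salt + password.encode()).digest()


def build_table(users: dict) -> dict:
    """Password table holding (salt, image) pairs rather than passwords."""
    table = {}
    for name, password in users.items():
        salt = secrets.token_bytes(8)
        table[name] = (salt, one_way(password, salt))
    return table


def verify_login(table: dict, name: str, password: str) -> bool:
    """Login check: recompute the image and compare; the table never has to
    contain the password itself."""
    if name not in table:
        return False
    salt, image = table[name]
    return hmac.compare_digest(one_way(password, salt), image)


def table_reveals_password(table: dict, name: str, password: str) -> bool:
    """True if the stored entry literally contains the password bytes."""
    salt, image = table[name]
    return password.encode() in salt + image
```

The asymmetry the text describes is visible in the code: `replay_attempt` shows the channel eavesdropper defeated by the changing challenge, while `verify_login` still accepts the same password every time, so an intercepted login can be replayed even though the stolen table is of little use.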
I realized that the two goals might be achieved simultaneously if the challenger could pose questions that it was unable to answer, but whose answers it could judge for correctness. I saw the solution as a generalization of the one-way function: a trap-door one-way function that allowed someone in possession of secret information to go backwards and compute the function's inverse. The challenger would issue a value in the range of the one-way function and demand to know its inverse. Only the person who knew the trapdoor would be able to find the corresponding element in the domain, but the challenger, in possession of an algorithm for computing the one-way function, could readily check the answer. In the applications that later came to seem most important, the role of the challenge was played by a message and the process took on the character of a signature, a digital signature.
It did not take long to realize that the trapdoor one-way function could also be applied to the baffling problem of key distribution. For someone in possession of the forward form of the one-way function to send a secret message to the person who knew the trapdoor, he had only to transform the message with the one-way function. Only the holder of the trap-door information would be able to invert the operation and recover the message. Because knowing the forward form of the function did not make it possible to compute the inverse, the function could be made freely available. It is this possibility that gave the field its name: public-key cryptography.
The concept that emerges is that of a public-key cryptosystem: a cryptosystem in which keys come in inverse pairs [36] and each pair of keys has two properties.

• Anything encrypted with one key can be decrypted with the other.

• Given one member of the pair, the public key, it is infeasible to discover the other, the secret key.

This separation of encryption and decryption makes it possible for the subscribers to a communication system to list their public keys in a "telephone directory" along with their names and addresses. This done, the solutions to the original problems can be achieved by simple protocols.

• One subscriber can send a private message to another simply by looking up the addressee's public key and using it to encrypt the message. Only the holder of the corresponding secret key can read such a message; even the sender, should he lose the plaintext, is incapable of extracting it from the ciphertext.

• A subscriber can sign a message by encrypting it with his own secret key. Anyone with access to the public key can verify that it must have been encrypted with the corresponding secret key, but this is of no help to him in creating (forging) a message with this property.
The first aspect of public-key cryptography greatly simplifies the management of keys, especially in large communication networks. In order for a pair of subscribers to communicate privately using conventional end-to-end cryptography, they must both have copies of the same cryptographic key and this key must be kept secret from anyone they do not wish to take into their confidence. If a network has only a few subscribers, each person simply stores one key for every other subscriber against the day he will need it, but for a large network, this is impractical.

In a network with n subscribers there are n(n − 1)/2 pairs, each of which may require a key. This amounts to five thousand keys in a network with only a hundred subscribers, half a million in a network with one thousand, and twenty million billion in a network the size of the North American telephone system. It is unthinkable to distribute this many keys in advance and undesirable to postpone secure communication while they are carried from one party to the other by courier.
The second aspect makes it possible to conduct a much broader range of normal business practices over a telecommunication network. The availability of a signature that the receiver of a message cannot forge and the sender cannot readily disavow makes it possible to trust the network with negotiations and transactions of much higher value than would otherwise be possible.

It must be noted that both problems can be solved without public-key cryptography, but that conventional solutions come at a great price. Centralized key distribution centers can on request provide a subscriber with a key for communicating with any other subscriber, and protocols for this purpose will be discussed later on. The function of the signature can also be approximated by a central registry that records all transactions and bears witness in cases of dispute. Both mechanisms, however, encumber the network with the intrusion of a third party into many conversations, diminishing security and degrading performance.
At the time public-key cryptography was discovered, I was working with Martin Hellman in the Electrical Engineering Department at Stanford University. It was our immediate reaction, and by no means ours alone, that the problem of producing public-key cryptosystems would be quite difficult. Instead of attacking this problem in earnest, Marty and I forged ahead in examining the consequences.

The first result of this examination to reach a broad audience was a paper entitled "Multi-User Cryptographic Techniques" [35], which we gave at the National Computer Conference in 1976. We wrote the paper in December 1975 and sent preprints around immediately. One of the preprints went to Peter Blatman, a Berkeley graduate student and friend since childhood of cryptography's historian David Kahn. The result was to bring from the woodwork Ralph Merkle, possibly the single most inventive character in the public-key saga.
Merkle's Puzzles
Ralph Merkle had registered in the Fall of 1974 for Lance Hoffman's course in computer security at U.C. Berkeley. Hoffman wanted term papers and required each student to submit a proposal early in the term. Merkle addressed the problem of public-key distribution, or as he called it, "Secure Communication over Insecure Channels" [70]. Hoffman could not understand Merkle's proposal. He demanded that it be rewritten, but alas found the revised version no more comprehensible than the original. After one more iteration of this process, Merkle dropped the course, but he did not cease working on the problem despite continuing failure to make his results understood.

Although Merkle's original proposal may have been hard to follow, the idea is quite simple. Merkle's approach is to communicate a cryptographic key from one person to another by hiding it in a large collection of puzzles. Following the tradition in public-key cryptography, the parties to this communication will be called Alice and Bob rather than the faceless A and B, X and Y, or I and J, common in technical literature.
Alice manufactures a million or more puzzles and sends them over the exposed communication channel to Bob. Each puzzle contains a cryptographic key in a recognizable standard format. The puzzle itself is a cryptogram produced by a block cipher with a fairly small key space. As with the number of puzzles, a million is a plausible number. When Bob receives the puzzles, he picks one and solves it by the simple expedient of trying each of the block cipher's million keys in turn until he finds one that results in plaintext of the correct form. This requires a large but hardly impossible amount of work.

In order to inform Alice which puzzle he has solved, Bob uses the key it contains to encrypt a fixed test message, which he transmits to Alice. Alice now tries her million keys on the test message until she finds the one that works. This is the key from the puzzle Bob has chosen.

The task facing an intruder is more arduous. Rather than selecting one of the puzzles to solve, he must solve on average half of them. The amount of effort he must expend is therefore approximately the square of that expended by the legitimate communicators.
The n to n² advantage the legitimate communicators have over the intruder is small by cryptographic standards, but sufficient to make the system plausible in some circumstances. Suppose, for example, that the plaintext of each puzzle is 96 bits, consisting of 64 bits of key together with a thirty-two bit block of zeros that enables Bob to recognize the right solution. The puzzle is constructed by encrypting this plaintext using a block cipher with 20 bits of key. Alice produces a million of these puzzles and Bob requires about half a million tests to solve one. The bandwidth and computing power required to make this feasible are large but not inaccessible. On a DS1 (1.544 Mbit) channel it would require about a minute to communicate the puzzles. If keys can be tried on the selected puzzle at about ten thousand per second, it will take Bob another minute to solve it. Finally, it will take a similar amount of time for Alice to figure out, from the test message, which key has been chosen.

The intruder can expect to have to solve half a million puzzles at half a million tries apiece. With equivalent computational facilities, this requires twenty-five million seconds or about a year. For applications such as authentication, in which the keys are no longer of use after communication is complete, the security of this system might be sufficient.
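Merkle's puzzle exchange, as an added example that is not code from the paper or from Merkle. It follows the three steps above (Alice makes puzzles, Bob brute-forces one, Alice identifies the key from Bob's test message) at toy scale; the "block cipher" is a constructed keyed-XOR stand-in, the puzzle count and key sizes are scaled down, and the HMAC used for the test message is an assumption. `expected_effort` reproduces the paper's work estimate for its own parameters.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's code. Parameters are scaled down from the
# paper's (a million puzzles, 2^20 puzzle keys) so it runs in seconds.
KEY_BYTES = 8          # key hidden in each puzzle (the paper: 64 bits)
ZERO_BYTES = 4         # recognizable zero block (the paper: thirty-two bits)
PUZZLE_KEY_BITS = 10   # puzzle cipher key space: 2^10 keys here
N_PUZZLES = 64         # number of puzzles Alice sends
TEST_MESSAGE = b"fixed test message known to Alice and Bob"


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for a small-key block cipher: XOR with a keyed SHA-256 stream.
    A constructed toy (assumption), used because Merkle's scheme only needs a
    keyed, invertible transformation with a small, enumerable key space."""
    stream = hashlib.sha256(b"puzzle-cipher:" + key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def puzzle_key(i: int) -> bytes:
    return i.to_bytes(4, "big")


def alice_make_puzzles(n: int = N_PUZZLES) -> tuple:
    """Alice keeps the list of hidden keys; the puzzles go over the open channel."""
    keys, puzzles = [], []
    for _ in range(n):
        k = secrets.token_bytes(KEY_BYTES)
        pk = puzzle_key(secrets.randbelow(1 << PUZZLE_KEY_BITS))
        puzzles.append(toy_cipher(pk, k + bytes(ZERO_BYTES)))
        keys.append(k)
    return keys, puzzles


def bob_solve_one(puzzles: list, index: int = None) -> bytes:
    """Bob picks one puzzle and tries every puzzle key until the plaintext has
    the recognizable zero block; about half the key space on average."""
    if index is None:
        index = secrets.randbelow(len(puzzles))
    for i in range(1 << PUZZLE_KEY_BITS):
        pt = toy_cipher(puzzle_key(i), puzzles[index])
        if pt[KEY_BYTES:] == bytes(ZERO_BYTES):
            return pt[:KEY_BYTES]
    raise ValueError("no key produced a well-formed plaintext")


def bob_test_message(key: bytes) -> bytes:
    """Bob's reply: the fixed test message under the recovered key (an HMAC
    tag is the assumed stand-in for 'encrypting' it)."""
    return hmac.new(key, TEST_MESSAGE, hashlib.sha256).digest()


def alice_identify(keys: list, tag: bytes):
    """Alice tries each of her keys on the test message; about half on average."""
    for k in keys:
        if hmac.compare_digest(bob_test_message(k), tag):
            return k
    return None


def expected_effort(n_puzzles: int, puzzle_keyspace: int) -> tuple:
    """Average trial counts (Bob, Alice, intruder) following the paper's
    argument: the intruder must solve about half the puzzles, each at about
    half the key space."""
    bob = puzzle_keyspace // 2
    alice = n_puzzles // 2
    return bob, alice, alice * bob


def run_exchange(n: int = N_PUZZLES) -> tuple:
    """Full protocol run; returns (Bob's key, the key Alice identified)."""
    keys, puzzles = alice_make_puzzles(n)
    k_bob = bob_solve_one(puzzles)
    k_alice = alice_identify(keys, bob_test_message(k_bob))
    return k_bob, k_alice
```

With the paper's numbers, `expected_effort(10**6, 10**6)` gives half a million trials each for Bob and Alice against 2.5 × 10^11 for the intruder, the quadratic gap the text describes; the toy run above uses 2^10 puzzle keys and 64 puzzles only so that the whole exchange finishes quickly.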
When Merkle saw the preprint of "Multi-User Cryptographic Techniques" he immediately realized he had found people who would appreciate his work and sent us copies of the paper he had been endeavoring unsuccessfully to publish. We in turn realized that Merkle's formulation of the problem was quite different from mine and, because Merkle had isolated one of the two intertwined problems I had seen, potentially simpler.

Even before the notion of putting trap-doors into one-way functions had appeared, a central objective of my work with Marty had been to identify and study functions that were easy to compute in one direction, but difficult to invert. Three principal examples of this simplest and most basic of cryptographic phenomena occupied our thoughts.

• John Gill, a colleague in the Electrical Engineering Department at Stanford, had suggested discrete exponentiation because the inverse problem, discrete logarithm, was considered very difficult.

• I had sought suitable problems in the chapter on NP-complete functions in Aho, Hopcroft, and Ullman's book on computational complexity [3] and selected the knapsack problem as most appropriate.

• Donald Knuth of the Stanford Computer Science Department had suggested that multiplying a pair of primes was easy, but that factoring the result, even when it was known to have precisely two factors, was exceedingly hard.

All three of these one-way functions were shortly to assume great importance.
II. Exponential Key Exchange
The exponential example was tantalizing because of its combinatorial peculiarities. When I had first thought of digital signatures, I had attempted to achieve them with a scheme using tables of exponentials. This system failed, but Marty and I continued twisting exponentials around in our minds and discussions trying to make them fit. Marty eventually made the breakthrough early one morning in May 1976. I was working at the Stanford Artificial Intelligence Laboratory on the paper that we were shortly to publish under the title "New Directions in Cryptography" [36] when Marty called and explained exponential key exchange in its unnerving simplicity. Listening to him, I realized that the notion had been at the edge of my mind for some time, but had never really broken through.
Exponential key exchange takes advantage of the ease with which exponentials can be computed in a Galois (finite) field GF(q) with a prime number q of elements (the numbers {0, 1, ..., q − 1} under arithmetic modulo q) as compared with the difficulty of computing logarithms in the same field. If

Y_A = α^{X_A} mod q, for 1 ≤ X_A ≤ q − 1,

and K_AB = Y_B^{X_A} = Y_A^{X_B} = α^{X_A X_B} mod q, then it is easy to compute Y_A from X_A, or K_AB from Y_B and X_A. Taking logarithms over GF(q), on the other hand, currently demands more than 2^? (or approximately 10^?) operations.
The arithmetic of exponential key exchange is not restricted to prime fields; it can also be done in Galois fields with 2^n elements, or in prime product rings [103], [68]. The "2^n" approach has been taken by several people [64], [117], [56] because arithmetic in these fields can be performed with linear shift registers and is much faster than arithmetic over large primes. It has turned out, however, that discrete logarithms can also be calculated much more quickly in "2^n" fields and so the sizes of the registers must be about 50 percent greater.
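The prime-field exchange described in this section, as an added example that is not code from the paper: both parties compute Y = α^X mod q, exchange the Y values and arrive at the same K_AB, while the eavesdropper's task (recovering X from Y) is shown by exhaustive search, which is only feasible at toy size. The parameters are constructed: q = 23 with primitive element 5, and the prime 2^31 − 1 with α = 7, which is assumed here to be a primitive element and is not verified at that size.

```python
import secrets

# Added example, not code from the paper. Toy parameters are constructed:
# q = 23 with primitive element alpha = 5 (small enough to brute-force the
# logarithm), and the Mersenne prime 2^31 - 1 with alpha = 7, which is
# assumed here to be a primitive element (not verified at that size).
TOY_Q, TOY_ALPHA = 23, 5
BIG_Q, BIG_ALPHA = (1 << 31) - 1, 7


def is_primitive_element(alpha: int, q: int) -> bool:
    """Exhaustively check that the powers of alpha give every nonzero element
    of GF(q); feasible only for small q."""
    seen, y = set(), 1
    for _ in range(q - 1):
        y = y * alpha % q
        seen.add(y)
    return len(seen) == q - 1


def make_secret(q: int) -> int:
    """X chosen uniformly from {1, ..., q-1} and kept secret."""
    return 1 + secrets.randbelow(q - 1)


def public_value(alpha: int, q: int, x: int) -> int:
    """Y = alpha^X mod q, the value sent over the open channel."""
    return pow(alpha, x, q)          # pow() does square-and-multiply


def shared_key(their_public: int, my_secret: int, q: int) -> int:
    """K_AB = Y_B^X_A = Y_A^X_B = alpha^(X_A X_B) mod q."""
    return pow(their_public, my_secret, q)


def exchange(alpha: int, q: int, x_a: int = None, x_b: int = None) -> tuple:
    """Both sides of the protocol. Returns (Y_A, Y_B, K at Alice, K at Bob);
    the last two must agree."""
    x_a = make_secret(q) if x_a is None else x_a
    x_b = make_secret(q) if x_b is None else x_b
    y_a = public_value(alpha, q, x_a)
    y_b = public_value(alpha, q, x_b)
    return y_a, y_b, shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)


def discrete_log_exhaustive(y: int, alpha: int, q: int) -> tuple:
    """The eavesdropper's task: recover X from Y by trying every exponent.
    Returns (X, multiplications used); the cost grows linearly with q, and
    even the best known methods are far too slow at real sizes."""
    acc = 1
    for x in range(1, q):
        acc = acc * alpha % q
        if acc == y:
            return x, x
    return None, q - 1


if __name__ == "__main__":
    print(exchange(TOY_ALPHA, TOY_Q, 6, 15))           # (8, 19, 2, 2)
    print(discrete_log_exhaustive(8, TOY_ALPHA, TOY_Q))  # (6, 6)
```

With X_A = 6 and X_B = 15 in GF(23), Alice sends 8, Bob sends 19, and both compute K_AB = 2. The same code works unchanged for the 31-bit prime, where `discrete_log_exhaustive` would need up to 2^31 multiplications; that contrast between `pow` and the exhaustive search is the whole point of the section.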
Marty and I immediately recognized that we had a far more compact solution to the key distribution problem than Merkle's puzzles and hastened to add it to both the upcoming National Computer Conference presentation and to "New Directions." The latter now contained a solution to each aspect of the public-key problem, though not the combined solution I had envisioned. It was sent off to the IEEE Transactions on Information Theory prior to my departure for NCC and like all of our other papers was immediately circulated in preprint.
III. Trap-Door Knapsacks
Later in the same year, Ralph Merkle began work on his best known contribution to public-key cryptography: building trap-doors into the knapsack one-way function to produce the trap-door knapsack public-key cryptosystem.

The knapsack problem is fancifully derived from the notion of packing gear into a knapsack. A shipping clerk faced with an odd assortment of packages and a freight container will naturally try to find a subset of the packages that fills the container exactly with no wasted space. The simplest case of this problem, and the one that has found application in cryptography, is the one-dimensional case: packing varying lengths of fishing rod into a tall thin tube.

Given a cargo vector of integers a = (a_1, a_2, ..., a_n) it is easy to add up the elements of any specified subvector. Presented with an integer S, however, it is not easy to find a subvector of a whose elements sum to S, even if such a subvector is known to exist. This knapsack problem is well known in combinatorics and is believed to be extremely difficult in general. It belongs to the class of NP-complete problems, problems thought not to be solvable in polynomial time on any deterministic computer.
I had previously identified the knapsack problem as a theoretically attractive basis for a one-way function. The cargo vector a can be used to encipher an n-bit message x = (x_1, x_2, ..., x_n) by taking the dot product S = a · x as the ciphertext. Because one element of the dot product is binary, this process is easy and simply requires additions. Inverting the function by finding a binary vector x such that a · x = S solves the knapsack problem and is thus believed to be computationally infeasible if a is randomly chosen. Despite this difficulty in general, many cases of the knapsack problem are quite easy and Merkle contrived to build a trap-door into the knapsack one-way function by starting with a simple cargo vector and converting it into a more complex form [71].
If the cargo vector a is chosen so that each element is larger than the sum of the preceding elements, it is called superincreasing and its knapsack problem is particularly simple. (In the special case where the components are 1, 2, 4, 8, etc., this is the elementary operation of binary

a'_4 = 1191 means that x_4 too must equal 1. Finally S'' − a'_4 = 197 = a'_2, so x_3 = 0, x_2 = 1, and x_1 = 0.
The simple cargo vector a' cannot be used as a public enciphering key because anyone can easily recover a vector x for which x · a' = S' from a' and S' by the process described above. The algorithm for generating keys therefore chooses a random superincreasing cargo vector a' (with a hundred or more components) and keeps this vector secret. It also generates a random integer m, larger than Σ a'_i, and a random integer w, relatively prime to m, whose inverse w^{-1} mod m will be used in decryption. The public cargo vector or enciphering key is produced by multiplying each component of a' by w mod m:

a_i = w a'_i mod m.

Alice publishes a transposed version of a as her public key, but keeps the transposition, the simple cargo vector a', the multiplier w and its inverse, and the modulus m secret as her private key.
When Bob wants to send the message x to Alice he computes and sends

S = a · x.

Because

S' = w^{-1} S mod m
   = w^{-1} Σ_i a_i x_i mod m
   = w^{-1} Σ_i (w a'_i mod m) x_i mod m
   = Σ_i (w^{-1} w a'_i mod m) x_i mod m
   = Σ_i a'_i x_i mod m

when m > Σ a'_i, Alice can use her secret information, w^{-1} and m, to transform any message S that has been enciphered with her public key into S' = w^{-1} S and solve the easy knapsack problem S' = a' · x to obtain x.

For example, for the secret vector a' above, the values w = 2550 and m = 8443 result in the public vector a = 5457, 4213, 5316, 6013, 7439, which hides the structure present in a'.
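The single-iteration trap-door knapsack, as an added example that is not code from the paper or from Merkle. It carries the page's own parameters (w = 2550, m = 8443, the public vector 5457, 4213, 5316, 6013, 7439) through key generation, enciphering and the w^{-1} transformation back to the easy superincreasing problem. The secret vector a' = (171, 197, 459, 1191, 2410) is the superincreasing vector consistent with those values and with the partial worked solution above (a'_4 = 1191), so treat it as reconstructed; the transposition the text mentions is omitted, and `keygen` builds toy-sized random keys of my own design.

```python
import secrets
from math import gcd

# Added example, not the paper's code. The secret vector a' below is the
# superincreasing vector consistent with the page's w = 2550, m = 8443, public
# vector and partial worked solution (a'_4 = 1191); treat it as reconstructed.
A_PRIME = [171, 197, 459, 1191, 2410]
W, M = 2550, 8443


def is_superincreasing(v: list) -> bool:
    total = 0
    for e in v:
        if e <= total:
            return False
        total += e
    return True


def solve_superincreasing(a_prime: list, s: int) -> list:
    """Easy knapsack: scan from the largest element down; an element belongs
    to the subset exactly when it still fits in what remains of s."""
    x = [0] * len(a_prime)
    for i in range(len(a_prime) - 1, -1, -1):
        if s >= a_prime[i]:
            x[i] = 1
            s -= a_prime[i]
    if s != 0:
        raise ValueError("no solution: S' has no inverse image")
    return x


def make_public(a_prime: list, w: int, m: int) -> list:
    """a_i = w a'_i mod m, the disguised (public) cargo vector."""
    if not is_superincreasing(a_prime) or m <= sum(a_prime) or gcd(w, m) != 1:
        raise ValueError("parameters violate the key-generation rules")
    return [(w * ai) % m for ai in a_prime]


def encrypt(a: list, x: list) -> int:
    """S = a . x, a plain sum of the selected public weights."""
    return sum(ai * xi for ai, xi in zip(a, x))


def decrypt(a_prime: list, w: int, m: int, S: int) -> list:
    """S' = w^-1 S mod m equals a' . x because m > sum(a'); then solve easily."""
    w_inv = pow(w, -1, m)              # modular inverse, Python 3.8+
    return solve_superincreasing(a_prime, (w_inv * S) % m)


def keygen(n: int = 5, spread: int = 100) -> tuple:
    """Random single-iteration key (constructed, toy-scale): superincreasing
    a', m > sum(a'), w coprime to m. Returns (public vector, (a', w, m))."""
    a_prime, total = [], 0
    for _ in range(n):
        nxt = total + 1 + secrets.randbelow(spread)
        a_prime.append(nxt)
        total += nxt
    m = total + 1 + secrets.randbelow(spread)
    while True:
        w = 2 + secrets.randbelow(m - 2)
        if gcd(w, m) == 1:
            break
    return make_public(a_prime, w, m), (a_prime, w, m)


PUBLIC = make_public(A_PRIME, W, M)    # [5457, 4213, 5316, 6013, 7439]
```

For x = (0, 1, 0, 1, 1) the ciphertext is S = 4213 + 6013 + 7439 = 17665; multiplying by w^{-1} = 3950 mod 8443 gives S' = 3798 = 197 + 1191 + 2410, which the greedy scan recovers at once. `PUBLIC` itself is not superincreasing, which is the disguise the text describes; the check in `make_public` enforces the m > Σ a'_i condition on which the decryption identity depends.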
This process can be iterated to produce a sequence of cargo vectors with more and more difficult knapsack problems by using transformations (w_1, m_1), (w_2, m_2), etc. The overall transformation that results is not, in general, equivalent to any single (w, m) transformation.

The trap-door knapsack system does not lend itself readily to the production of signatures because most elements of the ciphertext space {0 ≤ S ≤ Σ a_i} do not have inverse images. This does not interfere with the use of the system for sending private messages, but requires special adaptation for signature applications [71], [90]. Merkle had great confidence in even the single iteration knapsack system and posted a note on his office offering a $100 reward to anyone who could break it.
IV. The RSA System
Unknown to us at the time we wrote "New Directions" were the three people who were to make the single most spectacular contribution to public-key cryptography: Ronald Rivest, Adi Shamir, and Leonard Adleman. Ron Rivest had been a graduate student in computer science at Stanford while I was working on proving the correctness of programs at the Stanford Artificial Intelligence Laboratory. One of my colleagues in that work was Zohar Manna, who shortly returned to Israel and supervised the doctoral research of Adi Shamir at the Weizmann Institute. Len Adleman was a native San Franciscan with both undergraduate and graduate degrees from U.C. Berkeley. Despite this web of near connections, not one of the three had previously crossed our paths and their names were unfamiliar.

When the New Directions paper reached MIT in the fall of 1976, the three took up the challenge of producing a full-fledged public-key cryptosystem. The process lasted several months during which Rivest proposed approaches, Adleman attacked them, and Shamir recalls doing some of each.

In May 1977 they were rewarded with success. After investigating a number of possibilities, some of which were later put forward by other researchers [67], [1], they had discovered how a simple piece of classical number theory could be made to solve the problem. The resulting paper [91] also introduced Alice and Bob, the first couple of cryp-
tography [53].

The RSA cryptosystem is a block cipher in which the plaintexts and ciphertexts are integers between 0 and N − 1 for some N. It resembles the exponential key exchange system described above in using exponentiation in modular arithmetic for its enciphering and deciphering operations but, unlike that system, RSA must do its arithmetic not over prime numbers, but over composite ones. Knowledge of a plaintext M, a modulus N, and an exponent e are sufficient to allow calculation of M^e mod N. Exponentiation, however, is a one-way function with respect to the extraction of roots as well as logarithms. Depending on the characteristics of N, M, and e, it may be very difficult to invert. The RSA system makes use of the fact that finding large (e.g., 200

128 ... mod 527
35 × 256 × 35 ... 101 × 47 × 128 mod 527
= 2 mod 527
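Textbook RSA over the modulus the page's fragment uses, as an added example that is not the paper's code. N = 527 = 17 × 31 is taken from the page; the public exponent e = 7 (and hence d = 343) is my assumption, chosen so that M = 2 enciphers to 128 and deciphers back to 2, matching the visible residue of the worked example. The block also shows the signing use of the same key pair described in Section I and, on the defender's side, why N must be large: trial division recovers the private exponent from a modulus this small in a fraction of a second.

```python
from math import gcd, isqrt

# Added example, not the paper's code. N = 527 = 17 * 31 is the modulus visible
# in the page's fragment; e = 7 (so d = 343) is an assumed choice.
P, Q, E = 17, 31, 7


def modexp(base: int, exp: int, mod: int) -> int:
    """Right-to-left square-and-multiply: the 'easy direction' of the
    one-way function, about 2 log2(exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def rsa_keypair(p: int, q: int, e: int) -> tuple:
    """Returns ((N, e), (N, d)) with e d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(public: tuple, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, N-1]")
    return modexp(m, e, n)


def decrypt(private: tuple, c: int) -> int:
    n, d = private
    return modexp(c, d, n)


def sign(private: tuple, m: int) -> int:
    """Signing is 'encrypting with the secret key' (Section I)."""
    n, d = private
    return modexp(m, d, n)


def verify(public: tuple, m: int, signature: int) -> bool:
    n, e = public
    return modexp(signature, e, n) == m


def factor_by_trial_division(n: int) -> tuple:
    """Works only for toy moduli; its failure at real sizes is what RSA relies on."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no nontrivial factor found")


def recover_private_from_factors(n: int, e: int) -> tuple:
    """Anyone who can factor N obtains d; the converse is not known to hold."""
    p, q = factor_by_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


PUBLIC, PRIVATE = rsa_keypair(P, Q, E)   # ((527, 7), (527, 343))
```

Here 2^7 = 128 mod 527 and 128^343 mod 527 = 2, since 7 × 343 = 2401 = 5 × 480 + 1 and 2^480 ≡ 1 (mod 527) by Euler's theorem. `recover_private_from_factors` makes concrete the one direction that is known: factoring N yields d immediately, which is why the paper stresses that the factors must be large.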
Just as the strength of the exponential key exchange system is not known to be equivalent to the difficulty of extracting discrete logarithms, the strength of RSA has not been proven equivalent to factoring. There might be some method of taking the eth root of M^e without calculating d and thus without providing information sufficient to factor. While at MIT in 1978, M. O. Rabin [86] produced a variant of RSA, subsequently improved by Hugh Williams of the University of Manitoba [113], that is equivalent to factoring. Rivest and I have independently observed [38], [82], however, that the precise equivalence Rabin has shown is a two-edged sword!
V. The McEliece Coding Scheme
Within a short time yet another public-key system was to appear, this due to Robert J. McEliece of the Jet Propulsion Laboratory at Cal Tech [69]. McEliece's system makes use of the existence of a class of error correcting codes, the Goppa codes, for which a fast decoding algorithm is known. His idea was to construct a Goppa code and disguise it as a general linear code, whose decoding problem is NP-complete. There is a strong parallel here with the trap-door knapsack system in which a superincreasing cargo vector, whose knapsack problem is simple to solve, is disguised as a general cargo vector whose knapsack problem is NP-complete. In a knapsack system, the secret key consists of a superincreasing cargo vector a', together with the multiplier w and the modulus m that disguise it; in McEliece's system, the secret key consists of the generator matrix G for a Goppa code together with a nonsingular matrix S and a permutation matrix P that disguise it. The public key appears as the encoding matrix G' = SGP of a general linear code.

• To encode a data block v into a message x, Alice multiplies it by Bob's public encoding matrix G' and adds a locally generated noise block z.

• To decode, Bob multiplies the received message x by P^{-1}, decodes xP^{-1} to get a word in the Goppa code, and multiplies this by S^{-1} to recover Alice's data block.
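The SGP disguise and the two-step decoding above, as an added example that is not code from the paper or from McEliece. A Goppa code and its decoder do not fit in a short example, so a systematic Hamming (7,4) code that corrects one error stands in for the secret code (my substitution, stated here); S is a random invertible 4×4 matrix and P a random 7×7 permutation matrix over GF(2), both constructed. The public key G' = SGP, the encoding x = vG' + z with a single error z, and the decoding xP^{-1} → correct → strip to vS → multiply by S^{-1} follow the two bullet points exactly.

```python
import secrets

# Added example, not the paper's code. A Hamming (7,4) code stands in for
# the Goppa code (assumption): it corrects one error, so the noise block z
# has weight one. S and P are random and constructed at key-generation time.
G_SECRET = [[1, 0, 0, 0, 1, 1, 0],     # systematic generator [I_4 | A]
            [0, 1, 0, 0, 1, 0, 1],
            [0, 0, 1, 0, 0, 1, 1],
            [0, 0, 0, 1, 1, 1, 1]]
H_SECRET = [[1, 1, 0, 1, 1, 0, 0],     # parity-check [A^T | I_3]
            [1, 0, 1, 1, 0, 1, 0],
            [0, 1, 1, 1, 0, 0, 1]]


def mat_mul(A: list, B: list) -> list:
    """Matrix product over GF(2)."""
    cols = len(B[0])
    return [[sum(a & B[t][j] for t, a in enumerate(row)) & 1 for j in range(cols)]
            for row in A]


def vec_mat(v: list, M: list) -> list:
    return mat_mul([v], M)[0]


def mat_inv(M: list) -> list:
    """Gauss-Jordan inverse over GF(2); raises ValueError if singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            raise ValueError("singular matrix")
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [x ^ y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def hamming_decode(r: list) -> list:
    """The 'fast decoding algorithm' of the secret code: syndrome lookup
    corrects a single error and returns the codeword."""
    s = [sum(H_SECRET[i][j] & r[j] for j in range(7)) & 1 for i in range(3)]
    r = r[:]
    if any(s):
        columns = [[H_SECRET[i][j] for i in range(3)] for j in range(7)]
        r[columns.index(s)] ^= 1
    return r


def random_invertible(n: int) -> list:
    while True:
        S = [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]
        try:
            mat_inv(S)
            return S
        except ValueError:
            continue


def random_permutation_matrix(n: int) -> list:
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]


def keygen() -> tuple:
    """Public key G' = S G P; private key (S, P) plus the secret code."""
    S, P = random_invertible(4), random_permutation_matrix(7)
    return mat_mul(mat_mul(S, G_SECRET), P), (S, P)


def encrypt(g_pub: list, v: list, error_pos: int = None) -> list:
    """x = v G' + z with z a single random error (the noise block)."""
    x = vec_mat(v, g_pub)
    if error_pos is None:
        error_pos = secrets.randbelow(len(x))
    x[error_pos] ^= 1
    return x


def decrypt(private: tuple, x: list) -> list:
    """x P^-1 = v S G + z P^-1; correct the error, read off v S, undo S."""
    S, P = private
    y = vec_mat(x, mat_inv(P))
    codeword = hamming_decode(y)
    return vec_mat(codeword[:4], mat_inv(S))    # systematic: first 4 bits = vS


def roundtrip_all(g_pub: list, private: tuple) -> bool:
    """Every 4-bit block with the error in every position must decrypt."""
    for bits in range(16):
        v = [(bits >> i) & 1 for i in range(4)]
        for e in range(7):
            if decrypt(private, encrypt(g_pub, v, e)) != v:
                return False
    return True
```

Because P is a permutation, zP^{-1} still has weight one, which is why the secret decoder can remove it after the permutation is undone; and because G is systematic, the first four bits of the corrected codeword are exactly vS. At this toy size G' can be attacked by brute force, so the example demonstrates the structure, not the security, of the scheme.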
McEliece's system has never achieved wide acceptance and has probably never even been considered for implementation in any real application. This may be because the public keys are quite large, requiring on the order of a million bits; it may be because the system entails substantial expansion of the data; or it may be because McEliece's system bears a frightening structural similarity to the knapsack systems whose fate we shall discover shortly.
VI. The Fall of the Knapsacks
Nineteen eighty-two was the most exciting time for public-key cryptography since its spectacular first three years. In March, Adi Shamir sent out a research announcement: He had broken the single iteration Merkle-Hellman knapsack system [107], [102]. By applying new results of Lenstra at the Mathematische Centrum in Amsterdam, Shamir had learned how to take a public cargo vector and discover a w' and m' that would convert it back into a superincreasing "secret" cargo vector, not necessarily the same one the originator had used, but one that would suffice for decrypting messages encrypted with the public cargo vector.

Shamir's original attack was narrow. It seemed that perhaps its only consequence would be to strengthen the knapsack system by adding conditions to the construction rules for avoiding the new attack. The first response of Gustavus J. Simmons, whose work will dominate a later section, was that he could avoid Shamir's attack without even changing the cargo vector, merely by a more careful choice of w and m [6]. He quickly learned, however, that Shamir's approach could be extended to break a far larger class of knapsack systems [16].
Crypto '82 revealed that several other people had continued down the trail Shamir had blazed. Shamir himself had reached the same conclusions. Andy Odlyzko and Jeff Lagarias at Bell Labs were on the same track and Len Adleman had not only devised an attack but programmed it on an Apple II. The substance of the attacks will not be treated here since it is central to another paper in this special section (E. F. Brickell and A. M. Odlyzko, "Cryptanalysis: A Survey of Recent Results"). The events they engendered, however, will.
I had the pleasure of chairing the cryptanalysis session at Crypto '82 in which the various results were presented. Ironically, at the time I accepted the invitation to organize such a session, Shamir's announcement stood alone and knapsack systems were only one of the topics to be discussed. My original program ran into very bad luck, however. Of the papers initially scheduled only Donald Davies's talk on "The Bombe at Bletchley Park" was actually presented. Nonetheless, the lost papers were more than replaced by presentations on various approaches to the knapsack problem.

Last on the program were Len Adleman and his computer, which had accepted a challenge on the first night of the conference. The hour passed; various techniques for attacking knapsack systems with different characteristics were heard; and the Apple II sat on the table waiting to reveal the results of its labors. At last Adleman rose to speak, mumbling something self-deprecatingly about "the theory first, the public humiliation later" and beginning to explain his work. All the while the figure of Carl Nicolai moved silently in the background setting up the computer and copying a sequence of numbers from its screen onto a transparency. At last another transparency was drawn from a sealed envelope and the results placed side by side on the projector. They were identical. The public humiliation was not Adleman's, it was knapsack's.
Ralph Merkle was not present, but Marty Hellman, who was, gamely arose to make a concession speech on their behalf. Merkle, always one to put his money where his mouth was, had long since paid Shamir the $100 in prize money that he had placed on the table nearly six years before.

The press wrote that knapsacks were dead. I was skeptical but ventured that the results were sufficiently threatening that I felt "nobody should entrust anything of great value to a knapsack system unless he had a much deeper theory of their functioning than was currently available." Nor was Merkle's enthusiasm dampened. He promptly raised his bet and offered $1000 to anyone who could break a multiple iteration knapsack [72].

It took two years, but in the end, Merkle had to pay [42]. The money was finally claimed by Ernie Brickell in the summer of 1984 when he announced the destruction of a knapsack system of forty iterations and a hundred weights in the cargo vector in about an hour of Cray time [17]. That Fall I was forced to admit: "knapsacks are flat on their back."
Closely related techniques have also been applied to make a dramatic reduction in the time needed to extract discrete logarithms in fields of type GF(2^n). This approach was pioneered by Blake, Fuji-Hara, Vanstone, and Mullin in Canada [10] and refined by Coppersmith in the U.S. [28]. A comprehensive survey of this field was given by Andy Odlyzko at Eurocrypt 84 [79].
VII. Early Responses to Public Key
A copy of the MIT report [90] on the RSA cryptosystem was sent to Martin Gardner, Mathematical Games editor of Scientific American, shortly after it was printed. Gardner promptly published a column [48] based on his reading of both the MIT report and "New Directions." Bearing the title "A New Kind of Cryptosystem That Would Take Millions of Years to Break," it began a confusion that persists to this day between the two directions explored by the "New Directions" paper: public-key cryptography and the problem of proving the security of cryptographic systems. More significant, however, was the prestige that public-key cryptography got from being announced in the scientific world's most prominent lay journal more than six months before its appearance in the Communications of the ACM.
The excitement public-key cryptosystems provoked in the popular and scientific press was not matched by corresponding acceptance in the cryptographic establishment, however. In the same year that public-key cryptography was discovered, the National Bureau of Standards, with the support of the National Security Agency, proposed a conventional cryptographic system, designed by IBM, as a federal Data Encryption Standard [4]. Hellman and I criticized the proposal on the grounds that its key was too small [37], but manufacturers were gearing up to support the proposed standard and our criticism was seen by many as an attempt to disrupt the standards making process to the advantage of our own work. Public key in its turn was attacked, in sales literature [7] and technical papers [76], [81] alike, more as though it were a competing product than a recent research discovery. This, however, did not deter NSA from claiming its share of the credit. Its director, in the words of the Encyclopaedia Britannica [110], "pointed out that two-key cryptography had been discovered at the agency a decade earlier," though no evidence for this claim was ever offered publicly.
Far from hurting public key, the attacks and counterclaims added to a ground swell of publicity that spread its reputation far faster than publication in scientific journals alone ever could. The criticism nonetheless bears careful examination, because the field has been affected as much by discoveries about how public-key cryptosystems should be used as by discoveries about how they can be built.
In viewing public-key cryptography as a new form of cryptosystem rather than a new form of key management, I set the stage for criticism on grounds of both security and performance. Opponents were quick to point out that the RSA system ran about one thousandth as fast as DES and required keys about ten times as large. Although it had been obvious from the beginning that the use of public-key systems could be limited to exchanging keys for conventional cryptography, it was not immediately clear that this was necessary. In this context, the proposal to build hybrid systems [62] was hailed as a discovery in its own right.
At present, the convenient features of public-key cryptosystems are bought at the expense of speed. The fastest RSA implementations run at only a few thousand bits per second, while the fastest DES implementations run at many million. It is generally desirable, therefore, to make use of a hybrid in which the public-key systems are used only during key management processes to establish shared keys for employment with conventional systems.
No known theorem, however, says that a public-key cryptosystem must be larger and slower than a conventional one. The demonstrable restrictions mandate a larger minimum block size (though perhaps no larger than that of DES) and preclude use in stream modes whose chunks are smaller than this minimum. For a long time I felt that "high-efficiency" public-key systems would be discovered and would supplant both current public key and conventional systems in most applications. Using public-key systems throughout, I argued, would yield a more uniform architecture with fewer components and would give the best possible damage limitation in the event of a key distribution center compromise [8]. Most important, I thought, if only one system were in use, only one certification study would be required. As certification is the most fundamental and most difficult problem in cryptography, this seemed to be where the real savings lay.
In time I saw the folly of this view. Theorems or not, it seemed silly to expect that adding a major new criterion to the requirements for a cryptographic system could fail to slow it down. The designer would always have more latitude with systems that did not have to satisfy the public-key property and some of these would doubtless be faster. Even more compelling was the realization that modes of operation incompatible with the public-key property are essential in many communication channels.
To date, the "high-efficiency public-key systems" that I had hoped for have not appeared and the restriction of public-key cryptography to key management and signature applications is almost universally accepted. More fundamental criticism focuses on whether public key actually makes any contribution to security, but, before examining this criticism, we must undertake a more careful study of key distribution mechanisms.
Key Management
The solution to the problem of key management using conventional cryptography is for the network to provide a key distribution center (KDC): a trusted network resource that shares a key with each subscriber and uses these in a bootstrap process to provide additional keys to the subscribers as needed. When one subscriber wants to communicate securely with another, he first contacts the KDC to obtain a session key for use in that particular conversation.
Key distribution protocols vary widely depending on the cost of messages, the availability of multiple simultaneous connections, whether the subscribers have synchronized clocks, and whether the KDC has authority not only to facilitate, but to allow or prohibit, communications. The following example is typical and makes use of an important property of cryptographic authentication. Because a message altered by anyone who does not have the correct key will fail when tested for authenticity, there is no loss of security in receiving a message from the hands of a potential opponent. In so doing, it introduces, in a conventional context, the concept of a certificate—a cryptographically authenticated message containing a cryptographic key—a concept that plays a vital role in modern key management.
1) When Alice wants to call Bob, she first calls the KDC and requests a key for communicating with Bob.
2) The KDC responds by sending Alice a pair of certificates. Each contains a copy of the required session key, one encrypted so that only Alice can read it and one so that only Bob can read it.
3) When Alice calls Bob, she presents the proper certificate as her introduction. Each of them decrypts the appropriate certificate under the key that he shares with the KDC and thereby gets access to the session key.
4) Alice and Bob can now communicate securely using the session key.
Alice and Bob need not go through all of this procedure on every call; they can instead save the certificates for later use. Such cacheing of keys allows subscribers to avoid calling the KDC every time they pick up the phone, but the number of KDC calls is still proportional to the number of distinct pairs of subscribers who want to communicate securely. A far more serious disadvantage of the arrangement described above is that the subscribers must share the secrecy of their keying information with the KDC and if it is penetrated, they too will be compromised.
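A toy model of the four-step KDC protocol above, written for this page and not taken from the paper. The HMAC-based cipher, the subscriber names and the sample message are constructed stand-ins for a real conventional cryptosystem; the last two functions exercise the two properties the text relies on: an altered certificate fails the authenticity test, and a penetrated KDC together with a passive recording of the wire yields the session key and the call.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed toy stream cipher: SHA-256 in counter mode. It stands in for
    # the conventional cryptosystem; a real design would use a vetted AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a message altered without the key fails here."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self):
        self.table = {}                         # subscriber -> long-term shared key

    def enroll(self, name: str) -> bytes:
        self.table[name] = secrets.token_bytes(32)
        return self.table[name]

    def request_key(self, caller: str, callee: str):
        """Step 2: one fresh session key, sealed once for each party."""
        session_key = secrets.token_bytes(32)
        return seal(self.table[caller], session_key), seal(self.table[callee], session_key)


def run_call(message: bytes):
    """Steps 1-4. Returns (what a passive tap recorded, the KDC's key table, call succeeded)."""
    kdc = KDC()
    k_alice, k_bob = kdc.enroll("alice"), kdc.enroll("bob")
    cert_alice, cert_bob = kdc.request_key("alice", "bob")    # steps 1 and 2
    ks_alice = unseal(k_alice, cert_alice)                     # step 3, Alice's side
    ks_bob = unseal(k_bob, cert_bob)                           # step 3, Bob's side
    traffic = seal(ks_alice, message)                          # step 4
    tap = {"cert_bob": cert_bob, "traffic": traffic}           # everything that crossed the wire
    return tap, dict(kdc.table), unseal(ks_bob, traffic) == message


def tampering_is_detected(kdc_table: dict, tap: dict) -> bool:
    """The property the text relies on: a certificate altered in transit fails
    the authenticity test rather than yielding a wrong key."""
    damaged = bytearray(tap["cert_bob"])
    damaged[20] ^= 0x01                                        # flip one ciphertext bit
    try:
        unseal(kdc_table["bob"], bytes(damaged))
        return False
    except ValueError:
        return True


def call_readable_after_kdc_compromise(kdc_table: dict, tap: dict) -> bytes:
    """The disadvantage the text names: the KDC's key table plus a recording
    of the wire reproduces the session key and therefore the call itself."""
    session_key = unseal(kdc_table["bob"], tap["cert_bob"])
    return unseal(session_key, tap["traffic"])
```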
A big improvement in both economy and security can be made by the use of public-key cryptography. A certificate functions as a letter of introduction. In the protocol above, Alice has obtained a letter that introduces her to Bob and Bob alone. In a network using public-key encryption, she can instead obtain a single certificate that introduces her to any network subscriber [62].
What accounts for the difference? In a conventional network, every subscriber shares a secret key with the KDC and can only authenticate messages explicitly meant for him. If one subscriber has the key needed to authenticate a message meant for another subscriber, he will also be able to create such a message and authentication fails. In a public-key network, each subscriber has the public key of the KDC and thus the capacity to authenticate any message from the KDC, but no power to forge one.
Alice and Bob, each having obtained a certificate from the KDC in advance of making any secure calls, communicate with each other as follows:
1) Alice sends her certificate to Bob.
2) Bob sends his certificate to Alice.
3) Alice and Bob each check the KDC's signature on the certificates they have received.
4) Alice and Bob can now communicate using the keys contained in the certificates.
When making a call, there is no need to call the KDC and little to be gained by cacheing the certificates. The added security arises from the fact that the KDC is not privy to any information that would enable it to spy on the subscribers. The keys that the KDC dispenses are public keys and messages encrypted with these can only be decrypted by using the corresponding secret key, to which the KDC has no
The most carefully articulated attack came from Roger Needham and Michael Schroeder [76] who compared conventional key distribution protocols with similar public-key ones. They counted the numbers of messages required and concluded that conventional cryptography was more efficient than public-key cryptography. Unfortunately, in this analysis, they had ignored the fact that security was better under the public-key protocol they presented than the conventional one.
In order to compromise a network that employs conventional cryptography, it suffices to corrupt the KDC. This gives the intruders access to information sufficient for recovering the session keys used to encrypt past, present, and perhaps future messages. These keys, together with information obtained from passive wiretaps, allow the penetrators of the KDC access to the contents of any message sent on the system.
A public-key network presents the intruder with a much more difficult problem. Even if the KDC has been corrupted and its secret keys known to opponents, this information is insufficient to read the traffic recorded by a passive wiretap. The KDC's secret key is useful only for signing certificates containing subscribers' public keys; it does not enable the intruders to decrypt any subscriber traffic. To be able to gain access to this traffic, the intruders must use their ability to forge certificates as a way of tricking subscribers into encrypting messages with phony public keys.
In order to spy on a call from Alice to Bob, opponents who have discovered the secret key of the KDC must intercept the message in which Alice sends Bob the certificate for her public key and substitute one for a public key they have manufactured themselves and whose corresponding secret key is therefore known to them. This will enable them to decrypt any message that Alice sends to Bob. If such a mis-encrypted message actually reaches Bob, however, he will be unable to decrypt it and may alert Alice to the error. The opponents must therefore intercept Alice's messages, decrypt them, and reencrypt them in Bob's public key in order to maintain the deception. If the opponents want to understand Bob's replies to Alice, they must go through the same procedure with Bob, supplying him with a phony public key for Alice and translating all the messages he sends her.
The procedure above is cumbersome at best. Active wiretaps are in principle detectable, and the number the intruders must place in the net in order to maintain their control grows rapidly with the number of subscribers being spied on. Over large portions of many networks—radio broadcast networks, for example—the message deletions essential to this scheme are extremely difficult. This forces the opponents to place their taps very close to the targets and recreates the circumstances of conventional wiretapping, thereby denying the opponents precisely those advantages of communications intelligence that make it so
It is worth observing that the use of a hybrid scheme diminishes the gain in security a little because the intruder does not need to control the channel after the session key has been selected. This threat, however, can be countered, without losing the advantages of a session key, by periodically (and unpredictably) using the public keys to exchange a new session key [40].
Public-key techniques also make it possible to conquer another troubling problem of conventional cryptographic security, the fact that compromised keys can be used to read traffic taken at an earlier date. At the trial of Jerry Whitworth, a spy who passed U.S. Navy keying information to the Russians, the judge asked the prosecution's expert witness [27] "Why is it necessary to destroy yesterday's [key] ... list if it's never going to be used again?" The witness responded in shock: "A used key, Your Honor, is the most critical key there is. If anyone can gain access to that, they can read your communications."
The solution to this problem is to be found in a judicious combination of exponential key exchange and digital signatures, inherent in the operation of a secure telephone currently under development at Bell-Northern Research [41], [1] and intended for use on the Integrated Services Digital Network.
Each ISDN secure phone has an operating secret-key/public-key pair that has been negotiated with the network's key management facility. The public-key portion is embodied in a certificate signed by the key management facility along with such identifying information as its phone number and location. In the call setup process that follows, the phone uses this certificate to convey its public key to other phones.
1) The telephones perform an exponential key exchange to generate session keys unique to the current phone call. These keys are then used to encrypt all subsequent transmissions in a conventional cryptosystem.
2) Having established an encrypted (though not yet authenticated) channel, the phones begin exchanging credentials. Each sends the other its public-key certificate.
3) Each phone checks the signature on the certificate it has received and extracts from it the other phone's public key.
4) The phones now challenge each other to sign test messages and check the signatures on the responses using the public keys from the certificates.
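A constructed model of the four-step call setup above (an added example, not Bell-Northern Research code), which also exercises the facility-signed certificates of the public-key KDC protocol earlier on the page and the practice, described later, of signing a message digest rather than the whole document. Everything is a toy: the Mersenne-prime exchange group, the textbook RSA over fixed primes, the phone numbers and the challenge bytes; real systems use standardized groups and padded signatures. The last function contrasts the per-call exponential exchange with RSA key transport, the pattern the paper attributes to the Datacryptor II, to show which of the two a later compromise of long-term keys can unwind.

```python
import hashlib
import secrets

P, G = 2**127 - 1, 3                       # toy exponential key exchange group (constructed)


def rsa_keypair(p, q):                     # textbook RSA over fixed Mersenne primes (constructed)
    n, e = p * q, 65537
    return (n, e), pow(e, -1, (p - 1) * (q - 1))


def digest(data: bytes, n: int) -> int:    # sign the digest of the message, not the message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(sec, pub, data):
    return pow(digest(data, pub[0]), sec, pub[0])


def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])


def cert_body(number, pub):                # identifying information plus the public key
    return f"{number}|{pub[0]}|{pub[1]}".encode()


class Facility:                            # the network's key management facility
    def __init__(self):
        self.pub, self.sec = rsa_keypair(2**521 - 1, 2**607 - 1)

    def issue(self, number, pub):
        return {"number": number, "pub": pub,
                "sig": sign(self.sec, self.pub, cert_body(number, pub))}


class Phone:
    def __init__(self, number, p, q, facility):
        self.pub, self.sec = rsa_keypair(p, q)        # long-term pair, negotiated once
        self.cert = facility.issue(number, self.pub)


def call_setup(a, b, facility_pub):
    """Steps 1-4; returns (keys agree, wire transcript, session key)."""
    x, y = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2   # step 1
    ga, gb = pow(G, x, P), pow(G, y, P)
    ks_a = hashlib.sha256(pow(gb, x, P).to_bytes(16, "big")).digest()
    ks_b = hashlib.sha256(pow(ga, y, P).to_bytes(16, "big")).digest()
    wire = {"ga": ga, "gb": gb, "certs": (a.cert, b.cert), "auth": []}   # step 2
    for cert in wire["certs"]:                                          # step 3
        if not verify(facility_pub, cert_body(cert["number"], cert["pub"]), cert["sig"]):
            raise ValueError("certificate not signed by the facility")
    binding = ga.to_bytes(16, "big") + gb.to_bytes(16, "big")
    for phone in (a, b):                                                # step 4
        chal = secrets.token_bytes(16)             # fresh test message from the peer
        resp = sign(phone.sec, phone.pub, chal + binding)   # tied to this call's exchange
        if not verify(phone.cert["pub"], chal + binding, resp):
            raise ValueError("peer does not hold the certified secret key")
        wire["auth"].append((phone.cert["number"], chal, resp))
    del x, y            # the exponents live only for the call; the recording never carries them
    return ks_a == ks_b, wire, ks_a


def transport_setup(a):
    """Contrast: the peer picks the session key and sends it under a's long-term public key."""
    ks = secrets.randbelow(2**100)
    return {"enc_key": pow(ks, a.pub[1], a.pub[0])}, ks


def key_from_recording(wire, long_term_secrets):
    """The spy-case adversary: a recording plus every long-term secret key.
    Key transport gives up the session key outright.  The exponential exchange
    leaves only ga, gb, certificates and signatures, and recovering x or y from
    ga, gb is the discrete-logarithm problem, so nothing here reproduces ks."""
    if "enc_key" in wire:
        sec, pub = long_term_secrets["a"]
        return pow(wire["enc_key"], sec, pub[0])
    return None
```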
Once the call setup is complete, each phone displays for its user the identity of the phone with which it is in com-
The use of the exponential key exchange creates unique session keys that exist only inside the phones and only for the duration of the call. This provides a security guarantee whose absence in conventional cryptography is at the heart of many spy cases: once a call between uncompromised ISDN secure phones is completed and the session keys are destroyed, no compromise of the long-term keys that still reside in the phones will enable anyone to decrypt the recording of the call. Using conventional key management techniques, session keys are always derivable from a combination of long-term keying material and intercepted traffic. If long-term conventional keys are ever compromised, all communications, even those of earlier date, encrypted in derived keys, are compromised as well.
In the late 1970s, a code clerk named Christopher Boyce, who worked for a CIA-sponsored division of TRW, copied keying material that was supposed to have been destroyed and sold it to the Russians [66]. More recently, Jerry Whitworth did much the same thing in the communication center of the Alameda Naval Air Station [8]. The use of exponential key exchange would have rendered such previously used keys virtually worthless.
Another valuable ingredient of modern public-key technology is the message digest. Implementing a digital signature by encrypting the entire document to be signed with a secret key has two disadvantages. Because public-key systems are slow, both the signature process (encrypting the message with a secret key) and the verification process (decrypting the message with a public key) are slow. There is also another difficulty. If the signature process encrypts the entire message, the recipient must retain the ciphertext for however long the signed message is needed. In order to make any use of it during this period he must either save a plaintext copy as well or repeatedly decrypt the cipher-
The solution to this problem seems first to have been proposed by Donald Davies and Wyn Price of the National Physical Laboratory in Teddington, England. They proposed constructing a cryptographically compressed form or digest of the message [33] and signing by encrypting this with the secret key. In addition to its economies, this has the advantage of allowing the signature to be passed around independently of the message. This is often valuable in protocols in which a portion of the message that is required in the authentication process is not actually transmitted because it is already known to both parties.
Most criticism of public-key cryptography came about because public-key management has not always been seen from the clear, certificate oriented, view described above. When we first wrote about public key, we spoke either of users looking in a public directory to find each other's keys or simply of exchanging them in the course of communication. The essential fact that each user had to authenticate any public key he received was glossed over. Those with an investment in traditional cryptography were not slow to point out this oversight. Public-key cryptography was stigmatized as being weak on authentication and, although the problems the critics saw have long been solved, the criticism is heard to this day.
PROCEEDINGS OF THE IEEE, VOL. 76, NO. 5, MAY 1988
While arguments about the true worth of public-key cryptography raged in the late 1970s, it came to the attention of one person who had no doubt: Gustavus J. Simmons, head of the mathematics department of Sandia National Laboratories. Simmons was responsible for the mathematical aspects of nuclear command and control and digital signatures were just what he needed. The applications were limitless: A nuclear weapon could demand a digitally signed order before it would arm itself; a badge admitting someone to a sensitive area could bear a digitally signed description of the person; a sensor monitoring compliance with a nuclear test ban treaty could place a digital signature on the information it reported. Sandia began immediately both to develop the technology of public-key devices [98], [107], [80] and to study the strength of the proposed systems [105], [106], [4].
The application about which Simmons spoke most frequently, test-ban monitoring by remote seismic observatories [106], is the subject of another paper in this special section (G. J. Simmons, "How to Insure that Data Acquired to Verify Treaty Compliance are Trustworthy"). If the United States and the Soviet Union could put seismometers on each other's territories and use these seismometers to monitor each other's nuclear tests, the rather generous hundred and fifty kiloton upper limit imposed on underground nuclear testing by the Limited Nuclear Test Ban Treaty of 1963 could be tightened considerably, perhaps to ten kilotons or even one kiloton. The problem is this: A monitoring nation must assure itself that the host nation is not concealing tests by tampering with the data from the monitor's observatories. Conventional cryptographic authentication techniques can solve this problem, but in the process create another. A host nation wants to assure itself that the monitoring nation can monitor only to a yield and does not employ an instrument package capable of detecting staging or other aspects of the weapon not covered by the treaty. If the data from the remote seismic observatory are encrypted, the host country cannot tell what they contain.
Digital signatures provided a perfect solution. A digitally signed message from a remote seismic observatory cannot be altered by the host, but can be read. The host country can assure itself that the observatory is not exceeding its authority by comparing the data transmitted with data from a nearby observatory conforming to its own interpretation of the treaty language.
The RSA system was the one best suited to signature applications, so Sandia began building hardware to carry out the RSA calculations. In 1979 it announced a board implementation intended for the seismic monitoring application [105]. This was later followed by work on both low- and high-speed chips [89], [98].
Sandia was not the only hardware builder. Ron Rivest and colleagues at MIT, ostensibly theoretical computer scientists, learned to design hardware and produced a board at approximately the same time as Sandia. The MIT board would carry out an RSA encryption with a one hundred digit modulus in about a twentieth of a second. It was adequate "proof of concept" but too expensive for the commercial applications Rivest had in mind.
Wafer photo: Sandia low speed chip.
No sooner was the board done than Rivest started studying the recently popularized methods for designing large scale integrated circuits. The result was an experimental nMOS chip that operated on approximately 500-bit numbers and should have been capable of about three encryptions per second [83]. This chip was originally intended as a prototype for commercial applications. As it happened, the chip was never gotten to work correctly, and the appearance of a commercially available RSA chip was to await the brilliant work of Cylink corporation in the mid-1980s [31].
As the present decade dawned, public-key technology began the transition from esoteric research to product development. Part of AT&T's response to a Carter Administration initiative to improve the overall security of American telecommunications was to develop a specialized cryptographic device for protecting the Common Channel Interoffice Signaling (CCIS) on telephone trunks. The devices were link encryptors that used exponential key exchange to distribute DES keys [73], [16].
Although AT&T's system was widely used within its own huge network, it was never made available as a commercial product. At about the same time, however, Racal-Milgo began producing the Datacryptor II, a link encryption device that offered an RSA key exchange mode [87]. One device used exponential key exchange, the other RSA, but overall function was quite similar. When the public-key option of the Datacryptor is initialized, it manufactures a new RSA key pair and communicates the public portion to the Datacryptor at the other end of the line. The device that receives this public key manufactures a DES key and sends it to the first Datacryptor encrypted with RSA. Unfortunately, the opportunity for sophisticated digital signature based authentication that RSA makes possible was missed.
Racal-Milgo Datacryptor II.
Future Secure Voice System
As the early 1980s became the mid-1980s, public-key cryptography finally achieved official, nominally secret, acceptance. In 1983, NSA began feasibility studies for a new secure phone system. There were fewer than ten thousand of their then latest system, the Secure Telephone Unit or STU-II, and already the key distribution center for the principal network was overloaded, with users often complaining of busy signals. At $12 000 or more apiece, ten thousand STU-IIs may have been all the government could afford, but it was hardly all the secure phones that were needed. In its desire to protect far more than just explicitly classified communications, NSA was dreaming of a million phones, each able to talk to any of the others. They could not have them all calling the key distribution center every day.
The system to be replaced employed electronic key distribution that allowed the STU-II to bootstrap itself into direct end-to-end encryption with a different key on every call. When a STU-II made a secure call to a terminal with which it did not share a key, it acquired one by calling a key distribution center using a protocol similar to one described earlier.
Although the STU-II seemed wonderful when first fielded in the late seventies it had some major shortcomings. Some