PROTOCOLS FOR PUBLIC KEY CRYPTOSYSTEMS

Ralph C. Merkle

ELXSi International

Sunnyvale,Ca.

ing both public key and conventional

Abstract
systems.

New Cryptographic protocols which The reader is assumed to be fami-

take full advantage of the unique pro- liar with the general ideas behind pub-

perties of public key cryptosystems are lic key cryptosystems, as described in

now evolving. Several protocols for [1,10] .

public key distribution and for digital For many of the following examples

signatures are briefly compared with we assume there are two communicants,

each other and with the conventional al- called A and B, and an opponent E. A

ternative. and B will attempt to send secret mes-

sages and sign contracts, while E will

1. Introduction attempt to discover the keys, learn the

secrets, and forge contracts. Some-

times, A will attempt to evade a con-

The special strengths of public key
tract he signed with B, or B will at-
SYS terns are briefly considered by exa-
tempt to forge A’s signature to a new
mining cryptographic protocols for key
contract.
distribution and digital signatures us-
A and B will need to apply one way

functions to various arguments of vari-

This work was partially supported under ous sizes, so we assume we have a one
NSF Grant ENG 10173, and much of the way function F which can be applied to
work was done at Stanford University
arguments of any size and produce a
ISL. The author would also like to ack-
fixed size output. For a more complete
nowledge the support of BNR Inc, where
discussion of one way functions, see
much of the work reported here was done.
[2,9,13,19].
An extended version has been submitted

to CACM.

122
CH1522-2C/80/OOOO-O122$O0.75@1980 IEEE
 The major drawback of this protocol
2. Centralized ~ Distribution
is its vulnerability to both centralized

loss of security and centralized loss of

Centralized key distribution using function. Theft of the central keys, or

conventional encryption functions was bribery of personnel at the central site

the only reasonable method of handling will compromise all users of the system.

key distribution in a multi-user network Similarlyr destruction of the central

environment before the discovery of pub- keys destroys the key distribution

lic key distribution methods. Only con- mechanism for all users.

ventional encryption functions need be The security and reliability of

used, which presently offers a perfor- centralized key distribution can be in-

mance advantage. (Presently known pub- creased by using two or more centers,

lic key systems are less efficient than each with its own keys [1]. Destruction

conventional cryptographic systems. or compromise of a single center will

Whether or not this will continue is not not affect the other centers.

now known. Discovery of new public key Security can also be improved if

systems seems almost inevitable, and all the user keys are encrypted with a
discovery of more efficient ones prob- master key by the center. The master

able. ) key must still be stored securely (and

In centralized key distribution, A, suitable provision made for its backup) ,

B, and all other system users somehow but the (encrypted) user keys can be

deposit a conventional cryptographic key stored anywhere. This approach is used

with a central key distribution center. by IBM [23].

If A wishes to communicate with B, the This protocol does not fully solve
key distribution center will send a com- the key distribution problem: some SOrt
mon (session) key to A and B using the of key distribution method must be used

prf2ViOUSly agreed on central keys, A between each user and the center to es-

and B can then communicate with no tablish the original keys. This problem

further assistance from the key distri- is nontrivial because no electronic com-

bution center. munications can be used and inexpensive

This protocol is simple and re- physical methods, e.g., registered mail,

quires only conventional encryption offer only moderate security. The use

functions. Its use has been defended in of couriers is reasonably secure,

the literature [17,18,20]. although more expensive.

123
 The disadvantage of this protocol

is that E might actively interfere with

3. Simple Public ~ Distribution
the exchange of keys. Worse yet, E can

force a known k on both A and B.

This is the most basic application

of public key systems [1,5,6,7,8]. Its

purpose is to allow A and B to agree on

4. Authenticated Public ~ Distribution
a common key k without any prior secret

arrangements, even though E overhears

all messages. A randomly computes enci- The now classic protocol [1] for

phering and deciphering keys EA and DA, secure and authenticated communications

and sends EA to B (and E). B picks the between A and B is: A and B generate EA

random key, k, and transmits EA(k) to A and EB and make them public, while keep-

(and E). A computes DA(EA(k)) = k. A ing DA and DB secret. The public enci-

then discards both EA and DA, and B dis- phering keys of all users are entered in

cards The key in future communica- a public filer allowing easy and authen-
‘A “
tions is k. It is used to encrypt al1 ticated access to EX for any user, X.

further messages using a conventional If A and B wish to agree on a com-

encryption function. Once A and B have mon key k, then each sends a (session)

finished talking, they both discard k. key to the other by encrypting it with

If they later resume the conversation the others public key. The two keys

the process is repeated to agree on a thus agreed on are combined and used to
new key k“. encrypt further messages.
This protocol is very simple, and At the end of this protocol, A and

has a great deal to recommend it. B have agreed on a common key, k, which

Firstr no keys and no secret materials is both secret and authenticated.

exist before A and B start communicat- This protocol suffers from two

ing, and nothing is retained after they weaknesses. Firstr entries in the pub-
have finished. It is impossible for E lic file might be altered. This can be

to compromise any keys either before the dealt with both by good physical securi-
conversation takes place, or after it is ty, or by using new protocols (see sec-

over, for the keys exist only during the tions 5 and 6) for authenticating the

conversation. entries in the public file.

124
 can be published in newspapers
‘CA
Secondr secret deciphering keys can and magazines, and sent over all avail-

be lost. This problem must ultimately able communication channels: blocking

be solved by good physical security. its correct reception would be very dif-

ficult.

If DCA is compromised, then it is

no longer possible to authenticate the

5. Public ~ Distribution with Certifi-
users of the system and their public en-
cates
ciphering keys. The certificates are

now worthless because the (unauthorized)

Kohnfelder [3] first suggested that person who

‘as learned ‘CA can produce
entries in the public file be authenti- false certificates at will.

cated by having a Central Authority (CA)

sign them with DCA. He called such

signed entries certificates.

6. Public ~ Distribution ——
with Tree —
Au-
The protocol with certificates is
thentication
the same as the authenticated protocol,

except that A and B can now check the

entries in the public file by checking Key distribution with certificates

each other’s certificates. This proto- was vulnerable to the criticism that D
CA
col assures A and B that each has the can be compromised, resulting in system

other’s public enciphering key, and not wide loss of authentication. This prob-

the public enciphering key of some im- lem can be solved by using tree authen-

poster. tication [13].

The security of this protocol rests Again, this protocol attempts to

on the assumptions that the secret deci- authenticate entries in the public file.

phering keys of A, B, and CA have not However, instead of signing each entry

been compromised; that A and B have in the public file, this protocol ap-

correct copies of (to check the plies a one way hash function, H, to the
‘CA
signed certificates) ; and that CA has entire public file. Even though H is

not issued a bad certificate, either applied to the entire public file, the

deliberately because it was un- output of H is only 100 or 200 bits

trustworthy, or accidentally because it long. The (small) output of H will be

was tricked. called the root, R, of the public file.

125
If all users of the system know R, then

all users can authenticate the correct- Where F is a one way function.

ness of the (whole) public file by com- If A wishes to confirm B-s public

puting R = H(public file). Any attempt enciphering key, then A need only know

to introduce changes into the public the first half of the public filet

file will imply R # H(altered public (which is where YB appears) and Ii(second

file), an easily detected fact. half of public file) which is only 100

This method effectively eliminates bits long. A can compute H(public file)

the possibility of compromising DCA be- knowing only this information, and yet A

cause no secret deciphering key exists. only knew half the entries in the public

Because the public file will be sub- file.

jected to the harsh glare of public In a similar fashion, A does not

scrutiny, and because making alterations really need to know all of the first

in the public file is effectively impos- half of the public file, for

sible after it has been published, a

high degree of assurance that it is H(first half of public file) =

~orrect can be attained. F( H(first quarter of public file),

This method is impractical as stat- H(second quarter of public file) )

ed. Fortunately, it is possible to

selectively authenticate individual en- All A needs to know is the first quarter

tries in the public file without having of the public file (which has YB), and

to know the whole public file by using H(second quarter of public file).

Merkle*s “tree authentication,” [131. By applying this concept recursive-

‘l’heessence of tree authentication ly , A can confirm YB in the public file
is to authenticate the entire public Knowing only R, log2 n intermediate
file by “divide and conquer.” If we de- values, and YB itself. The information
fine : = public file = Yl, Y2, ... Yn, needed to authenticate YB, given that R
(so the ith
— entry in the public file is has already been authenticated, lies

denoted Yi, and B’s entry is YB); we can along the path from R to YB and will be
define H(public file) = H(x) as: called the authentication path.
These definitions are illustrated
H(z) = F( H(first half of ~), in figure 1, which shows the authentica-
H(second half of ~) ) tion path for Y5.

126
 The only practical method of
For a more detailed discussion the
compromising this protocol is to
reader is referred to [13].
compromise DA or DB. A user’s security
Using tree authentication, user A
is thus dependent on himself and no one
has an authentication path which can be
else.
used to authenticate user A*s public en-

ciphering key, provided only that R has

already been authenticated. An “authen-

tication path” is a new form of certifi- 7. Digital Signatures

cate, with ECA replaced by R.

This protocol can only be comprom-

The use of public key cryptosystems
ised if: DA or D~ is compromised, or if
to provide digital signatures was sug-
R is not correctly known by A or B, or
gested by Diffie and Hellman [11.
if there is a false and misleading entry
Rivest, Shamir and Adleman [8] have sug-
in the public file.
gested an attractive implementation.
The latter two are easily detect-
Signature techniques based on methods
able. If either A or B has the wrong R,
other than public key cryptosystems have
they will be unable to complete the pro-
been suggested by Lamport and Diffie
tocol with any other legitimate user who
[1,241~ Rabin [151, and Merkle [13].
has the correct R, a fact that will be
Digital signatures, whether based
quickly detected.
on conventional encryption functions, on
Because the public file is both
public key cryptosystemsr on probabilis-
open to public scrutiny and unalterable,
tic computations, or on other techniques
false or misleading entries can be ra-
share several important properties in
pidly detected. In practice, a few
common. These common properties are
users concerned with correctness can
best illustrated by the following now
verify that the public file satisfies
classic example.
some simple global properties i.e.,
A wishes to place a purchase order
each user name appears once and once
with his stock broker B. A, on the
only in the entire public file; indivi-
Riviera, cannot send a written order to
dual users can then verify that their
B in New York in time. All that A can
own entry is correct, and need not both-
quickly send to B is information, i.e.,
er examining the rest of the public
a sequence of bits, but B is concerned
file.
that A may later disclaim the order. A

L27
must somehow generate a sequence of bits
disputes are different. Failure to
(a digital signature) which will con-
understand this point has led to confu-
vince B (and if need be a judge) that A
sion in the literature [17,20].
authorized the order. It must be easy
We now turn to specific digital
for B to validate the digital signature,
signature protocols.
but impossible for him (or anyone other

than A) to generate it (to prevent

charges that B was dabbling in the mark-

et illegally with A’s money) . 8. ~ Conventional Signature Protocol

There are digital signature schemes

which do not involve public key cryp- A conventional “signature” protocol

tosystems but it will be convenient ro- relies on the observation that if A and

B trust some central authority CA, and

tationally to let A sign message m by

computing the signature, DA(m) . if A and B have a secure method of com-

Check-

ing a signature will then be done by municating with CA, then A can “signw a

computing m = EA(DA(m)). message simply by sending it to CA and

If EA(DA(m))

produces an illegible message (random relying on CA to adjudicate disputes.

bits) then the signature is rejected as This approach is defended by some [17’].

invalid. This notation is somewhat This protocol is subject to the

misleading because the actual method of weaknesses of centralized key distribu-

generating and validating signatures can tion (described earlier).

be very different from this model; it is

retained because it is widely known and

because we will not discuss the differ-

ences among different digital signature

methods, only their common properties.

Digital signature protocols are na-

turally divided into three parts: a

method of signing messages used by A, a 9. The Basic Digital Signature Protocol

——

method for authenticating a signature

used by B, and a method for resolving

The first public key based digital
disputes, used by the judge. It is im-
signature protocol [1], proceeded by
portant to note that two protocols that
having A sign message m by computing
differ only in the method of resolving
DA (m) and giving it to B as the signed

128
 message. B (or a judge) can compute been confused with each other for this

EA(DA(m)) = m, thus confirming the reason. Some criticism of “the” public

correctness of the signed message. A is key digital signature protocol has actu-

held responsible for a signed message if ally been of this second protocol, and
and only if it can be verified by apply- failed to consider the first protocol at

ing A’s public enciphering key to it. all.

This protocol can be criticized If we assume khat A knows DA, then

[16,17,20] on two grounds: First, the under the second protocol A can make DA

public file might have been tampered public and effectively disavow the

with. Methods of authenticating the signed message. For this reason, some

public file, discussed previously under critics have argued that this protocol

key distribution protocols, solve this is inadequate.

problem. If we assume that A does not know

A second criticism is that A has no D then he is unable to disavow his

A’
recourse should his secret deciphering signature under this protocol. It is

key be compromised and made public. easy to design a system in which this is

Anyone can sign any message they desire the case.

with A’s compromised D A, and A will be The major difference between the

held responsible. second protocol and the first is in the

It seems clear that A will only division of risk: in the second proto-

agree to this digital signature protocol col B will be left holding the bag if

if he can provide very good physical A’s signing key is compromised. Clear-

security for D ly, B must be given assurances that this

A“ The loss to A if DA is
compromised can be substantial. condition is unlikely before he will be

A different method of solving this willing to use this protocol.

problem is to alter the dispute resolu-

10. The Time-Stamp Protocol
——
tion protocol so that A is not held

responsible for his signature if his

secret deciphering key is compromised A protocol that would allow A to

and made public. report loss or theft of DA and disclaim

The fact that altering the dispute messages signed after the reported loss

resolution procedure creates a different yet force A to acknowledge the validity

protocol has not been fully appreciated, of signatures made before the reported

and the preceding two protocols have loss must involve the concept of time.

129
We introduce time into the following been dealt with fairly.
protocol by using time-keepers who can The major disadvantage of this pro-
digitally time-stamp information given tocol , as compared with the basic digi-
to them. We assume that both A and B tal signature protocol, is the require-
have agreed on a set of acceptable ment that B obtain both a time-stamp and
time-keepers whose time-stamps will be a validity-check, presumably in real
accepted in dispute resolution. time. These requirements force the use
If A can report that ‘A has been of a communications network, which both
lost, then he must report this fact to increases expense and decreases relia-
some agent who will be responsible for bility.
answering queries about the current If B is willing to obtain the
status of DA, i.e., has it been lost or time-stamp and the validity-check after
not. For simplicity, we shall assume the transaction has been completed,
this role is played by the central au- i.e., within a few days, an off-line
thority, CA. CA will sign messages system can be used. This modified pro-
stating that A-s secret deciphering key tocol could be used by B either as a
has not been compromised as of the fail-soft protocol during communications
current time. These signed messages outages, or as the standard protocol if
will be called “validity-checks. ” communication costs are too high.
In the time stamp protocol, user A Off-line operation is cheaper ahd
signs message m by computing DA(m) and more reliable, but it exposes B to some
sending it to B. B then has a time- risk: A might have recently reported
keeper time stamp the message and ob- the loss of and B would not know
‘A
tains a validity-check from CA. If DA about it. If physical security for
has aiready been reported lost B rejects secret deciphering keys is good, this
the signature, otherwise he accepts. risk should be minimal.
In dispute resolution, the judge

holds that a message has been validly

signed if and only if it can be checked

11. Witnessed Digital Signatures
by applying A’s public enciphering key

AND it has been time-stamped prior to

any reported loss of DA. If the value of a transaction is

This protocol provides very good high enough, it might be desirable to
assurance to all parties that they have have a witness physically confirm that A

130
signed message m. The witness, w, would vious solution is for updates to be di-
compute DW(”I, W, physically saw A agree gitally signed by an appropriate network
to and sign message m.”) . It would be administrator, and for the nodes to
necessary for A and B to agree in ad- check the digital signature prior to ex-
vance on acceptable witnesses. ecuting them.

The primary advantage of this pro- This example leads naturally to

tocol is that it reduces B’s risk. The another application of digital signa-
primary disadvantage is that it forces A tures in operating system security. A
to find a (physically present) witness major risk to the security of an operat-
to confirm the transaction. ing system is the possibility that the

system code that it is executing today

is not the same that it was executing

yesterday: someone might have put a trap

12. Digital Signature Applications Not
door into the operating system that lets
Involvinq Dispute
them do anything they please. To guard

against this possibility, the operating

Not all applications of digital system could refuse to execute any code
signatures involve contracts between two in privileged mode unless that code had
potentially disputing parties. Digital been properly signed. Carried to its
signatures are also an ideal method of logical conclusion, the operating system
broadcasting authenticated messages from would check the digital signature of
a central source which must be confirmed privileged programs each time they were
by many separate recipients, or repeat- loaded into central memory If this check
edly confirmed by the same recipient at were implemented in hardware, it would
different times to insure that the mes- be impossible for any software changes
sage has not been modified. to subvert it. The machine would be
One example of such an application physically incapable of executing code
is the distribution of network software in privileged mode unless that code was
to individual nodes of a communications signed.
network. It would be clearly undesir- If privileged programs are digital-
abl~ for any node to start executing the ly signed by the programmer who origi-
wrong software. On the other hand, it nally wrote them, as well as by various
is very desirable to send updates to the supervisory levels, and if the computer

nodes over the network itself. The ob- is physically unable to execute unsigned

131
 15. BIBLIOGRAPHY
code in privileged mode, then it is pos-

sible to have complete assurance that

the privileged programs running on the

computer “right now have not been modi- 1. Diffie, W., and Hellman, M. New

fied since they were given there final directions in cryptography. IEEE Trans.

checkout and signed by the programmer. on Inform. IT-22, 6(Nov. 1976), 644-654.

Of course, this does not necessarily

mean that the operating system is 2. Evans A., Kantrowitz, W., and Weiss,

secure, but it does eliminate a major E. A user authentication system not re-

class of worries. quiring secrecy in the computer. Comm .

ACM 17, 8(Aug. 1974), 437-442.

3. Kohnfelder, L.M. Towards a practical

13. Conclusions
public-key cryptosystem. MIT EE

Bachelor’s thesis.

This paper has briefly described a

number of cryptographic protocols. Cer- 4. Liptonr S.M., and Matyas, S.M. Mak-

tainly, these are not the only ones pos- ing the digital signature legal--and

sible; however, they are valuable tools safeguarded. Data Communications (Feb.

to the system designer: they illustrate 1978), 41-52.

what can be achieved and provide feasi-

ble solutions to problems of recurring 5. McEliece, R.J. A public-key cryp-

interest. tosystem based on algebraic coding

Further constructive work in this theory. DSN Progress Report, JPL, (Jan.

area is very much needed. and Feb. 1978), 42-44.

14. ACKNOWLEDGEMENTS 6. Merkle, R. Secure Communications

over Insecure Channels. COmm. ACM 21,

It is a great pleasure for the au- 4 (Apr. 1978), 294-299.

thor to acknowledge the pleasant and in-

formative conversations he had with Dov 7. Merkle, R., and Hellman, M. Hiding

Andelmanr Whitfield Diffie, Martin Hell- information and signatures in trapdoor

man, Raynold Kahn Loren Kohnfelder, knapsacks. IEEE Trans. on Inform. IT-

Frank Olken, and Justin Reyneri. 24, 5(Sept. 1978), 525-530.

132
 16. Saltzer, J. On Digital Signatures,
8. Rivest, R.L., Shamir, A.t and Adle-
private communication.
man, L. A method for obtaining digital

signatures and public-key cryptosystems.

17 ● Popek G.J. and Kline, C.S. Enc ryp-
Comm. ACM 21, 2(Feb. 1978), 120-126.
tion Protocolsr Public Key Algorithms,

and Digital Signatures in Computer Net-

9. Wilkes, M.V., Time-Sharing Computer
works; in Foundations of Secure Computa-
Systems. Elsevier, New York, 1972.
tion pp. 133-153.

10. Diffie, W., and Hellman, M.E.,

18. Needham R.M. and Schroeder, M.D.
Privacy and authentication: an introduc-

tion to cryptography, Proceedings of the Using Encryption for Authentication in

IEEE Vol. 67, No. 3, Mar. 1979 pp. 397- Large Networks of Computers. CACM 21,12

427. Dec. 1978 pp. 993-999.

19. Merkle, R. Secrecy, authentication,

11. Squires, J. Russ monitor of Us.
and public key systems. Stanford Elec.
phones, Chicago Tribune pp. 123, June

25, 1975. Eng. Ph.D. Thesis, ISL SEL 79-017, 1979.

20. Popek, G.J., and Kline, C.S. En-

12. Davis, R. Remedies sought to defeat
cryption and Secure Computer networks.
Soviet eavesdropping on microwave links,
Computing Surveys 11,4 Dec. 1979 pp.
Microwave Syst., vol. 8, no. 6, pp. 17-
331-356.
20, June 1978.

21. Simmons, G.J. Symmetric and Asym-

13. Merkle, R.C. A certified digital
metric Encryption. Computing Surveys
signature, to appear, CACM.
11,4 Dec. 1979 pp. 305-330.

14. Kahn, D. The Codebreakers, New

22. Lamport, L. Time, clocks, and the
York: Macmillan. 1967.
ordering of events in a distributed sys-

tem. CACM 21,7 Jul 1978 pp. 558-565.

15. Rabin, M.O. , Digitalized signa-
turesr in Foundations of Secure Computa-

tion, ed. Demillo, R.A., et. al . pp.

155-166.

133
23. Ehrsam, W.F., Matyas, S.M., Meyer,

C.H., and !l?uchman,W.L. A cryptographic

key management scheme for implementing

the data encryption standard. IBM SYS.

Jour. 17,2 1978PP. 106-125.

24. Lamport, L., Constructing digital

signatures from a one way function. SRI

Intl. CSL - 98

Y1 ‘2 Y’3 Y4

FIG. I

134