
The Evolution of Public Key Cryptography

The Evolution of Public Key Cryptography. Martin E. Hellman Professor Emeritus of Electrical Engineering October 9, 2003. Personal Evolution. Privacy and Authentication. Privacy prevents unauthorized users from reading messages not intended for them.



Presentation Transcript


  1. The Evolution of Public Key Cryptography. Martin E. Hellman, Professor Emeritus of Electrical Engineering. October 9, 2003

  2. Personal Evolution

  3. Privacy and Authentication
     • Privacy prevents unauthorized users from reading messages not intended for them.
     • Authentication prevents unauthorized users from injecting or changing messages.
     • While modern communications require both, authentication is at least as important. Are you more unhappy if someone can read or write checks on your account?

  4. Economics of Cryptography
     • The major military powers of WW2 could not afford secure encryption. How can we?
     • Computing power has increased by an order of magnitude every five years. Since 1945 that is a gain of about $10^{11}$ = 100 billion.
     • While the cryptanalyst also benefits, $n^2:n$ or higher work factors imply more security, rather than less – but only for new systems!

  5. Economics of Spying/Spoofing
     • Well over a billion words can be scanned for $1, looking for keywords. Credit card sniffers often “steal cycles” and cost nothing. Privacy is needed.
     • Economical, automated spoofing (denial of service attacks, viruses, worms) creates a similar need for authentication.
     • Encryption should be automatic, transparent, and integrated as in SSL.

  6. Conventional Cryptosystem
     • $C = E_K(M)$, $M = D_K(C)$
     • Once a secure channel (courier) has communicated the key K, an insecure channel (radio) can securely send M.
     • This protects against third party forgeries, but not disputes between the sender and receiver. (The key K is used both to encipher and decipher.)

  7. Public Key Distribution
     • Alice and Bob, by talking back and forth across a public channel, derive a random key that Eve, the eavesdropper, cannot determine.
     • This is impossible in the “Shannon theory” where A, B and E have unlimited computational power, but may be possible from a computational point of view (1 sec vs. 1 Gyr).

  8. Public Key Cryptosystems
     • User i generates a pair of random, inverse keys, $PK_i$ and $SK_i$.
     • Alice sends Bob a private message: $PK_B(M)$
     • Alice signs a message to Bob: $SK_A(M)$
     • Alice signs a private message: $PK_B(SK_A(M))$
     • Public key cryptosystems can be (and are) used as public key distribution systems.

  9. Revolution or Evolution?
     • “We stand today on the brink of a revolution in cryptography,” Diffie & Hellman, New Directions in Cryptography, November 1976.
     • Public key cryptography was revolutionary, but especially in hindsight, we can see an evolutionary process as well.

  10. La Cryptographie Militaire, Auguste Kerckhoffs, 1883
     • The general system must be considered public. All security must reside solely in the secrecy of the key.
     • Seemingly at odds with a public key.
     • But, in hindsight, it is the first step in making public what had before been thought to be necessarily secret.

  11. Lock Analogy
     • A conventional (symmetric) cryptosystem is like a strange combination lock that requires the combination both to lock (encipher) and unlock (decipher). Dialing the combination does a flip-flop.
     • A public key (asymmetric) cryptosystem is like a stranger combination lock with two combinations, one to lock and a different one to unlock.

  12. Simple Substitution as PKC?
     • Simple substitution key:
         P: abcdefghijklmnopqrstuvwxyz
         C: msdfghjklqwertyuiopzxcvbna
     • buy now <=> sxn tyv
     • Above key is best for enciphering. Better key for deciphering:
         C: abcdefghijklmnopqrstuvwxyz
         P: zxvcldefqghiayrsjmbnpwkuot

  13. Cryptographic Hierarchy
     • Conventional cryptosystems and one-way functions (login) were well known.
     • Cryptosystem > one-way function.
     [Figure; surviving labels: P0, P, K, C, X, Y]

  14. Trap Doors
     • PK Cryptosystems are sometimes called trap door ciphers.
     • Trap doors are integral to all cryptographic problems, even before PKC.
     • One-way functions allow the ultimate trap door quiz problem.
     • Trap door ciphers are a general’s dream.
     • TDC PKC

  15. Merkle’s Puzzle PKD System
     • Predates RSA and DHM.
     • Birthday problem: If there are n days in the year, $O(\sqrt{n})$ people needed for overlap.
     • $n^2:n$ work factor, so not very practical, especially since part of n is communication.
     • Depends only on existence of secure conventional system, so it is on the firmest theoretical foundation.

  16. Economics of Merkle’s PKD
     • Alice and Bob each generate n keys from a universe of $n^2$.
     • Alice transmits the images of her n keys under a one-way function. Bob and Eve see these.
     • Bob generates images of his n keys, looks for a match, and enciphers M under the matching key.
     • Alice does exhaustive search over all n of her keys. Cost = O(n).
     • Eve’s exhaustive search is over $n^2$ keys.
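The exchange on slides 15 and 16, as an added sketch that is not part of the original presentation. SHA-256 as the one-way function, the XOR-pad `toy_cipher`, the `TAG` redundancy marker and all function names are assumptions chosen for illustration, and Bob is allowed to keep drawing keys until one matches.

```python
import hashlib
import secrets

TAG = b"PUZZLE::"  # constructed redundancy so a correct trial decryption is recognizable

def _digest(label: bytes, key: int) -> bytes:
    return hashlib.sha256(label + key.to_bytes(8, "big")).digest()

def one_way(key: int) -> bytes:
    """Public one-way function (assumption: SHA-256 stands in for it)."""
    return _digest(b"image", key)

def toy_cipher(key: int, data: bytes) -> bytes:
    """Stand-in conventional cipher: XOR with a key-derived pad (self-inverse, <= 32 bytes)."""
    return bytes(d ^ p for d, p in zip(data, _digest(b"pad", key)))

def alice_setup(n: int, rng):
    """Alice picks n keys from a universe of n^2 and publishes their images."""
    keys = rng.sample(range(n * n), n)
    return keys, {one_way(k) for k in keys}

def bob_send(n: int, images, message: bytes, rng):
    """Bob draws keys until one image matches, then enciphers under that key.
    With exactly n draws a match occurs with probability about 63%, so this
    sketch lets him keep drawing; his expected work is still O(n)."""
    draws = 0
    while True:
        draws += 1
        key = rng.randrange(n * n)
        if one_way(key) in images:
            return toy_cipher(key, TAG + message), draws

def trial_decrypt(candidates, ciphertext: bytes):
    """Exhaustive search: returns (message, keys tried) or (None, keys tried)."""
    tried = 0
    for key in candidates:
        tried += 1
        plain = toy_cipher(key, ciphertext)
        if plain.startswith(TAG):
            return plain[len(TAG):], tried
    return None, tried

def run_exchange(n: int = 200, message: bytes = b"buy now"):
    rng = secrets.SystemRandom()
    alice_keys, images = alice_setup(n, rng)
    ciphertext, bob_work = bob_send(n, images, message, rng)
    alice_msg, alice_work = trial_decrypt(alice_keys, ciphertext)  # at most n trials
    eve_msg, eve_work = trial_decrypt(range(n * n), ciphertext)    # up to n^2 trials
    return alice_msg, alice_work, bob_work, eve_msg, eve_work
```

Raising `n` shows the slide's point directly: Alice's and Bob's work grows linearly while Eve's search space grows quadratically, and Alice's n images must all be transmitted.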

  17. Start With One-Way Functions
     • John Gill suggested discrete logarithms.
     • $Y = a^X \bmod q$ with a and q public.
     • $X \to Y$ is easy: $a^{17} = a \cdot (((a^2)^2)^2)^2$
     • $Y \to X$ is believed to be hard (discrete log)
     • Can discrete logs be used as a basis for the next most complex cryptographic entity, a conventional cryptosystem?

  18. Pohlig-Hellman System 1975
     • $a, X \to Y$ is easy: $a^{17} = a \cdot (((a^2)^2)^2)^2$
     • $X, Y \to a$ is easy: $a = Y^{1/X \bmod (q-1)} \bmod q$
     • $a, Y \to X$ is hard: discrete log problem.
     • $P, K \to C$ is easy: enciphering.
     • $C, K \to P$ is easy: deciphering.
     • $P, C \to K$ is hard: cryptanalysis.
     • $C = P^K \bmod q$, $P = C^D \bmod q$, $D = 1/K \bmod (q-1)$

  19. RSA Public Key System 1977
     • $C = P^E \bmod n$, $P = C^D \bmod n$, $D = 1/E \bmod \phi(n)$ where $\phi(n) = (p-1)(q-1)$.
     • RSA’s PKC is a natural evolution of Pohlig-Hellman’s conventional cryptosystem, but we missed that.
     • $C = P^K \bmod q$, $P = C^D \bmod q$, $D = 1/K \bmod \phi(q)$ since $\phi(q) = q-1$.

  20. Diffie-Hellman-Merkle System
     • $Y_i = a^{X_i} \bmod q$ with a and q public.
     • $K_{AB} = Y_A^{X_B} = Y_B^{X_A} = a^{X_A X_B} \bmod q$
     • Exponentiation is commutative.
     • All the major developments in PKC stem from John Gill’s original suggestion that we look at discrete logs as a possible one-way function.
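The formulas on slides 17 to 20 share one primitive, modular exponentiation. The following added example (not from the original presentation) implements it once and reuses it for Pohlig-Hellman, RSA and Diffie-Hellman-Merkle. The function names are illustrative assumptions, and the toy-sized parameters used with it in testing are constructed and far too small for real use.

```python
from math import gcd

def modexp(a, x, m):
    """Square-and-multiply for x >= 1; returns (a^x % m, multiplications used)."""
    result, mults = a % m, 0
    for bit in bin(x)[3:]:                       # bits of x after the leading 1
        result, mults = result * result % m, mults + 1
        if bit == "1":
            result, mults = result * a % m, mults + 1
    return result, mults

def inverse_exponent(k, phi):
    """D = 1/K % phi; exists only when gcd(K, phi) == 1."""
    if gcd(k, phi) != 1:
        raise ValueError("exponent not invertible modulo phi")
    return pow(k, -1, phi)

def round_trip(plain, k, modulus, phi):
    """Encipher with K, decipher with D = 1/K % phi; returns (C, recovered P)."""
    d = inverse_exponent(k, phi)
    c, _ = modexp(plain, k, modulus)
    p, _ = modexp(c, d, modulus)
    return c, p

def pohlig_hellman(plain, k, q):
    # Prime modulus q: phi(q) = q-1 is public, so K and D must both stay secret.
    return round_trip(plain, k, q, q - 1)

def rsa(plain, e, p, q):
    # Same arithmetic with n = p*q: phi(n) needs the secret factors, so E can be public.
    return round_trip(plain, e, p * q, (p - 1) * (q - 1))

def dhm(a, q, x_a, x_b):
    """Each side exponentiates the other's public Y with its own secret X."""
    y_a, _ = modexp(a, x_a, q)                   # Alice publishes Y_A
    y_b, _ = modexp(a, x_b, q)                   # Bob publishes Y_B
    k_a, _ = modexp(y_b, x_a, q)                 # Alice: Y_B^X_A
    k_b, _ = modexp(y_a, x_b, q)                 # Bob:   Y_A^X_B
    return k_a, k_b
```

`modexp(a, 17, q)` uses five multiplications, matching the slide's $a \cdot (((a^2)^2)^2)^2$; `pohlig_hellman` and `rsa` differ only in the modulus and in who can compute $\phi$.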
