345 lines
19 KiB
Plaintext
345 lines
19 KiB
Plaintext
### Hellman-Merkle: 4,218,582
|
|
|
|
Public key cryptographic apparatus and method
|
|
|
|
US PAT NO: 4,218,582
|
|
DATE ISSUED: Aug. 19, 1980
|
|
TITLE: Public key cryptographic apparatus and method
|
|
INVENTOR: Martin E. Hellman, Stanford, CA
|
|
Ralph C. Merkle, Palo Alto, CA
|
|
ASSIGNEE: The Board of Trustees of the Leland Stanford Junior University
|
|
, Stanford, CA (U.S. corp.)
|
|
APPL-NO: 05/839,939
|
|
DATE FILED: Oct. 6, 1977
|
|
INT-CL: [2] H04L 9/04
|
|
US-CL-ISSUED: 178/22; 364/900
|
|
US-CL-CURRENT: 380/30; 364/918.7, 919, 919.4, 926.1, 926.5, 929, 932.8, 933,
|
|
933.1, 937, 937.1, 937.2, 946, 946.2, 946.8, 947, 947.2,
|
|
949.71, 951.1, 951.4, 959.1, DIG.2; 380/49
|
|
SEARCH-FLD: 178/22
|
|
REF-CITED:
|
|
|
|
OTHER PUBLICATIONS
|
|
"New Directions in Cryptography," Diffie et al., IEEE Transactions on
|
|
Information Theory, vol. II22, No. 6, Nov. 1976, pp. 644-654.
|
|
"A User Authentication Scheme not Requiring Secrecy in the Computer," Evans,
|
|
Jr., et al., Communications of the ACM, Aug. 1974, vol. 17, No. 8, pp.
|
|
437-442.
|
|
"A High Security Log-In Procedure," Purdy, Communications of the ACM, Aug.
|
|
1974, vol. 17, No. 8, pp. 442-445.
|
|
Diffie et al., "Multi-User Cryptographic Techniques," AFIPS Conference
|
|
Proceedings, vol. 45, pp. 109-112, Jun. 8, 1976.
|
|
ART-UNIT: 222
|
|
PRIM-EXMR: Howard A. Birmiel
|
|
|
|
ABSTRACT:
|
|
A cryptographic system transmits a computationally secure cryptogram that is
|
|
generated from a publicly known transformation of the message sent by the
|
|
transmitter; the cryptogram is again transformed by the authorized receiver
|
|
using a secret reciprocal transformation to reproduce the message sent. The
|
|
authorized receiver's transformation is known only by the authorized receiver
|
|
and is used to generate the transmitter's transformation that is made
|
|
publicly known. The publicly known transformation uses operations that are
|
|
easily performed but extremely difficult to invert. It is infeasible for an
|
|
unauthorized receiver to invert the publicly known transformation or
|
|
duplicate the authorized receiver's secret transformation to obtain the
|
|
message sent.
|
|
17 Claims, 13 Drawing Figures
|
|
EXMPL-CLAIM: 1
|
|
NO-PP-DRAWING: 7
|
|
|
|
GOVT-INT:
|
|
|
|
The Government has rights in this invention pursuant to Grant No. ENG-10173
|
|
of the National Science Foundation and IPA No. 0005.
|
|
|
|
SUMMARY:
|
|
|
|
BACKGROUND OF THE INVENTION
|
|
|
|
1. Field of Invention
|
|
|
|
The invention relates to cryptographic systems.
|
|
|
|
2. Description of Prior Art
|
|
|
|
Cryptographic systems are widely used to ensure the privacy and authenticity
|
|
of messages communicated over insecure channels. A privacy system prevents
|
|
the extraction of information by unauthorized parties from messages
|
|
transmitted over an insecure channel, thus assuring the sender of a message
|
|
that it is being read only by the intended receiver. An authentication system
|
|
prevents the unauthorized injection of messages into an insecure channel,
|
|
assuring the receiver of the message of the legitimacy of its sender.
|
|
|
|
Currently, most message authentication consists of appending an
|
|
authenticator pattern, known only to the transmitter and intended receiver,
|
|
to each message and encrypting the combination. This protects against an
|
|
eavesdropper being able to forge new, properly authenticated messages unless
|
|
he has also stolen the cipher key being used. However, there is little
|
|
protection against the threat of dispute; that is, the transmitter may
|
|
transmit a properly authenticated message, later deny this action, and
|
|
falsely blame the receiver for taking unauthorized action. Or, conversely,
|
|
the receiver may take unauthorized action, forge a message to itself, and
|
|
falsely blame the transmitter for these actions. The threat of dispute arises
|
|
out of the absence of a suitable receipt mechanism that could prove a
|
|
particular message was sent to a receiver by a particular transmitter.
|
|
|
|
One of the principal difficulties with existing cryptographic systems is the
|
|
need for the sender and receiver to exchange a cipher key over a secure
|
|
channel to which the unauthorized party does not have access. The exchange of
|
|
a cipher key frequently is done by sending the key in advance over a secure
|
|
channel such as private courier or registered mail; such secure channels are
|
|
usually slow and expensive.
|
|
|
|
Diffie, et al, in "Multiuser Cryptographic Techniques," AFIPS-Conference
|
|
Proceedings, Vol. 45, pp. 109-112, June 8, 1976, propose the concept of a
|
|
public key cryptosystem that would eliminate the need for a secure channel by
|
|
making the sender's keying information public. It is also proposed how such a
|
|
public key cryptosystem could allow an authentication system which generates
|
|
an unforgeable message dependent digital signature. Diffie presents the idea
|
|
of using a pair of keys E and D, for enciphering and deciphering a message,
|
|
such that E is public information while D is kept secret by the intended
|
|
receiver. Further, although D is determined by E, it is infeasible to compute
|
|
D from E. Diffie suggests the plausibility of designing such a public key
|
|
cryptosystem that would allow a user to encipher a message and send it to the
|
|
intended receiver, but only the intended receiver could decipher it. While
|
|
suggesting the plausibility of designing such systems, Diffie presents
|
|
neither proof that public key cryptosystems exist, nor a demonstration
|
|
system.
|
|
|
|
Diffie suggests three plausibility arguments for the existence of a public
|
|
key cryptosystem: a matrix approach, a machine language approach and a logic
|
|
mapping approach. While the matrix approach can be designed with matrices
|
|
that require a demonstrably infeasible cryptanalytic time (i.e., computing D
|
|
from E) using known methods, the matrix approach exhibits a lack of practical
|
|
utility because of the enormous dimensions of the required matrices. The
|
|
machine language approach and logic mapping approach are also suggested, but
|
|
there is no way shown to design them in such a manner that they would require
|
|
demonstrably infeasible cryptanalytic time.
|
|
|
|
Diffie also introduces a procedure using the proposed public key
|
|
cryptosystems, that could allow the receiver to easily verify the
|
|
authenticity of a message, but which prevents him from generating apparently
|
|
authenticated messages. Diffie describes a protocol to be followed to obtain
|
|
authentication with the proposed public key cryptosystem. However, the
|
|
authentication procedure relies on the existence of a public key cryptosystem
|
|
which Diffie did not provide.
|
|
|
|
SUMMARY AND OBJECTS OF THE INVENTION
|
|
|
|
Accordingly, it is an object of the invention to allow authorized parties to
|
|
a conversation (conversers) to converse privately even though an unauthorized
|
|
party (eavesdropper) intercepts all of their communications.
|
|
|
|
Another object of this invention is to allow a converser on an insecure
|
|
channel to authenticate another converser's identity.
|
|
|
|
Another object of this invention is to provide a receipt to a receiver on an
|
|
insecure channel to prove that a particular message was sent to the receiver
|
|
by a particular transmitter. The object being to allow the receiver to easily
|
|
verify the authenticity of a message, but to prevent the receiver from
|
|
generating apparently authenticated messages.
|
|
|
|
An illustrated embodiment of the present invention describes a method and
|
|
apparatus for communicating securely over an insecure channel, by
|
|
communicating a computationally secure cryptogram that is a publicly known
|
|
transformation of the message sent by the transmitter. The illustrated
|
|
embodiment differs from prior approaches to a public key cryptosystem, as
|
|
described in "Multiuser Cryptographic Techniques," in that it is both
|
|
practical to implement and is demonstrably infeasible to invert using known
|
|
methods.
|
|
|
|
In the present invention, a receiver generates a secret deciphering key and
|
|
a public enciphering key, such that the secret deciphering key is difficult
|
|
to generate from the public enciphering key. The transmitter enciphers a
|
|
message to be communicated by transforming the message with the public
|
|
enciphering key, wherein the transformation used to encipher the message is
|
|
easy to effect but difficult to invert without the secret deciphering key.
|
|
The enciphered message is then communicated from the transmitter to the
|
|
receiver. The receiver deciphers the enciphered message by inverting the
|
|
enciphering transformation with the secret deciphering key.
|
|
|
|
Another illustrated embodiment of the present invention describes a method
|
|
and apparatus for allowing a transmitter to authenticate an authorized
|
|
receiver's identity. The authorized receiver generates a secret deciphering
|
|
key and a public enciphering key, such that the secret deciphering key is
|
|
difficult to generate from the public enciphering key. The transmitter
|
|
enciphers a message to be communicated by transforming the message with the
|
|
public enciphering key, wherein the transformation used to encipher the
|
|
message is easy to effect but difficult to invert without the secret
|
|
deciphering key. The enciphered message is then transmitted from the
|
|
transmitter to the receiver. The receiver deciphers the enciphered message by
|
|
inverting the enciphering transformation with the secret deciphering key. The
|
|
receiver's identity is authenticated to the transmitter by the receiver's
|
|
ability to decipher the enciphered message.
|
|
|
|
Another illustrated embodiment of the present invention describes a method
|
|
and apparatus for providing a receipt for a communicated message. A
|
|
transmitter generates a secret key and a public key, such that the secret key
|
|
is difficult to generate from the public key. The transmitter then generates
|
|
a receipt by transforming a representation of the communicated message with
|
|
the secret key, wherein the transformation used to generate the receipt is
|
|
difficult to effect without the secret key and easy to invert with the public
|
|
key. The receipt is then communicated from the transmitter to the receiver.
|
|
The receiver inverts the transformation with the public key to obtain the
|
|
representation of the communicated message from the receipt and validates the
|
|
receipt by comparing the similarity of the representation of the communicated
|
|
message with the communicated message.
|
|
|
|
Additional objects and features of the present invention will appear from
|
|
the description that follows wherein the preferred embodiments have been set
|
|
forth in detail in conjunction with the accompanying drawings.
|
|
|
|
DRAWING DESC:
|
|
|
|
BRIEF DESCRIPTION OF THE DRAWINGS
|
|
|
|
FIG. 1 is a block diagram of a public key cryptosystem that transmits a
|
|
computationally secure cryptogram over an insecure communication channel.
|
|
|
|
FIG. 2 is a block diagram of an enciphering device for enciphering a message
|
|
into ciphertext in the public key cryptosystem of FIG. 1.
|
|
|
|
FIG. 3 is a block diagram of a multiplier for performing modular
|
|
multiplications in the deciphering device of FIG. 7, the exponentiator of
|
|
FIG. 10, and the public key generator of FIG. 11.
|
|
|
|
FIG. 4 is a detailed schematic diagram of an adder for performing additions
|
|
in the enciphering device of FIG. 2, the multiplier of FIG. 3, and the public
|
|
key generator of FIG. 11.
|
|
|
|
FIG. 5 is a detailed schematic diagram of a comparator for performing
|
|
magnitude comparisons in the enciphering device of FIG. 2, the multiplier of
|
|
FIG. 3, the deciphering device of FIG. 7, the divider of FIG. 8, and the
|
|
alternative deciphering device of FIG. 9.
|
|
|
|
FIG. 6 is a detailed schematic diagram of a subtractor for performing
|
|
subtraction in the multiplier of FIG. 3, the deciphering device of FIG. 7,
|
|
and the dividier of FIG. 8.
|
|
|
|
FIG. 7 is a block diagram of a deciphering device for deciphering a
|
|
ciphertext into message in the public key cryptosystem of FIG. 1.
|
|
|
|
FIG. 8 is a block diagram of a divider for performing division in the
|
|
invertor of FIG. 7 and the alternative deciphering device of FIG. 9.
|
|
|
|
FIG. 9 is a block diagram of an alternative deciphering device for
|
|
deciphering a ciphertext into message in the public key cryptosystem of FIG.
|
|
1.
|
|
|
|
FIG. 10 is an exponentiator for raising various numbers to various powers in
|
|
modulo arithmetic in the alternative deciphering device of FIG. 9 and the
|
|
public key generator of FIG. 11.
|
|
|
|
FIG. 11 is a public key generator for generating the public enciphering key
|
|
in the public key cryptosystem of FIG. 1.
|
|
|
|
FIG. 12 is a flow chart for the algorithm of the logarithmic converter of
|
|
FIG. 11 when p-1 is a power of 2.
|
|
|
|
FIG. 13 is a flow chart for the algorithm for computing the coefficients
|
|
{b.sub.j } of the expansion ##EQU1## where 0.ltoreq.b.sub.j .ltoreq.p.sub.i
|
|
-1, of the logarithmic convertor of FIG. 11, when p-1 is not a power of 2.
|
|
|
|
DETDESC:
|
|
|
|
DESCRIPTION OF THE PREFERRED EMBODIMENT
|
|
|
|
Referring to FIG. 1, a public key cryptosystem is shown in which all
|
|
transmissions take place over an insecure communication channel 19, for
|
|
example a telephone line. Communication is effected on the insecure channel
|
|
19 between transmitter 11 and receiver 12 using transmitter-receiver units 31
|
|
and 32, which may be modems such as Bell 201 modems. Transmitter 11 possesses
|
|
an unenciphered or plaintext message X to be communicated to receiver 12.
|
|
Transmitter 11 and receiver 12 include an enciphering device 15 and
|
|
deciphering device 16 respectively, for enciphering and deciphering
|
|
information under the action of an enciphering key E on line E and a
|
|
reciprocal deciphering key D on line D. The enciphering and deciphering
|
|
devices 15 and 16 implement inverse transformations when loaded with the
|
|
corresponding keys E and D. For example, the keys may be a sequence of random
|
|
letters or digits. The enciphering device 15 enciphers the plaintext message
|
|
X into an enciphered message or ciphertext S that is transmitted by
|
|
transmitter 11 through the insecure channel 19; the ciphertext S is received
|
|
by receiver 12 and deciphered by deciphering device 16 to obtain the
|
|
plaintext message X. An unauthorized party or eavesdropper 13 is assumed to
|
|
have key generator 23 and deciphering device 18 and to have access to the
|
|
insecure channel 19, so if he knew the deciphering key D he could decipher
|
|
the ciphertext S to obtain the plaintext message X.
|
|
|
|
The example system makes use of the difficulty of the so-called "knapsack
|
|
problem." Definitions of the knapsack problem exist in the literature, for
|
|
example, Ellis Horowitz and Sartaj Sahni, "Computing Partitions with
|
|
Applications to the Knapsack Problem", JACM, Vol. 21, No. 2, April 1974, pp.
|
|
277-292; and O. H. Ibarra and C. E. Kim, "Fast Approximation Algorithms for
|
|
the Knapsack and Sum of Subset Problems", JACM, Vol. 22, No. 4, October 1975,
|
|
pp. 464-468. The definition used here is adapted from R. M. Karp,
|
|
"Reducibility Among Combinatorial Problems" in Complexity of Computer
|
|
Computations, by R. E. Miller and J. W. Thatcher, eds., Plenum Press, New
|
|
York (1972), pp. 85-104. Simply stated, given a one-dimensional knapsack of
|
|
length S and a vector a composed of n rods of lengths a.sub.1, a.sub.2, . . .
|
|
a.sub.n, the knapsack problem is to find a subset of the rods which exactly
|
|
fills the knapsack, if such a subset exists. Equivalently, find a binary
|
|
n-vector x of 0's and 1's such that S=a*x, if such an x exists, (* applied to
|
|
vectors denotes dot product, applied to scalars denotes normal
|
|
multiplication).
|
|
|
|
A supposed solution, x, is easily checked in at most n additions; but, to
|
|
the best of current knowledge, finding a solution requires a number of
|
|
operations which grows exponentially in n. Exhaustive trial and error search
|
|
over all 2.sup.n possible x's is computationally infeasible if n is larger
|
|
than one or two hundred. Thus, it is computationally infeasible to invert the
|
|
transformation; such transformations are characterized by the class of
|
|
mathematical functions known as one-way cipher functions. A task is
|
|
considered computationally infeasible if its cost as measured by either the
|
|
amount of memory used or the computing time is finite but impossibly large,
|
|
for example, on the order of approximately 10.sup.30 operations with existing
|
|
computational methods and equipment.
|
|
|
|
Theory suggests the difficulty of the knapsack problem because it is an
|
|
NP-complete problem, and is therefore one of the most difficult computational
|
|
problems of a cryptographic nature. (See for example, A. V. Aho, J. E.
|
|
Hopcraft and J. D. Ullman, The Design and Analysis of Computer Algorithms,
|
|
Reading, Ma.; Addison-Wesley, 1974, pp. 363-404.) Its degree of difficulty,
|
|
however, is dependent on the choice of a. If a=(1, 2, 4, . . . 2.sup.(n-1)),
|
|
then solving for x is equivalent to finding the binary representation of S.
|
|
Somewhat less trivially, if for all i, ##EQU2## then x is also easily found:
|
|
x.sub.n =1 if and only if S.gtoreq.a.sub.n, and, for i=n-1, n-2, . . . 1,
|
|
x.sub.i =1 if and only if ##EQU3## If the components of x are allowed to take
|
|
on integer values between 0 and l then condition (1) can be replaced by
|
|
##EQU4## and x.sub.i can be recovered as the integer part of ##EQU5##
|
|
Equation (2) for evaluating x.sub.i when x.sub.i is binary valued is
|
|
equivalent to this rule for l=1.
|
|
|
|
A trap door knapsack is one in which careful choice of a allows the designer
|
|
to easily solve for any x, but which prevents anyone else from finding the
|
|
solution. Two methods will be described for constructing trap door knapsacks,
|
|
but first a description of their use in a public key cryptosystem as shown in
|
|
FIG. 1 is provided. Receiver 12 generates a trap door knapsack vector a, and
|
|
either places it in a public file or transmits it to transmitter 11 over the
|
|
insecure channel 19. Transmitter 11 represents the plaintext message X as a
|
|
vector x of n 0's and 1's, computes S=a*x, and transmits S to receiver 12
|
|
over the insecure channel 19. Receiver 12 can solve S for x, but it is
|
|
infeasible for eavesdropper 13 to solve S for x.
|
|
|
|
In one method for generating trap door knapsacks, the key generator 22, uses
|
|
random numbers generated by key source 26 to select two large integers, m and
|
|
w, such that w is invertible modulo m, (i.e., so that m and w have no common
|
|
factors except 1). For example, the key source 26 may contain a random number
|
|
generator that is implemented from noisy amplifiers (e.g., Fairchild .mu. 709
|
|
operational amplifiers) with a polarity detector. The key generator 22 is
|
|
provided a knapsack vector, a' which satisfies (1) and therefore allows
|
|
solution of S'=a'*x, and transforms the easily solved knapsack vector a' into
|
|
a trap door knapsack vector a via the relation
|
|
|
|
a.sub.i =w*a'.sub.i mod m (3)
|
|
The vector a serves as the public enciphering key E on line E, and is either
|
|
placed in a public file or transmitted over the insecure channel 19 to
|
|
transmitter 11. The enciphering key E is thereby made available to both the
|
|
transmitter 11 and the eavesdropper 13. The transmitter 11 uses the
|
|
enciphering key E, equal to a, to generate the ciphertext S from the
|
|
plaintext message X, represented by vector x, by letting S=a*x. However,
|
|
because the a.sub.i may be psuedo-randomly distributed, the eavesdropper 13
|
|
|
|
(This text is incomplete)
|
|
|