Comp. & Maths. with Appls. Vol. 7, No. 6, pp. 447-450, 1981. Printed in Great Britain.
0097-4943/81 Pergamon Press Ltd.
AN EFFICIENT ALGORITHM FOR CONSTRUCTING A CRYPTOSYSTEM WHICH IS HARDER TO BREAK THAN TWO OTHER CRYPTOSYSTEMS
C. A. ASMUTH and G. R. BLAKLEY†
Department of Mathematics, Texas A&M University, College Station, TX 77843, U.S.A.
Communicated by Ervin Y. Rodin
(Received December 1980; revised April 1981)
Abstract-Suppose that two organizations with their own separate cryptosystems are put into a context in which they must communicate. An example might be two businesses-accustomed to using different commercial cryptosystems-which have recently merged. Each might mistrust the security of the other’s cryptosystem. But neither could quarrel with a process which took their two cryptosystems and yielded a third cryptosystem which was demonstrably at least as strong as either of the original two. This paper constructs a practical working model of such a “least upper bound” of two cryptosystems.
1. INTRODUCTION
It is well known that merely encrypting with system A followed by system B need not produce enhanced security. In fact B might even be inverse to A, so that cryptext equals plaintext in the composite system. There is, nevertheless, a simple way to take two cryptosystems, A and B, and produce a third cryptosystem C with the property that breaking C is equivalent to breaking both A and B. The recent discovery[1] of key safeguarding schemes (threshold schemes[2]) is the motivation behind this manner of combining cryptosystems to produce new ones. The process merely uses the hardware for the two systems, together with very fast simple hardware for merging them, and is about as fast as the slower of the two cryptosystems. As we shall see, one pays a price in message bandwidth expansion, inasmuch as the combined system produces cryptext about 3 times as long as the plaintext. Reasonable names for C might be join ([3], p. 8) of A and B, supremum of A and B, or least upper bound of A and B. We will adopt the first terminology and write C = A v B. Up to now there have been two dominant styles of cryptosystem security proof in the open literature. The Vernam one-time pad ([4], pp. 399-400; [5], pp. 394-399) is absolutely secure ([4], pp. 399-400; [5], pp. 398-399), but is not a true cryptosystem [6,7]. Rabin[8] and Williams[9] have recently produced quadratic analogs of RSA cryptosystems[10] which are externally relatively secure, in the sense that breaking them by what amounts to root extraction gives a way to solve an ostensibly hard problem outside cryptology, a case of the factoring problem in number theory[11]. They are, however, susceptible to a chosen cryptext attack ([9], p. 729). Lempel, Even and Yacobi have provided another example[12,13] of an externally relatively secure cryptosystem. Their cryptosystem is NP hard to crack but almost always easy to crack.
This paper, which is influenced somewhat by them, introduces a third style, the internal relative security proof, which stays within a cryptographic frame of reference. This self contained frame of reference is reminiscent of the internal relative consistency proofs of mathematics, such as the proof that hyperbolic geometry is consistent if Euclidean geometry is ([14], pp. 343-346), or that X together with the continuum hypothesis is consistent if X is [18].
2. THE JOIN OF TWO CRYPTOSYSTEMS
A key setting of a cryptosystem A is a triple (A, K, K*), where K is an encrypting key and K* is the corresponding decrypting key. Similarly (B, L, L*) for a cryptosystem B. In a public key (what Simmons[15] calls an asymmetric) cryptosystem A the keys K and K* are distinct, and it is presumably not feasible to infer K* from K. In a conventional (symmetric) cryptosystem A the keys K and K* are equal. The flow diagram in Fig. 1 defines the cryptosystem A v B. It is apparent that a given
†Author's research supported, in part, by NSF Grant MCS 7908516.
[Fig. 1 flow diagram: a first random bit block F is encrypted with cryptosystem A using key K to form A_K(F); a second random bit block S is encrypted with cryptosystem B using key L to form B_L(S); the original plaintext message block P is XORed with both random blocks to form P XOR F XOR S. The sender transmits P XOR F XOR S on channel 0, A_K(F) on channel 1 and B_L(S) on channel 2. The receiver decrypts channel 1 with cryptosystem A using the key K* (which decrypts messages encrypted using the key K) to form A_K*(A_K(F)) = F, decrypts channel 2 with cryptosystem B using the key L* (which decrypts messages encrypted using the key L) to form B_L*(B_L(S)) = S, and XORs the recovered F and S into channel 0 to obtain the plaintext message block P.]
Fig. 1. The cryptographic join A v B.
cryptext message block (i.e. a given list of three synchronized block transmissions on channels 0, 1 and 2) can be decrypted to yield the plaintext message block P if and only if one can recover the exclusive or (F XOR S) of the corresponding ancestral first random bit block F which was encrypted by cryptosystem A (using key K) and the corresponding second ancestral random bit block S which was encrypted by cryptosystem B (using key L). Assume that a cryptanalyst has somehow devised an algorithm which has channels 1 (carrying A_K(F)) and 2 (carrying B_L(S)) as inputs, and has F XOR S as output. Thus he has a solution to the problem of breaking A v B. We claim that he then has the ability to break either A or B. Let us see how this makes it possible to break A. Assume system (A, K, K*) is in use, encrypting successive plaintext messages F(1), F(2), F(3), . . .,
and the cryptanalyst has access to the (A, K, K*) cryptext stream A_K(F(1)), A_K(F(2)), A_K(F(3)), . . . . He can hold the channel 2 input to his device fixed, say equal to M, while feeding the (A, K, K*) cryptext into the channel 1 input. He does not know the plaintext B_L*(M) ancestral to the "cryptext" M. But he has outputs F(1) XOR B_L*(M), F(2) XOR B_L*(M), F(3) XOR B_L*(M), . . . .
The problem of breaking A is thereby essentially reduced to the cryptanalytically trivial problem of discovering B_L*(M), i.e. of breaking a "polyalphabetic cipher" having a "keyword" of known length by a cryptext only attack ([4], p. 402; [16], pp. 58-112; [17], pp. 34-85). The converse is also clear. Somebody who can break A operating with the key K and also break B operating with the key L can obviously break A v B, operating with the key-pair (K, L). It is important to keep in mind the role of the "garbage utility" which delivers the random bit blocks on which the operation of the join crucially depends. It is essential that this sequence of blocks make up a bit stream without redundancy. If it is not a truly random irredundant source of equally likely zeros and ones then all bets are off and the cryptanalyst may be able to read traffic without breaking any cryptosystem involved. But this caution applies elsewhere as well. Even a one-time pad ([4], pp. 399-400; [5], pp. 394-399) system is no stronger than the random process which produces its pads.
3. CONTEXTS AND GENERALIZATIONS
The join of 3, 4 or more cryptosystems can easily be produced by using channels 3, 4, . . . in a diagram which has appropriately many further right hand columns and further XOR boxes in the obvious positions. The join of N - 1 cryptosystems thus obviously involves an N-fold plaintext message expansion. It is approximately as fast as the slowest of the cryptosystems involved.
J. Bloom has noted that the join is just one of a variety of possible ways to combine several cryptosystems. The "universal algebra[3] of cryptosystems" he has envisioned uses threshold schemes as finitary operations ([3], p. 51), and uses cryptosystems as numbers (i.e. as members of the set ([3], p. 5) on which the finitary operation is defined). The threshold scheme in this paper is the Vernam one-time pad[6] subcase of Bloom's fast threshold scheme[7].
Suppose that the cryptosystems A and B are both one-to-one onto functions (i.e. bijections). Then so is A v B. This must be interpreted as follows. Once A, K, B and L are chosen, then to each input triple (P, F, S) there corresponds a unique output triple (P XOR F XOR S, A_K(F), B_L(S)). If both A and B are public key (i.e. asymmetric) cryptosystems then, obviously, A v B is a public key cryptosystem. The join of two digital signature schemes is a digital signature scheme.
Suppose that A is a public key cryptosystem and B is a conventional (i.e. symmetric) cryptosystem. Then A v B is merely a conventional cryptosystem. But, in a sense, it behaves like a public key cryptosystem. The idea is as follows. An organization uses conventional channels to distribute a single encrypting/decrypting key L = L* for the conventional cryptosystem B to every member every week. Each member m publishes its own distinctive public encrypting key K(m) for the public cryptosystem A whenever it chooses, but keeps its private decrypting key K(m)* to itself.
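As an added illustration (example code, not from the paper), here is the join of Fig. 1 written out and generalized to N cryptosystems as this section describes. The two keystream ciphers are constructed stand-ins for A and B, the random-block source is a parameter so the role of the "garbage utility" is explicit, and partial_decrypt shows what a holder of only one decrypting key sees: channel 0 still masked one-time-pad style by the random block it cannot recover.

```python
import hashlib
import os

def make_stream_cipher(hash_name):
    """Toy symmetric cryptosystem (constructed stand-in for 'A' or 'B'): XOR the
    block with a keystream hash(key || counter). Symmetric, so K = K*."""
    digest_len = hashlib.new(hash_name).digest_size

    def crypt(key, data):
        out = bytearray()
        for i in range(0, len(data), digest_len):
            ks = hashlib.new(hash_name, key + i.to_bytes(8, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + digest_len], ks))
        return bytes(out)
    return crypt

def xor_blocks(*blocks):
    """Bitwise XOR of synchronized (equal-length) bit blocks: the XOR boxes of Fig. 1."""
    acc = blocks[0]
    for blk in blocks[1:]:
        assert len(blk) == len(acc), "blocks must be synchronized"
        acc = bytes(a ^ b for a, b in zip(acc, blk))
    return acc

def join_encrypt(encryptors, keys, plaintext, rng=os.urandom):
    """Join of N cryptosystems (N = 2 is Fig. 1). Channel 0 carries
    P XOR R_1 XOR ... XOR R_N; channel i carries E_i(K_i, R_i) for a fresh random R_i."""
    randoms = [rng(len(plaintext)) for _ in encryptors]  # the 'garbage utility'
    channel0 = xor_blocks(plaintext, *randoms)
    return [channel0] + [enc(k, r) for enc, k, r in zip(encryptors, keys, randoms)]

def join_decrypt(decryptors, keys, channels):
    """Recover P: decrypt every random block with its own decrypting key, then XOR
    them all into channel 0. Every decrypting key is needed."""
    randoms = [dec(k, c) for dec, k, c in zip(decryptors, keys, channels[1:])]
    return xor_blocks(channels[0], *randoms)

def partial_decrypt(decryptor, key, channels, index):
    """View of a party holding only decrypting key number `index` (0-based): its own
    random block is peeled off channel 0, but P stays masked by the other blocks."""
    r = decryptor(key, channels[index + 1])
    return xor_blocks(channels[0], r)

def expansion_factor(channels, plaintext):
    """Bandwidth cost: N + 1 channels for N systems, i.e. (N + 1)-fold expansion."""
    return sum(len(c) for c in channels) / len(plaintext)
```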
Thus, with no key distribution problem, any pair of members of the organization can communicate privately in A v B inside a security stockade as strong as both A and B. Outsiders must break both A (using the encrypting key K(m)) and B (using the encrypting/decrypting key L) to read traffic addressed to m. Insiders, who belong to the organization and therefore know L, can practice cryptanalysis against other insiders who are communicating with member m at a smaller cost than outsiders must pay, namely merely breaking A (using the encrypting key K(m)), i.e. by finding K(m)*.
REFERENCES
1. G. R. Blakley, Safeguarding cryptographic
keys. Proc. 1979 National Computer Conf., AFIPS Conf. Proc. 48, 313-317 (1979).
2. A. Shamir, How to share a secret. Commun. ACM 22, 612-613 (1979).
3. G. Gratzer, Universal Algebra. Van Nostrand, Princeton, New Jersey (1968).
4. W. Diffie and M. E. Hellman, Privacy and authentication: An introduction to cryptography. Proc. IEEE 67, 397-427 (1979).
5. D. Kahn, The Codebreakers. Macmillan, New York (1967).
6. G. R. Blakley, The Vernam one-time pad is a key safeguarding scheme, not a cryptosystem. Fast key safeguarding schemes (threshold schemes) exist. Proc. 1980 Symp. on Security and Privacy, IEEE Computer Society, Piscataway, New Jersey (1980).
7. J. R. Bloom, A note on superfast threshold schemes. Preprint, Texas A & M Department of Mathematics (Dec. 1980).
8. M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Preprint, MIT Laboratory for Computer Science, Rep. MIT/LCS/TR-212 (Jan. 1979).
9. H. C. Williams, A modification of the RSA public-key encryption procedure. IEEE Trans. Inform. Theory IT-26, 726-729 (1980).
10. R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21, 120-126 (1978).
11. R. K. Guy, How to factor a number. Congressus Numerantium XVI, Proc. 5th Manitoba Conf. on Numerical Mathematics, pp. 49-89, Winnipeg (1976).
12. A. Lempel, Cryptology in transition. Comput. Surveys 11, 285-303 (1979).
13. S. Even and Y. Yacobi, Cryptocomplexity and NP-completeness. Tech. Rep. 172, Technion Computer Science Department (March 1980).
14. G. Ewald, Geometry: An Introduction. Wadsworth, Belmont, California (1971).
15. G. J. Simmons, Symmetric and asymmetric encryption. Comput. Surveys 11, 305-330 (1979).
16. A. Sinkov, Elementary Cryptanalysis: A Mathematical Approach. Mathematical Association of America, Washington, D.C. (1966).
17. W. F. Friedman, Elements of Cryptanalysis. Aegean Park Press, Laguna Hills, California (1976).
18. K. Gödel, The Consistency of the Continuum Hypothesis. Princeton University Press (1940).