Symmetric and Asymmetric Encryption
GUSTAVUS J. SIMMONS
Sandia Laboratories, Albuquerque, New Mexico 87185
INTRODUCTION
The object of secure communications has been to provide privacy or secrecy, i.e., to hide the contents of a publicly exposed message from unauthorized recipients. In contemporary commercial and diplomatic applications, however, it is frequently of equal or even greater concern that the receiver be able to verify that the message has not been modified during transmission or that it is not a counterfeit from an unauthorized transmitter. In at least one important class of problems message authentication is needed at the same time that the message itself is revealed.

In this paper secure communications are discussed with emphasis on applications that cannot be satisfactorily handled by present cryptographic techniques. Fortunately, an entirely new concept, the asymmetric encryption/decryption channel, solves the new requirements in secure communications. For perspective, the reader should keep in mind that all current cryptosystems are symmetric in the sense that either the same piece of information (key) is held in secret by both communicants, or else that each communicant holds one from a pair of related keys where either key is easily derivable from the other. These secret keys are used in the encryption process to introduce uncertainty (to the unauthorized receiver), which can be removed in the process of decryption by an authorized receiver using his copy of the key or the "inverse key." This means, of course, that if a key is compromised, further secure communications are impossible with that key. The new cryptosystems are asymmetric in the sense that the transmitter and receiver hold different keys at least one of which it is computationally infeasible to derive from the other.

This article was sponsored by the U.S. Department of Energy under Contract DE-AC04-76DP00789.
CONTENTS
INTRODUCTION
1. CLASSICAL CRYPTOGRAPHY
2. READER'S GUIDE
3. THE COMMUNICATIONS CHANNEL
4. THE ENCRYPTION/DECRYPTION CHANNEL
5. COMPUTATIONAL COMPLEXITY AND SYMMETRIC ENCRYPTION
6. COMPUTATIONAL COMPLEXITY AND ASYMMETRIC ENCRYPTION
   6.1 The Knapsack Trapdoor
   6.2 The Factorization Trapdoor
7. AUTHENTICATION
8. SECURE COMMUNICATIONS
SUMMARY AND CONCLUSION
APPENDIX
ACKNOWLEDGMENTS
REFERENCES
$M = (a_1 a_2 \ldots a_k \mid a_i \in \mathcal{A})$, then the stream cipher $C = \pi(M)$ is given by

$$C = (\pi(a_1), \pi(a_2), \ldots, \pi(a_k) \mid \pi(a_i) \in \mathcal{A}).$$
The mapping $\pi$ is commonly a function of previous inputs, as in the rotor cryptomachines of the World War II period. The various versions of Vigenère encryption to be discussed shortly are all examples of stream ciphers, some of which use a fixed mapping and others, such as the running key and autokey systems, a usage-dependent mapping.
In a block cipher a block of symbols from M is operated on jointly by the encryption algorithm, so that in general one may view a block cipher as a nonsingular¹ mapping from the set of plaintext n-tuples $\mathcal{A}^n$ into the set of cipher n-tuples $\mathcal{A}^n$. For cryptosystems which use the same key repeatedly, block ciphers are cryptographically stronger than stream ciphers. Consequently, most contemporary cryptosystems are block ciphers, although one-time key systems are used in applications where the very highest security is required. Examples of block ciphers are the Playfair digraph substitution technique, the Hill linear transformation scheme, and the NBS Data Encryption Standard (DES). The distinction between block and stream ciphers is more apparent than real since a block cipher on n-tuples from $\mathcal{A}$ is equivalent to a stream cipher over the enlarged alphabet $\mathcal{A}^n$.

Since much of the discussion relies on the concept of a "key" in the cryptosystem, we shall present several examples that illustrate keys and possible attacks to discover them.
¹ Nonsingular simply means that every cipher decrypts to a unique message. In Section 6.2 an example of a singular cryptomapping is described.
Plaintext:  THE MATHEMATICS OF SECRECY
Key:        COV ERCOVERCOVE RC OVERCOV
Cipher:     VVZ RQVVZRQVWXW FH GZGIGQT.
iski-type solution. A second proposed solution was to compute a key of $n_1 n_2$ bits in length by forming the logical sum, bit by bit, of two shorter key tapes of relatively prime lengths $n_1$ and $n_2$, so that the resulting key stream would not repeat until $n_1 n_2$ bits of key had been generated. This form of Vernam system was used for a time by the U.S. Army.

The greatest contribution of the two-tape Vernam system came from its successful cryptanalysis, which led to the recognition of the unconditional cryptosecurity of one-time keys or pads. Major J. O. Mauborgne of the U.S. Army Signal Corps showed that cipher produced from key generated by the linear combination of two or more short tapes could be successfully analyzed by techniques essentially the same as those used against running-key systems. The unavoidable conclusion was that the Vernam-Vigenère system, whether with a repeating single key tape or with linear combinations of repeating short tapes to form a long key sequence, was insecure in both forms. The truly significant conclusion was arrived at by Friedman and Mauborgne: The key in an unconditionally secure stream cipher⁴ must be incoherent (the uncertainty, or entropy, of each key symbol must be at least as great as the average information content per symbol of the message). Such a cryptosystem is referred to as a random one-time key or pad.⁵ In other words, the system is unconditionally secure, not because of any failure on the cryptanalyst's part to find the right technique, but rather because the equivocation faced by the cryptanalyst leaves an irresolvable number of choices for key or plaintext message. While it is often stated that a Vernam-Vigenère cryptosystem with a nonrepeating random key is
TABLE 1

Letter  Number of      Letter  Number of      Letter  Number of
        Occurrences            Occurrences            Occurrences
E       540            C       212            Y       57
T       479            M       177            B       44
O       384            D       168            V       42
A       355            H       145            K       33
N       354            U       136            Q       11
I       326            P       114            X       7
R       317            F       87             Z       4
S       308            G       67             J       1
L       219            W       65
162)
~)(mod37).
FIGURE 1. Number of occurrences plotted against numeric equivalent (bar chart; axis data not reproduced).
Because of the unavoidable length and detail of the subsequent sections, a brief outline of the development is given here. First, a parallel between the classical noisy communications channel and the general encryption/decryption channel is drawn. The reason for doing this is that error detecting and correcting codes and message or transmitter authentication are mathematically dual problems. In both cases redundancy, i.e., extra symbols, is introduced in the message, but the way in which this redundancy is used to communicate through the channel is different in the two applications. This is true whether the cryptosystem is symmetric or asymmetric.

Second, computationally infeasible problems are the source of cryptosecurity for both symmetric and asymmetric systems. One of the important points to this paper is to make clear how these computationally complex problems are embedded in an en-
⁹ Whereas the Hamming metric is the number of symbol differences between two words, the Lee metric is the sum of the absolute differences of the symbols: for $W_1 = (0, 1, 2)$ and $W_2 = (2, 0, 1)$, $H(W_1, W_2) = 3$ and $L(W_1, W_2) = 4$. For binary code words the Hamming and Lee metrics are identical.
Computing Surveys, Vol. 11, No. 4, December 1979
TABLE 2

Message   Code Word
0000      000 0000
0001      011 0001
0010      110 0010
0011      101 0011
0100      111 0100
0101      100 0101
0110      001 0110
0111      010 0111
1000      101 1000
1001      110 1001
1010      011 1010
1011      000 1011
1100      010 1100
1101      001 1101
1110      100 1110
1111      111 1111
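The code of Table 2 as an added example (Python written for this page, not code from Simmons' paper): the check triples of the four unit messages are read off the table, every other row is their XOR, and the resulting syndrome table corrects one bit error. That Table 2 is thereby a (7,4) Hamming code is my reading of the table, checked by the assertion in the block; the last function illustrates the reader's guide's point that redundancy of this kind corrects channel errors but says nothing about who sent the word.

```python
# Added example, not code from Simmons' paper: the (7,4) code of Table 2.
# The check triples of the four unit messages are read off the table; every
# other row is their XOR, so the code is linear and can be regenerated and
# syndrome-decoded. The last function makes the reader's guide's point:
# the same redundancy that corrects a channel error is no evidence of who
# sent the word, because an opponent can compute the check bits as well.

# Check triple of each unit message, from Table 2 (message bit 3 is the leftmost).
CHECK_OF_UNIT = {0b1000: 0b101, 0b0100: 0b111, 0b0010: 0b110, 0b0001: 0b011}

def check_bits(msg):
    """Check triple of a 4-bit message: XOR of the triples of its set bits."""
    c = 0
    for unit, triple in CHECK_OF_UNIT.items():
        if msg & unit:
            c ^= triple
    return c

def encode(msg):
    """7-bit code word laid out as in Table 2: three check bits, then the message."""
    return (check_bits(msg) << 4) | msg

def table2():
    """Regenerate Table 2 as (message, code word) strings, e.g. ('1011', '000 1011')."""
    return [(f"{m:04b}", f"{encode(m) >> 4:03b} {m:04b}") for m in range(16)]

def syndrome(word):
    """Zero for a code word; otherwise identifies the single error position."""
    return (word >> 4) ^ check_bits(word & 0xF)

# Each of the 7 single-bit errors has a distinct non-zero syndrome, which is
# what makes this a Hamming code; the table is built once from syndrome().
ERROR_OF_SYNDROME = {syndrome(1 << i): 1 << i for i in range(7)}
assert len(ERROR_OF_SYNDROME) == 7 and 0 not in ERROR_OF_SYNDROME

def decode(word):
    """(message, corrected) for a received word with at most one bit in error."""
    s = syndrome(word)
    if s == 0:
        return word & 0xF, False
    return (word ^ ERROR_OF_SYNDROME[s]) & 0xF, True

def forged_word_passes(msg):
    """An opponent who knows the code forms encode(msg) for any msg of his choosing;
    the receiver's check (syndrome == 0) accepts it, so the check bits detect
    channel noise but do not authenticate the transmitter."""
    return syndrome(encode(msg)) == 0
```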
= DE(C, K')
for all M.
(1)
5. COMPUTATIONAL COMPLEXITY AND SYMMETRIC ENCRYPTION
FIGURE 5. Shift register code: shift register with feedback network (⊕ denotes exclusive OR; diagram not reproduced).
FIGURE 6. (Diagram not reproduced; register contents shown as 11010.)
¹² If $s = (s_1, \ldots, s_n)$ and $w = (w_1, \ldots, w_n)$, then the dot product $s \cdot w = \sum_i s_i w_i$. The vector $s$, where $s_i = 0$ or $1$, such that $S = s \cdot w$, selects some of the "objects" to fill a "knapsack" of capacity $S$.

¹³ $w = (14, 28, 56, 82, 90, 132, 197, 284, 341, 455)$, and $s = (1001111000)$, $(0110100010)$, or $(1100010010)$ for $S = 515$.
problem can be for special w. An encryption system based on such a simple w would not be secure.
Merkle and Hellman defined two special classes of vectors w, which they call trapdoor knapsacks; with a trapdoor knapsack the designer can easily compute the subset vector s, while the opponent is faced with solving a hard ($O(2^{n/2})$?) problem. The simplest scheme is an "additive trapdoor knapsack," in which the designer starts with any strictly dominating weight vector w containing n weights, as described above, and derives a related weight vector v, which is believed to be a hard knapsack. This is done by choosing a modulus m and a multiplier e which is relatively prime with respect to m, and then computing the n weights $v_i$ of v by the rule $e w_i \equiv v_i \pmod m$. Since e is relatively prime with respect to m, there exists a d, easily computed using the Euclidean algorithm, such that $ed \equiv 1 \pmod m$. The numbers d and m are the receiving key K', and the "hard" knapsack weight vector v is the transmitting key K. A binary message is broken into n-bit blocks. Each n-bit block becomes a vector s for the knapsack problem: the transmitter computes the cipher $S' = s \cdot v$. Since the cryptanalyst only knows S' and v, he is forced to solve the knapsack problem for v. The authorized receiver, however, computes $dS' \equiv S \pmod m$; he then solves the simple knapsack (S, w) in O(n) time because w is of the dominating form. If m is chosen to strictly dominate the sum of all the weights, then the computations may be done in integer arithmetic as well as in the modular arithmetic.

To further illustrate this simple trapdoor knapsack, use the easy knapsack weight vector w = (1, 2, 4, 8); choose m = 17 > 1 + 2 + 4 + 8 = 15 and e = 5. Then d = 7 and v = (5, 10, 3, 6). In this system the subset vector s = (0, 1, 0, 1) would be transmitted as $S' = s \cdot v = 16$. The receiver finds $S = 7 \cdot 16 \equiv 10 \pmod{17}$; since he also knows w, the authorized receiver can solve for s in three subtractions. The same principles apply to realistic implementations, which use n = 100 or larger.

Note that it has not yet been proved that the modular derivation of v from the easy knapsack w results in a hard knapsack.
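The additive trapdoor knapsack just described, as an added example in Python (written for this page; not the paper's or Merkle and Hellman's code), using the text's w = (1, 2, 4, 8), m = 17, e = 5 and the block s = (0, 1, 0, 1); the last function counts the solutions of the non-dominating knapsack of footnote 13, which is what the trapdoor avoids for the receiver. Function names are my own.

```python
# Added example, not code from the paper or from Merkle and Hellman: the
# additive trapdoor knapsack exactly as the text describes it. The numbers
# in the comments are the page's: w = (1, 2, 4, 8), m = 17, e = 5, d = 7,
# v = (5, 10, 3, 6), and the block s = (0, 1, 0, 1) sent as S' = 16.
from math import gcd

def is_strictly_dominating(w):
    """Each weight exceeds the sum of all earlier weights (the "easy" form)."""
    return all(w[i] > sum(w[:i]) for i in range(len(w)))

def make_keys(w, m, e):
    """Receiving key K' = (d, m) and transmitting key K = v, with v_i = e*w_i mod m."""
    assert is_strictly_dominating(w), "w must be strictly dominating"
    assert m > sum(w), "m must strictly dominate the sum of the weights"
    assert gcd(e, m) == 1, "e must be relatively prime to m"
    d = pow(e, -1, m)                      # e*d = 1 (mod m); the extended Euclidean algorithm
    v = tuple(e * w_i % m for w_i in w)
    return (d, m), v

def encrypt(s, v):
    """Cipher of one n-bit block: the dot product S' = s . v."""
    return sum(s_i * v_i for s_i, v_i in zip(s, v))

def solve_easy_knapsack(S, w):
    """O(n) solution of the dominating knapsack: take each weight, largest first, if it fits."""
    s = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):
        if w[i] <= S:
            s[i], S = 1, S - w[i]
    if S != 0:
        raise ValueError("no subset of w sums to S")
    return tuple(s)

def decrypt(S_prime, receiving_key, w):
    """Receiver: S = d*S' (mod m), then the easy knapsack (S, w) gives s back."""
    d, m = receiving_key
    return solve_easy_knapsack(d * S_prime % m, w)

def count_subset_sums(w, S):
    """Brute-force count of 0/1 vectors s with s . w = S; for a weight vector that is
    not dominating (footnote 13's w with S = 515) the answer exceeds one."""
    n = len(w)
    return sum(1 for mask in range(1 << n)
               if sum(w[i] for i in range(n) if mask >> i & 1) == S)
```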
(modn),
(modn).
(modn),
b>_0,
(Ron Rivest has pointed out that this statement is precisely true for ciphertext-only attack and that it does not hold for chosen-plaintext attack [BRIG77].)

For example, using the same primes and message as above in the simple Rabin scheme, p = 421, q = 577, and M = 153,190, and letting b = 0, one obtains the cipher $C = 153{,}190^2 \equiv 179{,}315 \pmod{242{,}917}$. Four messages have C as their square mod n: M, of course, and $-M = 089{,}727$, as well as $M' = 022{,}788$ and $-M' = 220{,}129$.

The important point is that these results are persuasive evidence of equivalence between decryption for almost all messages and the factorization of n in these schemes.
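The four square roots above, as an added example (Python written for this page, not the paper's or Rabin's code): the roots are found from the factors p and q by taking a root modulo each prime (Tonelli-Shanks) and combining the sign choices with the Chinese remainder theorem, and the converse direction of the equivalence the text asserts is shown by a gcd of two roots that are not negatives of each other, which yields a factor of n. Function names are my own.

```python
# Added example, not code from the paper or from Rabin: the square-root
# structure behind the page's numbers p = 421, q = 577, n = 242,917,
# M = 153,190, b = 0. Knowing p and q, the receiver finds all four roots of
# C = M^2 (mod n) by taking roots modulo each prime and combining them with
# the Chinese remainder theorem. Conversely, two roots that are not negatives
# of each other give a factor of n by one gcd, which is the sense in which
# decryption and factoring are equivalent. Function names are my own.
from math import gcd

def rabin_encrypt(M, n, b=0):
    """C = M(M + b) mod n; the page's example takes b = 0."""
    return M * (M + b) % n

def sqrt_mod_prime(a, p):
    """Tonelli-Shanks: one square root of a quadratic residue a modulo an odd prime p."""
    a %= p
    if a == 0:
        return 0
    if p % 4 == 3:                       # shortcut; 421 and 577 are 1 mod 4, so not used here
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                      # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                     # least i with t^(2^i) = 1
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def crt(r1, p, r2, q):
    """The x mod pq with x = r1 (mod p) and x = r2 (mod q), for coprime p and q."""
    return (r1 + p * ((r2 - r1) * pow(p, -1, q) % q)) % (p * q)

def rabin_roots(C, p, q):
    """All four M with M^2 = C (mod pq): each sign choice modulo p times each modulo q."""
    rp, rq = sqrt_mod_prime(C, p), sqrt_mod_prime(C, q)
    return sorted({crt(a, p, b, q) for a in (rp, p - rp) for b in (rq, q - rq)})

def factor_from_roots(n, x, y):
    """Given x^2 = y^2 (mod n) with x != +-y, gcd(x - y, n) is a proper factor of n."""
    f = gcd((x - y) % n, n)
    if f in (1, n):
        raise ValueError("roots are equal or negatives of each other")
    return min(f, n // f)
```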
A common misconception is that asymmetric encryption/decryption (public-key encryption) is more secure than its (symmetric) predecessors. For example, Gardner [GARD77] suggests that public-key cryptosystems are more cryptosecure than existing systems, and a lengthy editorial in the Washington Post, July 9, 1978, was entitled "The New Unbreakable Codes--Will They Put NSA Out of Business?" [SHAP78]. The discussion in the two previous sections on symmetric and asymmetric encryption demonstrates clearly that asymmetric cryptosecurity depends on precisely the same mathematical condition as most high-quality symmetric cryptosystems: computational work factor. Basing cryptosystems on NP-hard problems opens new worlds of codes which may be as secure as traditional codes. But the new systems are not necessarily more or less secure than existing cryptosystems.
7. AUTHENTICATION
$M^{d_A} \equiv C_A \pmod{n_A}$ using his secret key $(d_A, n_A)$ and then computes $C_A^{e_B} \equiv C \pmod{n_B}$.
Despite the different concerns of the transmitter, the receiver, or the intermediary in authentication, the objective is always an authentication system whose cryptosecurity is equivalent to the security of the transmitter's encryption key. This means that the transmitter can purposely introduce redundancy in such forms as message identifiers prior to encryption, or else he can depend on redundancy inherent in the message format or language to allow the authorized receiver to reject bogus messages.
Class   Message/Transmitter Authentication   Secrecy
I
II
III
IV
(Yes/No entries of this table were not recoverable from the extraction.)
channel.
Class II is the classical case of secret or private communications. We call this the private channel. This channel is realizable with symmetric or asymmetric techniques. In the symmetric case a compromise of the key at either end of the communications channel precludes all further secret communications. In a forward asymmetric system secret communications are still possible even if the transmitter's key is public.

The necessity for communicants using symmetric systems to provide a secure way to exchange keys in advance is a severe restriction. A commercial cryptonet, for example, could have many thousands of subscribers, any pair of whom might wish to communicate. Clearly the number of keys to support symmetric encryption would be unmanageable. In a forward asymmetric encryption system, however, a subscriber $S_i$ could publish his encryption pair $E_i$ and $K_i$ in a public directory. Anyone wishing to communicate a secret message M to $S_i$ in secrecy transmits $E_i(M, K_i)$, which can only be deciphered by $S_i$. It is this application that led to the name "public-key cryptosystem." It is essential, however, that the transmitter be certain that $E_i$ and $K_i$ are the key entries for $S_i$: In other words, while a secret exchange of keys is no longer (in an asymmetric system as opposed to a symmetric one) needed, an authenticated exchange of keys is still required! This is an important point since it is frequently said--
putational cryptosecurity. An essential difference between symmetric and asymmetric cryptosystems is that one of the transmitter or receiver keys can be compromised in the asymmetric system with some secure communications still possible. In some instances, such as the public-key cryptosystem, the exposure may be deliberate; in others it cannot be insured against simply because of the physical exposure of one end of the communications link. If in an asymmetric system the receiver key is concealed from a knowledge of the transmitter key, it is still possible to communicate in secrecy even after the transmitter key is exposed. Conversely, if the transmitter key is concealed from a knowledge of the receiver key, it is possible for the transmitter to authenticate himself even though the receiver key is known to an opponent. These unique capabilities of asymmetric systems distinguish them from symmetric systems.

Two vital points need to be restated. First, it is false that key protection and secure key dissemination are unnecessary in an asymmetric system. As Needham and Schroeder [NEED78] have shown for network authentication, the protocols are quite similar, and the number of protocol messages which must be exchanged is comparable using either symmetric or asymmetric encryption techniques. At the end of the section on secure communications we illustrated an anomaly, the establishing of a secret link with a party whose identity cannot be verified, which can arise in the absence of key dissemination. For this reason asymmetric techniques can be used to disseminate a key which is then used in a symmetric system.

The second point is that asymmetric systems are not a priori superior to symmetric ones. The particular application determines which system is appropriate. In the 1979 state of the art, all the proposed asymmetric systems exact a high price for their asymmetry: The higher amount of computation in the encryption/decryption process significantly cuts the channel capacity (bits per second of message information communicated). No asymmetric scheme known to the author has a capacity better than C 1/2, where C is the channel capacity of a symmetric channel having the same cryp-
FIGURE 7. Four-stage shift register: $x_1' = \sum_{i=1} c_i x_i$ and $x_i' = x_{i-1}$, $i > 1$, with $(x + 1)(x^4 + x^3 + x^2 + x + 1) = x^5 + 1$. Register states listed in the figure: 1000, 0001, 0011, 0110, 1100, 0100, 1001, 0010, 0101, 1010, 1110, 1101, 1011, 0111, 1111; and the sequence 0101, 1011, 0110, 1100, 1001, 0010, 0100 (diagram and output-bit columns not reproduced).
ACKNOWLEDGMENTS

The author wishes to acknowledge the many and valuable contributions of M. J. Norris to the ideas presented here. He is also grateful to D. Kahn and H. Bright for careful reviews of a first draft of the manuscript and to the anonymous referees whose detailed suggestions materially shaped the present form of the paper. Finally, he wishes to express his appreciation to R. J. Hanson and P. J. Denning whose assistance has made it possible for this material to be published in Computing Surveys.

REFERENCES

ACME23
ADLE78
ALBE41
BERL68
BRAN79
BRIG76
BRIG77
DAVI79
DEAD77
DIFF76
DIFF77
EVAN74
FEIS73 ... 1973), 15-23.
GAIN56 GAINES, H. F. Cryptanalysis: a study of ciphers and their solution, Dover, New York, 1956.
GAIT77 GAIT, J. "A new nonlinear pseudorandom number generator," IEEE Trans. Softw. Eng. SE-3, 5 (Sept. 1977), 359-363.
GARD77 GARDNER, M. Mathematical games (section), Sci. Am. 237, 2 (Aug. 1977), 120-124.
GEFF73 GEFFE, P. R. "How to protect data with ciphers that are really hard to break," Electronics 46, 1 (Jan. 4, 1973), 99-101.
GILB74 GILBERT, E. N., MACWILLIAMS, F. J., AND SLOANE, N. J. A. "Codes which detect deception," Bell Syst. Tech. J. 53, 3 (March 1974), 405-423.
GOLO67 GOLOMB, S. W. Shift register sequences, Holden-Day, San Francisco, Calif., 1967.
HART64 HART, G. L. The Beale papers, Roanoke Public Library, Roanoke, Va., 1964.
HELL78 HELLMAN, M. E. "An overview of public-key cryptography," IEEE Trans. Commun. COM-16, 6 (Nov. 1978), 24-32.
HELL79a HELLMAN, M. E. "DES will be totally insecure within ten years," IEEE Spectrum 16, 7 (July 1979), 32-39.
HELL79b HELLMAN, M. E. "The mathematics of public-key cryptography," Sci. Am. 241, 3 (Aug. 1979), 146-157.
HERL78 HERLESTAM, T. "Critical remarks on some public-key cryptosystems," BIT 18 (1978), 493-496.
HILL29 HILL, L. S. "Cryptography in an algebraic alphabet," Am. Math. Monthly 36 (June-July 1929), 306-312.
HILL31 HILL, L. S. "Concerning certain linear transformation apparatus of cryptography," Am. Math. Monthly 38 (March 1931), 135-154.
HOFF77 HOFFMAN, L. J. Modern methods for computer security and privacy, Prentice-Hall, Englewood Cliffs, N.J., 1977.
HORO74 HOROWITZ, E., AND SAHNI, S. "Computing partitions with applications to the knapsack problem," J. ACM 21, 2 (April 1974), 277-292.
KAHN66 KAHN, D. "Modern cryptology," Sci. Am. 215 (July 1966), 38-46.
KAHN67 KAHN, D. The codebreakers, the story of secret writing, MacMillan, New York, 1967.
KARP72 KARP, R. M. "Reducibility among combinatorial problems," in Complexity of computer computations, R. E. Miller and J. W. Thatcher (Eds.), Plenum Press, New York, 1972, pp. 85-104.
KULL76 KULLBACK, S. Statistical methods in cryptanalysis, Aegean Park Press, Laguna Hills, Calif., 1976.
LEMP79 LEMPEL, A. "Cryptology in transition: a survey," Comput. Surv. 11, 4 (Dec. 1979), 285-304.
LIPT78 LIPTON, S. M., AND MATYAS, S. M. "Making the digital signature legal--and safeguarded," Data Commun. 7, 2 (Feb. 1978), 41-52.
MACW77 MACWILLIAMS, F. J., AND SLOANE, N. J. A. The theory of error-correcting codes, Vols. I and II, North-Holland, New York, 1977.
MART73 MARTIN, J. Security, accuracy and privacy in computing systems, Prentice-Hall, Englewood Cliffs, N.J., 1973.
MASS69 MASSEY, J. L. "Shift-register synthesis and BCH decoding," IEEE Trans. Inform. Theory IT-15, 1 (Jan. 1969), 122-127.
MERK78a MERKLE, R. C. "Secure communications over insecure channels," Commun. ACM 21, 4 (April 1978), 294-299.
MERK78b MERKLE, R. C., AND HELLMAN, M. E. "Hiding information and signatures in trapdoor knapsacks," IEEE Trans. Inform. Theory IT-24, 5 (Sept. 1978), 525-530.
MEYE72 MEYER, C., AND TUCHMAN, W. "Pseudo-random codes can be cracked," Electron. Des. 23 (1972), 74-76.
MORR77 MORRIS, R., SLOANE, N. J. A., AND WYNER, A. D. "Assessment of the National Bureau of Standards proposed federal Data Encryption Standard," Cryptologia 1, 3 (July 1977), 281-291.
NEED78 NEEDHAM, R. M., AND SCHROEDER, M. D. "Using encryption for authentication in large networks of computers," Commun. ACM 21, 12 (Dec. 1978), 993-999.
PETE72 PETERSON, W. W., AND WELDON, E. J. Error correcting codes, 2nd ed., MIT Press, Cambridge, Mass., 1972.
POHL78 POHLIG, S. C., AND HELLMAN, M. E. "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance," IEEE Trans. Inform. Theory IT-24, 1 (Jan. 1978), 106-110.
PURD74 PURDY, G. B. "A high security log-in procedure," Commun. ACM 17, 8 (Aug. 1974), 442-445.
RABI79 RABIN, M. O. Digitalized signatures and public-key functions as intractable as factorization, Tech. Rep. MIT/LCS/TR-212, MIT Lab. Comput. Sci., Cambridge, Mass., Jan. 1979.
RIVE78 RIVEST, R., SHAMIR, A., AND ADLEMAN, L. "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM 21, 2 (Feb. 1978), 120-126.
ROBE75 ROBERTS, R. W. "Encryption algorithm for computer data encryption," (NBS) Fed. Reg. 40, 52 (March 17, 1975), 12134-12139.
SCHR79 SCHROEPPEL, R., AND SHAMIR, A. "A $T \cdot S^2 = O(2^n)$ time/space tradeoff for certain NP-complete problems," to appear as MIT Lab. Comput. Sci. Rep.
SHAM78
SHAM79
SHAN48
SHAN49
SHAP78
SIMM77
SIMM79
SUGA79
TAUS65
TUCH79
TUCK70
VERN26
WILK68
WILL79a
WILL79b
ZIER68
ZIER69