Diffie and Hellman's Paper on Cryptography (1976)

May 29, 2018

Bharathi Devi
Transcript
  • 8/9/2019 Diffie and Hellman's Paper on Cryptography (1976)

    1/11

    644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976

    New Directions in Cryptography

    Invited Paper

    WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE

    Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

    I. INTRODUCTION

    We stand today on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.

    The development of computer controlled communication networks promises effortless and inexpensive contact between people or computers on opposite sides of the world, replacing most mail and many excursions with telecommunications. For many applications these contacts must be made secure against both eavesdropping and the injection of illegitimate messages. At present, however, the solution of security problems lags well behind other areas of communications technology. Contemporary cryptography is unable to meet the requirements, in that its use would impose such severe inconveniences on the system users, as to eliminate many of the benefits of teleprocessing.

    Manuscript received June 3, 1976. This work was partially supported by the National Science Foundation under NSF Grant ENG 10173. Portions of this work were presented at the IEEE Information Theory Workshop, Lenox, MA, June 23-25, 1975 and the IEEE International Symposium on Information Theory in Ronneby, Sweden, June 21-24, 1976.

    W. Diffie is with the Department of Electrical Engineering, Stanford University, Stanford, CA, and the Stanford Artificial Intelligence Laboratory, Stanford, CA 94305.

    M. E. Hellman is with the Department of Electrical Engineering, Stanford University, Stanford, CA 94305.

    The best known cryptographic problem is that of privacy: preventing the unauthorized extraction of information from communications over an insecure channel. In order to use cryptography to insure privacy, however, it is currently necessary for the communicating parties to share a key which is known to no one else. This is done by sending the key in advance over some secure channel such as private courier or registered mail. A private conversation between two people with no prior acquaintance is a common occurrence in business, however, and it is unrealistic to expect initial business contacts to be postponed long enough for keys to be transmitted by some physical means. The cost and delay imposed by this key distribution problem is a major barrier to the transfer of business communications to large teleprocessing networks.

    Section III proposes two approaches to transmitting keying information over public (i.e., insecure) channels without compromising the security of the system. In a public key cryptosystem enciphering and deciphering are governed by distinct keys, E and D, such that computing D from E is computationally infeasible (e.g., requiring 10^100 instructions). The enciphering key E can thus be publicly disclosed without compromising the deciphering key D. Each user of the network can, therefore, place his enciphering key in a public directory. This enables any user of the system to send a message to any other user enciphered in such a way that only the intended receiver is able to decipher it. As such, a public key cryptosystem is a multiple access cipher. A private conversation can therefore be held between any two individuals regardless of whether they have ever communicated before. Each one sends messages to the other enciphered in the receiver's public enciphering key and deciphers the messages he receives using his own secret deciphering key.

    We propose some techniques for developing public key cryptosystems, but the problem is still largely open.

    Public key distribution systems offer a different approach to eliminating the need for a secure key distribution channel. In such a system, two users who wish to exchange a key communicate back and forth until they arrive at a key in common. A third party eavesdropping on this exchange must find it computationally infeasible to compute the key from the information overheard. A possible solution to the public key distribution problem is given in Section III, and Merkle [1] has a partial solution of a different form.

    A second problem, amenable to cryptographic solution, which stands in the way of replacing contemporary business communications by teleprocessing systems is authentication. In current business, the validity of contracts is guaranteed by signatures. A signed contract serves as legal evidence of an agreement which the holder can present in court if necessary. The use of signatures, however, requires the transmission and storage of written contracts. In order to have a purely digital replacement for this paper instrument, each user must be able to produce a message whose authenticity can be checked by anyone, but which could not have been produced by anyone else, even the recipient. Since only one person can originate messages but many people can receive messages, this can be viewed as a broadcast cipher. Current electronic authentication techniques cannot meet this need.

    Fig. 1. Flow of information in conventional cryptographic system.

    Section IV discusses the problem of providing a true, digital, message dependent signature. For reasons brought out there, we refer to this as the one-way authentication problem. Some partial solutions are given, and it is shown how any public key cryptosystem can be transformed into a one-way authentication system.

    Section V will consider the interrelation of various cryptographic problems and introduce the even more difficult problem of trap doors.

    At the same time that communications and computation have given rise to new cryptographic problems, their offspring, information theory, and the theory of computation have begun to supply tools for the solution of important problems in classical cryptography.

    The search for unbreakable codes is one of the oldest themes of cryptographic research, but until this century all proposed systems have ultimately been broken. In the nineteen twenties, however, the one time pad was invented, and shown to be unbreakable [2, pp. 398-400]. The theoretical basis underlying this and related systems was put on a firm foundation a quarter century later by information theory [3]. One time pads require extremely long keys and are therefore prohibitively expensive in most applications.

    In contrast, the security of most cryptographic systems resides in the computational difficulty to the cryptanalyst of discovering the plaintext without knowledge of the key. This problem falls within the domains of computational complexity and analysis of algorithms, two recent disciplines which study the difficulty of solving computational problems. Using the results of these theories, it may be possible to extend proofs of security to more useful classes of systems in the foreseeable future. Section VI explores this possibility.

    Before proceeding to newer developments, we introduce terminology and define threat environments in the next section.

    II. CONVENTIONAL CRYPTOGRAPHY

    Cryptography is the study of mathematical systems for solving two kinds of security problems: privacy and authentication. A privacy system prevents the extraction of information by unauthorized parties from messages transmitted over a public channel, thus assuring the sender of a message that it is being read only by the intended recipient. An authentication system prevents the unauthorized injection of messages into a public channel, assuring the receiver of a message of the legitimacy of its sender.

    A channel is considered public if its security is inadequate for the needs of its users. A channel such as a telephone line may therefore be considered private by some users and public by others. Any channel may be threatened with eavesdropping or injection or both, depending on its use. In telephone communication, the threat of injection is paramount, since the called party cannot determine which phone is calling. Eavesdropping, which requires the use of a wiretap, is technically more difficult and legally hazardous. In radio, by comparison, the situation is reversed. Eavesdropping is passive and involves no legal hazard, while injection exposes the illegitimate transmitter to discovery and prosecution.

    Having divided our problems into those of privacy and authentication we will sometimes further subdivide authentication into message authentication, which is the problem defined above, and user authentication, in which the only task of the system is to verify that an individual is who he claims to be. For example, the identity of an individual who presents a credit card must be verified, but there is no message which he wishes to transmit. In spite of this apparent absence of a message in user authentication, the two problems are largely equivalent. In user authentication, there is an implicit message I AM USER X, while message authentication is just verification of the identity of the party sending the message. Differences in the threat environments and other aspects of these two subproblems, however, sometimes make it convenient to distinguish between them.

    Fig. 1 illustrates the flow of information in a conventional cryptographic system used for privacy of communications. There are three parties: a transmitter, a receiver, and an eavesdropper. The transmitter generates a plaintext or unenciphered message P to be communicated over an insecure channel to the legitimate receiver. In order to prevent the eavesdropper from learning P, the transmitter operates on P with an invertible transformation S_K to produce the ciphertext or cryptogram C = S_K(P). The key K is transmitted only to the legitimate receiver via a secure channel, indicated by a shielded path in Fig. 1. Since the legitimate receiver knows K, he can decipher C by operating with S_K^{-1} to obtain S_K^{-1}(C) = S_K^{-1}(S_K(P)) = P, the original plaintext message. The secure channel cannot be used to transmit P itself for reasons of capacity or delay. For example, the secure channel might be a weekly courier and the insecure channel a telephone line.

    A cryptographic system is a single parameter family $\{S_K\}_{K \in \{K\}}$ of invertible transformations

    $S_K : \{P\} \to \{C\}$    (1)

    from a space {P} of plaintext messages to a space {C} of ciphertext messages. The parameter K is called the key and is selected from a finite set {K} called the keyspace. If the message spaces {P} and {C} are equal, we will denote them both by {M}. When discussing individual cryptographic transformations S_K, we will sometimes omit mention of the system and merely refer to the transformation K.

    The goal in designing the cryptosystem {S_K} is to make the enciphering and deciphering operations inexpensive, but to ensure that any successful cryptanalytic operation is too complex to be economical. There are two approaches to this problem. A system which is secure due to the computational cost of cryptanalysis, but which would succumb to an attack with unlimited computation, is called computationally secure; while a system which can resist any cryptanalytic attack, no matter how much computation is allowed, is called unconditionally secure. Unconditionally secure systems are discussed in [3] and [4] and belong to that portion of information theory, called the Shannon theory, which is concerned with optimal performance obtainable with unlimited computation.

    Unconditional security results from the existence of multiple meaningful solutions to a cryptogram. For example, the simple substitution cryptogram XMD resulting from English text can represent the plaintext messages: now, and, the, etc. A computationally secure cryptogram, in contrast, contains sufficient information to uniquely determine the plaintext and the key. Its security resides solely in the cost of computing them.

    The only unconditionally secure system in common use is the one time pad, in which the plaintext is combined with a randomly chosen key of the same length. While such a system is provably secure, the large amount of key required makes it impractical for most applications. Except as otherwise noted, this paper deals with computationally secure systems since these are more generally applicable. When we talk about the need to develop provably secure cryptosystems we exclude those, such as the one time pad, which are unwieldy to use. Rather, we have in mind systems using only a few hundred bits of key and implementable in either a small amount of digital hardware or a few hundred lines of software.

    We will call a task computationally infeasible if its cost as measured by either the amount of memory used or the runtime is finite but impossibly large.

    Much as error correcting codes are divided into convolutional and block codes, cryptographic systems can be divided into two broad classes: stream ciphers and block ciphers. Stream ciphers process the plaintext in small chunks (bits or characters), usually producing a pseudorandom sequence of bits which is added modulo 2 to the bits of the plaintext. Block ciphers act in a purely combinatorial fashion on large blocks of text, in such a way that a small change in the input block produces a major change in the resulting output. This paper deals primarily with block ciphers, because this error propagation property is valuable in many authentication applications.

    In an authentication system, cryptography is used to guarantee the authenticity of the message to the receiver. Not only must a meddler be prevented from injecting totally new, authentic looking messages into a channel, but he must be prevented from creating apparently authentic messages by combining, or merely repeating, old messages which he has copied in the past. A cryptographic system intended to guarantee privacy will not, in general, prevent this latter form of mischief.

    To guarantee the authenticity of a message, information is added which is a function not only of the message and a secret key, but of the date and time as well; for example, by attaching the date and time to each message and encrypting the entire sequence. This assures that only someone who possesses the key can generate a message which, when decrypted, will contain the proper date and time. Care must be taken, however, to use a system in which small changes in the ciphertext result in large changes in the deciphered plaintext. This intentional error propagation ensures that if the deliberate injection of noise on the channel changes a message such as "erase file 7" into a different message such as "erase file 8", it will also corrupt the authentication information. The message will then be rejected as inauthentic.

    The first step in assessing the adequacy of cryptographic systems is to classify the threats to which they are to be subjected. The following threats may occur to cryptographic systems employed for either privacy or authentication.

    A ciphertext only attack is a cryptanalytic attack in which the cryptanalyst possesses only ciphertext.

    A known plaintext attack is a cryptanalytic attack in which the cryptanalyst possesses a substantial quantity of corresponding plaintext and ciphertext.

    A chosen plaintext attack is a cryptanalytic attack in which the cryptanalyst can submit an unlimited number of plaintext messages of his own choosing and examine the resulting cryptograms.

    In all cases it is assumed that the opponent knows the general system {S_K} in use since this information can be obtained by studying a cryptographic device. While many users of cryptography attempt to keep their equipment secret, many commercial applications require not only that the general system be public but that it be standard.

    A ciphertext only attack occurs frequently in practice. The cryptanalyst uses only knowledge of the statistical properties of the language in use (e.g., in English, the letter e occurs 13 percent of the time) and knowledge of certain probable words (e.g., a letter probably begins "Dear Sir:"). It is the weakest threat to which a system can be subjected, and any system which succumbs to it is considered totally insecure.
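The "erase file 7" argument above is easy to see in code. The following Python is an added illustration, not code from the paper: it frames a message the way the paper describes (date and time attached, the whole sequence encrypted) and puts the frame through two toy ciphers, a stream cipher that XORs in a keystream and a Feistel-style block cipher whose output changes completely when any input byte changes. The key, the timestamp, the ciphers themselves and the use of SHA-256 as a stand-in round function are all constructed for this demonstration.

```python
import hashlib

BLOCK = 32     # one 32-byte block: 16-byte message field followed by a 16-byte date/time field
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed mixing step; SHA-256 stands in for a real cipher's round function (constructed toy).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher: a one-byte change anywhere in the block spreads through the whole output."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream added modulo 2. Decryption is the same call. No error propagation."""
    keystream = b"".join(hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
                         for ctr in range(len(data) // 32 + 1))
    return _xor(data, keystream[:len(data)])


def frame(message: str, timestamp: str) -> bytes:
    """The paper's authentication framing: attach the date and time, then encrypt the entire sequence."""
    assert len(message) <= 16 and len(timestamp) == 16
    return message.ljust(16).encode() + timestamp.encode()


def accept(plaintext: bytes, expected_timestamp: str):
    """Receiver's check: the recovered date/time must be the proper one, otherwise reject."""
    message, ts = plaintext[:16], plaintext[16:]
    if ts != expected_timestamp.encode():
        return None                                   # rejected as inauthentic
    return message.decode(errors="replace").rstrip()


KEY = b"constructed-demo-key"                         # constructed sample key
TS = "1976-11-03 09:15"                               # constructed sample date/time
PLAIN = frame("erase file 7", TS)
# Noise injected on the channel at the position of the digit (byte 11): the bits in which
# '7' and '8' differ. Every other byte of the ciphertext is left untouched.
NOISE = bytes([0] * 11 + [ord("7") ^ ord("8")] + [0] * 20)


def stream_cipher_outcome():
    """Stream cipher: the altered message survives, the date/time is intact, and it is accepted."""
    ct = stream_encrypt(KEY, PLAIN)
    return accept(stream_encrypt(KEY, _xor(ct, NOISE)), TS)


def block_cipher_outcome():
    """Block cipher: the same noise scrambles the whole block, the date/time no longer matches, rejected."""
    ct = block_encrypt(KEY, PLAIN)
    return accept(block_decrypt(KEY, _xor(ct, NOISE)), TS)


if __name__ == "__main__":
    print("stream cipher, after noise:", stream_cipher_outcome())
    print("block cipher, after noise: ", block_cipher_outcome())
```

The stream cipher version returns the altered command with a valid date and time, which is exactly the failure the paper warns of; the block cipher version returns None because the error propagated into the authentication field. A real design would use a standard block cipher in an authenticated mode rather than this toy, but the structural point is the same.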


    A system which is secure against a known plaintext attack frees its users from the need to keep their past messages secret, or to paraphrase them prior to declassification. This is an unreasonable burden to place on the system's users, particularly in commercial situations where product announcements or press releases may be sent in encrypted form for later public disclosure. Similar situations in diplomatic correspondence have led to the cracking of many supposedly secure systems. While a known plaintext attack is not always possible, its occurrence is frequent enough that a system which cannot resist it is not considered secure.

    A chosen plaintext attack is difficult to achieve in practice, but can be approximated. For example, submitting a proposal to a competitor may result in his enciphering it for transmission to his headquarters. A cipher which is secure against a chosen plaintext attack thus frees its users from concern over whether their opponents can plant messages in their system.

    For the purpose of certifying systems as secure, it is appropriate to consider the more formidable cryptanalytic threats as these not only give more realistic models of the working environment of a cryptographic system, but make the assessment of the system's strength easier. Many systems which are difficult to analyze using a ciphertext only attack can be ruled out immediately under known plaintext or chosen plaintext attacks.

    As is clear from these definitions, cryptanalysis is a system identification problem. The known plaintext and chosen plaintext attacks correspond to passive and active system identification problems, respectively. Unlike many subjects in which system identification is considered, such as automatic fault diagnosis, the goal in cryptography is to build systems which are difficult, rather than easy, to identify.

    The chosen plaintext attack is often called an IFF attack, terminology which descends from its origin in the development of cryptographic "identification friend or foe" systems after World War II. An IFF system enables military radars to distinguish between friendly and enemy planes automatically. The radar sends a time-varying challenge to the airplane which receives the challenge, encrypts it under the appropriate key, and sends it back to the radar. By comparing this response with a correctly encrypted version of the challenge, the radar can recognize a friendly aircraft. While the aircraft are over enemy territory, enemy cryptanalysts can send challenges and examine the encrypted responses in an attempt to determine the authentication key in use, thus mounting a chosen plaintext attack on the system. In practice, this threat is countered by restricting the form of the challenges, which need not be unpredictable, but only nonrepeating.

    There are other threats to authentication systems which cannot be treated by conventional cryptography, and which require recourse to the new ideas and techniques introduced in this paper. The threat of compromise of the receiver's authentication data is motivated by the situation in multiuser networks where the receiver is often the system itself. The receiver's password tables and other authentication data are then more vulnerable to theft than those of the transmitter (an individual user). As shown later, some techniques for protecting against this threat also protect against the threat of dispute. That is, a message may be sent but later repudiated by either the transmitter or the receiver. Or, it may be alleged by either party that a message was sent when in fact none was. Unforgeable digital signatures and receipts are needed. For example, a dishonest stockbroker might try to cover up unauthorized buying and selling for personal gain by forging orders from clients, or a client might disclaim an order actually authorized by him but which he later sees will cause a loss. We will introduce concepts which allow the receiver to verify the authenticity of a message, but prevent him from generating apparently authentic messages, thereby protecting against both the threat of compromise of the receiver's authentication data and the threat of dispute.

    III. PUBLIC KEY CRYPTOGRAPHY

    As shown in Fig. 1, cryptography has been a derivative security measure. Once a secure channel exists along which keys can be transmitted, the security can be extended to other channels of higher bandwidth or smaller delay by encrypting the messages sent on them. The effect has been to limit the use of cryptography to communications among people who have made prior preparation for cryptographic security.

    In order to develop large, secure, telecommunications systems, this must be changed. A large number of users n results in an even larger number, (n^2 - n)/2, of potential pairs who may wish to communicate privately from all others. It is unrealistic to assume either that a pair of users with no prior acquaintance will be able to wait for a key to be sent by some secure physical means, or that keys for all (n^2 - n)/2 pairs can be arranged in advance. In another paper the authors have considered a conservative approach requiring no new development in cryptography itself, but this involves diminished security, inconvenience, and restriction of the network to a starlike configuration with respect to initial connection protocol.

    We propose that it is possible to develop systems of the type shown in Fig. 2, in which two parties communicating solely over a public channel and using only publicly known techniques can create a secure connection. We examine two approaches to this problem, called public key cryptosystems and public key distribution systems, respectively. The first are more powerful, lending themselves to the solution of the authentication problems treated in the next section, while the second are much closer to realization.

    Fig. 2. Flow of information in public key system.

    A public key cryptosystem is a pair of families $\{E_K\}_{K \in \{K\}}$ and $\{D_K\}_{K \in \{K\}}$ of algorithms representing invertible transformations,

    $E_K : \{M\} \to \{M\}$    (2)

    $D_K : \{M\} \to \{M\}$    (3)

    on a finite message space {M}, such that

    1) for every K ∈ {K}, E_K is the inverse of D_K,
    2) for every K ∈ {K} and M ∈ {M}, the algorithms E_K and D_K are easy to compute,
    3) for almost every K ∈ {K}, each easily computed algorithm equivalent to D_K is computationally infeasible to derive from E_K,
    4) for every K ∈ {K}, it is feasible to compute inverse pairs E_K and D_K from K.

    Because of the third property, a user's enciphering key E_K can be made public without compromising the security of his secret deciphering key D_K. The cryptographic system is therefore split into two parts, a family of enciphering transformations and a family of deciphering transformations in such a way that, given a member of one family, it is infeasible to find the corresponding member of the other.

    The fourth property guarantees that there is a feasible way of computing corresponding pairs of inverse transformations when no constraint is placed on what either the enciphering or deciphering transformation is to be. In practice, the cryptoequipment must contain a true random number generator (e.g., a noisy diode) for generating K, together with an algorithm for generating the E_K, D_K pair from its outputs.

    Given a system of this kind, the problem of key distribution is vastly simplified. Each user generates a pair of inverse transformations, E and D, at his terminal. The deciphering transformation D must be kept secret, but need never be communicated on any channel. The enciphering key E can be made public by placing it in a public directory along with the user's name and address. Anyone can then encrypt messages and send them to the user, but no one else can decipher messages intended for him. Public key cryptosystems can thus be regarded as multiple access ciphers.

    It is crucial that the public file of enciphering keys be protected from unauthorized modification. This task is made easier by the public nature of the file. Read protection is unnecessary and, since the file is modified infrequently, elaborate write protection mechanisms can be economically employed.

    A suggestive, although unfortunately useless, example of a public key cryptosystem is to encipher the plaintext, represented as a binary n-vector m, by multiplying it by an invertible binary n × n matrix E. The cryptogram thus equals Em. Letting D = E^{-1} we have m = Dc. Thus, both enciphering and deciphering require about n^2 operations. Calculation of D from E, however, involves a matrix inversion which is a harder problem. And it is at least conceptually simpler to obtain an arbitrary pair of inverse matrices than it is to invert a given matrix. Start with the identity matrix I and do elementary row and column operations to obtain an arbitrary invertible matrix E. Then starting with I do the inverses of these same elementary operations in reverse order to obtain D = E^{-1}. The sequence of elementary operations could be easily determined from a random bit string.

    Unfortunately, matrix inversion takes only about n^3 operations. The ratio of cryptanalytic time (i.e., computing D from E) to enciphering or deciphering time is thus at most n, and enormous block sizes would be required to obtain ratios of 10^6 or greater. Also, it does not appear that knowledge of the elementary operations used to obtain E from I greatly reduces the time for computing D. And, since there is no round-off error in binary arithmetic, numerical stability is unimportant in the matrix inversion. In spite of its lack of practical utility, this matrix example is still useful for clarifying the relationships necessary in a public key cryptosystem.
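An added Python rendering of the matrix example (this is illustration code, not from the paper): E is built from the identity by elementary row operations chosen from a seeded random source, D is built by applying the same operations, which are their own inverses over GF(2), in reverse order, and enciphering and deciphering are matrix-vector products. It also carries out the cryptanalyst's step, Gauss-Jordan elimination over GF(2), to confirm that D falls out of E with roughly n^3 work, which is why the paper calls the construction useless as a cryptosystem while keeping it as a model of properties 1 to 4. The block size, seed and sample plaintext are constructed values; only row operations are used, the paper's column operations would work the same way.

```python
import random


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def apply_op(matrix, op):
    """Elementary row operation over GF(2). Both kinds are their own inverse."""
    kind, i, j = op
    if kind == "swap":
        matrix[i], matrix[j] = matrix[j], matrix[i]
    else:                                               # "add": row i += row j (mod 2)
        matrix[i] = [a ^ b for a, b in zip(matrix[i], matrix[j])]


def make_keypair(n, num_ops, seed):
    """Property 4: a feasible way to produce an inverse pair (E, D) from a random source.

    E = op_k ... op_1 I.  Since each op is self-inverse over GF(2),
    D = E^-1 = op_1 ... op_k I, i.e. the same operations applied in reverse order.
    """
    rng = random.Random(seed)                           # stands in for the paper's random bit string
    ops = []
    for _ in range(num_ops):
        i, j = rng.sample(range(n), 2)
        ops.append((rng.choice(("swap", "add")), i, j))
    E, D = identity(n), identity(n)
    for op in ops:
        apply_op(E, op)
    for op in reversed(ops):
        apply_op(D, op)
    return E, D


def matvec(M, v):
    """M v over GF(2): about n^2 bit operations (property 2, the easy direction)."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(n)) & 1 for j in range(n)] for i in range(n)]


def encipher(E, m):
    return matvec(E, m)          # c = E m


def decipher(D, c):
    return matvec(D, c)          # m = D c


def gf2_invert(E):
    """The cryptanalyst's job: recover D from the public E by Gauss-Jordan elimination over GF(2).

    About n^3 bit operations, only a factor n more than enciphering, so property 3 fails badly.
    """
    n = len(E)
    aug = [row[:] + [int(i == k) for k in range(n)] for i, row in enumerate(E)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular over GF(2)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


if __name__ == "__main__":
    E, D = make_keypair(n=8, num_ops=64, seed=1976)    # constructed toy parameters
    m = [1, 0, 1, 1, 0, 0, 1, 0]                        # constructed sample plaintext
    c = encipher(E, m)
    print("c =", c, " D c =", decipher(D, c))
    print("E D == I:", matmul(E, D) == identity(8))
    print("inversion of public E gives secret D:", gf2_invert(E) == D)
```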

    A more practical approach to finding a pair of easily computed inverse algorithms E and D, such that D is hard to infer from E, makes use of the difficulty of analyzing programs in low level languages. Anyone who has tried to determine what operation is accomplished by someone else's machine language program knows that E itself (i.e., what E does) can be hard to infer from an algorithm for E. If the program were to be made purposefully confusing through addition of unneeded variables and statements, then determining an inverse algorithm could be made very difficult. Of course, E must be complicated enough to prevent its identification from input-output pairs.

    Essentially what is required is a one-way compiler: one which takes an easily understood program written in a high level language and translates it into an incomprehensible program in some machine language. The compiler is one-way because it must be feasible to do the compilation, but infeasible to reverse the process. Since efficiency in size of program and run time are not crucial in this application, such compilers may be possible if the structure of the machine language can be optimized to assist in the confusion.

    Merkle [1] has independently studied the problem of distributing keys over an insecure channel. His approach is different from that of the public key cryptosystems suggested above, and will be termed a public key distribution system. The goal is for two users, A and B, to securely exchange a key over an insecure channel. This key is then used by both users in a normal cryptosystem for both enciphering and deciphering. Merkle has a solution whose cryptanalytic cost grows as n^2 where n is the cost to the legitimate users. Unfortunately the cost to the legitimate users of the system is as much in transmission time as in computation, because Merkle's protocol requires n


    potential keys to be transmitted before one key can be decided on. Merkle notes that this high transmission overhead prevents the system from being very useful in practice. If a one megabit limit is placed on the setup protocol's overhead, his technique can achieve cost ratios of approximately 10 000 to 1, which are too small for most applications. If inexpensive, high bandwidth data links become available, ratios of a million to one or greater could be achieved and the system would be of substantial practical value.

    We now suggest a new public key distribution system which has several advantages. First, it requires only one "key" to be exchanged. Second, the cryptanalytic effort appears to grow exponentially in the effort of the legitimate users. And, third, its use can be tied to a public file of user information which serves to authenticate user A to user B and vice versa. By making the public file essentially a read only memory, one personal appearance allows a user to authenticate his identity many times to many users. Merkle's technique requires A and B to verify each other's identities through other means.

    The new technique makes use of the apparent difficulty of computing logarithms over a finite field GF(q) with a prime number q of elements. Let

    $Y = \alpha^X \bmod q$, for $1 \le$
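The transcript breaks off in the middle of this definition, so the following Python goes a little beyond what is on the page: it is an added example (not code from the paper) of the key distribution system the paper builds from Y = α^X mod q, in which each user keeps X secret, publishes or sends Y, and both arrive at the same key by raising the other's Y to their own X. The eavesdropper sees q, α and both Y values and would have to take a logarithm in GF(q). The toy parameters q = 1019, α = 2 and the two secret exponents are constructed for the demonstration; the search-based logarithm is included only to show why q must be large, since its cost grows with q while the legitimate users' cost grows with log q.

```python
def prime_factors(n: int) -> set:
    """Prime factors by trial division; adequate for the toy field sizes used here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_element(alpha: int, q: int) -> bool:
    """alpha generates the whole multiplicative group of GF(q) iff
    alpha^((q-1)/p) != 1 mod q for every prime p dividing q-1."""
    return all(pow(alpha, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))


def public_value(alpha: int, q: int, x: int) -> int:
    """Y = alpha^X mod q, the easy direction: O(log q) multiplications by square-and-multiply."""
    return pow(alpha, x, q)


def shared_key(their_y: int, my_x: int, q: int) -> int:
    """K = Y_other^X_mine mod q. Both users get alpha^(X_A X_B) mod q."""
    return pow(their_y, my_x, q)


def discrete_log_by_search(alpha: int, y: int, q: int):
    """The hard direction done naively: walk X = 1, 2, ... until alpha^X == y.
    Up to q-1 steps, so the eavesdropper's cost grows with q, not with log q."""
    acc = 1
    for x in range(1, q):
        acc = acc * alpha % q
        if acc == y:
            return x
    return None


def run_exchange(q: int, alpha: int, x_a: int, x_b: int) -> dict:
    """One complete exchange. Everything except x_a and x_b travels over the public channel."""
    assert is_primitive_element(alpha, q), "alpha must be a primitive element of GF(q)"
    y_a = public_value(alpha, q, x_a)      # A -> B (or A's entry in the public file)
    y_b = public_value(alpha, q, x_b)      # B -> A
    return {
        "Y_A": y_a, "Y_B": y_b,            # what the eavesdropper sees
        "K_A": shared_key(y_b, x_a, q),    # computed by A
        "K_B": shared_key(y_a, x_b, q),    # computed by B
    }


if __name__ == "__main__":
    Q, ALPHA = 1019, 2                     # constructed toy parameters; q-1 = 2 * 509
    X_A, X_B = 123, 456                    # constructed secret exponents
    r = run_exchange(Q, ALPHA, X_A, X_B)
    print(r)
    print("eavesdropper recovers X_A from Y_A by search:",
          discrete_log_by_search(ALPHA, r["Y_A"], Q))
```

With q of this size the search succeeds instantly, which is the point: the security of the scheme rests entirely on choosing q large enough that no known method for logarithms in GF(q) is feasible, while exponentiation stays cheap.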


however, makes it vital to preserve the security of the password directory since the information it contains would allow perfect impersonation of any user. The problem is further compounded if system operators have legitimate reasons for accessing the directory. Allowing such legitimate accesses, but preventing all others, is next to impossible.

This leads to the apparently impossible requirement for a new login procedure capable of judging the authenticity of passwords without actually knowing them. While appearing to be a logical impossibility, this proposal is easily satisfied. When the user first enters his password PW, the computer automatically and transparently computes a function f(PW) and stores this, not PW, in the password directory. At each successive login, the computer calculates f(X), where X is the proffered password, and compares f(X) with the stored value f(PW). If and only if they are equal, the user is accepted as being authentic. Since the function f must be calculated once per login, its computation time must be small. A million instructions (costing approximately $0.10 at bicentennial prices) seems to be a reasonable limit on this computation. If we could ensure, however, that calculation of $f^{-1}$ required $10^{30}$ or more instructions, someone who had subverted the system to obtain the password directory could not in practice obtain PW from f(PW), and could thus not perform an unauthorized login. Note that f(PW) is not accepted as a password by the login program since it will automatically compute f(f(PW)) which will not match the entry f(PW) in the password directory.

We assume that the function f is public information, so that it is not ignorance of f which makes calculation of $f^{-1}$ difficult. Such functions are called one-way functions and were first employed for use in login procedures by R. M. Needham [9, p. 91]. They are also discussed in two recent papers [10], [11] which suggest interesting approaches to the design of one-way functions.

More precisely, a function f is a one-way function if, for any argument x in the domain of f, it is easy to compute the corresponding value f(x), yet, for almost all y in the range of f, it is computationally infeasible to solve the equation y = f(x) for any suitable argument x.

It is important to note that we are defining a function which is not invertible from a computational point of view, but whose noninvertibility is entirely different from that normally encountered in mathematics. A function f is normally called noninvertible when the inverse of a point y is not unique (i.e., there exist distinct points $x_1$ and $x_2$ such that $f(x_1) = y = f(x_2)$). We emphasize that this is not the sort of inversion difficulty that is required. Rather, it must be overwhelmingly difficult, given a value y and knowledge of f, to calculate any x whatsoever with the property that f(x) = y. Indeed, if f is noninvertible in the usual sense, it may make the task of finding an inverse image easier. In the extreme, if $f(x) = y_0$ for all x in the domain, then the range of f is $\{y_0\}$, and we can take any x as $f^{-1}(y_0)$. It is therefore necessary that f not be too degenerate. A small degree of degeneracy is tolerable and, as discussed later, is probably present in the most promising class of one-way functions.

Polynomials offer an elementary example of one-way functions. It is much harder to find a root $x_0$ of the polynomial equation $p(x) = y$ than it is to evaluate the polynomial p(x) at $x = x_0$. Purdy [11] has suggested the use of sparse polynomials of very high degree over finite fields, which appear to have very high ratios of solution to evaluation time. The theoretical basis for one-way functions is discussed at greater length in Section VI. And, as shown in Section V, one-way functions are easy to devise in practice.

The one-way function login protocol solves only some of the problems arising in a multiuser system. It protects against compromise of the system's authentication data when it is not in use, but still requires the user to send the true password to the system. Protection against eavesdropping must be provided by additional encryption, and protection against the threat of dispute is absent altogether.

A public key cryptosystem can be used to produce a true one-way authentication system as follows. If user A wishes to send a message M to user B, he "deciphers" it in his secret deciphering key and sends $D_A(M)$. When user B receives it, he can read it, and be assured of its authenticity by "enciphering" it with user A's public enciphering key $E_A$. B also saves $D_A(M)$ as proof that the message came from A. Anyone can check this claim by operating on $D_A(M)$ with the publicly known operation $E_A$ to recover M. Since only A could have generated a message with this property, the solution to the one-way authentication problem would follow immediately from the development of public key cryptosystems.

One-way message authentication has a partial solution suggested to the authors by Leslie Lamport of Massachusetts Computer Associates. This technique employs a one-way function f mapping k-dimensional binary space into itself for k on the order of 100.
If the transmitter wishes to send an N bit message he generates 2N, randomly chosen, k-dimensional binary vectors $x_1, X_1, x_2, X_2, \ldots, x_N, X_N$ which he keeps secret. The receiver is given the corresponding images under f, namely $y_1, Y_1, y_2, Y_2, \ldots, y_N, Y_N$. Later, when the message $m = (m_1, m_2, \ldots, m_N)$ is to be sent, the transmitter sends $x_1$ or $X_1$ depending on whether $m_1 = 0$ or 1. He sends $x_2$ or $X_2$ depending on whether $m_2 = 0$ or 1, etc. The receiver operates with f on the first received block and sees whether it yields $y_1$ or $Y_1$ as its image and thus learns whether it was $x_1$ or $X_1$, and whether $m_1 = 0$ or 1. In a similar manner the receiver is able to determine $m_2, m_3, \ldots, m_N$. But the receiver is incapable of forging a change in even one bit of m. This is only a partial solution because of the approximately 100-fold data expansion required. There is, however, a modification which eliminates the expansion problem when N is roughly a megabit or more. Let g be a one-way mapping from binary N-space to binary n-space where n is approximately 50. Take the N bit message m and operate on it with g to obtain the n bit vector $m'$. Then use the previous scheme to send $m'$. If $N = 10^6$, $n = 50$, and $k = 100$, this adds $kn = 5000$ authentication bits to the message. It thus entails only a 0.5 percent data expansion during transmission (or 1.5 percent if the initial exchange of $y_1, Y_1, \ldots, y_n, Y_n$, another $2kn = 10\,000$ bits, is included). Even though there are a large number of other messages ($2^{N-n}$ on the average) with the same authentication sequence, the one-wayness of g makes them computationally infeasible to find and thus to forge. Actually g must be somewhat stronger than a normal one-way function, since an opponent has not only $m'$ but also one of its inverse images m. It must be hard even given m to find a different inverse image of $m'$. Finding such functions appears to offer little trouble (see Section V).
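Lamport's scheme as described in the two paragraphs above, including the modification that first compresses the message with g, as an added worked example (editor's code, not the paper's). Assumptions: f is SHA-256 applied to $k = 256$-bit secret vectors (the text suggests k around 100), and SHA-256 also stands in for g, so $n = 256$ rather than the text's 50; the seed and messages are constructed for the example. The block also evaluates the expansion arithmetic from the text and shows why a key pair must not be reused.

```python
"""Lamport one-way message authentication: added example, not the paper's code.
Assumptions: f = g = SHA-256, so k = n = 256; seeds and messages are constructed."""
import hashlib
import random
import secrets

K_BYTES = 32      # k = 256 bits per secret vector x_i or X_i
N_BITS = 256      # n: length of m' = g(m); one secret pair per bit


def f(x: bytes) -> bytes:
    """One-way function on k-bit vectors."""
    return hashlib.sha256(x).digest()


def g(message: bytes) -> bytes:
    """One-way map from the N-bit message to the n-bit vector m'."""
    return hashlib.sha256(message).digest()


def bit(vec: bytes, i: int) -> int:
    """Bit i of vec, most significant bit of each byte first."""
    return (vec[i // 8] >> (7 - i % 8)) & 1


def keygen(seed=None):
    """2n secret vectors (x_i, X_i) kept by the transmitter, and their images
    (y_i, Y_i) = (f(x_i), f(X_i)) handed to the receiver in advance."""
    if seed is None:
        def draw():
            return secrets.token_bytes(K_BYTES)
    else:
        rng = random.Random(seed)                     # reproducible; test use only
        def draw():
            return rng.getrandbits(8 * K_BYTES).to_bytes(K_BYTES, "big")
    sk = [(draw(), draw()) for _ in range(N_BITS)]
    pk = [(f(x), f(X)) for x, X in sk]
    return sk, pk


def sign(message: bytes, sk) -> list:
    """For each bit i of m' = g(m): send x_i if the bit is 0, X_i if it is 1."""
    m_prime = g(message)
    return [sk[i][bit(m_prime, i)] for i in range(N_BITS)]


def verify(message: bytes, sig: list, pk) -> bool:
    """Apply f to each received block; it must equal y_i or Y_i as m' dictates.
    Changing one bit of the message changes m', and the needed preimage is unknown."""
    if len(sig) != N_BITS:
        return False
    m_prime = g(message)
    return all(f(sig[i]) == pk[i][bit(m_prime, i)] for i in range(N_BITS))


def expansion(N: int, n: int, k: int):
    """Fractional expansion of an N-bit message: kn authentication bits sent with
    it, and 3kn if the initial transfer of the 2n images (2kn bits) is counted."""
    return k * n / N, 3 * k * n / N


def exposed_positions(msg_a: bytes, msg_b: bytes) -> list:
    """Signing two messages with one key reveals both x_i and X_i wherever
    g(msg_a) and g(msg_b) differ; there an opponent may pick either bit."""
    a, b = g(msg_a), g(msg_b)
    return [i for i in range(N_BITS) if bit(a, i) != bit(b, i)]


if __name__ == "__main__":
    sk, pk = keygen(seed=1)
    sig = sign(b"transfer 10", sk)
    print("genuine:", verify(b"transfer 10", sig, pk),
          " altered:", verify(b"transfer 11", sig, pk))
    print("expansion for N=10^6, n=50, k=100: %.3f (%.3f with images)" % expansion(10**6, 50, 100))
    print("positions exposed by signing two messages:", len(exposed_positions(b"transfer 10", b"transfer 11")))
```

With the text's parameters `expansion(10**6, 50, 100)` returns 0.005 and 0.015, i.e. the 0.5 and 1.5 percent figures, and the signature itself is $kn$ bits regardless of N. The last function is the practitioner's caveat the text leaves implicit: each set of 2n vectors authenticates one message only.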

There is another partial solution to the one-way user authentication problem. The user generates a password X which he keeps secret. He gives the system $f^T(X)$, where f is a one-way function. At time t the appropriate authenticator is $f^{T-t}(X)$, which the system can check by applying $f^t$ to it and comparing the result with the stored $f^T(X)$. Because of the one-wayness of f, past responses are of no value in forging a new response. The problem with this solution is that it can require a fair amount of computation for legitimate login (although many orders of magnitude less than for forgery). If for example t is incremented every second and the system must work for one month on each password then T = 2.6 million. Both the user and the system must then iterate f an average of 1.3 million times per login. While not insurmountable, this problem obviously limits use of the technique. The problem could be overcome if a simple method for calculating $f^{(2^n)}$, for $n = 1, 2, \ldots$ could be found, much as $X^8 = ((X^2)^2)^2$. For then binary decompositions of $T - t$ and t would allow rapid computation of $f^{T-t}$ and $f^t$. It may be, however, that rapid computation of $f^n$ precludes f from being one-way.
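The two login procedures in this section that rest on a one-way function f, the password directory holding f(PW) from the start of the section and the $f^{T-t}(X)$ chain just described, as one added worked example (editor's code, not the paper's). The assumed f is SHA-256; user names, passwords, the secret X and T = 1000 (in place of the text's 2.6 million) are constructed values. A counter on f makes the text's cost accounting visible, and the directory part includes the check a practitioner would add after the text's observation that f is public: a stolen directory cannot be inverted, but it can be attacked by guessing.

```python
"""One-way function login procedures: added example, not the paper's code.
Assumptions: f = SHA-256; names, passwords, X and T are constructed values."""
import hashlib
import hmac

_calls = {"f": 0}


def f(x: bytes) -> bytes:
    """Public one-way function; the counter records how often it is evaluated."""
    _calls["f"] += 1
    return hashlib.sha256(x).digest()


def f_calls() -> int:
    return _calls["f"]


def iterate(x: bytes, n: int) -> bytes:
    """f^n(x): apply f n times; n = 0 returns x itself."""
    for _ in range(n):
        x = f(x)
    return x


class PasswordDirectory:
    """Protocol 1: the directory holds f(PW), never PW."""

    def __init__(self):
        self._entries = {}

    def enroll(self, user: str, pw: bytes) -> None:
        self._entries[user] = f(pw)

    def login(self, user: str, offered: bytes) -> bool:
        stored = self._entries.get(user)
        if stored is None:
            return False
        # f(X) against the stored f(PW); compare_digest avoids a timing leak
        return hmac.compare_digest(f(offered), stored)

    def dump(self) -> dict:
        """What an attacker who has subverted the system obtains."""
        return dict(self._entries)


def guess_from_dump(dump: dict, wordlist) -> dict:
    """f is public, so a stolen directory is still open to guessing: inverting f
    is infeasible, evaluating f on likely passwords is not.  Returns the users
    whose PW appeared in the wordlist."""
    table = {f(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


class ChainVerifier:
    """Protocol 2: holds f^T(X) and the largest t already accepted."""

    def __init__(self, f_T_of_X: bytes, T: int):
        self.anchor = f_T_of_X
        self.T = T
        self.last_t = 0

    def check(self, t: int, authenticator: bytes) -> bool:
        """Accept iff f^t(authenticator) = f^T(X), costing t evaluations of f.
        A response captured at time t is f^(T-t)(X); the one for any later t'
        is a preimage of it, so captured responses do not help a forger.
        A given t is accepted once only, which also blocks plain replay."""
        if not (self.last_t < t <= self.T):
            return False
        if iterate(authenticator, t) != self.anchor:
            return False
        self.last_t = t
        return True


def authenticator(X: bytes, T: int, t: int) -> bytes:
    """User side at time t: f^(T-t)(X), costing T - t evaluations of f."""
    return iterate(X, T - t)
```

For a login at time t the user spends $T - t$ evaluations and the system t, so the two together always spend T; with the text's T = 2.6 million that is the 1.3 million average on each side. The directory protocol costs one evaluation per login, which is why the text budgets f at about a million instructions; the same budget bounds the cost of each guess against a stolen directory, which is the reason modern practice makes f deliberately slow and salts it, neither of which the text discusses.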

V. PROBLEM INTERRELATIONS AND TRAPDOORS

In this section, we will show that some of the cryptographic problems presented thus far can be reduced to others, thereby defining a loose ordering according to difficulty. We also introduce the more difficult problem of trap doors.

In Section II we showed that a cryptographic system intended for privacy can also be used to provide authentication against third party forgeries. Such a system can be used to create other cryptographic objects, as well.

A cryptosystem which is secure against a known plaintext attack can be used to produce a one-way function.

As indicated in Fig. 3, take the cryptosystem $\{S_K : \{P\} \to \{C\}\}_{K \in \{K\}}$ which is secure against a known plaintext attack, fix $P = P_0$ and consider the map defined by

$$f(X) = S_X(P_0). \qquad (15)$$

Fig. 3. Secure cryptosystem used as one-way function. (Figure not reproduced; its output is labeled CIPHERTEXT, $Y = f(X)$.)

This function is one-way because solving for X given f(X) is equivalent to the cryptanalytic problem of finding the key from a single known plaintext-cryptogram pair. Public knowledge of f is now equivalent to public knowledge of $\{S_K\}$ and $P_0$.

While the converse of this result is not necessarily true, it is possible for a function originally found in the search for one-way functions to yield a good cryptosystem. This actually happened with the discrete exponential function discussed in Section III [8].

One-way functions are basic to both block ciphers and key generators. A key generator is a pseudorandom bit generator whose output, the keystream, is added modulo 2 to a message represented in binary form, in imitation of a one-time pad. The key is used as a "seed" which determines the pseudorandom keystream sequence. A known plaintext attack thus reduces to the problem of determining the key from the keystream. For the system to be secure, computation of the key from the keystream must be computationally infeasible, while, for the system to be usable, calculation of the keystream from the key must be computationally simple. Thus a good key generator is, almost by definition, a one-way function.

Use of either type of cryptosystem as a one-way function suffers from a minor problem. As noted earlier, if the function f is not uniquely invertible, it is not necessary (or possible) to find the actual value of X used. Rather any X with the same image will suffice. And, while each mapping $S_K$ in a cryptosystem must be bijective, there is no such restriction on the function f from key to cryptogram defined above. Indeed, guaranteeing that a cryptosystem has this property appears quite difficult. In a good cryptosystem the mapping f can be expected to have the characteristics of a randomly chosen mapping (i.e., $f(X_i)$ is chosen uniformly from all possible Y, and successive choices are independent). In this case, if X is chosen uniformly and there are an equal number of keys and messages (X and Y), then the probability that the resultant Y has $k + 1$ inverses is approximately $e^{-1}/k!$ for $k = 0, 1, 2, 3, \ldots$. This is a Poisson distribution with mean $\lambda = 1$, shifted by 1 unit. The expected number of inverses is thus only 2. While it is possible for f to be more degenerate, a good cryptosystem will not be too degenerate since then the key is not being well used. In the worst case, if $f(X) = Y_0$ for some fixed $Y_0$ and every X, we have $S_X(P_0) = Y_0$ for every key, and encipherment of $P_0$ would not depend on the key at all!


While we are usually interested in functions whose domain and range are of comparable size, there are exceptions. In the previous section we required a one-way function mapping long strings onto much shorter ones. By using a block cipher whose key length is larger than the blocksize, such functions can be obtained using the above technique.

Evans et al. [10] have a different approach to the problem of constructing a one-way function from a block cipher. Rather than selecting a fixed $P_0$ as the input, they use the function

$$f(X) = S_X(X). \qquad (16)$$
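Equations (15) and (16), and the Poisson count of inverses from the preceding discussion, as one added worked example (editor's code, not the paper's). The cipher $S_K$ is an assumption: a four-round Feistel network on 16-bit blocks with 16-bit keys, so that there are equally many keys and messages as the text assumes; its round function is taken from SHA-256 only so that the key-to-cryptogram map behaves like a random mapping. The block exhausts the key space to measure how many inverses f(X) has for uniform X and compares the measured fractions with the predicted $e^{-1}/k!$ for $k + 1$ inverses and the predicted mean of 2.

```python
"""A cryptosystem as a one-way function: added example, not the paper's code.
Assumptions: S_K is a toy 4-round Feistel cipher with 16-bit keys and blocks,
its round function derived from SHA-256; P0 is an arbitrary fixed plaintext."""
import hashlib
import math
from collections import Counter

KEY_SPACE = 1 << 16        # 16-bit keys, as many as there are 16-bit blocks
P0 = 0x1234                # fixed plaintext for eq. (15), an arbitrary choice


def _round(key: int, i: int, half: int) -> int:
    """Round function: one byte of SHA-256(key, round index, right half)."""
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, i, half])).digest()[0]


def s_k(key: int, block: int, rounds: int = 4) -> int:
    """Toy block cipher S_K.  A Feistel network is a bijection on blocks for
    every key, which is the one property the text requires of each S_K."""
    left, right = block >> 8, block & 0xFF
    for i in range(rounds):
        left, right = right, left ^ _round(key, i, right)
    return (left << 8) | right


def s_k_inverse(key: int, block: int, rounds: int = 4) -> int:
    """Decryption: undo the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(rounds)):
        left, right = right ^ _round(key, i, left), left
    return (left << 8) | right


def f_fixed_plaintext(x: int) -> int:
    """Eq. (15): f(X) = S_X(P_0).  Inverting it is a known-plaintext attack on S
    with the single pair (P_0, f(X)), so f is one-way iff S resists that attack."""
    return s_k(x, P0)


def f_evans(x: int) -> int:
    """Eq. (16), Evans et al.: f(X) = S_X(X), the key enciphering itself."""
    return s_k(x, x)


def inverse_statistics(func, n_keys: int = KEY_SPACE):
    """Evaluate func on every key X.  Returns (fractions, mean): fractions[k] is
    the fraction of X whose image f(X) has exactly k + 1 preimages, and mean is
    the expected number of inverses of f(X) for uniformly chosen X."""
    images = [func(x) for x in range(n_keys)]
    preimages = Counter(images)
    by_k = Counter(preimages[y] - 1 for y in images)      # size-biased, as in the text
    fractions = {k: c / n_keys for k, c in sorted(by_k.items())}
    mean = sum(preimages[y] for y in images) / n_keys
    return fractions, mean


def poisson_prediction(k: int) -> float:
    """The text's prediction for a random mapping: P(k + 1 inverses) = e^-1 / k!."""
    return math.exp(-1) / math.factorial(k)


if __name__ == "__main__":
    for name, func in (("eq. (15)", f_fixed_plaintext), ("eq. (16)", f_evans)):
        fractions, mean = inverse_statistics(func)
        print(name, "mean inverses %.3f (predicted 2)" % mean)
        for k in range(4):
            print("  k=%d observed %.4f predicted %.4f"
                  % (k, fractions.get(k, 0.0), poisson_prediction(k)))
```

Running it shows both maps with roughly 37 percent of keys mapping to a cryptogram with a unique preimage, 37 percent to one with two, 18 percent to one with three, and a mean close to 2, as the text predicts. The difference between the two constructions is not visible in these statistics: it lies in what an inversion of f means, a known-plaintext recovery of the key for (15), and the solution of $S_X(X) = y$, which has no such equivalence, for (16).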

This is an attractive approach because equations of this form are generally difficult to solve, even when the family S is comparatively simple. This added complexity, however, destroys the equivalence between the security of the system S under a known plaintext attack and the one-wayness of f.

Another relationship has already been shown in Section IV.

A public key cryptosystem can be used to generate a one-way authentication system.

The converse does not appear to hold, making the construction of a public key cryptosystem a strictly more difficult problem than one-way authentication. Similarly, a public key cryptosystem can be used as a public key distribution system, but not conversely.

Since in a public key cryptosystem the general system in which E and D are used must be public, specifying E specifies a complete algorithm for transforming input messages into output cryptograms. As such, a public key system is really a set of trap-door one-way functions. These are functions which are not really one-way in that simply computed inverses exist. But given an algorithm for the forward function it is computationally infeasible to find a simply computed inverse. Only through knowledge of certain trap-door information (e.g., the random bit string which produced the E-D pair) can one easily find the easily computed inverse.

Trap doors have already been seen in the previous paragraph in the form of trap-door one-way functions, but other variations exist. A trap-door cipher is one which strongly resists cryptanalysis by anyone not in possession of trap-door information used in the design of the cipher. This allows the designer to break the system after he has sold it to a client and yet falsely to maintain his reputation as a builder of secure systems. It is important to note that it is not greater cleverness or knowledge of cryptography which allows the designer to do what others cannot. If he were to lose the trap-door information he would be no better off than anyone else. The situation is precisely analogous to a combination lock. Anyone who knows the combination can do in seconds what even a skilled locksmith would require hours to accomplish. And yet, if he forgets the combination, he has no advantage.

A trap-door cryptosystem can be used to produce a public key distribution system.

For A and B to establish a common private key, A chooses a key at random and sends an arbitrary plaintext-cryptogram pair to B. B, who made the trap-door cipher public, but kept the trap-door information secret, uses the plaintext-cryptogram pair to solve for the key. A and B now have a key in common.

There is currently little evidence for the existence of trap-door ciphers. However they are a distinct possibility and should be remembered when accepting a cryptosystem from a possible opponent [12].

By definition, we will require that a trap-door problem be one in which it is computationally feasible to devise the trap door. This leaves room for yet a third type of entity for which we shall use the prefix "quasi." For example a quasi one-way function is not one-way in that an easily computed inverse exists. However, it is computationally infeasible, even for the designer, to find the easily computed inverse. Therefore a quasi one-way function can be used in place of a one-way function with essentially no loss in security.

Losing the trap-door information to a trap-door one-way function makes it into a quasi one-way function, but there may also be one-way functions not obtainable in this manner.

It is entirely a matter of definition that quasi one-way functions are excluded from the class of one-way functions. One could instead talk of one-way functions in the wide sense or in the strict sense.

Similarly, a quasi secure cipher is a cipher which will successfully resist cryptanalysis, even by its designer, and yet for which there exists a computationally efficient cryptanalytic algorithm (which is of course computationally infeasible to find). Again, from a practical point of view, there is essentially no difference between a secure cipher and a quasi secure one.

We have already seen that public key cryptosystems imply the existence of trap-door one-way functions. However the converse is not true. For a trap-door one-way function to be usable as a public key cryptosystem, it must be invertible (i.e., have a unique inverse).

VI. COMPUTATIONAL COMPLEXITY

Cryptography differs from all other fields of endeavor in the ease with which its requirements may appear to be satisfied. Simple transformations will convert a legible text into an apparently meaningless jumble. The critic, who wishes to claim that meaning might yet be recovered by cryptanalysis, is then faced with an arduous demonstration if he is to prove his point of view correct. Experience has shown, however, that few systems can resist the concerted attack of skillful cryptanalysts, and many supposedly secure systems have subsequently been broken.

In consequence of this, judging the worth of new systems has always been a central concern of cryptographers. During the sixteenth and seventeenth centuries, mathematical arguments were often invoked to argue the strength of cryptographic methods, usually relying on counting methods which showed the astronomical number


of possible keys. Though the problem is far too difficult to be laid to rest by such simple methods, even the noted algebraist Cardano fell into this trap [2, p. 145]. As systems whose strength had been so argued were repeatedly broken, the notion of giving mathematical proofs for the security of systems fell into disrepute and was replaced by certification via cryptanalytic assault.

During this century, however, the pendulum has begun to swing back in the other direction. In a paper intimately connected with the birth of information theory, Shannon [3] showed that the one time pad system, which had been in use since the late twenties, offered "perfect secrecy" (a form of unconditional security). The provably secure systems investigated by Shannon rely on the use of either a key whose length grows linearly with the length of the message or on perfect source coding and are therefore too unwieldy for most purposes. We note that neither public key cryptosystems nor one-way authentication systems can be unconditionally secure because the public information always determines the secret information uniquely among the members of a finite set. With unlimited computation, the problem could therefore be solved by a straightforward search.

The past decade has seen the rise of two closely related disciplines devoted to the study of the costs of computation: computational complexity theory and the analysis of algorithms. The former has classified known problems in computing into broad classes by difficulty, while the latter has concentrated on finding better algorithms and studying the resources they consume. After a brief digression into complexity theory, we will examine its application to cryptography, particularly the analysis of one-way functions.

A function is said to belong to the complexity class P (for polynomial) if it can be computed by a deterministic Turing Machine in a time which is bounded above by some polynomial function of the length of its input. One might think of this as the class of easily computed functions, but it is more accurate to say that a function not in this class must be hard to compute for at least some inputs. There are problems which are known not to be in the class P [13, pp. 405-425].

There are many problems which arise in engineering which cannot be solved in polynomial time by any known techniques, unless they are run on a computer with an unlimited degree of parallelism. These problems may or may not belong to the class P, but belong to the class NP (for nondeterministic, polynomial) of problems solvable in polynomial time on a "nondeterministic" computer (i.e., one with an unlimited degree of parallelism). Clearly the class NP includes the class P, and one of the great open questions in complexity theory is whether the class NP is strictly larger.

Among the problems known to be solvable in NP time, but not known to be solvable in P time, are versions of the traveling salesman problem, the satisfiability problem for propositional calculus, the knapsack problem, the graph coloring problem, and many scheduling and minimization problems [13, pp. 363-404], [14]. We see that it is not lack

of interest or effort which has prevented people from finding solutions in P time for these problems. It is thus strongly believed that at least one of these problems must not be in the class P, and that therefore the class NP is strictly larger.

Karp has identified a subclass of the NP problems, called NP complete, with the property that if any one of them is in P, then all NP problems are in P. Karp lists 21 problems which are NP complete, including all of the problems mentioned above [14].

While the NP complete problems show promise for cryptographic use, current understanding of their difficulty includes only worst case analysis. For cryptographic purposes, typical computational costs must be considered. If, however, we replace worst case computation time with average or typical computation time as our complexity measure, the current proofs of the equivalences among the NP complete problems are no longer valid. This suggests several interesting topics for research. The ensemble and typicality concepts familiar to information theorists have an obvious role to play.

We can now identify the position of the general cryptanalytic problem among all computational problems.

The cryptanalytic difficulty of a system whose encryption and decryption operations can be done in P time cannot be greater than NP.

To see this, observe that any cryptanalytic problem can be solved by finding a key, inverse image, etc., chosen from a finite set. Choose the key nondeterministically and verify in P time that it is the correct one. If there are M possible keys to choose from, an M-fold parallelism must be employed. For example in a known plaintext attack, the plaintext is encrypted simultaneously under each of the keys and compared with the cryptogram. Since, by assumption, encryption takes only P time, the cryptanalysis takes only NP time.

We also observe that the general cryptanalytic problem is NP complete. This follows from the breadth of our definition of cryptographic problems. A one-way function with an NP complete inverse will be discussed next.

Cryptography can draw directly from the theory of NP complexity by examining the way in which NP complete problems can be adapted to cryptographic use. In particular, there is an NP complete problem known as the knapsack problem which lends itself readily to the construction of a one-way function.

Let $y = f(x) = a \cdot x$ where a is a known vector of n integers $(a_1, a_2, \ldots, a_n)$ and x is a binary n-vector. Calculation of y is simple, involving a sum of at most n integers. The problem of inverting f is known as the knapsack problem and requires finding a subset of the $\{a_i\}$ which sum to y.

Exhaustive search of all $2^n$ subsets grows exponentially and is computationally infeasible for n greater than 100 or so. Care must be exercised, however, in selecting the parameters of the problem to ensure that shortcuts are not possible. For example if n = 100 and each $a_i$ is 32 bits long, y is at most 39 bits long, and f is highly degenerate, requiring on the average only $2^{38}$ tries to find a solution. Somewhat more trivially, if $a_i = 2^{i-1}$ then inverting f is equivalent to finding the binary decomposition of y.

This example demonstrates both the great promise and the considerable shortcomings of contemporary complexity theory. The theory only tells us that the knapsack problem is probably difficult in the worst case. There is no indication of its difficulty for any particular array. It appears, however, that choosing the $\{a_i\}$ uniformly from $\{0, 1, 2, \ldots, 2^n - 1\}$ results in a hard problem with probability one as $n \to \infty$.

Another potential one-way function, of interest in the analysis of algorithms, is exponentiation mod q, which was suggested to the authors by Prof. John Gill of Stanford University. The one-wayness of this function has already been discussed in Section III.
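The knapsack one-way function of the preceding paragraphs, as an added worked example (editor's code, not the paper's). It implements the forward map $y = a \cdot x$, exhaustive inversion on a toy size, the degeneracy arithmetic the text gives for n = 100 with 32-bit $a_i$, and the easy inverse for $a_i = 2^{i-1}$. The greedy inverse is written for any superincreasing vector (each $a_i$ larger than the sum of all earlier ones), of which the power-of-two vector is the text's special case; that generalisation is the editor's, not the paper's. `SAMPLE_A` and `SAMPLE_X` are constructed inputs.

```python
"""The knapsack one-way function y = a . x: added example, not the paper's code.
SAMPLE_A and SAMPLE_X are constructed inputs; the superincreasing greedy
inverse generalises the text's a_i = 2^(i-1) case."""
import random


def knapsack(a, x):
    """y = a . x for a binary n-vector x: a sum of at most n integers."""
    if len(a) != len(x) or any(xi not in (0, 1) for xi in x):
        raise ValueError("x must be a binary vector of the same length as a")
    return sum(ai for ai, xi in zip(a, x) if xi)


def invert_by_search(a, y):
    """Exhaustive search of all 2^n subsets of {a_i}; returns some x with a . x = y,
    or None.  Already slow in Python near n = 25 and infeasible for anyone near
    n = 100, which is what makes f a candidate one-way function."""
    n = len(a)
    for mask in range(1 << n):
        if sum(a[i] for i in range(n) if (mask >> i) & 1) == y:
            return [(mask >> i) & 1 for i in range(n)]
    return None


def is_superincreasing(a):
    """Each a_i exceeds the sum of all earlier a_j."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def invert_superincreasing(a, y):
    """Greedy inverse for superincreasing a: scanning from the largest a_i down,
    a_i is in the subset iff a_i <= the remaining y.  With a_i = 2^(i-1) this is
    the binary decomposition of y that the text mentions."""
    if not is_superincreasing(a):
        raise ValueError("greedy inversion needs a superincreasing vector")
    x = [0] * len(a)
    for i in reversed(range(len(a))):
        if a[i] <= y:
            x[i] = 1
            y -= a[i]
    return x if y == 0 else None


def max_sum_bits(n, bits):
    """Bit length of the largest possible y when each a_i is a `bits`-bit integer."""
    return (n * ((1 << bits) - 1)).bit_length()


def average_preimages(n, bits):
    """2^n inputs land on at most 2^max_sum_bits outputs, so a typical y has
    about this many inverses: the degeneracy the text warns about."""
    return 2 ** (n - max_sum_bits(n, bits))


_rng = random.Random(1976)
SAMPLE_A = [_rng.getrandbits(32) for _ in range(14)]   # constructed 32-bit a_i
SAMPLE_X = [_rng.getrandbits(1) for _ in range(14)]    # constructed secret x


if __name__ == "__main__":
    print("n=100, 32-bit a_i: y has at most %d bits, about 2^%d inverses per y"
          % (max_sum_bits(100, 32), 100 - max_sum_bits(100, 32)))
    y = knapsack(SAMPLE_A, SAMPLE_X)
    print("toy n=14: y =", y, "search finds x =", invert_by_search(SAMPLE_A, y))
    print("binary decomposition of 37:", invert_superincreasing([1 << i for i in range(8)], 37))
```

For the text's parameters `max_sum_bits(100, 32)` is 39, so the $2^{100}$ inputs are spread over at most $2^{39}$ values and a typical y has about $2^{61}$ inverses; any one of them breaks the one-wayness, which is why the search needs only on the order of $2^{38}$ tries rather than $2^{100}$. Choosing the $a_i$ as large as the text suggests, from $\{0, \ldots, 2^n - 1\}$, removes this degeneracy.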

VII. HISTORICAL PERSPECTIVE

While at first the public key systems and one-way authentication systems suggested in this paper appear to be unportended by past cryptographic developments, it is possible to view them as the natural outgrowth of trends in cryptography stretching back hundreds of years.

Secrecy is at the heart of cryptography. In early cryptography, however, there was a confusion about what was to be kept secret. Cryptosystems such as the Caesar cipher (in which each letter is replaced by the one three places further on, so A is carried to D, B to E, etc.) depended for their security on keeping the entire encryption process secret. After the invention of the telegraph [2, p. 191], the distinction between a general system and a specific key allowed the general system to be compromised, for example by theft of a cryptographic device, without compromising future messages enciphered in new keys. This principle was codified by Kerckhoffs [2, p. 235] who wrote in 1883 that the compromise of a cryptographic system should cause no inconvenience to the correspondents.

About 1960, cryptosystems were put into service which were deemed strong enough to resist a known plaintext cryptanalytic attack, thereby eliminating the burden of keeping old messages secret. Each of these developments decreased the portion of the system which had to be protected from public knowledge, eliminating such tedious expedients as paraphrasing diplomatic dispatches before they were presented. Public key systems are a natural continuation of this trend toward decreasing secrecy.

Prior to this century, cryptographic systems were limited to calculations which could be carried out by hand or with simple slide-rule-like devices. The period immediately after World War I saw the beginning of a revolutionary trend which is now coming to fruition. Special purpose machines were developed for enciphering. Until the development of general purpose digital hardware, however, cryptography was limited to operations which could be performed with simple electromechanical systems. The development of digital computers has freed it from the limitations of computing with gears and has allowed the search for better encryption methods according to purely cryptographic criteria.

The failure of numerous attempts to demonstrate the soundness of cryptographic systems by mathematical proof led to the paradigm of certification by cryptanalytic attack set down by Kerckhoffs [2, p. 234] in the last century. Although some general rules have been developed, which aid the designer in avoiding obvious weaknesses, the ultimate test is an assault on the system by skilled cryptanalysts under the most favorable conditions (e.g., a chosen plaintext attack). The development of computers has led for the first time to a mathematical theory of algorithms which can begin to approach the difficult problem of estimating the computational difficulty of breaking a cryptographic system. The position of mathematical proof may thus come full circle and be reestablished as the best method of certification.

The last characteristic which we note in the history of cryptography is the division between amateur and professional cryptographers. Skill in production cryptanalysis has always been heavily on the side of the professionals, but innovation, particularly in the design of new types of cryptographic systems, has come primarily from the amateurs. Thomas Jefferson, a cryptographic amateur, invented a system which was still in use in World War II [2, pp. 192-195], while the most noted cryptographic system of the twentieth century, the rotor machine, was invented simultaneously by four separate people, all amateurs [2, pp. 415, 420, 422-424]. We hope this will inspire others to work in this fascinating area in which participation has been discouraged in the recent past by a nearly total government monopoly.

REFERENCES

[1] R. Merkle, "Secure communication over an insecure channel," submitted to Communications of the ACM.
[2] D. Kahn, The Codebreakers, The Story of Secret Writing. New York: Macmillan, 1967.
[3] C. E. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, pp. 656-715, Oct. 1949.
[4] M. E. Hellman, "An extension of the Shannon theory approach to cryptography," submitted to IEEE Trans. Inform. Theory, Sept. 1975.
[5] W. Diffie and M. E. Hellman, "Multiuser cryptographic techniques," presented at National Computer Conference, New York, June 7-10, 1976.
[6] D. Knuth, The Art of Computer Programming, Vol. 2, Semi-Numerical Algorithms. Reading, MA: Addison-Wesley, 1969.
[7] D. Knuth, The Art of Computer Programming, Vol. 3, Sorting and Searching. Reading, MA: Addison-Wesley, 1973.
[8] S. Pohlig and M. E. Hellman, "An improved algorithm for computing logarithms in GF(p) and its cryptographic significance," submitted to IEEE Trans. Inform. Theory.
[9] M. V. Wilkes, Time-Sharing Computer Systems. New York: Elsevier, 1972.
[10] A. Evans, Jr., W. Kantrowitz, and E. Weiss, "A user authentication system not requiring secrecy in the computer," Communications of the ACM, vol. 17, pp. 437-442, Aug. 1974.
[11] G. B. Purdy, "A high security log-in procedure," Communications of the ACM, vol. 17, pp. 442-445, Aug. 1974.
[12] W. Diffie and M. E. Hellman, "Cryptanalysis of the NBS data encryption standard," submitted to Computer, May 1976.
[13] A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms. Reading, MA: Addison-Wesley, 1974.
[14] R. M. Karp, "Reducibility among combinatorial problems," in Complexity of Computer Computations, R. E. Miller and J. W. Thatcher, Eds. New York: Plenum, 1972, pp. 85-104.