## Math 5410 Public Key Cryptosystems

Major problems with conventional cryptosystems are:
- Key distribution
- Authentication

Diffie and Hellman (1976) introduced the idea of a public key cryptosystem.

The system is based on each participant having a *public encryption algorithm* (or a common
algorithm and a public key) E_{U} and a *private decryption algorithm* (or a common algorithm
with a private key) D_{U}. These algorithms are inverses in the sense that:

**PK1:** D_{U}(E_{U}(m)) = m for every message m and user U.

The E_{U} are made public and are available to everyone.
For A to send a message m to B, A looks up E_{B} and sends c = E_{B}(m). Upon receiving the
message, B applies the secret D_{B}(c) = m. Since B is the only one who has D_{B}, B is the only
one who can read this message.

In order to make this work, for practical reasons we require:

**PK2:** The algorithms do not need much computing time nor memory storage.

And for security,

**PK3:** It is practically impossible to find an algorithm D* from knowledge of E_{U} so that
D*(E_{U}(m)) = m for all possible m.

Notice that PK3 requires the system to withstand a **chosen text cryptographic attack**: since E_{U} is public, anyone can compute the ciphertext of any message they choose.

Diffie & Hellman suggested the use of *trapdoor one-way functions* for the encryption
algorithm.

A *one-way function* is a function f that is easy to evaluate, but whose inverse f^{-1} is difficult
to compute. A *trapdoor one-way function* is a one-way function whose inverse is easy to
compute given certain additional information.

D&H seemed to have some difficulty coming up with examples, but a few years later a
number of systems were suggested: **RSA, Knapsack, etc.**

A one-way function can be used for storage of password authorization in a computer.

### Authentication - Computer Signatures

To design a signature protocol one would need:

**PK4:** E_{U}(D_{U}(m)) = m for all messages m and users U.

In order to prevent counterfeiting, we require:

**PK5:** It is practically impossible to find an algorithm D* from knowledge of E_{U} so that
E_{U}(D*(m)) = m for all possible m.

If A wants to sign a message m being sent to B, then A sends D_{A}(m) = c and B looks up the
public encryption key for A and applies it to get E_{A}(c) = m. As D_{A} is secret, only A could
have sent this message ... but anyone can read it.

To send a signed, encrypted message, A sends E_{B}(D_{A}(m)). Only B can now read the message.
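
As an added example (not part of the original notes), here E_{U} and D_{U} are instantiated with textbook RSA, one of the systems named above, to check PK1 and PK4 and to run the exchange E_{B}(D_{A}(m)). It goes one step beyond the notes by showing a practical caveat: when users have different moduli, D_{A}(m) must lie in the domain of E_{B}, which always holds here from A to B (n_A < n_B) but fails for most messages from B to A. The toy primes, function names and the `unsendable` helper are assumptions made for illustration.

```python
# Textbook RSA as E_U / D_U. Constructed toy primes, no padding: not secure.
# Requires Python 3.8+ for pow(e, -1, n).

def make_user(p, q, e):
    """Return (n, e, d). (n, e) is public; d is the trapdoor, easy to
    compute only when the factors p and q of n are known."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def E(user, x):
    """Public algorithm E_U, defined on 0 <= x < n_U."""
    n, e, _ = user
    if not 0 <= x < n:
        raise ValueError("value outside [0, n_U)")
    return pow(x, e, n)

def D(user, x):
    """Private algorithm D_U, defined on 0 <= x < n_U."""
    n, _, d = user
    if not 0 <= x < n:
        raise ValueError("value outside [0, n_U)")
    return pow(x, d, n)

def sign_then_encrypt(sender, receiver, m):
    """c = E_receiver(D_sender(m)), the signed, encrypted message."""
    return E(receiver, D(sender, m))

def decrypt_then_verify(sender, receiver, c):
    """m = E_sender(D_receiver(c)); only the receiver holds D_receiver."""
    return E(sender, D(receiver, c))

def unsendable(sender, receiver):
    """Count messages whose signature D_sender(m) is >= n_receiver, so
    E_receiver cannot be applied to it without re-blocking."""
    return sum(D(sender, m) >= receiver[0] for m in range(sender[0]))

A = make_user(61, 53, 17)   # n_A = 3233 (constructed)
B = make_user(89, 97, 5)    # n_B = 8633 (constructed)

if __name__ == "__main__":
    m = 65
    print("PK1:", D(A, E(A, m)) == m, " PK4:", E(A, D(A, m)) == m)
    c = sign_then_encrypt(A, B, m)
    print("A -> B:", c, "->", decrypt_then_verify(A, B, c))
    print("A -> B unsendable:", unsendable(A, B))   # n_A < n_B, always fits
    print("B -> A unsendable:", unsendable(B, A))   # signatures >= n_A fail
```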