, RSA Laboratories

, University of Charleston

Pages: pp. 10-13

Public-key cryptography today is having a significant impact throughout the microprocessor and microcomputer world. From smart cards to network protocols, from electronic payment systems to optimized arithmetic techniques, public-key cryptography affects microcomputer systems at every level.

The main concept of public-key cryptography is that users can communicate securely—with privacy from eavesdroppers and assurance that messages exchanged are authentic—without first sharing secret information. ^{1} With non-public-key (that is, secret-key) techniques, such sharing of secrets is essential at some point, which limits the flexibility of a security system, or at least requires that users place significant trust in a central authority. With public-key techniques, parties have pairs of keys: a secret private key and a public key available to other users. (For details, see the box, What is public-key cryptography?) Only one party knows a given private key, but the public key need not be kept secret and can be given to anyone.

In a sense, the move from secret- to public-key techniques parallels the transition from mainframes to microcomputers, as the ownership of data—keys in the case of cryptography—moves from a central authority to the users. Just as the transition in computing devices has opened opportunities for networking and communications, so the transition to public-key cryptography lends itself to all kinds of opportunities, including secure electronic commerce.

The most notable microprocessor-related impact of public-key technology is perhaps in the area of integrated circuit cards, variously known as smart cards or chip cards, the development of which coincided with the maturation of public-key cryptography. While initial IC cards were generally passive storage devices, a limited processing capability is now fairly standard. These cards often also have some degree of physical protection, making them suitable for storing secrets such as private keys.

IC card technology has influenced public-key cryptography in the sense that designers have developed public-key systems specifically to meet the stringent memory and communication bandwidth requirements of IC cards (for example, the Guillou-Quisquater identification scheme ^{2}). Likewise, public-key cryptography has affected IC card design in the introduction of coprocessors for the arithmetic in public-key systems.

David Naccache and David M'Raïhi's article, "Cryptographic Smart Cards," covers the latter kind of impact, surveying the arithmetic coprocessors for IC cards currently available and categorizing their features. A remarkable number of such coprocessors are available, reflecting the commitment of manufacturers to public-key technology based on modular arithmetic (for example, RSA and DSA—see the box). Two boxes accompany the article, "Toward available personal portable security," by Stephan Ondrusch, and "Motorola's SC49: A public-key microcontroller," by Carol H. Fancher. These boxes offer further comments on IC cards and cryptography, discussing such issues as performance, public-key certificate storage, and "electronic wallets."

While arithmetic coprocessors are convenient (and arguably essential) for dedicated hardware such as IC cards, software implementations are equally important. For those techniques based on modular arithmetic, researchers have developed a variety of implementation methods, particularly for the central step of modular multiplication (the computation of *a* × *b* mod *n*, for some fixed modulus *n*). One of the more promising methods, in terms of simplicity and speed, is that introduced by Peter Montgomery. ^{3} "Analyzing and Comparing Montgomery Multiplication Algorithms," by Çetin Koç, Tolga Acar, and Burton S. Kaliski, Jr., compares several approaches to this method.

Public-key technology finds many applications in microcomputer networking. Electronic mail is one example (and perhaps the most common illustration of the technology); parties can send mail confidentially and ensure its authenticity by applying public-key encryption and digital signatures. Electronic mail falls into the class of store-and-forward applications, as it is possible for one party to send protected mail, without the immediate participation of the recipient. Session-oriented applications assume the direct involvement of multiple participants, and as a result can sometimes employ a different set of cryptographic techniques. (For instance, in the session-oriented case, it may not be so important to the parties to have a digitally signed receipt of a transaction; an interactive identification scheme may be sufficient.)

"Transparent Authentication and Confidentiality for Stream Sockets," by André Zúquete and Paulo Guedes, describes a session-oriented application, in which parties on a network authenticate one another and agree on a session key with which they encrypt subsequent communications. The key agreement technique is Diffie-Hellman (see the box).

Electronic payment systems have become a public-key technology application of intense interest, especially with the potential for electronic commerce on the Internet. Such systems take many forms, from anonymous digital cash following David Chaum's pioneering work ^{4} to credit-card-oriented systems such as VISA and MasterCard's recently announced Secure Electronic Transaction (SET) specifications. ^{5}

Non-public-key systems are certainly possible for electronic payments, and indeed the backbone of the world's financial networks has long relied on secret-key technology. But public-key technology offers a much more open system, as merchants and consumers can join the system simply by presenting a public key (and for legal reasons, possibly a proof of identity); no sharing of secrets with other parties is necessary.

"SCALPS: Smart Card for Limited Payment Systems," by Jean-François Dhem, Daniel Veithen, and Jean-Jacques Quisquater describes one payment system based on public-key cryptography, specifically on a variant of the Guillou-Quisquater identification scheme. ^{2} SCALPS complements the other articles in the issue as well; it employs IC cards, and the multiple-precision arithmetic follows Montgomery's method.

Of course, for electronic payment systems and many other applications of public-key technology to become a part of everyday life, such applications need a legal standing. Indeed, it is only recently that the concept of a digital signature has been given a legal interpretation. One reason is that there are more issues to consider than just the cryptographic operations. Ownership of a key pair is one issue (whose signature is it?); the recovery from the compromise of a key is another. The sidebar, "Legal recognition of digital signatures," by Lee Hollaar and Alan Asay, gives a synopsis of efforts in this area.

These articles offer a view into some of the ways public-key technology affects microcomputer and microprocessor systems today. We can find many other illustrations. As a popular example, one might consider Netscape's Navigator, a browser for the World Wide Web. The key icon in the lower left-hand corner of the Navigator display is either intact or broken depending on whether the current connection is secured. Regardless, the public-key cryptography is already there; the only difference is whether the Web server turns security on. One may expect the Netscape key—as well as its counterparts in other applications—to be intact more often as public-key cryptography becomes a standard feature of the microcomputer world.

Public-key cryptography is a technology for protecting data based on the concept that a cryptographic operation and its inverse can involve different keys, in which one of the keys can be made public without compromising the security of the other. The key that can be made public is called the public key; the other is called the private key. Typically, a public key and a private key are generated together, as a pair; only one party knows a given private key.

Prior to public-key cryptography, an operation and its inverse always involved the same key. We now call this secret-key cryptography, since all keys must be kept secret.

Public-key cryptography thus solves the most difficult problem of secret-key cryptography: the initial sharing of secrets. In a large group, it may be difficult for all parties to establish secrets securely if this requires physical delivery. A third party can mediate the establishment of secrets, but users must trust this party not to disclose or misuse the secrets.

With public-key cryptography as introduced by Diffie and Hellman in 1975 and described in their seminal 1976 paper, ^{1} new users and communities of users can easily join a system, simply by sharing their public keys with each other, perhaps in a public directory. There are now many techniques based on the public-key concept. The four basic and most commonly implemented fall into the following categories.

These protect data from eavesdroppers. Here, a user—Alice—encrypts data with another user's public key—Bob's—and sends the resulting ciphertext to Bob. Bob recovers the data by decrypting the ciphertext with his private key, which only he possesses. Anyone can encrypt a message for Bob with Bob's public key, but only Bob can recover a message so encrypted.

These assure the authorship and authenticity of data. Here, Alice "signs" the data with her private key and sends the data and the resulting signature to Bob. With Alice's public key, Bob verifies that the signature and data are from Alice and have not been modified. (Depending on the digital-signature mechanism, Alice may not need to send the data along with the signature, as Bob may be able to recover it from the signature.) Anyone, not just Bob, can verify that the signature is from Alice, but only Alice can generate such a signature. As a result, a signature gives cryptographic evidence of Alice's authorship, providing the property of nonrepudiation: Unless Alice's key is compromised, she cannot deny a valid signature.

A directory of public keys must only be protected from modification, not disclosure. Digital-signature mechanisms, for which the signer is a trusted authority, can provide the necessary protection. A public-key certificate, consisting of a key, a user name, and a trusted authority's signature, is an essential component here. ^{2}

These establish shared secrets. It is possible to establish shared secrets with public-key encryption, but it is often more efficient, or more attractive for other reasons, to do so by other techniques. In one case, called key agreement, Alice and Bob exchange public keys and perhaps some other data. From each one's own private key and the exchanged keys and data, each computes a value which cannot be derived from the exchanged values; the value is the same for both Alice and Bob. Thus, Alice and Bob obtain a shared value, but no one else can determine it.

These authenticate the identity of a party. While it is possible to achieve identification with digital signatures, other techniques may have advantages. The Guillou-Quisquater mechanism, ^{3} as well as zero-knowledge techniques, ^{4} fall into this category.

Public-key mechanisms tend to be significantly slower than secret-key mechanisms, and so are not generally applied directly to large amounts of data. Instead, they are applied to a small amount of data, such as a key, which in turn protects a larger amount. For instance, typical applications encrypt data with a secret-key encryption mechanism and then encrypt only the secret key with a public-key encryption mechanism. For digital signatures, typical applications reduce data to a hash value with a cryptographic hash function, and then sign only the hash value with a digital-signature mechanism. The combination of technologies is quite effective, as it inherits both the convenience of public-key cryptography and the speed of secret-key cryptography and hash functions. (As an analogy in the microcomputer world, one might consider the combination of high-speed associative cache memory and inexpensive random access memory, which achieves most of the benefits of each.) The following are perhaps the most widely available public-key cryptosystems today.

Diffie-Hellman. Whitfield Diffie and Martin Hellman invented this key-agreement mechanism at Stanford in 1976. ^{1} Diffie-Hellman provides only key agreement, but variants such as those of El Gamal offer digital signatures and public-key encryption as well. ^{5} Diffie-Hellman key agreement is based on exponentiation modulo a prime number, where the prime number is a system parameter that several users may share. The security of Diffie-Hellman depends on the discrete-logarithm problem. For typical applications, the length of the prime number is 768 to 1,024 bits.
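The key agreement described above, worked through in Python as an added example (not code from the original article). It assumes the 768-bit First Oakley Group prime from RFC 2409 as the shared system parameter and SHA-256 to turn the shared value into a session key; the function names are illustrative. The 768-bit size matches the lengths quoted in the text, and current practice uses larger groups.

```python
import hashlib
import secrets

# Assumption: 768-bit prime and generator of the First Oakley Group
# (RFC 2409, section 6.1), a public parameter that all users share.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def generate_keypair():
    """Return (private, public) with public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]
    return private, pow(G, private, P)


def check_public(value):
    """Reject degenerate peer values (0, 1, P-1 or out of range)."""
    if not 2 <= value <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def shared_key(own_private, peer_public):
    """Compute the shared value and hash it down to a 256-bit session key."""
    z = pow(check_public(peer_public), own_private, P)
    return hashlib.sha256(z.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def demo():
    a_priv, a_pub = generate_keypair()  # Alice
    b_priv, b_pub = generate_keypair()  # Bob
    # Only a_pub and b_pub cross the network; each side combines the
    # peer's public value with its own private key.
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub)


if __name__ == "__main__":
    k_alice, k_bob = demo()
    print("session keys match:", k_alice == k_bob)
```

The exchange authenticates nothing by itself: each side still needs assurance that the public value it received belongs to the intended peer, which is the role of the certificates and signatures described earlier.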

The US National Institute of Standards and Technology developed the Digital Signature Algorithm as part of the federal Digital Signature Standard. ^{6} DSA provides only digital signatures; the signatures are based on arithmetic operations, including exponentiation modulo two prime numbers. The two prime numbers are system parameters that several users may share. The security of DSA, like Diffie-Hellman, depends on the discrete-logarithm problem. In the Digital Signature Standard, the larger of the DSA prime numbers can be up to 1,024 bits long. (The standard fixes the smaller prime at 160 bits.)

A significant amount of a DSA signature operation can be precomputed before the message being signed is known, making the on-line part of the DSA signature operation very fast. DSA signatures are somewhat shorter than those for RSA (320 bits versus 768 to 1,024 bits).

RSA. Rivest, Shamir, and Adleman invented this cryptosystem at MIT in 1977. ^{7} RSA provides both public-key encryption and digital signatures; both are based on exponentiation modulo a composite number. The composite number and another quantity known as the public exponent form the public key; the prime factors of the number, and quantities derived from them, form the private key. Thus, the security of RSA depends on the difficulty of factoring. For typical applications, the length of the composite number is 768 to 1,024 bits.

RSA encryption and signature verification operations can be very fast with an appropriate choice of public exponent.
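An added Python example (not from the original article) of the hash-then-sign pattern described earlier, using RSA as just outlined: the signer works with the prime factors and values derived from them, while the verifier needs only the modulus and a short public exponent. The key is constructed from two Mersenne primes purely for illustration, SHA-256 is an assumed hash function, and no padding scheme is applied, so this shows the arithmetic only.

```python
import hashlib

# Constructed key for illustration: two Mersenne primes. Real keys use
# random primes; primes of this special form are not safe in practice.
P_FACTOR = 2**521 - 1
Q_FACTOR = 2**607 - 1
N = P_FACTOR * Q_FACTOR  # public modulus (the composite number)
E = 65537                # short public exponent, so verification is cheap

# Private key: the prime factors and quantities derived from them.
D = pow(E, -1, (P_FACTOR - 1) * (Q_FACTOR - 1))
DP, DQ = D % (P_FACTOR - 1), D % (Q_FACTOR - 1)
Q_INV = pow(Q_FACTOR, -1, P_FACTOR)


def digest_as_int(message: bytes) -> int:
    """Reduce the data to a hash value; only this value is signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Compute h^D mod N via two half-size exponentiations (CRT)."""
    h = digest_as_int(message)
    s_p = pow(h, DP, P_FACTOR)
    s_q = pow(h, DQ, Q_FACTOR)
    t = (Q_INV * (s_p - s_q)) % P_FACTOR
    return s_q + t * Q_FACTOR


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (N, E) can check the signature."""
    if not 0 < signature < N:
        return False
    return pow(signature, E, N) == digest_as_int(message)


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("valid:", verify(msg, sig))
    print("tampered:", verify(msg + b"!", sig))
```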

As noted, Diffie-Hellman, DSA, and RSA are all based on modular arithmetic, which reduces intermediate results by dividing by a predetermined value (the modulus) and keeping only the remainder. This explains the interest in modular arithmetic coprocessors and software for public-key cryptography. All three mechanisms have a variable key size (length of the prime or composite number), allowing a trade-off between speed and security.

Currently, there is also considerable interest in public-key cryptosystems based on elliptic curves. The most promising systems are variants of the Diffie-Hellman family (as introduced by Koblitz ^{8} and Miller ^{9}), which replace the modular arithmetic operations by composition of points on elliptic curves. The current draft of the proposed IEEE P1363 standard defines several elliptic-curve mechanisms. ^{10}

The security of elliptic-curve cryptosystems depends on the elliptic-curve logarithm problem, which many researchers consider to be more secure, for a given key size, than the discrete-logarithm problem. A typical security parameter for an elliptic-curve system is 160 bits, making its key sizes, ciphertext, and signatures among the shortest of any public-key cryptosystem. Elliptic-curve cryptosystems are generally comparable in speed to the discrete-logarithm systems on which they are based, and will thus become likely candidates for the next generation of public-key mechanisms as their security becomes more firmly established.

Diffie gives an enjoyable recounting of the first 10 years of public-key cryptography. ^{11} Patterson has given a mathematical introduction to the field. ^{12} Bruce Schneier's *Applied Cryptography* is becoming a standard introduction to modern cryptography in general, including public-key techniques. ^{13}

An LEQSF PLEx grant, LEQSF(1993-96)-ENH-PLEx-03, funded part of this work.

- 1. W. Diffie and M.E. Hellman, "New Directions in Cryptography," *IEEE Trans. Information Theory,* Vol. IT-22, 1976, pp. 644-654.
- 2. L. Guillou and J.-J. Quisquater, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory," *Advances in Cryptology—Eurocrypt 88,* C.G. Günth, ed., *Lecture Notes in Computer Science,* Vol. 330, Springer-Verlag, New York, 1988, pp. 123-128.
- 3. P.L. Montgomery, "Modular Multiplication without Trial Division," *Mathematics of Computation,* Vol. 44, No. 170, 1985, pp. 519-521.
- 4. D. Chaum, "Blind Signatures for Untraceable Payments," *Advances in Cryptology: Proc. Crypto 82,* D. Chaum, R.L. Rivest, and A.T. Sherman, eds., Plenum, New York, 1983, pp. 199-203.
- 5. *Secure Electronic Transaction Specification,* MasterCard and VISA Int'l Services Assn., http://www.visa.com/, current as of March 21, 1996.

Mahdi Abdelguerfi, a professor of computer science at the University of New Orleans, participates in research on database systems, information retrieval, and VLSI architectures for encryption. He is the recipient of the 1991 University of New Orleans Early Career Achievement award for excellence.

Abdelguerfi received a Dipl in electrical engineering from the National Polytechnic School of Algiers, Algeria, and MS and PhD degrees in computer engineering from Wayne State University, Detroit. He is a member of the IEEE, the ACM, Eta Kappa Nu, and Tau Beta Pi.

Burton S. Kaliski, Jr. is chief scientist of RSA Laboratories. His research interests include cryptography and computer arithmetic.

Kaliski received BS, MS, and PhD degrees in computer science from the Massachusetts Institute of Technology. He is a member of the IEEE Computer Society, Sigma Xi, and Tau Beta Pi. He chairs IEEE P1363, a group developing standards for public-key cryptography. He performed part of this work during his time at the Isaac Newton Institute for Mathematical Sciences, University of Cambridge (UK).

Wayne Patterson is vice president for research, dean of graduate studies, and professor of computer science at the University of Charleston, South Carolina. He is the author of the widely used textbook, Mathematical Cryptology, and numerous research articles, primarily in the areas of cryptology and parallel computer arithmetic.

Patterson received BS and MS degrees in math from the University of Toronto, an MS in computer science from the University of New Brunswick, and a PhD from the University of Michigan. He is a member of the ACM, the IEEE Computer Society, and the International Association for Cryptologic Research.
