Cryptography Lecturer : Michel Goemans 1 Public Key Cryptosystems

The traditional way of creating secret codes (used in various degrees of sophistication for centuries) is that both the sender and the receiver share a secret, called a key. The sender scrambles the message in a complicated way that depends on the key. The receiver then uses the key to unscramble the message. If these codes are constructed properly (something which is surprisingly hard to do), it seems virtually impossible for somebody without the key to decode the message, even if they have many examples of pairs of messages and their encodings to work from in trying to deduce the key. The drawback of this method is ensuring that every pair of people who need to communicate secretly have a shared secret key. Distributing and managing these keys is surprisingly difficult even when these keys are used for espionage. This would be extremely difficult for secret communication over the internet, when you may wish to send your credit card securely to a store you have never before heard of. Luckily, there is another way to proceed. Diffie and Hellman in 1976 came up with a scheme for handling such communications, called a public key cryptosystem. It is based on the assumption that there is a wide class of functions that are relatively easy to compute but extraordinarily difficult to invert unless you possess a secret. According to this scheme, each communicator or recipient, say Bob or B, publishes in a well defined place (a kind of telephone directory) a description of his function, fB from this class; this is Bob’s public key. Bob knows also the inverse of fB, this is his private key. The assumption is that this inverse is extremely difficult to compute if one does not know some private information. Suppose now that someone, say Alice or A, would like to send a message m to B. She looks up Bob’s public key and sends m′ = fB(m). Since Bob knows his own private key, he can recover m = f−1 B (m ′). The problem here is that Bob has no guarantee that Alice sent the message. Maybe someone else claiming to be Alice sent it. So, instead, suppose that Alice sends the message m′ = fB(f −1 A (m)) to Bob. Notice that Alice needs to know Bob’s public key (which she can find in the diretory) and also her known private key, which is known only to her. Having received this message, Bob can look up Alice’s public key and recover m by computing m = fA(f −1 B (m ′)); again, for this purpose, knowledge of Bob’s private key and Alice’s public key is sufficient. Anyone else