G. R. Blakley
Department of Mathematics
Texas A&M University
College Station, TX 77843-3368
blakley@math.tamu.edu
This paper concentrates on the real-world problems created in the last two decades by cryptographers who publish in the open literature, and mentions only incidentally what gave rise to these problems – the solutions we gave to various theoretical problems, often of our own posing.

For the last twenty years, the annual IEEE Symposia on Security and Privacy have provided us with a stimulating and encouraging environment within which to expand cryptography's structure and visibility, while exposing us to criticism from workers in other security-related areas. Cryptography has been an important component of S&P, but seldom a major one. Much work mentioned below is from conferences other than S&P. But S&P's influence has been ubiquitous and formative for the worldwide community of open literature cryptographers.

To set the stage for the problems, here are six propositions for consideration, not necessarily for acceptance.

I. Not all secrecy or authentication or integrity systems have security proofs, but all have lifetimes.

II. The signing (decrypting) functions and the sealing (encrypting) functions of public key cryptosystems or digital signature schemes are quite different replacements for glued envelopes or inked signatures. They aren't merely variant forms of these old-fashioned objects.

III. Bandwidth expansion is not necessarily either a drawback or a strength of a system, merely a feature.

IV. Shannon perfect security of a system is based on the (often false) assumption that no attacker can do better than model the "random" numbers the system user employs as independent uniformly distributed random variables.

V. The Kerckhoffs principle is neither a correct description of, nor a self-evident prescription for, all secrecy system design projects.

VI. A billion dollars is tons of money. So you can't loot a big vault in a trice. "Ponderability" is neither a drawback nor a virtue of gold or of paper money. It is merely a feature, which can be mimicked electronically.

In 1974, George Purdy [1012] published a high-security log-in scheme based on sparse polynomials over finite fields, and therein publicized the idea (though not the terminology) of a one-way function.

In 1976, Whitfield Diffie and Martin Hellman [0345] introduced the general ideas of one-way function, of trapdoor one-way function, and of digital signature, and introduced an exponentiation-based key exchange scheme.

The (then) U. S. National Bureau of Standards adopted an algorithm designed largely by IBM as a federal Data Encryption Standard in 1977.

In 1978, Ron Rivest, Adi Shamir and Len Adleman published their public-key (i.e. asymmetric, i.e. two-key) number theoretic cryptosystem based on exponentiation, which gained lasting celebrity for its bijective feature, which suited it well to digital signatures, among other things. That same year, Ralph Merkle and Hellman published [0857] their trapdoor knapsack public key cryptosystem.

In 1979, Adi Shamir [1110] and I [0148] published threshold schemes, the type of cryptographic object most naturally capable of provably exhibiting Shannon perfect security.

By 1980, people were arguing that perhaps even cryptosystems could be shown secure – by means of complexity theory or other approaches. However, in 1980, Shimon Even and Yacov Yacobi published [0379] an example of a cryptosystem which is NP hard to break but almost always easy to break. To many, this looked like support for Bob Morris' asseveration that secrecy systems typically have lifetimes, rather than proofs which guarantee their security forever.

3. 1980 through 1999

Some of the important developments in cryptography over the twenty year lifetime of S&P to date are the following.

George Davida, Richard DeMillo and Richard Lipton delivered a paper [0003] to the first S&P symposium, in 1980. Davida pointed out at S&P that threshold schemes could exhibit types of security very far from Shannon perfect security, viz. merely cryptographic security. In 1983, E. D. Karnin, J. W. Greene and Hellman also discussed threshold schemes involving merely cryptographic security [0662].

In 1984 Catherine Meadows and I generalized threshold schemes to ramp schemes [0151], which are more economical than threshold schemes, but exhibit only Shannon relative security. In 1987, Ito, Saito and Nishizeki published a paper [0625] on access structures, a generalization of threshold schemes in yet another direction – one in which coalitions of very different size levels have the same power to reveal the secret. In the 1990s, Gus Simmons [1141, 1142, 1145] published very significant real-world-grounded investigations of access structures.

The only PKC to rival knapsack and RSA in popularity has been the 1985 elliptic curve PKC due to V. S. Miller [0878], and extensively investigated by Neal Koblitz [0695] and others.

In 1994, the National Institute of Standards and Technology (the successor of NBS) adopted a Digital Signature Standard, and is now proceeding toward adoption of an Advanced Encryption Standard which will to some extent replace DES, which is nearing the end of its useful life.

4. After 1999

we might want to do a bandwidth-cost/security-benefit analysis of this approach to cryptosystem design.

Shannon perfect security imposes a bandwidth expansion cost which may be prohibitive in some applications. As regards Proposition IV, secret sharers may want to replace Shannon perfect security with less stringent types of security, as well as to accept degraded modes of secret recovery, in order to enhance various types of functionality.

Major, sophisticated governments with important interests design cryptosystems secretly in-house. As regards Proposition V, we need a less worshipful, more mathematical, view of the Kerckhoffs approach: perhaps a Kerckhoffs "phase diagram" which instructs many of the small players to use secrecy systems with publicized design principles, but assures some of the big players that they are well advised to use home-grown systems whose design principles are secret.

Some vaults are, or should be, bulky places full of bulky things. Access structures constitute a naturally bulky, naturally secure cryptographic storage vehicle. They can be artificially bulked up to any desired degree of bandwidth expansion. As regards Propositions III and VI, Bob Blakley [0001] argues that electronic money could be stored electronically so that even an allowed coalition can only carry out the vault's contents at a certain rate because of bandwidth constraints. An access structure vault which could not release more than a million dollars an hour would be neither a blessing nor a curse. It would simply have a depletion-rate feature, which hinders looting.
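The threshold and ramp schemes of Section 3, and the bandwidth-versus-security trade-off and randomness assumption (Propositions III and IV) discussed just above, as an added worked example that is not code from Blakley's paper: a Shamir (t, n) threshold scheme next to a (t, L, n) ramp scheme over one prime field. The field modulus, the particular polynomial construction of the ramp scheme (secrets placed at x = 0, -1, ...), the deliberately weak RNG, and all sample secrets are assumptions of this example and are marked as such in the code.

```python
"""Added worked example (not from Blakley's paper): Shamir's (t, n) threshold
scheme beside a (t, L, n) ramp scheme over one prime field, to make the
bandwidth-expansion / perfect-security trade-off of Propositions III and IV
concrete.  The field, the polynomial construction and the sample secrets are
all assumptions of this example, not something the paper specifies."""
import itertools
import secrets

P = 2**61 - 1  # prime modulus (assumed); secrets must be < P and n must be < P


def _lagrange_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through
    the given (x_i, y_i) pairs, computed mod P with Lagrange's formula."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * ((x - xj) % P) % P
                den = den * ((xi - xj) % P) % P
        total = (total + yi * num % P * pow(den, P - 2, P)) % P
    return total


def _share_polynomial(defining_points, n):
    """A share is the polynomial's value at x = 1..n: one field element each."""
    return [(x, _lagrange_at(defining_points, x)) for x in range(1, n + 1)]


def threshold_share(secret, t, n, rng=secrets.randbelow):
    """Shamir (t, n): degree-(t-1) polynomial fixed by the secret at x = 0 plus
    t-1 random values placed at x = -1, -2, ... (outside the share indices 1..n).
    Uniform random values there give uniform random higher coefficients, so any
    t-1 shares are consistent with every possible secret: Shannon perfect
    security, bought by making every share as long as the secret."""
    pts = [(0, secret % P)] + [((-k) % P, rng(P)) for k in range(1, t)]
    return _share_polynomial(pts, n)


def threshold_recover(shares):
    """Any t shares interpolate the polynomial and read it off at x = 0."""
    return _lagrange_at(shares, 0)


def weak_rng_attack(shares, t, rng_range):
    """Proposition IV in action: if the dealer's 'random' values really come
    from range(rng_range), an attacker holding only t-1 shares enumerates them
    and keeps every secret consistent with the shares it saw.  With a proper
    RNG the same search is hopeless (rng_range would have to be about P)."""
    seen = list(shares[:t - 1])
    candidates = set()
    for guess in itertools.product(range(rng_range), repeat=t - 1):
        pts = seen + [((-k) % P, v) for k, v in enumerate(guess, start=1)]
        fixed, check = pts[:t], pts[t:]  # t points fix the polynomial ...
        if all(_lagrange_at(fixed, x) == y for x, y in check):  # ... the rest must agree
            candidates.add(_lagrange_at(fixed, 0))
    return candidates


def ramp_share(secret_list, t, n, rng=secrets.randbelow):
    """(t, L, n) ramp scheme in one common polynomial form (an assumption here,
    not the Blakley-Meadows construction itself): L secrets sit at
    x = 0, -1, ..., -(L-1) and only t-L points are random.  A share is still one
    field element, so L secrets cost what one Shamir secret costs; the price is
    Shannon relative security, shown by ramp_partial_leak below."""
    L = len(secret_list)
    assert 0 < L < t, "ramp scheme needs at least one random point"
    pts = [((-k) % P, s % P) for k, s in enumerate(secret_list)]
    pts += [((-k) % P, rng(P)) for k in range(L, t)]
    return _share_polynomial(pts, n)


def ramp_recover(shares, L):
    """Any t shares recover all L secrets."""
    return [_lagrange_at(shares, (-k) % P) for k in range(L)]


def ramp_partial_leak(shares, t, L, known_index, known_value):
    """A coalition of only t-1 holders is not stuck: the secrets are tied by a
    linear relation, so one leaked secret (number known_index) hands them all
    the others.  In the Shamir scheme the same t-1 shares say nothing at all."""
    pts = list(shares[:t - 1]) + [((-known_index) % P, known_value % P)]
    return [_lagrange_at(pts, (-k) % P) for k in range(L)]


if __name__ == "__main__":
    t, n = 3, 5
    s = 0xC0FFEE  # constructed sample secret
    sh = threshold_share(s, t, n)
    print("Shamir recovers from", t, "of", n, "shares:", threshold_recover(sh[:t]) == s)
    bad = threshold_share(s, t, n, rng=lambda _p: secrets.randbelow(4))  # 2-bit "randomness"
    print("weak RNG, 2 shares leave", len(weak_rng_attack(bad, t, 4)), "candidate secrets")
    r = ramp_share([11, 22], t, n)
    print("ramp recovers:", ramp_recover(r[:t], 2) == [11, 22],
          "| 2 shares + leaked s0 give", ramp_partial_leak(r, t, 2, 0, 11))
```

Run stand-alone, the Shamir instance spends n field elements to protect one secret and the ramp instance spends the same n elements to protect two; ramp_partial_leak is what that saving costs, and weak_rng_attack is what the "independent uniformly distributed" assumption of Proposition IV costs when it is false: two shares of a three-of-five Shamir scheme, dealt with 2-bit randomness, narrow the secret to a handful of candidates instead of leaving it uniform over the field.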