Cryptographic Protocols*

Richard A. DeMillo
Nancy A. Lynch
Michael J. Merritt

School of Information and Computer Science
Georgia Institute of Technology
Atlanta, Georgia 30332

* This work was supported in part by the National Science Foundation Grants MCS-8103508 and MCS-7924370, and by the US Army Research Office, Grant No. DAAG29-79-C-0155. Some of this work was done while the third author was at Bell Laboratories.

© 1982 ACM 0-89791-067-2/82/005/0383 $00.75

1.0 Introduction

A cryptographic transformation is a mapping $f$ from a set of cleartext messages, $M$, to a set of ciphertext messages. Since for $m \in M$, $f(m)$ should hide the contents of $m$ from an enemy, $f^{-1}$ should, in a certain technical sense, be difficult to infer from $f(m)$ and public knowledge about $f$. A cryptosystem is a model of computation and communication which permits the manipulation of messages by cryptographic transformations. Usually, one assumes that $f$ is generated by an algorithm $E$ (the encryption algorithm), while $f^{-1}$ is generated by an algorithm $D$ (the decryption algorithm). Knowledge about $f$ and $f^{-1}$ is embodied in keys, $K$ and $K'$:

$$f(m) = E_K(m), \qquad m = f^{-1}(f(m)) = D_{K'}(f(m)).$$

In a traditional cryptosystem, $K = K'$, and the key is kept secret from all but the sender and receiver of messages, while in a public key cryptosystem [Rive78] $K \neq K'$: $K$ is publicly known, but $K'$ is separated from $K$ by a computationally intractable problem.

Much work in the past decade has concentrated on ensuring the security of various cryptosystems; see e.g. [Konh81].
Although provably secure cryptosystems are still elusive, there are a number -- e.g., the Data Encryption Standard and public key schemes based on the complexity of factorization -- that are high quality ciphers. That is, they are easy to use and are evidently resistant to all but the most determined attacks. The availability of such schemes has led investigators to ask whether or not more complex secure communication algorithms can be devised based on these schemes. Public key systems have proved to be one especially fruitful area for such investigation. It was realized quite early, for instance, that a public key cryptosystem can be used to implement a form of digital signature [Rive78]. Informally, a digital signature is a mark attached to a message which cannot be forged, cannot be denied and which is bound to the message in such a way that the message cannot be altered without destroying the signature. To sign a message $m$, the sender simply uses the private key $K'$: $s = D_{K'}(m)$; anyone holding the public key $K$ can check the signature by verifying that $E_K(s) = m$. The signature cannot be forged since $K'$ is secret, and it is unlikely that for $m' \neq m$, $D_{K'}(m') = s$. It is arguable, however, that the signer can successfully disavow having signed $m$. If the holder of $K'$ makes it public, he can then claim that $m$ was signed by someone else. Such weaknesses have led to some ingenious methods of implementing digital signatures [Maty79]. One of these methods, due to Michael Rabin [Rabi78], is notable both for its rather involved structure and its probabilistic flavor.

The digital signature scheme given above is an example of a cryptographic protocol. A protocol is a communications algorithm which makes essential use of cryptographic transformations. Since the goal of a protocol is usually something beyond the simple secrecy of message transmission, it is helpful to separate the security properties of the underlying cryptosystem from those of the protocol. We illustrate attacks on protocols which result
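The cryptosystem model $(E, D, K, K')$ of the introduction and the public-key signature $s = D_{K'}(m)$ described above, instantiated with textbook RSA as an added example (this code is not from the paper or its authors). The names `keygen`, `encrypt`, `decrypt`, `sign`, `verify`, `recover_private_key` and `demo` are chosen here, the primes 61 and 53 are constructed toy values, and no padding or hashing is applied. The block runs the signing and verification steps, the disavowal scenario from the text (once $K'$ is public, a third party reproduces the same $s$), and, as a caveat on the "computationally intractable problem" separating $K'$ from $K$, shows that a toy modulus is factored by trial division.

```python
"""Textbook RSA as an instance of the paper's (E_K, D_{K'}) model and of the
signature s = D_{K'}(m).  Added example, not code from the paper.  Toy
parameters chosen so every value can be checked by hand."""

import math
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class PublicKey:
    """K: (n, e), publicly known."""
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    """K': (n, d); deriving d from K requires factoring n."""
    n: int
    d: int


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Derive (K, K') from two distinct primes (assumed prime, not checked)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python >= 3.8)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(K: PublicKey, m: int) -> int:
    """E_K(m) = m^e mod n."""
    if not 0 <= m < K.n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, K.e, K.n)


def decrypt(Kp: PrivateKey, c: int) -> int:
    """D_{K'}(c) = c^d mod n, so D_{K'}(E_K(m)) = m."""
    return pow(c, Kp.d, Kp.n)


def sign(Kp: PrivateKey, m: int) -> int:
    """The paper's signature: apply the *decryption* key to the message."""
    if not 0 <= m < Kp.n:
        raise ValueError("message must be an integer in [0, n)")
    return decrypt(Kp, m)


def verify(K: PublicKey, m: int, s: int) -> bool:
    """Anyone holding K checks E_K(s) = m; the two exponentiations commute."""
    return encrypt(K, s) == m


def recover_private_key(K: PublicKey) -> PrivateKey:
    """What 'separated by an intractable problem' means: K' follows from K
    once n is factored.  Trial division does it instantly for a toy modulus,
    which is why real keys use primes of hundreds of digits."""
    for p in range(2, math.isqrt(K.n) + 1):
        if K.n % p == 0:
            q = K.n // p
            return PrivateKey(K.n, pow(K.e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no nontrivial factor; not an RSA modulus")


def demo(m: int = 65) -> Dict[str, bool]:
    """Run the signing protocol and the disavowal scenario from the text."""
    K, Kp = keygen(61, 53)  # constructed toy key: n = 3233, d = 2753
    s = sign(Kp, m)
    results = {
        # E_K and D_{K'} invert each other, in either order.
        "round_trip": decrypt(Kp, encrypt(K, m)) == m,
        "valid": verify(K, m, s),
        # Altering the message breaks its binding to s.
        "altered_rejected": not verify(K, m + 1, s),
    }
    # Disavowal: the signer publishes K'.  A third party holding only the
    # published key produces the identical s, so s no longer identifies who
    # signed m and the original signer can deny having produced it.
    published = PrivateKey(Kp.n, Kp.d)
    results["disavowable"] = sign(published, m) == s
    # Toy-modulus caveat: here K' is recoverable from K alone.
    results["factored"] = recover_private_key(K) == Kp
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Each of the five checks in `demo` should come out `True`: the first three are the properties the text claims for the scheme, the fourth is the disavowal weakness it describes, and the fifth is the reason the toy parameters must never be used outside an illustration.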