Although the SFE protocol makes possible a wide range of capabilities, its power and generality come at a price: it takes a large amount of computation and communication. The protocol is efficient enough for special tasks such as elections, yet it is too cumbersome to be pressed into service every time you click on a link to a secure Web page. Instead computer scientists have developed specialized protocols that are much more efficient than SFE for particular common tasks. These include: Encryption. Neither Alice’s ISP nor Eve can decipher the messages Alice sends to Bob. The traffic between Alice’s computer and SophistiCats is secure as well. Authentication. Alice can be sure messages come from Bob, not Eve. Anonymous channels. Alice’s ISP cannot tell to whom she has sent the messages or that she has ever visited the SophistiCats Web site. Zero-knowledge proof. Alice can prove to some one else that something is true without revealing what her proof is. Anonymous authorization. SophistiCats knows that she is a member when she accesses its Web site, but it cannot tell who she is. This protocol is a special case of a zero-knowledge proof.
Secret Messages The oldest and one of the most fundamental problems studied in cryptography is that of encryption— the problem of how to communicate securely over an insecure channel (one on which an adversary can eavesdrop). Alice wants to send a message to Bob, but Eve has control over part of the channel (through the apartment’s network) that Alice will use. Alice wants Bob, but not Eve, to be able to read the message. In analyzing this problem, notice, first, that Bob must know something that Eve does not— otherwise Eve would be able to do whatever Bob can do. Bob’s private knowledge is called his secret key (SK). Second, notice that Alice must know something about Bob’s SK so that she can create a ciphertext— an encrypted message — specifically for Bob. If Alice knows the SK itself, the protocol is called secret-key encryption, the kind of encryption that has been known and practiced for centuries. In 1976 Whitfield Diffie and Martin E. Hellman, both then at Stanford University, enviw w w. S c i A m . c o m
sioned another possibility, called public-key encryption, in which Alice need not know the SK. All she needs is a public value related to the SK called Bob’s public key (PK). Alice uses his PK to encrypt her message, and only Bob, with his SK, can decrypt the resulting ciphertext [see box below]. It does not matter that Eve also knows Bob’s PK because she cannot use it to decrypt the ciphertext. Diffie and Hellman proposed the public-key idea but did not know how to carry it out. That came a year later, when Ronald L. Rivest, Adi Shamir and Leonard M. Adleman, all then at the Massachusetts Institute of Technology, gave the first construction of a public-key cryptosystem: the RSA algorithm. Their algorithm works for public-key encryption because it involves a so-called trapdoor function. Such a function is easy to compute, to produce the ciphertext, yet hard to invert, to recover the plaintext, unless a special “trapdoor” is used. The trapdoor serves as the secret key. The RSA algorithm was the first example of a function with a trapdoor property. For this work they won the 2002 A. M. Turing Award, the most prestigious prize in computer science.
key dates 1918: Major Joseph O. Mauborgne of the U.S. Army and Gilbert Vernam of AT&T Bell Laboratories invent the one-time pad, in which the random, secret key is as long as the message itself and is only ever used once. 1944: At Bletchley Park in England, Colossus (the first vacuum-tubebased, programmable computing machine) decrypts German High Command messages, providing invaluable information prior to the D-day invasion of Normandy. 1945: Claude Shannon of AT&T Bell Laboratories proves that the one-time pad is unbreakable even against an adversary with unlimited computational power. This definition of secrecy is so strong, however, that he also proves that the one-time pad is the only possible cryptosystem satisfying it.
Concealing Content Modern techniques for encrypting information come in one of two types: secret-key encryption and public-key encryption.
Alice and Bob share a key that they keep secret. Alice encrypts her message using this key. She sends the resulting ciphertext to Bob, who uses the same key to decrypt it.
Bob creates a matched pair of keys, one that he keeps secret and one that he makes public. Alice (or anyone else) can use the public key to encrypt a message, but only Bob, with the secret key, can decrypt it.
S C I E N T I F I C A M E R I C A N