New Directions in Cryptography

W. Diffie and M. Hellman, 1976 paper

Konstantinos Chousos

kchousos@di.uoa.gr

Department of Informatics & Telecommunications, University of Athens

October 16, 2025

Introduction

Definitions

Cryptosystems

Cryptographic system: A single parameter family \(\{S_K\}_{K \in \{K\}}\) of invertible transformations: \[S_K: \{P\} \to \{C\}, \] from a set of messages \(\{P\}\) to a set of ciphertexts \(\{C\}\). If \(\{P\}=\{C\}\), we denote them as \(\{M\}\).

Definitions

Cryptosystems

Symmetric Cryptography: The same key is used for both encryption and decryption of the data. This means that both the sender and receiver must share the secret key securely beforehand.
Asymmetric Cryptography: A pair of keys is used — a public key for encryption and a private key for decryption. The public key can be shared openly, while the private key remains confidential, allowing secure communication without the need to share the secret key beforehand.

Definitions

Security

Computational security: Breaking the system is theoretically possible, but requires infeasible computation.
- Computationally infeasible: A problem whose time and/or spatial cost is finite but incredibly large.
Unconditional security: Impossible to break, regardless of computational resources (e.g., one-time pad).

Definitions

Attack models

Ciphertext only attack: Only ciphertexts available.
Known plaintext attack: Ciphertext-plaintext pairs known.
Chosen plaintext attack: Can encrypt arbitrary plaintexts.

Challenge

how can two parties securely communicate over an insecure channel with no prior shared secret?

W. Diffie (left) and M. Hellman (right).

Contributions

Επρόκειτο για γενικό paper πάνω στη κρυπτογραφία που θα έγραφε ο M. Hellman για ένα special τεύχος του IEEE Transactions on Information Theory, το 1976.

Παρόλα αυτά, έφερε μία επανάσταση στη κρυπτογραφία, προτείνοντας για πρώτη φορά τα εξής μοντέλα κρυπτογράφησης:

Υποτίθεται ότι το public key cryptography όπως και το RSA είχαν ανακαλυφθεί νωρίτερα από την μυστική υπηρεσία GCHQ της Αγγλίας, το 1987. Όμως, δεν δημοσιεύτηκε ποτέ κι έτσι εφευρέτες θεωρούνται οι Diffie και Hellman [1], [2].

Turing award το 2015.

Οι μέθοδοι που προτείνονται μέσα στο paper έρχονται να καλύψουν τα τότε κενά όσον αφορά τα secure key distribution systems και τα μέχρι τότε ανύπαρκτα digital signatures. Τα μέχρι τότε συστήματα είτε δεν μπορούσαν να υποστηρίξουν τέτοιες λειτουργίες ή χρειαζόντουσαν τόση προσπάθεια που δεν ήταν πρακτικά.

Public key cryptosystems (asymmetric encryption)
Public key distribution systems (securely establishing secrets over open channels)
Digital signatures (authenticated, non-refutable communication)

Supposedly already existing in secret (GCHQ) [1], [2].

Contributions

Definitions

Public key cryptosystem

Encryption and decryption using different “keys” \(E\) and \(D\), where calculating \(D\) given \(E\) is computationally infeasible.

This means that \(E\) can be made public without jeopardizing the secrecy of \(D\).

Public key distribution system

A system where two users communicate in a public channel can create a shared secret key, and it is computationally infeasible for an eavesdropper to derive the key from this communication.

One-way authentication system

A system that provides a valid digital signature for each message, which is dependent on that message.

All previous models rely on the computational difficulty of the cryptanalyst/adversary to derive a plaintext from a ciphertext without the key.

Conventional cryptography

Cryptography goals

Privacy: Preventing eavesdroppers from learning the message.
Authentication: Ensuring a message comes from the claimed sender.

Ιδιωτικότητα: για ασφαλή επικοινωνία σε insecure communication channels. Το τι θεωρείται secure και τι όχι αλλάζει ανάλογα το threat model (π.χ. τηλέφωνο: κοριός, eavesdropper κτλ).

Αυθεντικοποίηση: α) σε πρόβλημα αυθεντικοποίησης του αποστολέα ενός μηνύματος ή β) πρόβλημα αυθεντικοποίησης ενός ατόμου.

Δηλαδή, στο πρώτο ότι το μήνυμα στάλθηκε όντως από τον φαινομενικό αποστολέα και στο δεύτερο ότι το άτομο είναι όντως αυτός που ισχυρίζεται να είναι. Στην πραγματικότητα αυτά τα προβλήματα είναι γενικώς ισοδύναμα.

Classic cryptographic system

Transmitter & receiver pre-share a secret key \(K\), defining a reversible transformation \(S_K\).
Message \(P\) encrypted as \(C = S_K(P)\).
Receiver decrypts \(C\) to obtain \(P = S_K^{-1}(C)\).

Flow of information in conventional cryptographic system [4, p. 645].

Σημαδάκια: “ασπίδες” -> secure channel

Στο σχήμα φαίνεται το κλασσικό μέχρι τότε framework για secure communication. Υπάρχουν τρία parties: Ο transmitter, ο eavesdropper/cryptanalyst/adversary κι ο receiver. Ο transmitter κι ο receiver έχουν ήδη ένα κοινό μυστικό κλειδί \(K\), το οποίο έχουν επικοινωνήσει μέσω ενός secure channel.

Έστω ότι ο transmitter θέλει να στείλει στον receiver ένα μήνυμα i.e. plaintext \(P\). Για να το στείλει μέσω ενός δημόσιου/insecure channel χωρίς να μπορεί να βρει το μήνυμα κάποιος ενδιάμεσος eavesdropper, εφαρμόζει στο \(P\) μία αντιστρέψιμη μεταμόρφωση \(S_K\) εξαρτώμενη από το \(K\), δηλαδή στέλνει ένα \(C=S_K(P)\). Ο receiver, γνωρίζοντας το \(K\), μπορεί να αποκτήσει το αρχικό μήνυμα \(P=S_K^{-1}(C)\).

Όλο αυτό γίνεται με δεδομένο ότι το secure channel δεν μπορεί να χρησιμοποιηθεί για τη μεταφορά των μηνυμάτων \(P\) λόγω καθυστέρησης ή/και κόστους.

Public key cryptography

Till then, preparation in advance was needed for secure communication.

Our goal is to enable two parties communicating over a public channel and using only publicly known techniques to create a secure connection.

This goal can be achieved with a system like this:

Flow of information in public key system [4, p. 647].

Two techniques can achieve this:

A public key cryptosystem
A public key distribution system

Public key cryptosystem

Each user generates a pair of keys \((E, D)\):
- \(E\): Public encryption key.
- \(D\): Private decryption key, hard to infer from \(E\).
Anyone can send secure messages by encrypting with \(E\).
Only the intended recipient can decrypt using \(D\).

Formal definition

A pair of algorithm families \(\{E_K\}_{K\in \{K\}}\), \(\{D_K\}_{K \in \{K\}}\) represents reversible transformations \[E_K: \{M\} \to \{M\}\] \[D_K: \{M\} \to \{M\}\] over a finite set \(\{M\}\), such that:

For every \(K \in \{K\}\), \(E_K\) is the inverse of \(D_K\).
For every \(K \in \{K\}\) and \(M \in \{M\}\), \(E_K(M)\) and \(D_K(M)\) are easily computable.
Computing \(D_K\) from \(E_K\) is computationally infeasible.
Deducing a reversible pair \(E_K, D_K\) from a given \(K\) is computationally straightforward.

Due to the third property, a user’s enciphering key \(E_K\) can be made public without compromising the system’s security.

With a public key cryptosystem, key distribution is now easy.

Example

Message \(\mathbf{m}\): a binary vector in \(n\) dimensions.
Encryption: Multiplication with an invertible binary \(n \times n\) matrix \(E\).
- Ciphertext: \(\mathbf{c} = E \mathbf{m}\).
Let \(D = E^{-1}\) (rule 1). Then, \(\mathbf{m} = D \mathbf{c}. \qquad \square\)
Encryption and decryption require \(n^2\) operations (rule 2).
Inverting \(D\) from \(E\) is a challenging problem (rule 3).
\(E\) construction: Elementary row and column operations on the identity matrix \(I\).
- \(D\) construction: Inverse operations.
- \(K\): The binary encoding of the operations (rule 4).

This example is not practical, as the inversion of matrices has a complexity of \(n^3\), but it aids in understanding.

Public key distribution system

A system that allows two users \(A,B\) to securely exchange a key over an insecure channel.

Initially studied by Merkle [6], however, the proposed solution has several issues [4, pp. 648–649].

Groups

A group is a set \(G\) with an operation \(\circ\) satisfying:

Closure: \(a \circ b \in G\)
Associativity: \((a \circ b) \circ c = a \circ (b \circ c)\)
Identity: \(\exists e \in G : a \circ e = a\)
Inverse: \(\forall a \in G, \exists a^{-1} \in G : a \circ a^{-1} = e\)

For example:\((\mathbb{Z}_p^{*}, \times \mod p)\): The non-zero integers modulo a prime \(p\) under multiplication.

Cyclic groups

A group is cyclic if there exists a generator/primitive element \(g\) such that \[\forall x \in G, \exists k : x = g^k.\]

Discrete logarithm problem

let \(\mathbb G=(\mathbb{Z}_p^{*}, \times \mod p)\) a cyclic group of the non-zero integers modulo a prime \(p\) under multiplication.

Let \[Y = a^X \mod p, \quad 1 \leq X \leq p-1\]

where \(a\) is a member of \(\mathbb G\). \(X\) is \(Y\)’s discrete logarithm with base \(a\), \(\mod p\).

In other words, \[X = \log_a Y \mod p, \quad 1 \leq Y \leq p-1.\]

Calculating \(Y\) is straightforward, requiring at most \(2\log_{a} p\) multiplications [7, pp. 398–422]. For example, if \(X = 18\), we have \[Y = a^{18} = (((a^2)^2)^2)^2 \times a^2 \mod p.\]

Conversely, deriving \(X\) from \(Y\) is challenging, as it requires \(p^{1/2}\) operations for well-chosen \(p\) [8, pp. 575–576].

Diffie-Hellman Key Exchange

A ‘public key distribution system’ implementation

It requires only a single key exchange—unlike Merkle’s method [6].
The effort for a cryptanalyst to break it increases exponentially compared to the effort required by regular users.

It relies on the computational difficulty of the discrete logarithm problem.

DHKE Protocol

Each user secretly and independently generates a random number \(X_i \in \left\{ 1,2, \dots, p-1 \right\}=\mathbb{Z}_p^{*}\), where \(p\) is a prime and \(g\) is the generator.
The user computes \(Y_i = g^{X_i} \mod p\) and publishes it.
When users \(i\) and \(j\) wish to communicate, they use the key \(K_{ij}=g^{X_i X_j} \mod p\).
- User \(i\) derives the key using \(Y_j = g^{X_j} \mod p\): \[K_{ij}=Y_j^{X_i}=\left( g^{X_j} \right)^{X_i} = g^{X_j X_i}=g^{X_i X_j}\mod p.\]

One-way authentication

One-way authentication/Digital signatures

A system where a digital signature can be easily recognized as authentic, but cannot be forged by anyone other than the actual signer.

Since every digital signal can be copied, a digital signature must be identifiable without being disclosed.

One-way functions

A function \(f\) is called a one-way function when for every \(x\) in its domain, we can easily compute \(f(x)\), but for almost all \(y\) in its range, it is computationally infeasible to solve for \(y = f(x)\).

Example: Polynomials. Finding the root \(x_0\) of \(p(x) = y\) is difficult, whereas evaluating \(x_0\) as a solution is straightforward.

Problem interrelations and trap doors

Trap Doors / Trap-Door One-Way Functions

Functions that appear one-way but can be easily inverted due to specific information.

Given only an algorithm for the forward function from \(x \to f(x)\), it is computationally infeasible to find an easily computable inverse.

Only with specific trap-door information can we compute the inverse.

Claims

Claim 1

A cryptosystem secure against a known plaintext attack can produce a one-way function

Let \(S_K\) be such a cryptosystem. We define \(P=P_0\) and a function \(f:\{K\}\to \{C\}\) such that \(f(X)=S_X(P_0)\).

The function \(f\) is one-way since solving for \(X\) given \(f(X)\) is equivalent to cryptanalyzing the key recovery problem from a specific plaintext-ciphertext pair. Thus, knowing \(f\) is equivalent to knowing \(\{S_K\}, P_0\).

Claim 2

A public key cryptosystem can create a one-way authentication system

If user \(A\) wants to send a signed message \(M\) to user \(B\), then

\(A\) sends \(D_A(M)\), where \(E_A,D_A\) are \(A\)’s keys in the PKC.
User \(B\) verifies \(E_A(D_A(M))=M\), confirming it was signed by \(A\).
- \(B\) retains \(D_A(M)\) as proof.

Given \(E\), we have an algorithm to convert plaintext into cryptograms. In other words, a PKC is a set of trap-door one-way functions.

Claim 3

A trap-door cryptosystem can generate a public key distribution system

\(B\) publishes the trap-door cryptosystem while keeping the trap-door information secret.
\(A\) selects a random key and sends a plaintext-cryptogram pair to \(B\), who uses the trap-door to retrieve the key, which both now possess.

https://kchousos.github.io/directions-cryptography

References

[1]

J. Ellis, “The Story of Non-Secret Encryption.” [Online]. Available: https://www.cryptome.hope-tindall.org/ellisdoc.htm

[2]

B. Schneier, “The Secret Story of Nonsecret Encryption.” [Online]. Available: https://www.schneier.com/essays/archives/1998/04/the_secret_story_of.html

[3]

C. E. Shannon, “Communication theory of secrecy systems,” The Bell system technical journal, vol. 28, no. 4, pp. 656–715, 1949, Available: https://ieeexplore.ieee.org/abstract/document/6769090/

[4]

W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Inform. Theory, vol. 22, no. 6, pp. 644–654, Nov. 1976, doi: 10.1109/TIT.1976.1055638.

[5]

R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978, doi: 10.1145/359340.359342.

[6]

R. C. Merkle, “Secure communications over insecure channels,” Commun. ACM, vol. 21, no. 4, pp. 294–299, Apr. 1978, doi: 10.1145/359460.359473.

[7]

D. E. Knuth, The Art of Computer Programming, vol. 2: Semi–Numerical Algorithms. Pearson Education, 1969.

[8]

D. E. Knuth, The Art of Computer Programming, vol. 3: Sorting and Searching. Pearson Education, 1973.

New Directions in Cryptography

Introduction

Definitions

Cryptosystems

Definitions

Cryptosystems

Definitions

Security

Definitions

Attack models

Challenge

Contributions

Contributions

Definitions

Conventional cryptography

Cryptography goals

Classic cryptographic system

Public key cryptography

Public key cryptography

Public key cryptosystem

Formal definition

Public key distribution system

Groups

Cyclic groups

Discrete logarithm problem

Diffie-Hellman Key Exchange

A ‘public key distribution system’ implementation

DHKE Protocol

One-way authentication

One-way authentication/Digital signatures

One-way functions

Problem interrelations and trap doors

Trap Doors / Trap-Door One-Way Functions

Claims

Claim 1

A cryptosystem secure against a known plaintext attack can produce a one-way function

Claim 2

A public key cryptosystem can create a one-way authentication system

Claim 3

A trap-door cryptosystem can generate a public key distribution system

References

Thank You!