style="font-size:15px;"> Imagine we're back in ancient Rome, that Anthony wants to send a secret to Brutus, and the only communications channel available is an untrustworthy courier (say, a slave belonging to Caesar). Anthony can take the message, put it in a box, padlock it, and get the courier to take it to Brutus. Brutus could then put his own padlock on it too, and have it taken back to Anthony. He in turn would remove his padlock, and have it taken back to Brutus, who would now at last open it.
Exactly the same can be done using a suitable encryption function that commutes, that is, has the property that . Alice can take the message and encrypt it with her key to get which she sends to Bob. Bob encrypts it again with his key getting . But the commutativity property means that this is just , so Alice can decrypt it using her key getting . She sends this to Bob and he can decrypt it with , finally recovering the message .
How can a suitable commutative encryption be implemented? The one-time pad does indeed commute, but is not suitable here. Suppose Alice chooses a random key and sends Bob while Bob returns and Alice finally sends him , then an attacker can simply exclusive-or these three messages together; as = 0 for all , the two values of and both cancel out, leaving the plaintext .
The discrete logarithm problem comes to the rescue. If the discrete log problem based on a primitive root modulo is hard, then we can use discrete exponentiation as our encryption function. For example, Alice encodes her message as the primitive root , chooses a random number , calculates modulo and sends it, together with , to Bob. Bob likewise chooses a random number and forms modulo p, which he passes back to Alice. Alice can now remove her exponentiation: using Fermat's theorem, she calculates and sends it to Bob. Bob can now remove his exponentiation, too, and so finally gets hold of . The security of this scheme depends on the difficulty of the discrete logarithm problem. In practice, it can be tricky to encode a message as a primitive root; but there's a simpler way to achieve the same effect.
5.7.2.2 Diffie-Hellman key establishment
The first public-key encryption scheme to be published, by Whitfield Diffie and Martin Hellman in 1976, has a fixed primitive root and uses modulo as the key to a shared-key encryption system. The values and can be the private keys of the two parties.
Let's walk through this. The prime and generator are common to all users. Alice chooses a secret random number , calculates and publishes it opposite her name in the company phone book. Bob does the same, choosing a random number and publishing . In order to communicate with Bob, Alice fetches from the phone book, forms which is just , and uses this to encrypt the message to Bob. On receiving it, Bob looks up Alice's public key and forms which is also equal to , so he can decrypt her message.
style="font-size:15px;"> Imagine we're back in ancient Rome, that Anthony wants to send a secret to Brutus, and the only communications channel available is an untrustworthy courier (say, a slave belonging to Caesar). Anthony can take the message, put it in a box, padlock it, and get the courier to take it to Brutus. Brutus could then put his own padlock on it too, and have it taken back to Anthony. He in turn would remove his padlock, and have it taken back to Brutus, who would now at last open it.
