PROTOCOLS FOR PUBUC KEY CRYPTOSYSTEMS
Ralph C. Merkle
ELXSi International
......
Sunnyvale, Ca.
ing both
Abstract
New cryptographic
take
full
protocols
Several
protocols
public key distribution and for
signatures
are
briefly
and
conventional
The reader is assumed to
which
liar
advantage of the unique pro-
evolving.
key
systems.
perties of public key cryptosystems
now
public
are
lic key cryptosystems, as
for
[1,10].
described
For many of the following
we
with
assume
there
called A and B, and an
ternative.
and
examples
opponent
attempt
systems
are
.
mining cryptographic protocols
distribution
for
and
tempt
key
A will
to
A and
functions
NSF
Grant
work was
ISL.
ENG
done
10173,
at
under
way
University
Inc,
fixed
where
been
B
A~s
B
will
at-
signature to a new
will need to apply one
function
to CACM.
122
have
a
one
F which can be applied to
any
size output.
[2,9,13,19].
submitted
way
to various arguments of vari-
discussion of
much of the work reported here was done.
An extended version has
Some-
attempt to evade a con-
forge
arguments of
The author would also like to ack-
nowledge the support of BNR
will
contracts.
ous sizes, so we assume we
and much of the
Stanford
E
contract.
and digital signatures us-
This work was partially supported
forge
tract he signed with B, or
briefly considered by exa-
A
to discover the keys, learn the
secrets,
times,
E.
will attempt to send secret mes-
B
sages and sign contracts, while
The special strengths of public key
in
are two communicants,
each other and with the conventional al-
1. Introduction
fami-
with the general ideas behind pub-
dig~tal
compared
be
one
size
and
produce
a
For a more complete
way
functions,
see
t,
i
p
The major drawback of this protocol
2. Centralized Key Distribution
is its vulnerability to both centralized
loss of security and centralized loss of
Centralized key distribution
conventional
encryption
of
bribery of personnel at the central site
handling
will compromise all users of the system.
key distribution in a mUlti-user network
Similarly, .destruction
environment before the discovery of pub-
keys
lic key distribution methods.
mechanism for all users.
Only con-
ventional encryption functions
used,
which
lic
need
(Presently known
systems
seems
almost
discovery of more efficient
ones
all
and
key
and
all
but
other system users somehow
must
the
previously
and
B
further
agreed
can
then
on
using
central keys.
communicate
with
the
only
functions.
improved
The
user
keys can be
This approach is
simple
conventional
and
used
solve
key distribution problem: some sort
between
A
tablish the original keys.
no
used
each user and the center to esThis problem
is nontrivial because no electronic communications can be used and
is
if
master
of key distribution method must be
the
assistance from the key distri-
This protocol
will
This protocol does not fully
the
bution center.
quires
be
center.
(encrypted)
by IBM (23).
a central key distribution center.
mon (session) key to A and B
center
still be stored securely (and
with
B,
Destruction
user keys are encrypted with a
stored anywhere.
key distribution center will send a com-
inexpensive
physical methods, e.g., registered mail,
re-
offer only moderate security.
encryption
of
Its use has been defended in
couriers
is
reasonably
although more expensive.
the literature [17,18,20].
I
I
the
deposit a conventional cryptographic key
If A wishes to communicate with
centers,
suitable provision made for its backup),
In centralized key distribution, A,
B,
more
single
master key by the
prob-
able.)
t,
!,
or
security can also
key
inevitable,
of
not affect the other centers.
I
Discovery of new public
reliability
key distribution can be in-
or compromise of a
Whether or not this will continue is not
now known.
central
distribution
each with its own keys [1].
systems.
cryptographic
the
key
and
creased by using two
pub-
key systems are less efficient than
conventional
security
centralized
of
the
destroys
The
be
presently offers a perfor-
mance advantage.
t
1
Theft of the central keys, or
was
functions
the only reasonable method
function.
using
123
The
use
secure,
The disadvantage of
is
3. Simple Public Key Distribution
this
protocol
that E might actively interfere with
the exchange of keys.
Worse yet, E
can
force a known k on both A and B.
This is the most basic
of
application
public key systems [1,5,6,7,8].
Its
purpose is to allow A and B to agree
a
on
4. Authenticated Public Key Distribution
common key k without any prior secret
arrangements, even
all messages.
though
E
overhears
A randomly computes enci-
The now classic
phering and deciphering keys EA and
secure
and
between A and B is:
DA,
B picks the
sends EA to B (and E).
protocol
[1]
for
and authenticated communications
A and B generate EA
random key, k, and transmits EA(k) to
A
and EB and make them public, while keep-
(and
A
ing DA and DB secret.
E).
A computes DA(EA(k»
= k.
The public
enci-
then discards both EA and DA, and B discards EA. The key in future communica-
phering keys of all users are entered in
tions is k.
all
ticated access to EX for any user,
a conventional
If A and B wish to agree on a
further
It is used to
messages
using
encryption function.
finished
talking,
If they later
the
process
new key
Once A and B have
the
a
a
great
before
finished.
x.
com-
k, then each sends a (session)
others
public
key.
it
with
The two keys
thus agreed on are combined and used
to
encrypt further messages.
deal
to
simple,
and
At the end of this protocol, A and
recommend
it.
B have agreed on a common key, k, which
secret
materials
is both secret and authenticated.
A and B start communicat-
ing, and nothing is retained after
have
the
k~.
First, no keys and no
exist
o~
key
key to the other by enqrypting
conversation
repeated to agree
This protocol is very
has
mon
they both discard k.
resume
is
encrypt
a public file, allowing easy and authen-
This
they
protocol
weaknesses.
It is impossible for E
suffers
from
two
First, entries in the pub-
lic file might be altered.
This can
be
to compromise any keys either before the
dealt with both by good physical securi-
conversation takes place, or after it is
ty, or by using new protocols (see
over, for the keys exist only during the
tions
conversation.
entries in the public file.
124
5
and
sec-
6) for authenticating the
p
ECA can be published in
and
Second, secret deciphering keys can
be
magazines, and sent over all avail-
able
This problem must ultimately
lost.
newspapers
communication
channels:
blocking
its correct reception would be yery dif-
be solved by good physical security.
ficult.
If DCA is compromised, then
no
5. Public Key Distribution with Certifi-
it
is
longer. possible to authenticate the
users of the system and their public enciphering
keys.
The
certificates are
now worthless because the (unauthorized)
person
Kohnfelder [3] first suggested that
entries
who
has learned DCA can produce
false certificates at will.
in the public file be authenti-
cated by having a Central Authority (CA)
sign
them
with
He
DCA.
called such
signed entries certificates.
The protocol with
I
\
t
the
is
Au-
thentication
entries
in
each
other~s
col
assures
other~s
B
can
now
check
the
Key distribution with
the public file by checking
certificates.
This
can be compromised, resulting in
A and B that each has the
public enciphering key, and
public
certificates
was vulnerable to the criticism that DCA
proto-
wide loss of authentication.
not
system
This prob-
lem can be solved by using tree
enciphering key of some im-
authen-
tication [13].
poster.
Again, this
The security of this protocol rests
protocol
attempts
to
on the assumptions that the secret deci-
authenticate entries in the public file.
phering keys of A, B, and
However, instead of signing
been
compromised~
correct copies
signed
of
that
ECA
certificates);
not issued
deliberately
a
bad
CA
have
A and
(to
and
B
have
check
the
it
in
entire
trustworthy, or accidentally because
public
entry
file, this protocol ap-
public
file.
Even though H is
applied to the entire public
either
was
the
each
plies a one way hash function, H, to the
that CA has
certificate,
because
not
output
un-
long.
it
.....
called
was tricked.
125
..
~
same as the authenticated protocol,
except that A and
the
6. Public Key Distribution with
certificates
of
H
is
only
file,
the
100 or 200 bits
The (small) output of H will
be
the root, R, of the public file.
..
If all users .of the
all
know R,
syst~m
then
users can authenticate the correct-
ness of the (whole) public file by
puting
R
= H(public
to introduce
file
will
file).
changes
imply
into
Where F is a one way function.
com-
If A wishes to confirm
Any attempt
enciphering
the
the
public
R ; H(altered public
the
eliminates
bits long.
possibility of compromising DCA be-
the
harsh
glare
of
the
public
A can compute H(public file)
file.
of public
In a similar fashion,
scrutiny, and because making alterations
really
in the public file is effectively impos-
half of the public file, for
sible after it
has
..'
high
degree
of
been
published,
assurance
that
it is
it
is
possible
publi~
The essence of tree
to
authenticate
file
by
en-
All A needs to know is the first quarter
of
public file (which has YB), and
H(second quarter of public file).
using
the
Y
= public
file
the
By applying this concept recursive-
authentication
ly,
A can confirm YB in the public file
knowing only R, 1092 n intermediate
entire public
file by Rdivide and conquer.- If we
fine
de-
values,
and YB itself. The information
needed to authenticate YB, given :hat R
= Yl ,
Y2 ,
Yn'
(so the ith entry in the public file is
has
denoted Yi' and B#s entry is YB); we can
along the path from
define H(public file)
= H(!)
already
been
authenticated,
to YB and will
called the authentication path.
as:
R
These definitions
H(!) = F( H(first half of !),
H(second half of
=
to
Merkle#s -tree authentication,- [13].
is
all of the first
H(second quarter of public file)
in the public file without having
to know the whole
know
not
F( H(first quarter of public file),
selectively authenticate individual
tries
to
H(first half of public file)
This method is impractical as statFortunately,
need
A does
a
correct can be attained.
ed.
file,
only knew half the entries in the public
Because the public file wi.ll be subto
then A need only know
knowing only this information, and yet A
cause no secret deciphering key exists.
jected
half
public
(which is where YB appears) and H(second
half of public file) which is only 100
file), an easily detected fact.
This method effectively
first
key,
B#s
are
lies
be
illustrated
in figure 1, which shows the authentica-
!) )
tion path for Ys .
126
----------------------------The
For a more detailed discussion
the
has
user
is
method
protocol
compromise DA or OS.
A
an authentication path which can be
A user's
of
is
to
security
thus dependent on himself and no one
else.
used to authenticate user A's public enciphering
practical
this
compromising
reader is referred to [13].
Using tree authentication,
only
key, provided only that R has
already been authenticated.
An "authen7. Digital Signatures
tication path" is a new form of certificate, with ECA replaced by R.
This protocol can only be
comprom-
The use of public key cryptosystems
if: DA or Os is compromised, or if
ised
R is not correctly known by A or
S,
to
or
gested
if there is a false and misleading entry
gested
The latter two are
easily
detect-
been
tocol with any other legitimate user who
will
pidly
detected.
In
users
concerned
with
simple
each
user
the
file
is
both
be
ra-
a
few
correctness
can
practice,
properties,
appears
users
can
examining
suggested
share several
common.
by
b ased
Lamport
the
on methods
and Diffie
whether
based
of
These
common
the
properties
in
properties
are
f ollowing
now
classic example.
i.e.,
A wishes to place a purchase
with
indivi-
his
stock
broker
S.
order
A, on the
Riviera, cannot send a written order
then verify that their
rest
important
best illustrated by
S
own entry is correct, and need not bother
tech'
nlques
implementation.
tic computations, or on other techniques
once and once
only in the entire public file;
dual
attractive
public key cryptosystems, on probabilis-
public file satisfies
global
name
[1] •
on conventional encryption functions, on
public
false or misleading entries can
some
Hellman
Digital signatures,
open to public scrutiny and unalterable,
that
and
[l,24}, Rabin [15}, and Merkle (13).
be
quickly detected.
verify
Diffie
other than public key cryp t osystems have
they will be unable to complete the pro-
has the correct R, a fact that
an
Signature
If either A or S has the wrong R,
Secause the
by
digital signatures was sug-
Rivest, Shamir and Adleman [8) have sug-
in the public file.
able.
provide
in
New York in time.
All that A can
quickly send to S is information,
the public
a
file.
sequence
l.e.,
.
of bits, but S is concerned
that A may later disclaim the order.
127
to
A
must somehow generate a sequence of bits
(a digital signature)
vince
whlch
will
disputes
con-
understand
B (and if need be a judge) that A
authorized the order.
It must
be
than
A)
to
generate
it
(to
Failure
to
this point has led to confu-
sion in the literature [17,20].
easy
We now
for B to validate the digital signature,
but impossible for him (or anyone
different.
~
turn
to
specific
digital
signature protocols.
other
prevent
charges that B was dabbling in the market illegally with
A~s
8.
money).
~
Conventional Signature Protocol
There are digital signature schemes
which
do
not
tosystems but it will be convenient
tationally
to
let
a
signature
relies
no-
will
on the observation that if A and
B trust some central authority
A sign message m by
computing the signature, DA(m).
ing
A conventional ftsignature W protocol
involve public key cryp-
if
Check-
an
illegible
municating with CA, then A can "sign n
then be done by
invalid.
This
notation
is
a
by sending it to CA and
to
adjudicate
disputes.
This approach is defended by some [17].
as
This protocol
somewhat
misleading because the actual method
simply
relying on CA
message (random
bits) then the signature is rejected
and
A and B have a secure method of com-
message
produces
CA,
weaknesses
of
is
subject
to
the
of centralized key distribu-
tion (described earlier).
generating and validating signatures can
be very different from this model; it is
retained
because it is widely known"and
because we will not discuss the
ences
differ-
among different digital signature
methods, only their common properties.
Digital signature protocols are naturally
parts:
a
method of signing messages used by A,
a
method
divided
for
three
method
for
resolving
used by the judge.
It is im-
portant to note that two protocols
differ
9.
only
The first public key based
signature
that
protocol
having A sign
in the method of resolving
DA(m)
128
m
The Basic Digital Signature Protocol
authenticating °a signature
used by B, and a
disputes,
into
and
[1],
message
digital
proceeded
m by
by
computing
giving it to B as the signed
1
°
pi
message.
B (or
a
judge)
m,
thus
can
been confused with each other
compute
confirming
correctness of the signed message.
key digital signature protocol has actu-
A is
held responsible for a signed message if
ally
and only if it can be verified by apply-
failed to consider the first protocol at
ing A's public enciphering key to it.
all.
This
protocol
on
[16,17,20]
public file
with.
can
two
have
of
been
tampered
authenticating
key
distribution
the
and
signed
message.
I
should
be
For this reason, some
this
and
made
that
A will
The major
be
second
difference
A's signing key is compromised.
physical
problem
be left holding the bag if
Clear-
condition is unlikely before he will
this
be
willing to use this protocol.
is to alter the dispute resolu10.
tion protocol so
that
responsible
his
for
secret deciphering
A is
not
signature
key
is
held
The Time-Stamp Protocol
if his
compromised
A protocol that would
and made public.
report
The fact that altering the
messages signed after the reported
di&pute
yet
protocol has not been fully appreciated,
of signatures made before
and
loss
preceding
two
allow
protocols have
129
A to
loss or theft of DA and disclaim
resolution procedure creates a different
the
proto-
ly, B must be given assurances that this
security for DA• The loss to A if DA is
compromised can be substantial.
A different method of solving
B will
in the second
if he can
good
the
protocol and the first is in the
division of risk:
only
between
col
very
know
the case.
agree to this digital signature protocol
provide
not
easy to design a system in which this is
public.
can sign any message they desire
It seems clear
protocol
DA, then he is unable to disavow his
signature under this protocol.
It is
his secret deciphering
compromised
the
is inadequate.
protocols, solve this
with A's compromised D , and A will
A
held responsible.
1
disavow
If we assume that A does
recourse
Anyone
effectively
critics have argued that
under
A second criticism is that A has no
I
of this second protocol, and
public
problem.
key
been
If we.assume that A knows DA, then
under the second protocol A can make DA
criticized
grounds: First, the
might
Methods
be
public file, discussed previously
it
this
Some criticism of "the" public
reason.
the
for
loss
force A to acknowledge the validity
must
the
reported
involve the concept of time.
We introduce
time
protocol
using time-keepers who can
by
into
digitally time-stamp
to
them.
have
We
agreed
following
information
been dealt with fairly.
The major disadvantage of this pro-
given
tocol,
assume that both A and B
on
time-keepers
the
a
whose
set
of
tal signature protocol, is the
acceptable
a
accepted in dispute resolution.
lost,
then
DA
been
answering
queries
responsible
about
the
increases
for
bility.
current
If
expense
this role is played by the
i.e.,
thority,
CA.
CA
will
sign
the
au-
messages
is
B
time-stamp
central
in
real
These requirements force the use
status of D , i.e., has it been lost or
A
not.
For simplicity, we shall assume
t
presumably
of a communications network, which
he must report this fact to
some agent who will be
validity-check,
time.
has
require-
ment that B obtain both a time-stamp and
time-stamps will be
If A can report that
as compared with the basic digi-
both
and decreases relia-
willing
to
obtain
the
and the validity-check after
transaction
within
a
completed,
has
been
few
days, an off-line
system can be used.
This modified
pro-
stating that A's secret deciphering
key
tocol
has
the
fail-soft protocol during communications
not
been
current
compromised
These
time.
as
signed
of
messages
outages,
will be called "validity-checks."
message
keeper
time
A
B
stamp
then
has
used
by B either as a
or as the standard protocol if
Off-line operation is
m by computing DA(m) and
sending it to B.
be
communication costs are too high.
In the time stamp protocol, user
signs
could
a
more
time-
the
A might
loss
of
have
DA
recently
and
about
has already been reported lost B rejects
secret
the signature, otherwise he accepts.
risk should be minimal.
holds
that
a
resolution,
the
applying
physical
deciphering
keys
security
for
is good, this
judge
checked
11.
A's public enciphering key
AND it has been
time-stamped
any reported loss of DA•
This protocol provides
assurance
If
message has been validly
signed if and only if it can be
by
it.
reported
B would not know
tains a validity-check from CA.
In dispute
ahd
reliable, but it exposes B to some
risk:
the message and ob-
cheaper
prior
Witnessed Digital Signatures
to
If the value of
very
good
high
to all parties that they have
enough,
it
a
transaction
is
might be desirable to
have a witness physically confirm that A
130
signed message m.
The witness, W, would
vious solution is for updates to be
di-
compute DW("I, W, physically saw A agree
gitally signed by an appropriate network
to
administrator,
and
sign message m.n).
necessary for A and B to
It would be
agree
in
ad-
risk.
B~s
the
nodes
to
ecuting them.
The primary advantage of this
is that it reduces
for
check the digital signature prior to ex-
vance on acceptable witnesses.
tocol
and
pro-
This
The
another
example
leads
ap~lication
of
naturally
to
digital signa-
primary disadvantage is that it forces A
tures in operating system
to
major risk to the security of an operat-
find
a (physically present) witness
to confirm the transaction.
ing system is the possibility
system
code
Digital Signature Applications
it
was
executing
door into the operating system that lets
them
do anything they please.
against this possibility, the
all
applications
of
digital
system
To guard
operating
could refuse to execute any code
signatures involve contracts between two
in privileged mode unless that code
potentially disputing parties.
been
signatures
are
the
yesterday: someone might have put a trap
~
Involving Dispute
Not
that
A
that it is executing today
is not the same that
12.
security.
Digital
also an ideal method of
properly
signed.
had
Carried to its
logical conclusion, the operating system
broadcasting authenticated messages from
would
a central source which must be confirmed
privileged programs each time they
by many separate recipients, or
loaded into central memory If this check
edly
repeat-
confirmed by the same recipient at
different times to insure that the
is
mes-
be
application
physically
digital
signature of
were
would
for any software changes
The
incapable
machine
would
be
of executing code
was
signed.
would be clearly undesir-
If privileged programs are digital-
able for any node to start executing the
ly
wrong
nally wrote them, as well as by
software.
it
in privileged mode unless that code
to individual nodes of a .communications
It
impossible
to subvert it.
the distribution of network software
network.
the
were implemented in hardware,
sage has not been modified.
One example of such an
check
On the other hand, it
signed
by the programmer who origivarious
is very desirable to send updates to the
supervisory
nodes
is physically unable to execute unsigned
over the network itself.
The ob-
131
levels, and if the computer.
15.
code in privileged mode, then it is possible to have
the
complete
privileged
assurance
since
course,
mean
that
secure,
been
1.
modi-
this
the
but
the
does
W.,
and
Hellman,
M.
New
IEEE Trans.
on Inform. IT-22, 6(Nov. 1976), 644-654.
programmer.
is
2.
Evans A., Kantrowitz, W., and Weiss,
does eliminate a major
E.
A user authentication system not re-
system
quiring secrecy in the computer.
class of worries.
Comm.
ACM 17, 8(Aug. 1974),437-442.
3.
13.
Conclusions
Kohnfelder, L.M. Towards a practical
cryptosystem.
public-key
number of cryptographic protocols.
4.
Cer-
Lipton, S.M., and Matyas, S.M.
ing
sible;
safeguarded.
what
EE
a
tainly, these are not the only ones poshowever, they are valuable tools
to the system designer:
MIT
thesis.
Bachelor~s
This paper has briefly described
the
digital
signature
Mak-
legal--and
Data Communications
(Feb.
1978), 41-52.
they illustrate
can be achieved and provide feasi-
ble solutions to problems
of
5.
recur$ing
McEliece, R.J.
based
tosystem
interest.
Further constructive work
in
theory.
this
A public-key
on
and Feb. 1978), 42-44.
14.
6.
ACKNOWLEDGEMENTS
over
au-
algebraic
crypcoding
DSN Progress Report, JPL, (Jan.
area is very much needed.
It is a great pleasure for the
Merkle,
R.
Insecure
Secure
Communications
Channels.
Comm. ACM 21,
4(Apr. 1978), 294-299.
thor to acknowledge the pleasant and informative conversations he had with
Dov
7.
Raynold
Kahn
Loren
Merkle, R., and Hellman, M.
information
Andelman, Whitfield Diffie, Martin Hellman,
I
:1
I
not necessarily
operating
it
Diffie,
directions in cryptography.
they were given there final
checkout and signed by
Of
that
programs running on the
computer Tight now have not
fied
BIBLIOGRAPHY
Kohnfelder,
knapsacks.
and
signatures in trapdoor
IEEE Trans. on
24, 5(Sept. 1978), 525-530.
Frank Olken, and Justin Reyneri.
132
Hiding
Inform.
IT-
•
8.
man,
Rives t, R.L ., Shamir, A., a nd
L.
16 .
Ad l e -
Sa lt ze r, J. On Digital
Signatures,
private communication .
A method f or obtaining digital
sig natur es and public - key cryptosystems.
17.
Comm . ACM 21 , 2 (Feb . 1978) , 120-1 26 .
Popek G.J. and Klin e , C . S.
tion
9.
Wilkes, M. V. , Time- Sharing
Protocols ,
Encryp-
Public Key Algori thms,
and Digital Sig natur es in Computer
Computer
Net-
works ; in Foundations of Secu r e Computa-
Systems . El sev i e r, New York, 1972.
tion pp . 133-153 .
10 .
Diffie ,
W.,
and
Hellman ,
M.E. ,
Privacy and authenticat i o n: an introduc -
18.
tion to cryptography, Proc e edings of the
US ing
IEEE
Needham R. M.
Encryptio n
Schroeder,
M.D .
for Authenticatio n in
Large Networks o f Comput ers .
Vo l. 67, No.3, Ma r . 1979 pp . 397 -
CACM 21,12
Dec . 1978 pp . 993 - 999 .
42 7.
11. Squires, J.
pho ne s,
Russ
Ch ic ago
U. S,
19 .
Me r kl e , R. Secrecy, authentication ,
pp. 123, J u ne
a nd
public key sys tems .
monitor
Tribune
of
S tanford El ec .
Eng . Ph . D. Thesis , ISL SEL 79 - 017 , 1979.
25, 1975.
12. Davi s , R. Remedies sought to
20 .
defeat
Popek , G. J ., and Klin e ,
Soviet eavesdropping on microwave links,
crypt ion
Microwave Syst ., vo l. 8 , no. 6 , pp .
Computing Surveys
1 7-
and
C.S.
En-
Secure Compu ter networks.
11 ,4
Dec.
1979
pp.
331- 356 .
20, Ju ne 1978.
13.
a nd
Merkle , R.C.
A
certified
2 1.
digi tal
Simmons, G.J . Symmetric
me tric
signatur e, to appear, CACM.
Encryption .
and
Computing
AsymSurveys
11,4 Dec. 1979 pp . 305-3 30.
14.
Kahn,
D.
The
Code br eake rs,
New
22.
York: Macmillan. 1967 .
Lamport , L. Time, clocks,
and
the
o rdering of eve nts in a distributed sys 15.
Rab in,
M.O. ,
Digitalized
t ern.
5ig na-
tures, in Foundation s o f Secure Computati on , ed . DemilIo ,
R. A.,
et.
a].
pp.
155-166.
133
CACM 21,7 Jul 1978 pp . 558 - 565.
23.
Ehrsam, W.F., Matyas, S.M.,
C.H., and Tuchma~ W.L.
key management scheme
the
Meyer,
A cryptographic
for
implementing
data encryption standard.
IBM sys.
Jour. 17,2 1978 pp. 106-125.
24. Lamport,
L.,
Constructing
digital
signatures from a one way function.
SRI
Int1. CSL - 98
no.
1
134