K. W. Yu and Tong Lai Yu

February 1991/Vol.34, No.2/COMMUNICATIONS OF THE ACM

Much has been written about the necessity of processing data in the encrypted form. However, no satisfactory method of processing encrypted data has been published to date. Ahitub et al. [2] have analyzed the possibilities of using some special algorithms to add encrypted data. Rivest et al. [10] have suggested the use of an algorithm based on homomorphic functions for processing encrypted data. The main limitation of this algorithm is that such functions can be broken by solving a set of linear equations, as noted by [2]. The public-key cryptosystem described in [11] can be used to multiply encrypted data but cannot be used to add encrypted data and is therefore not appropriate for some practical applications such as bank transactions. Abadi, Feigenbaum and Kilian [1] presented some general theorems concerning the problem of computing with encrypted data and formulated a framework to prove precise statements about what an encrypted instance hides and reveals; they also described encryption schemes for some well-known functions.

In this article, we explore a way to superimpose data in the encrypted form. Superimposing two sets of numbers means that each set is multiplied by a constant and then both sets are added together to obtain a final sum. That is, if $X$ and $Y$ denote two sets of data, the superposition of the data is given by $Z = rX + sY$ where $r$ and $s$ are constants. Simply adding two sets of data (i.e., $r = s = 1$) or just multiplying a set of data by a constant (i.e., $r$ or $s = 0$) are special cases of superimposing data. On the other hand, superimposing data can be considered as a special kind of data processing.

It has been stated that encrypting data based upon time-reversal transformations is efficient [12]. The idea of the model is to employ a second order (in time) equation to encrypt confidential data; the plaintext can be recovered by reversing the iterating steps. In the next section we review briefly the time-reversal transformation. This will be followed by an exploration of the possibilities of using this idea to superimpose encrypted data. We then present two practical examples to highlight the method, followed by an examination of the code-breaking and homomorphic functions discussed by [2]. We also detail how the model can resist the cryptanalytic attack by data subtraction; the significance of the arbitrary background is stressed.

Time Reversal Transformations

In one dimensional cases, a vector $X$ can be transformed to a new vector $X^*$ by a function (key) $f$ according to an equation in the form

$$x_i(t+1) = f[\{x_i(t)\}] - x_i(t-1) \bmod k. \qquad (1)$$

In equation (1), $x_i$ is the $i$-th element of the vector $X$ and can take on $k$ discrete values; $t$ labels the $t$-th ($t = 0, 1, 2, \ldots$) copy of the sequence $x_i$, namely, $x_i(0), x_i(1), \ldots, x_i(t), \ldots$ The key $f[\{x_i\}]$ which determines the transformed data $X^*$ is a function of $x_i$ and its neighboring elements. The most important property of equation (1) is that it possesses time-reversal symmetry [12]. It can be iterated for an arbitrary number of time steps provided that two initial conditions are given:

$$x_i(0) = b_i, \qquad x_i(1) = p_i, \qquad (2)$$

where $b_i$ can be an arbitrary background (which of course can also be data to be processed) and $p_i$ are the data to be encrypted (i.e., plaintext). If there are $n$ elements in $X$ (e.g., a message with $n$ characters), $i$ ranges from 0 to $n - 1$.

Consider a very simple example. Suppose we allow each $x_i(t)$ to take on values 0, 1, 2 (i.e., $k = 3$) and want to encrypt the message "00012"; in this example, $n = 5$, and $x_0(1) = 0$, $x_1(1) = 0$, $x_2(1) = 0$, $x_3(1) = 1$, $x_4(1) = 2$. Suppose the elements of our background are all 0 (i.e., $x_0(0) = x_1(0) = \ldots = x_4(0) = 0$) and we have arbitrarily picked our function key $f$ as

$$f[\{x_i(t)\}] = 2x_{i-1}^2(t) + 2x_i(t) + x_{i+2}(t).$$

As discussed in [12], cyclic boundary conditions should be employed. That is, the arithmetic on the index $j$ of $x_j(t)$ is done mod $n$; if the value of $j$ is smaller than 0 or larger than $n - 1$, we have to make the transformation $j \to j \bmod n$; in the above example, $x_{-1}(1) = x_4(1)$, $x_6(1) = x_1(1)$, etc. With this cyclic boundary condition, the sequence $x_i(2)$ can then be calculated by

$$x_i(2) = f[\{x_i(1)\}] - x_i(0) \bmod 3.$$

Thus

$$x_0(2) = 2x_{-1}^2(1) + 2x_0(1) + x_2(1) - 0 \bmod 3 = 2,$$

and

$$x_1(2) = 2x_0^2(1) + 2x_1(1) + x_3(1) - 0 \bmod 3 = 1.$$

Similarly, $x_2(2) = 2$, $x_3(2) = 2$, and $x_4(2) = 0$. The next time sequence $x_i(3)$ is obtained by

$$x_i(3) = f[\{x_i(2)\}] - x_i(1) \bmod 3$$

and so on. Decryption is obtained by reversing the steps of iterating equation (1) as it can be expressed in the form

$$x_i(t-1) = f[\{x_i(t)\}] - x_i(t+1) \bmod k.$$

If $m$ specified elements are allowed to be utilized to construct the key $f$, the total possible number of choices of $f$ is $N = k^{k^m}$. For example, if a plaintext consists of 20 characters, each of which is represented by one of the 256 different generalized ASCII codes (i.e., $k = 256$), and 3 specified elements are allowed to be used to construct $f$, there exist $256^{256^3}$ distinct functions. As another example, if a data block contains 64 bits and all of the bits are allowed to be utilized to construct the function, the number of choices of functions is $2^{2^{64}}$. These are truly astronomical numbers and no one can obtain the key by trial-and-error. The properties of the arbitrary background and arbitrary number of iterations enhance the security of the scheme.

Superimposing Data

In the following discussions, we always perform mod $k$ operations, $k$ being the number of states of each element in the plaintext or ciphertext. For convenience of writing, we omit mod $k$ in the equations. Let us consider two vectors $X$ and $Y$ which are encrypted according to the time-reversal-symmetry equations

$$x_i(t+1) = f[\{x_i\}] - x_i(t-1) \quad \text{with initial conditions} \quad x_i(0) = b_i, \; x_i(1) = p_i, \qquad (3a)$$

$$y_i(t+1) = f[\{y_i\}] - y_i(t-1) \quad \text{with initial conditions} \quad y_i(0) = \beta_i, \; y_i(1) = \pi_i. \qquad (3b)$$

Let $Z = rX + sY$ where $r$ and $s$ are arbitrary integers. We have

$$z_i(t+1) = r x_i(t+1) + s y_i(t+1) \qquad (4a)$$

$$\phantom{z_i(t+1)} = r f[\{x_i(t)\}] + s f[\{y_i(t)\}] - (r x_i(t-1) + s y_i(t-1)). \qquad (4b)$$

If $f$ is a linear function of its arguments, it is obvious that equation (4) can be expressed as

$$z_i(t+1) = f[\{z_i(t)\}] - z_i(t-1) \quad \text{with initial conditions} \quad z_i(0) = r x_i(0) + s y_i(0), \; z_i(1) = r x_i(1) + s y_i(1), \qquad (5)$$

so that $z_i$ satisfies the time-reversal transformations with given initial conditions. Equations (4) and (5) imply that we can always superimpose data in the encrypted form and obtain the resultant plaintext by reversing the iterating time-steps provided that the key is a linear function of its arguments. This is basically the principle of superposition which is often used in many fields of physical science (see Discussion section). For example, let us assume that

$P$ = plaintext (confidential data)
$T$ = transaction (to be added to $P$)
$B_P$ = background for $P$
$B_T$ = background for $T$
$C_1$ = ciphertext obtained from $P$ and $B_P$
$C_2$ = ciphertext obtained from $C_1$ and $P$
$T_1$ = transcipher obtained from $T$ and $B_T$
$T_2$ = transcipher obtained from $T_1$ and $T$

$$Z_1 = C_1 + T_1, \qquad Z_2 = C_2 + T_2.$$

The confidential data $Z = P + T$ and the corresponding background $B_Z$ can be obtained from $Z_1$ and $Z_2$ by reversing iterating equation (5). (Sometimes we can use the background $B_Z = B_P + B_T$ as a critical check on the correctness of the calculations.) This concept is depicted clearly in Figure 1.

FIGURE 1. Data is added in the encrypted form; the plain data is obtained by reversing iterating the encrypted sums.

Under the constraint that the key $f$ has to be a linear function of its arguments, the number of choices ($N$) of $f$ has been largely reduced. The total number of distinct keys is $N = k^{L+1}$ where $L$ is the number of elements allowed to be used to construct $f$, and $k$ is the number of states of each element. However, in many applications, $N$ is still large enough to secure the operation. For example, if a plaintext consists of 20 characters, each of which is represented by one of the 256 generalized ASCII codes, the possible number of linear functions that can be constructed is $256^{21}$ ($= 2^{168}$); this is still an astronomical number and the key cannot be broken by trial and error. The arbitrary backgrounds may be used to enhance the security of the system; in this example there exist $256^{20}$ different backgrounds. In practice, the background may be just another plaintext. In case high security is required, one can generate the background by a random number generator; the penalty here is that it will take twice the amount of time to process a fixed amount of data when compared to the case using plaintexts as backgrounds. As another example, the number of linear functions that can be constructed from a block of 64 bits is $2^{65}$ bits; the number is not as large as before but breaking the key now requires tremendous effort.

We will now present two practical examples to illustrate the applications of the model. Interested readers are encouraged to obtain the source code (written in C) and associated figures of these examples from the authors.
Foreign Exchange

The first example we consider is the conversion of U.S. dollars to Japanese yen in units of 100 dollars, assuming that 100 dollars are worth 12,689 yen. The number of U.S. dollars to be converted is confidential, while the exchange rate is known to the public. Two dollar accounts are represented by texts, each of which consists of 14 characters, one being the background of the other. For convenience of discussion and data manipulation, we shift each of the ASCII codes by 48 (ASCII code for '0') so that the character '0' is represented by code 0, '1' by 1 and so on. The key function (arbitrarily picked) that has been used is

$$f[\{x_i\}] = 2x_i + 9x_{i+2} - 17x_{i+9}. \qquad (6)$$

The data is iterated for 10 (an arbitrarily picked number) times. The multiplication of the encrypted data by a constant is just like an ordinary number multiplication which consists of operations multiply, shift and add; consider a simple example of decimal multiplication, say, 34 x 12; we obtain the product in several steps:

1. multiply 34 by 1 to obtain 34;
2. shift-left the product 34 one digit to obtain the partial product 340;
3. multiply 34 by 2 to obtain 68;
4. add the partial products 340 and 68 to obtain the final product 408.

To multiply encrypted data, we do exactly the same thing except that we have to use rotate-left instead of shift-left because cyclic boundary conditions have been used (the shift-left operation would cause the loss of leftmost digits); in the example, the four leftmost digits of the plaintext and background are 0; when an operation "rotate-left" is performed, a '0' is then rotated into the rightmost position; this is equivalent to the "shift-left" operation which introduces a '0' in the rightmost position in the above example of decimal multiplication. We should also note that the encryption operation and digit-rotation commute with each other. In other words, digit-rotation is compatible with the cyclic boundary condition. Therefore, we will obtain the same result whether we perform the encryption first and then rotate, or we rotate the digits and then encrypt. Thus, the multiplication of the encrypted data by 12,689 is performed in several steps:

1. Multiply each digit of the encrypted data by 1 and rotate the product left by four digits.
2. Multiply each digit of the encrypted data by 2 and rotate the product left by three digits.
3. Multiply each digit of the encrypted data by 6 and rotate the product left by two digits.
4. Multiply each digit of the encrypted data by 8 and rotate the product left by one digit.
5. Multiply each digit of the encrypted data by 9.
6. Add the results obtained in steps 1-5; the sum is the encrypted product.

The encrypted product obtained in step 6 can be decrypted by reversing the process of iterating equation (5). Of course, the arithmetic is performed in modulo 256; the adjustment required in order to express the decrypted product in decimal form is straightforward. Here, the sum of the digits of the multiplier 12,689 is 26 which, when multiplied by 9 (the largest decimal digit), will give a value smaller than 256 and thus will not cause overflow. In case the sum is larger than or equal to 29 (which is the smallest integer when multiplied by 9 to obtain a value larger than 256), one has to divide the multiplier into two or more groups of digits; each group will contribute to a sum less than 29; or one can choose a larger value for the number of possible states $k$. For example, if $k$ is chosen to be $2^{16}$ (a 16-bit wordsize), one can have a multiplier that has more than one thousand decimal digits without causing an overflow in the multiplication; such a wide range covers all practical problems.
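The superposition rule of equations (4) and (5) and the rotate-and-add multiplication of the Foreign Exchange example can be run end to end. The Python below is an added example, not the authors' C code: it uses key (6), k = 256 and 10 iterations as stated on the page, while the function names, the zero-padded digit encoding and the sample amounts are assumptions constructed for illustration.

```python
# Added example (not the authors' C code): time-reversal encryption with the
# linear key of equation (6), superposition of ciphertexts, and multiplication
# of a ciphertext by a public decimal constant via rotate-left and add.
K = 256                        # states per element; all arithmetic is mod 256
STEPS = 10                     # iteration count used in the page's examples
KEY6 = {0: 2, 2: 9, 9: -17}    # offset -> coefficient: 2x_i + 9x_{i+2} - 17x_{i+9}


def f(x, key=KEY6):
    """Linear key with cyclic boundary conditions (indices taken mod n).
    It has no constant term, which is what makes r*f(x) + s*f(y) = f(rx + sy)."""
    n = len(x)
    return [sum(c * x[(i + off) % n] for off, c in key.items()) % K
            for i in range(n)]


def encrypt(background, plain, steps=STEPS):
    """Iterate x(t+1) = f[x(t)] - x(t-1) mod K from x(0)=background, x(1)=plain."""
    prev, cur = list(background), list(plain)
    for _ in range(steps):
        prev, cur = cur, [(a - b) % K for a, b in zip(f(cur), prev)]
    return prev, cur           # two consecutive encrypted sequences


def decrypt(ciphertext, steps=STEPS):
    """Iterate x(t-1) = f[x(t)] - x(t+1) mod K back to (background, plain)."""
    cur, nxt = (list(c) for c in ciphertext)
    for _ in range(steps):
        cur, nxt = [(a - b) % K for a, b in zip(f(cur), nxt)], cur
    return cur, nxt


def superimpose(ct_x, ct_y, r, s):
    """Z = rX + sY computed element by element on both ciphertext sequences."""
    return tuple([(r * a + s * b) % K for a, b in zip(cx, cy)]
                 for cx, cy in zip(ct_x, ct_y))


def rotate_left(seq, d):
    """Cyclic rotation; with leading zeros it acts as a decimal shift-left."""
    return seq[d:] + seq[:d]


def times_constant(ct, multiplier):
    """Schoolbook multiplication on ciphertext: scale by each decimal digit,
    rotate left by that digit's place value, and add the partial products."""
    digits = [int(ch) for ch in str(multiplier)]
    result = []
    for seq in ct:
        acc = [0] * len(seq)
        for place, d in enumerate(reversed(digits)):
            partial = rotate_left([(d * v) % K for v in seq], place)
            acc = [(a + b) % K for a, b in zip(acc, partial)]
        result.append(acc)
    return tuple(result)


def encode(amount, width=14):
    """Decimal digits, ASCII codes shifted by 48, left-padded with zeros."""
    return [ord(ch) - 48 for ch in str(amount).zfill(width)]


def to_int(cells):
    """Carry adjustment: cells are un-normalised decimal digits (each < 256)."""
    total = 0
    for c in cells:
        total = total * 10 + c
    return total


if __name__ == "__main__":
    # Constructed sample accounts; one serves as the background of the other.
    dollars, other = 48217, 90355
    ct = encrypt(encode(other), encode(dollars))
    _, yen_cells = decrypt(times_constant(ct, 12689))
    print(to_int(yen_cells), dollars * 12689)

    salary, bonus = 5230000, 41250      # constructed values
    z = superimpose(encrypt(encode(7), encode(salary)),
                    encrypt(encode(11), encode(bonus)), 1, 1)
    print(to_int(decrypt(z)[1]), salary + bonus)
```

The party doing the arithmetic only ever handles the two encrypted sequences; the decrypted background equals rB_P + sB_T, which is the correctness check the article mentions.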
Adding Bonuses to Salaries

In this example, we want to add the bonus earned by each of the employees of a company to his or her annual salary. A plaintext consists of two employees' salaries in dollars; the length of each text is 14 characters (including blanks and decimal digits); data formed from the salaries of two other employees serve as the former's background. Therefore, the data of four employees are processed at the same time. Bonuses have to be added to salaries. The function key that we have used (arbitrarily picked) in encryption and decryption is

$$f[\{x_i\}] = x_{i-3} + 7x_{i+2} + 63x_{i+5}. \qquad (7)$$

Again the data is iterated for 10 times and the ASCII codes are shifted by 48. The data are added together in encrypted form; the sum is decrypted by reversing iterating the encrypted values ten times using the same function shown in (7).

Code Breaking

In order for a model to be used safely to encrypt data, we have to study how or under what conditions it can be broken. Although homomorphic functions are susceptible to code breaking [2], we need them for superimposing encrypted data. As an example, let us consider the following simple case on how the key can be broken by solving a set of linear equations. Consider the case in which the number of states is $k = 4$, and the number of elements utilized to construct the $f$ is $L = 2$. The time-reversal equation becomes

$$x_i(t+1) = f[\{x_i(t)\}] - x_i(t-1) \bmod 4. \qquad (8)$$

Suppose we express $f$ in the form

$$f[\{x_i(t)\}] = f(x_i, x_{i+1}) = a_0 + a_1 x_i + a_2 x_{i+1}. \qquad (9)$$

Since $k = 4$, possible values of $a_0, a_1, a_2 = 0, 1, 2, 3$; there are $k^{L+1} = 4^3 = 64$ such functions. Consider some matrix elements of three successive time steps:

$$\begin{array}{lccccccccl}
x_i(t-1) & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & (10a) \\
x_i(t) & 0 & 1 & 1 & 2 & 0 & 2 & 1 & 3 & (10b) \\
x_i(t+1) & 2 & 0 & 1 & 1 & 3 & 2 & 2 & 3 & (10c)
\end{array}$$

The elements of $x_i(t-1)$ are purposely set to 0 for convenience of discussion. By picking up some elements in (10) and substituting them into equations (8) and (9), we obtain the following simultaneous equations. From $x_1$, $x_2$ and $x_5$ we have

$$2 = a_0 + a_2 \bmod 4. \qquad (11a)$$

$$0 = a_0 + a_1 + a_2 \bmod 4. \qquad (11b)$$

$$3 = a_0 + 2a_2 \bmod 4. \qquad (11c)$$

Solving the simultaneous equations (11), we obtain $a_0 = 1$, $a_1 = 2$ and $a_2 = 1$, and thus the key $f$ is determined. From this example, one can see that code breaking is relatively easy to accomplish by solving a set of simultaneous linear equations of order $L + 1$ if $x_i(t-1)$ is known. Of course, in our model $x_i(t-1)$ is confidential; only two consecutive encrypted texts are known to the public. However, $x_i(t-1)$ can be our plaintext and may be known by other methods. For example, the first plaintext to be sent to a computer user may consist of "Please Login"; or sometimes the plaintext is just the input data of a bank depositor who is manipulating his or her bank account. Therefore, to avoid the guessing of $x_i(t-1)$ correctly, it is advisable to iterate equation (1) several times (note that the total number of iterations performed in the encryption is also confidential). If $x_i(t-1)$ is unknown, the above method is no longer applicable. To make the code breaking difficult, one can choose a reasonably large $k$ and $L$.

Code Breaking by Data Subtraction

One common technique employed by cryptographers to break a cipher key is to subtract one ciphertext from another. We illustrate this technique with an example given by [6]. The Vernam cipher generates a ciphertext bit stream by:

$$c_i = k_i - m_i \bmod 2 \qquad (12)$$

where $M = m_1 m_2 \ldots$ denotes a plaintext bit stream; $K = k_1 k_2 \ldots$ a key bit stream and $C = c_1 c_2 \ldots$ denotes the ciphertext bit stream. (Note that in mod 2 arithmetic, addition and subtraction are equivalent and are both equal to the binary exclusive OR operation.) Suppose another plaintext bit stream $M'$ is enciphered in the same way:

$$c_i' = k_i - m_i' \bmod 2 \qquad (13)$$

By subtracting (13) from (12), we obtain

$$c_i'' = c_i - c_i' = m_i' - m_i \bmod 2 \qquad (14)$$

The stream $C''$ is therefore equivalent to a stream generated by the encipherment of message $M$ with message (key) $M'$ [6] and may be broken if the messages are partially known; the key could then be obtained by $k_i = c_i + m_i \pmod 2$. Our model is safe under this attack for the following reasons. Such a technique when applied to the current model would correspond to subtracting (3b) from (3a):

$$x_i(t+1) - y_i(t+1) = (f[\{x_i(t)\}] - f[\{y_i(t)\}]) + y_i(t-1) - x_i(t-1). \qquad (15)$$

First, the term $(f[\{x_i(t)\}] - f[\{y_i(t)\}])$ in (15) does not vanish in general. Even if it vanishes under some very special cases, unlike the Vernam cipher, $y_i(t-1)$ and $x_i(t-1)$ are not plaintexts as long as several iterations have been performed. Therefore, to secure the code from being broken by data subtraction, it is again better to iterate equation (1) several times to obtain the ciphertexts. From these discussions, we can see the important role played by the arbitrary iterations. The iterations insulate a ciphertext from the corresponding plaintext. This renders the standard code breaking by subtraction technique inapplicable here.

The Arbitrary Background

If one still worries that there may exist some currently unknown method which can break the key by knowing part of the plaintexts, one can further secure the system by making use of the arbitrary background. Each time a plaintext is enciphered, a random background is used. Now each ciphertext consists of some random elements and one cannot obtain the key of something which is random; on the other hand, one cannot decompose the random elements without knowing the key. Thus interception of the ciphertext may not reveal anything new about the plaintext message. We should note that unlike the one-time pad model [6], the receiver does not need to have any knowledge about the random backgrounds in order to decipher the ciphertexts. Thus, the random backgrounds can be generated by any convenient and secure method.

As mentioned by [11], no technique exists to prove an encryption scheme is secure; the only test available is to see whether anyone can think of a way to break it. At the moment, we have not found a simple way to break the model. The security of the model needs to be examined in further detail. Any interested reader is urged to find a way to break the model. If the method can withstand various attacks for a sufficient length of time, it may be used with a certain amount of confidence.
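The key recovery worked through in the Code Breaking section (equations (8) to (11)) can be checked mechanically, along with its two caveats: not every choice of L + 1 columns gives a unique key modulo 4, and without x_i(t-1) the two public sequences do not determine the key. This Python is an added example, not code from the article; the function names are assumptions, and treating the eight tabulated elements as one cyclic sequence for the last column is also an assumption.

```python
# Added example (not from the article): the key recovery of equations (8)-(11)
# carried out on table (10), with k = 4 and f = a0 + a1*x_i + a2*x_{i+1}.
from itertools import product

K = 4
X_PREV = [0, 0, 0, 0, 0, 0, 0, 0]   # x_i(t-1), row (10a)
X_CUR = [0, 1, 1, 2, 0, 2, 1, 3]    # x_i(t),   row (10b)
X_NEXT = [2, 0, 1, 1, 3, 2, 2, 3]   # x_i(t+1), row (10c)


def equation(col):
    """Linear equation contributed by 1-based column `col` of table (10).

    From (8) and (9): a0 + a1*x_i(t) + a2*x_{i+1}(t) = x_i(t+1) + x_i(t-1) mod K.
    Returns ((1, x_i, x_{i+1}), right-hand side). Assumption: the index i+1
    wraps cyclically for the last column.
    """
    i = col - 1
    coeffs = (1, X_CUR[i], X_CUR[(i + 1) % len(X_CUR)])
    return coeffs, (X_NEXT[i] + X_PREV[i]) % K


def candidate_keys(cols):
    """Every (a0, a1, a2) among the k^(L+1) = 64 keys that satisfies the
    equations taken from the given columns."""
    eqs = [equation(c) for c in cols]
    return [key for key in product(range(K), repeat=3)
            if all(sum(a * c for a, c in zip(key, coeffs)) % K == rhs
                   for coeffs, rhs in eqs)]


def implied_previous(key):
    """The x_i(t-1) that `key` would imply from rows (10b) and (10c) alone."""
    a0, a1, a2 = key
    n = len(X_CUR)
    return tuple((a0 + a1 * X_CUR[i] + a2 * X_CUR[(i + 1) % n] - X_NEXT[i]) % K
                 for i in range(n))


if __name__ == "__main__":
    # Columns 1, 2 and 5 are the ones used for (11a)-(11c): a unique key.
    print(candidate_keys([1, 2, 5]))
    # Columns 1, 5 and 6 give a coefficient matrix that is singular mod 4,
    # so three known elements leave two candidate keys.
    print(candidate_keys([1, 5, 6]))
    # With x_i(t-1) unknown, every one of the 64 keys explains the two public
    # sequences, each with its own implied previous sequence.
    print(len({implied_previous(k) for k in product(range(K), repeat=3)}))
```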
Discussions

From these two examples, one can see that superimposing encrypted data based upon time-reversal transformations can be very easily implemented in solving practical problems. Due to the abundant choice of functions, the method may have the potential of acquiring high security; after a certain number of iterations, information from one region diffuses into another region and gets mixed up there. This is similar to the case where none can tell the original distribution of the color from a colored mixture [12]. This property is also the main difference between the current model and many of the traditional encryption models; the current model mixes both time and spatial correlations of the information; this phenomenon may be regarded as diffusion [6]. It makes discerning meaningful patterns from ciphertexts a complicated and difficult process; the phenomenon also makes it difficult to obtain significant information of the plaintexts by analysing the symbol occurrence frequency of the ciphertexts.

The fact that two ciphertexts can be superimposed while each retains its original pattern is analogous to the superposition of waves. The music produced by a piano, when superimposed with the sound produced by a singer, forms a wave; our ears are capable of resolving the components. When several laser beams of different colors meet, a new color is formed at the intersecting region; yet when they pass through each other, the original color of each beam is preserved. The coincidence of the similarities between the superposition of the encrypted data and the waves is not surprising when one recognizes that a traveling wave $W(x,t)$ is described by the following equation:

$$\partial^2 W/\partial t^2 = c^2 \, \partial^2 W/\partial x^2 \qquad (16)$$

where $c$ = velocity of light. Upon discretizing equation (16) with $W \to x$, $x \to i$, $t \to t$, one can immediately see that the resulting discretized equation is in exactly the same form as the encryption equation (1). (In this example, $f[\{x_i\}] = c^2(x_{i+1} + x_{i-1}) + 2(1 - c^2)x_i$.) It is well known that any linear combination of the solutions to (16) is also a solution to (16).

The work presented here does not contradict the general theorems about encrypted-data computation discussed by [1]. Abadi et al. showed that if a function $g(x)$ is computable in the expected polynomial time, then $g(x)$ is encryptable hiding $x$. That is, one can always find an encryption scheme for which one cannot infer anything about $x$ when it is processed in encrypted form, provided the "data-processing" is computable in expected polynomial time. In our model, the $g(x)$ involves only simple multiplication and addition (i.e., superimposing data) which is computable in expected polynomial time. Hence it is reasonable that a safe encryption scheme exists.

The scheme presented here may be particularly useful in banking security. Most bank transactions only involve numerical addition and multiplication. While a banking system wants to protect its security from individuals, an individual also wants to protect his or her own interest from the bank [5]. If a customer's account is processed in encrypted form, it is possible to hide certain desired information from the bank [1, 3, 4, 5].

In closing, we would like to mention that the model presented can be further analyzed with algebraic techniques. To perform theoretical analysis, it may be better to analyse the model in Galois Fields, say, GF($2^8$); some properties related to the model have been obtained by Martin et al. [8].

Conclusions

We have discussed the possibilities of applying time-reversal transformations to superimpose data in encrypted forms; it turns out that the method is simple and straightforward to implement. The abundance of choice of the keys, the arbitrary number of iterations and the property of arbitrary backgrounds may make the operations safe. Two practical examples have been presented to highlight the model. The presentation here may shed light on the study of processing encrypted data.

References

1. Abadi, M., Feigenbaum, J., and Kilian, J. On hiding information from an oracle. J. Comput. Syst. Sci. 39 (1989), 21-50.
2. Ahitub, N., Lapid, Y., and Neumann, S. Processing encrypted data. Commun. ACM 30, 9 (Sept. 1987), 777.
3. Bennett, C.H., Brassard, G., and Robert, J. Privacy amplification by public discussion. SIAM J. Comput. 17 (Apr. 1988), 210-229.
4. Brassard, G., Chaum, D., and Crepeau, C. Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37 (1988), 156-189.
5. Chaum, D. Security without identification: Transaction systems to make Big Brother obsolete. Commun. ACM 28 (Oct. 1985), 1030-1044.
6. Denning, D.E. Cryptography and Data Security. Addison-Wesley, Reading, Mass. 1983.
7. Denning, D.E., and Denning, P.J. Data security. ACM Comput. Surv. 11, 3 (Sept. 1979), 227.
8. Martin, O., Odlyzko, A.M., and Wolfram, S. Algebraic properties of cellular automata. Commun. Math. Phys. 93 (1984), 219-258.
9. Popek, G.J., and Kline, C.S. Encryption and secure computer networks. ACM Comput. Surv. 11, 4 (Dec. 1979), 331.
10. Rivest, R.L., Adleman, L., and Dertouzos, M.L. On data banks and privacy homomorphisms. In Foundations of Secure Computations, R.A. DeMillo, D.P. Dobkin, A.K. Jones, and R.J. Lipton, Eds., Academic Press, N.Y., 1978, 169-179.
11. Rivest, R.L., Shamir, A., and Adleman, L. A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21 (Feb. 1978), 120-126.
12. Yu, K.W., and Yu, T.L. Data encryption based upon time reversal transformations. Comput. J. 32, 3 (June 1989), 241-245.

CR Categories and Subject Descriptors: E.3 [Data]: Data Encryption--data encryption standard (DES); public key cryptosystems

General Terms: Algorithms, Security

Additional Key Words and Phrases: Bank transactions, cryptography, data security, privacy, time-reversal transformations.

About the Authors

K.W. YU is a lecturer in the Department of Applied Physics at Hong Kong Polytechnic, Hung Hom, Kowloon, Hong Kong. His research concentrates on information science, computational physics and condensed matter physics. Author's Present Address: Department of Physics, The Chinese University of Hong Kong, Shatin, Hong Kong, China.

TONG LAI YU is an assistant professor of Computer Science at California State, San Bernardino and a technical consultant to Ah Shui Neurocomputing Inc. His current research interests include neural network theories and applications, parallel computing, pattern recognition, speech processing, data encoding, computer hardware education and Chinese language processing. Author's Present Address: Department of Computer Science, California State University, 5500 University Parkway, San Bernardino, CA 92407. ptongyu@calstate

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

© 1991 ACM 0002-0782/90/200-048 $1.50