problem means only that its solution is hard in the worst case. We don't know how to construct one graph in which there is a Hamiltonian circuit but it is hard to find. It is a natural idea to try to generate the graph by random selection. If we choose it randomly from among all $n$-point graphs then it can be shown that in it, with large probability, it is easy to find a Hamiltonian circuit. If we choose a random one among all $n$-point graphs with $m$ edges then the situation is similar both with too large $m$ and with too small $m$. The case $m = n \log n$ at least seems hard. In some cases, one can show that certain randomized constructions yield instances of NP-hard problems that are hard with high probability (in the sense that if one could solve a random instance in polynomial time with non-negligible probability, then we could solve all instances in randomized polynomial time). These studies are beyond the scope of this book.

10.3 Public-key cryptography

In this section, we describe a system that improves on the methods of classical cryptography in several points. Let us note first of all that the system intends to serve primarily civil rather than military goals. For using electronic mail, in particular, if we use it for electronic commerce, we must recreate some tools of traditional correspondence like envelope, signature, company letterhead, etc.

The system has $N \ge 2$ participants. Every participant has a public key $e_i$ (she will publish it e.g. in a phone-book-like directory) and a secret key $d_i$ known to herself only. There is, further, a publicly known encoding/decoding function that computes from every message $x$ and (secret or public) key $e$ a message $f(x, e)$. (The message $x$ and its code must come from some easily specifiable set $H$; this can be e.g. $\{0,1\}^n$ but can also be the set of residue classes modulo $m$. We assume that the message itself contains the names of the sender and receiver also in “human language”.) For every $x \in H$ and every $i$ with $1 \le i \le N$, we must have

$f(f(x, e_i), d_i) = f(f(x, d_i), e_i) = x.$ (10.1)

If participant $i$ wants to send a message to $j$ then she sends the message $y = f(f(x, d_i), e_j)$ instead. From this, $j$ can compute the original message by the formula $x = f(f(y, d_j), e_i)$.

For this system to be usable, trivially it must satisfy

(C1) $f(x, e_i)$ can be computed efficiently from $x$ and $e_i$.

The security of the system will be guaranteed by

(C2) $f(x, d_i)$ cannot be computed efficiently even in the knowledge of $x$, $e_i$ and an arbitrary

By “efficient”, we mean polynomial time, but the system makes sense under other resource bounds too. A function $f$ with the above properties will be called a trapdoor function.

Condition (C1) guarantees that if participant $i$ sends a message to participant $j$ then she can encode it in polynomial time and the addressee can decode it in polynomial time. Condition (C2) can be interpreted to say that if somebody encoded a message $x$ with the public key of a participant $i$ and then she lost the original then no coalition of the participants can restore the original (efficiently) if $i$ is not among them. This condition provides the “security” of the system. It implies, besides the classical requirement, a number of other security conditions.

10.3.1 Only $j$ can decode a message addressed to $j$.

Proof. Assume that a band $k_1, \dots, k_r$ of unauthorized participants finds the message $f(f(x, d_i), e_j)$, and knows even who sent it to whom. Suppose that they can compute $x$ efficiently from this. Then $k_1, \dots, k_r$ and $i$ together could compute $x$ also from $f(x, e_j)$. Let, namely, $z = f(x, e_i)$; then $k_1, \dots, k_r$ and $i$ know the message $f(x, e_j) = f(f(z, d_i), e_j)$ and thus, using the method of $k_1, \dots, k_r$, can compute $z$. But from this, they can compute $x$ by the formula $x = f(z, d_i)$, which contradicts condition (C2). □

The following can be verified by similar reasoning:

10.3.2 Nobody can forge a message in the name of $i$, i.e. participant $j$ receiving a message that he can successfully decode using the public key of $i$ (and his own private key), can be sure that the message could have been sent only by $i$.

10.3.3 $j$ can prove to a third person (e.g. in a court of justice) that $i$ has sent the given message; in the process, the secret elements of the system (the keys $d_i$) need not be revealed.

10.3.4 $j$ cannot change the message (and have it accepted e.g. in a court as coming from $i$) or send it in the name of $i$ to somebody else.
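The following is an added example, not code from the book: it runs the scheme of this section end to end (the exchange $y = f(f(x, d_i), e_j)$, $x = f(f(y, d_j), e_i)$ from above, and the checks behind 10.3.1, 10.3.2 and 10.3.3). Everything about the concrete function is an assumption of the example, not of the text: $H$ is taken to be the residue classes modulo one shared $m = pq$ with two small known primes, and $f(x, e) = x^e \bmod m$, with each participant's $d_i$ chosen so that $e_i d_i \equiv 1 \pmod{\mathrm{lcm}(p-1, q-1)}$, which is what makes (10.1) hold. A single modulus shared by everybody and primes this small serve only to keep the illustration short; they are not how a deployed system would be parametrized. The sender-name check in `receive` is the text's assumption that every message carries the names of sender and receiver in human language.

```python
# Added example (not from the text): the abstract public-key scheme of the
# section, instantiated with a toy trapdoor function.  Assumptions of this
# example: H = residue classes modulo a single shared M = P*Q, and
# f(x, e) = x^e mod M with e_i * d_i = 1 (mod lcm(P-1, Q-1)).
from math import gcd

# Constructed toy parameters: the Mersenne primes 2^31-1 and 2^61-1, far too
# small for real use, and shared by all participants only for illustration.
P, Q = 2**31 - 1, 2**61 - 1
M = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(P-1, Q-1)

PUBLIC = {}   # name -> e_i, the "phone-book" directory
SECRET = {}   # name -> d_i; kept here only so the example is self-contained


def f(x, key):
    """The public encoding/decoding function f(x, e) = x^e mod M."""
    return pow(x, key, M)


def add_participant(name, e):
    """Publish e_i and derive the matching secret d_i for this toy f."""
    if gcd(e, LAM) != 1:
        raise ValueError("public exponent must be coprime to lcm(P-1, Q-1)")
    PUBLIC[name] = e
    SECRET[name] = pow(e, -1, LAM)   # modular inverse (Python 3.8+)


def check_10_1(x, name):
    """Condition (10.1): f(f(x, e_i), d_i) = f(f(x, d_i), e_i) = x."""
    e, d = PUBLIC[name], SECRET[name]
    return f(f(x, e), d) == x and f(f(x, d), e) == x


def to_int(msg):
    """Map a byte string into H; messages longer than M are outside H."""
    x = int.from_bytes(msg, "big")
    if x >= M:
        raise ValueError("message must be smaller than M to lie in H")
    return x


def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def send(sender, receiver, msg):
    """Participant i sends y = f(f(x, d_i), e_j) instead of x."""
    x = to_int(msg)
    return f(f(x, SECRET[sender]), PUBLIC[receiver])


def receive(receiver, claimed_sender, y):
    """j recovers x = f(f(y, d_j), e_i) and checks the sender name the message
    carries; None means it cannot have come from the claimed sender (10.3.2),
    or that the receiver is not the addressee (10.3.1)."""
    x = f(f(y, SECRET[receiver]), PUBLIC[claimed_sender])
    msg = to_bytes(x)
    return msg if msg.startswith(claimed_sender.encode() + b"->") else None


def proof_of_origin(receiver, claimed_sender, y):
    """10.3.3: j discloses z = f(y, d_j) = f(x, d_i) and x to a third party.
    Neither d_j nor d_i leaves its owner."""
    z = f(y, SECRET[receiver])
    return z, to_bytes(f(z, PUBLIC[claimed_sender]))


def court_accepts(sender, z, msg):
    """A third party checks the claim with the public key of i only."""
    return (msg.startswith(sender.encode() + b"->")
            and f(z, PUBLIC[sender]) == to_int(msg))


# Three participants; the exponents are constructed values coprime to LAM.
add_participant("i", 17)
add_participant("j", 65537)
add_participant("k", 257)

if __name__ == "__main__":
    x = b"i->j: pay 5"                     # constructed message, 11 bytes < M
    y = send("i", "j", x)
    print("j decodes:", receive("j", "i", y))
    print("k decodes:", receive("k", "i", y))           # None: not addressee
    print("forged by k:", receive("j", "i", send("k", "j", x)))   # None
    z, m = proof_of_origin("j", "i", y)
    print("court accepts:", court_accepts("i", z, m))
```

`receive` by an outsider `k` and the forgery attempt both fail because the exponents do not cancel: $y^{d_k e_i}$ and $x^{d_k e_i}$ are not $x$, so the decoded residue does not even carry the expected sender name. In `proof_of_origin`, the value handed to the court is $f(x, d_i)$, which anyone can check against $x$ with the public $e_i$; no $d$ is revealed, as 10.3.3 requires.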

It is not at all clear, of course, whether trapdoor functions exist. Several such functions have been proposed (many of the proposed systems turned out insecure later on—the corresponding complexity conditions were not true). In the next subsection, we describe one such system that is one of the earliest, and is most widely used (and of course, to our current knowledge, is secure).