Merkle's Puzzles - Everything2.com

Ralph Merkle is best known today for his research and development in nanotechnology; one must only scan his list of published papers to see his enthusiasm for what has long been a mainstay of modern science fiction, but is every day coming closer to realization. Perhaps with more scientists like Merkle, we can see this astounding technology reach fruition in our lifetimes; but this is not about molecular manufacturing, this is about, of all things, cryptography.

Ralph's webpage mentions that one of his main interests outside of nanotech is cryptography, including digital signatures and one-way hash functions. Considering that his invention of the self-titled "Merkle's Puzzles" in 1974 laid the groundwork for public key cryptography and, thus, infinitely more secure forms of digitally signing documents and secure communication, it seems at least a little bit ironic that he would only label his interest as a "hobby." If cryptography is just something he does in his spare time, we should be seeing nanites in active use any minute now.

The importance of Merkle's Puzzles lies in the fact that it gave birth to one of modern crypto's most astounding and important breakthroughs: public key cryptography. It was the subject of his term paper, titled "Secure Communication Over Insecure Channels," for a course in computer security that he took at UC Berkeley in his senior year for an undergraduate degree in computer science. His professor could not make heads or tails of it, and Merkle ended up dropping the class. So much for his genius, but what I find funnier is that the Puzzle system is so inefficient and, surprisingly, insecure that it would have been considered almost unusable even then, before the advent of DES.

The system works like this: Assume that Alice and Bob are the two participants in the protocol and Eve is the eavesdropper, an outside party initiating a passive attack¹.

Alice and Bob agree on a symmetric algorithm².
Alice generates a large number (over a million, at least) number of messages of the form, "This is my index, X, and my puzzle is Y." Each of the messages is encrypted with a 20-bit key.
Alice sends all the encrypted messages to Bob.
Bob picks a random message and brute forces it to get the key.
Bob sends the plaintext X and Y to Alice.
Bob and Alice happily communicate using the 20-bit key.

It is not impossible for Eve to recover the key that Alice and Bob are now using, it will just take much longer for her to find. (Actually, except for one time pads, there are no impossible ciphers, there are only ones that require ludicrous amounts of time and computing power to break.) Whereas Bob only has to brute force one message, Eve has to brute force all of them. The plaintext X and Y that Bob sends back does Eve no good, and she presumably does not know the exact layout of the message; even if she did, it would still be a chosen-ciphertext attack³ to over a million messages because she'd only have one message in cleartext. Considering the fact that the key has to be short to make this protocol even vaguely efficient, cracking a million messages does not take too much time. Let's look at some examples:

Assume there are 2²⁰ (about a million) messages, it takes 2²⁰ operations to get the key, and a computer can perform 2²⁰ operations per second. Bob takes 1 second to recover the key to a message. Eve takes 12 days.
Now make that 2³⁰ (about a billion) messages. Bob still only takes a second to get the key, and it will take Eve 34 years.

The problem with the Puzzles is that increasing the complexity also vastly increases the inefficiency. 2²⁰ messages is probably the most realistic amount that would be generated, as even that much encrypted data would take a long time to transmit over a fast connection. That would mean Eve could have the key within 12 days (Remember, she is trying random keys and could easily accidentally stumble upon the right key for the right message on the first try.), which is extremely insecure by most standards. Increasing the length of the key would make Bob's life harder, too. Merkle's Puzzles is ingenious, but just not worth implementing.

The professor never understood Merkle's paper, but it obviously made its way around and most likely ended up in the hands of Whitfield Diffie and Martin Hellman, the two people credited with creating public key cryptography. This kind of cryptography is usually used to encrypt a session key⁴ to use with a symmetric algorithm; this idea of encrypting a session key was first introduced in the Puzzles.

Some of the terms I use are, surprisingly, not noded yet; at least, I can't find them. To make this more understandable, I will be defining some of the terms here.

¹In cryptography, when someone listens in on the exchanges between two or more parties to gather information, but does not actively disrupt the protocol. Eavesdropping.
²An algorithm that uses the same key to encrypt and decrypt a message. Think of it as a locked box: You have one key, and you use it to put things in the box and take them out. Compare to public key cryptography.
³Using a large number of encrypted messages and trying to obtain the key (and possible the algorithm) used to encrypt them.
⁴A key for a symmetric algorithm that is only used for one conversation. This is like using the locked box described above, but every time you put something in and take something out, you throw away the key and recore the lock.

Sources:
Applied Cryptography by Bruce Schneier: ISBN 0-471-11709-9
http://www.merkle.com

Everything2 Crypto Project	Mother Hitton's Littul Kittons	public key cryptography	Ralph Merkle
One Time Pad	digital signature	Riddle of the blue eyes	The Bizaar Riddle
Whitfield Diffie	Applied Cryptography	brute force	Cryptography
nanite	The Solution to the Fox Chicken Grain Riddle	Mi-24 Hind	Illumination riddle: Wheel
Difficult Riddle	plaintext	symmetric encryption	cipher
key	Cryptology	encrypt	algorithm