Partial Encryption/Decryption

By combining the capability of this invention to store information in the ciphertext during the
process of encryption with dynamical system composition, we arrive at a very powerful method
to be called partial encryption/decryption. Nearly any prior-art encryption process can be
composed with another prior-art encryption process to act on a message to produce a
doubly-encrypted message . An entity in possession of the decryption method
corresponding to the encryption process , but not the decryption method corresponding to
the encryption process can act on the doubly-encrypted message to recover .
However, since does not possess , it gains no information by doing so. If in the same
situation and are encryption methods designed according to this invention, by contrast, then
by applying to the doubly-encrypted message, A recovers information which was stored during
encryption with with . can still not read the message since it remains encrypted, but may
have gained information useful for the further processing of the singly-encrypted message
. Thus has partially decrypted the doubly-encrypted message .

Partial encryption enables information of different levels of security and/or destined for different
uses to be encrypted into the same ciphertext. This property has many applications. Here three
such applications will be described.

Authorization

Assume that two users A and B share a secret key and wish to communicate with each other
over a computer network composed of many nodes. Since even the address to which a message
is being sent may need to be securely protected, they do not want any unauthorized nodes to be
able to communicate their messages, though many nodes may be able to intercept their message.
There should be no node that can actually read the message. To authorize a node to send a
message from A to B, A gives another key to the node, N. To each key, , there is a
corresponding encryption method which involves application some number of times of the
dynamical system described by . To send a message to B, A first encrypts with and then
with . During encryption with , A inserts B's address in the dynamical I/O. Any node
other than the authorized node which intercepts the ciphertext will not know where the message
is to be sent. The authorized node, however, can apply to extract the address (by not the
message itself) and can then direct the message encrypted under to B.
Multi-Key Authorization

While the authorization task discussed above required the use of but two keys, other
authorization applications employing the same method of partial encryption/decryption may
require the use of many keys. As an example, let us assume that a firm distributes a data base
composed of records each encrypted under a key and then another key
. A buyer of the data base receives the key , but not the other keys . By
applying to any record in the data base, the buyer can decrypt some general descriptive
information about the record, a price, and a record identification number. If the buyer decides
that he is willing to pay the firm the price indicated in order to obtain the full information in the
record, he can send the appropriate fee along with the record identification number to the firm,
which will then furnish the key needed to fully decrypt the record.

Authentication

One way in which a private-key cryptographic system, such as the present invention, can be used
for authentication has been described by Merkel (R.C. Merkel, Protocols for Public-Key
Cryptosystems, (1980 Symp. on Security and Privacy, IEEE Computer Society, 1980) ). In
Merkel's scheme, Two users A and B communicate signed messages to each other using a trusted
third party S. S is an authentication server. For instance, A could be the holder of a bank-
machine card, B the bank issuing the card, and S a company under contract to authenticate back
machine usage. Each user A and B shares a secret key, and with S. To send an
authenticated message, M, to B, A encrypts M under and sends the ciphertext to B. B, in
turn, sends the ciphertext to S. S decrypts M with , re-encrypts M with and sends the
new ciphertext to B, who is finally able to decrypt it. The message is considered to be
authenticated since S is trusted by both A and B to be the only party capable of encrypting and
decrypting with both and . B cannot even read the message unless S has vouched for
its authenticity. One of the problems with this scheme is that the trust in S must be absolute. That
is, S is trusted with handling and not revealing to others plaintext generated by both A and B. In
Merkel's scheme S could forge either A's or B's signature on plaintext of its choosing.

Two-Key Authentication
A student is applying for a grant from a government agency. He needs a letter of
recommendation from a professor at a different college. The student is responsible for
transmitting the message to the granting agency, and verifying that it did indeed come from said
professor. Only the granting agency, and not the student should not be able to read the letter of
recommendation. All transmission of information is to be via insecure electronic mail.

This problem is handled as follows. Two keys are required, one is used only for authentication,
the other only for secrecy. The student and the professor share the authentication key and
the professor and the granting agency share the secrecy key . The professor sends his letter
to the student encrypted first with and then with . During encryption with , the
professor signs the letter by placing information identifying himself to the student in the
dynamical input, and then sends the doubly-encrypted letter to the student. The student partially
decrypts with the letter, satisfies himself that the message did indeed come from the
professor. He the sends the singly encrypted message to the granting agency, which fully
decrypts it using .

Three-Key Authentication.

These problems can be solved by a variant of the secure computer mail system described above.
In the computer mail system, only the sender of a message had to communicate a secret key to an
intermediary, in this authentication scheme, both A and B share a secret key with the
intermediary. Assume now that users A and B share a secret key with each other, and, in
addition, A shares a secret key with the intermediary S, and B shares a secret key with
the intermediary S. is used only for secrecy of communication between A and B, and and
are used only for authentication of the communication between A and B. This works as
follows. To send an authenticated message M to B, A encrypts first with , and then with
. During encryption with , A inserts authentication information into the dynamical I/O. A
sends the doubly-encrypted message to B. B cannot decrypt the message since
B is not in possession of . To authenticate the message B sends the ciphertext it has received,
, to S. S applies to recover the authentication information in the dynamical
I/O. S is then left with the ciphertext which it cannot read, since it is not in possession
of . S then encrypts with to produce . Advantageously, S can
insert information into the dynamical I/O during this encryption attesting its authentication of the
message. S then sends to B, who is able to decrypt both S's attestation, and A's
message.
Three-Key Authentication with Registration and Electronic Receipts.

User A, a client of the US bank B, travels to foreign country and while there can only
communicate with the bank B via an insecure bank machine.

There is a server S in the US who purpose is to 1) validate A's signature in his absence, 2) issue
communication receipts to both communicating parties, 3) maintain a log of communication
which will be legal evidence should either party sue concerning their communication, and 4)
issue electronic receipts to be used by a judge in settling disputes between A and B regarding
their communication.

Key Exchange: Before leaving on the trip: A and B share secret key K, A and S share and B
and S share .