*** Welcome to piglix ***

Massey-Omura cryptosystem


In cryptography, a three-pass protocol for sending messages is a framework which allows one party to securely send a message to a second party without the need to exchange or distribute encryption keys. Such message protocols should not be confused with various other algorithms which use 3 passes for authentication.

It is called a three-pass protocol because the sender and the receiver exchange three encrypted messages. The first three-pass protocol was developed by Adi Shamir circa 1980, and is described in more detail in a later section. The basic concept of the Three-Pass Protocol is that each party has a private encryption key and a private decryption key. The two parties use their keys independently, first to encrypt the message, and then to decrypt the message.

The protocol uses an encryption function E and a decryption function D. The encryption function uses an encryption key e to change a plaintext message m into an encrypted message, or ciphertext, E(e,m). Corresponding to each encryption key e there is a decryption key d which allows the message to be recovered using the decryption function, D(d,E(e,m))=m. Sometimes the encryption function and decryption function are the same.

In order for the encryption function and decryption function to be suitable for the Three-Pass Protocol they must have the property that for any message m, any encryption key e with corresponding decryption key d and any independent encryption key k,  D(d,E(k,E(e,m))) = E(k,m). In other words, it must be possible to remove the first encryption with the key e even though a second encryption with the key k has been performed. This will always be possible with a commutative encryption. A commutative encryption is an encryption that is order-independent, i.e. it satisfies E(a,E(b,m))=E(b,E(a,m)) for all encryption keys a and b and all messages m. Commutative encryptions satisfy D(d,E(k,E(e,m))) = D(d,E(e,E(k,m))) = E(k,m).

The Three-Pass Protocol works as follows:

The receiver can now decrypt the message using the key q, namely D(q,E(r,m))=m the original message.

Notice that all of the operations involving the sender's private keys s and t are performed by the sender, and all of the operations involving the receiver's private keys r and q are performed by the receiver, so that neither party needs to know the other party's keys.


...
Wikipedia

...