A KEY DISTRIBUTION PARADOX

The so called, Rabin ''paradox'' is a proof that a given signature system, which is secure under ciphertext only attack is insecure under chosen message attack. The construction that is used to prove the first clause is also used to prove the second. For several years it was believed to be inherent to public key signature systems. A similar problem existed for public key cryptosystems (under chosen ciphertext attack). Trap-door functions were inherent in the construction of the ''paradox.'' In 1984 Goldwasser, Micali and Rivest constructively showed that one can overcome the ''paradox.'' Naor and Yung (1989) resolved the similar problem for public key cryptosystems. Both solution actually solve two problems. They resolve the ''paradox,'' with the strictest definition of security (for a cryptosystem it amounts to the demand that for a given cryptogram c and two messages m0, m1 it should be infeasible to decide whether c resulted from mo or mi with probability significantly greater than half). Both solutions are very complicated. We show that a similar ''paradox'' exists for many key distribution systems, even if non-trapdoor one way functions are used (like in the Diffie-Hellman variations). Using the simple basic definition of security (given the messages exchanged during the protocol it should be impossible to find the resulting session key in probabilistic polynomial time) we show a simple and practical key distribution system which is provably free of the paradox.