ABSTRACT

A previously unrecognized class of secure communications problems arose in the late 1960’s in the design of systems to verify international compliance with treaties limiting arms production or testing. Since that time several other problems of the same generic type have arisen, such as the IAEA (International Atomic Energy Agency) RECOVER system that monitors worldwide power reactors to control fissile materials. In all of these applications a collection of sensors is to be emplaced in a physically secure, but unattended, installation to collect data that would with high confidence reveal noncompliance with the terms of a treaty or licensing agreement. This data must then be transmitted to the monitor (receiver) over a public communications channel. In some instances this “channel” may simply consist of the periodic delivery by the host for the sensor emplacement of recordings of data purportedly taken by the monitor’s sensors, while in others it may be a conventional communications link such as a land line, a microwave link, a COMSAT channel, etc. From the viewpoint of the monitor, an opponent, usually assumed to be the host for the sensor emplacement but possibly a third party desiring to undermine the treaty arrangements, may either modify incriminating messages to innocuous ones or else introduce spurious incriminating messages to mislead the monitor into erroneously reporting violations. This latter tactic is especially significant when only a negotiated, but limited, number of on-site verification inspections are permitted the monitor. Obviously (again from the monitor’s viewpoint), the probability of having either an altered or counterfeit message be accepted as authentic can be made as small as desired by block encrypting the data from the sensors along with a sufficient number of message identifiers, such as time, date, message number, etc., prior to transmission.
This is accomplished, however, at the expense of concealing the content of the message from the host. Such secrecy is generally intolerable to the host (and perhaps to third parties) since the monitor could then cheat on the terms of the agreement by transmitting information concealed in the cipher other than that agreed to. In other words, for such a system to be acceptable, the plaintext message consisting of the output of the sensors as well as the identifying information must be legible to the host at least — and perhaps to specified third parties. Conversely, for the system to be acceptable to the monitor this exposure of the message content should not increase the probability of an opponent, whether the host or a third party, having either a modified or substitute message be accepted as authentic.
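The scheme the abstract describes (block encrypting sensor data together with message identifiers) can be sketched as follows; this is an added example, not code from the paper. The 4-round Feistel cipher built from HMAC-SHA256 is an assumed toy stand-in for the unspecified block cipher, and the field layout, function names, key and sample reading are all constructed.

```python
import hashlib
import hmac
import struct

ROUNDS, HALF = 4, 16  # toy 32-byte block cipher (an assumption): two 16-byte halves

def _f(key, rnd, half):
    # Round function: HMAC-SHA256 over round number and half, cut to 16 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def seal(key, station, msg_no, timestamp, reading):
    # Identifiers (station, message number, time) share the block with the data.
    if len(reading) != HALF:
        raise ValueError("reading must be exactly 16 bytes")
    header = struct.pack(">4sIQ", station, msg_no, timestamp)
    return encrypt_block(key, header + reading)

def verify(key, cipher, station, expected_msg_no):
    # Accept only if the decrypted identifiers are the ones the monitor expects.
    plain = decrypt_block(key, cipher)
    expected = struct.pack(">4sI", station, expected_msg_no)
    if not hmac.compare_digest(plain[:8], expected):
        return None
    (timestamp,) = struct.unpack(">Q", plain[8:16])
    return timestamp, plain[16:]

def count_accepted_bit_flips(key, cipher, station, msg_no):
    # Flip each ciphertext bit in turn and count how many altered blocks pass.
    accepted = 0
    for i in range(len(cipher) * 8):
        forged = bytearray(cipher)
        forged[i // 8] ^= 1 << (i % 8)
        accepted += verify(key, bytes(forged), station, msg_no) is not None
    return accepted

# Constructed sample values.
KEY = b"constructed-demo-key"
READING = b"seismic:00042.7 "  # 16 bytes
CIPHER = seal(KEY, b"ST07", 1501, 1_000_000, READING)
```

With 64 bits of checked identifiers, a block the opponent alters or invents passes with probability about 2^-64 under an ideal cipher, yet the reading never appears in the transmitted block, which is exactly the secrecy the host cannot accept.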