By combining the capability of this invention to store information in the ciphertext during the process of encryption with dynamical system composition, we arrive at a very powerful method to be called partial encryption/decryption. Nearly any prior-art encryption process can be composed with another prior-art encryption process to act on a message to produce a doubly-encrypted message . An entity in possession of the decryption method corresponding to the encryption process , but not the decryption method corresponding to the encryption process , can act on the doubly-encrypted message to recover . However, since does not possess , it gains no information by doing so. If in the same situation and are encryption methods designed according to this invention, by contrast, then by applying to the doubly-encrypted message, A recovers information which was stored during encryption with . can still not read the message since it remains encrypted, but may have gained information useful for the further processing of the singly-encrypted message . Thus has partially decrypted the doubly-encrypted message .
Partial encryption enables information of different levels of security and/or destined for different uses to be encrypted into the same ciphertext. This property has many applications. Here three such applications will be described.
Assume that two users A and B share a secret key and wish to communicate with each other over a computer network composed of many nodes. Since even the address to which a message is being sent may need to be securely protected, they do not want any unauthorized nodes to be able to communicate their messages, though many nodes may be able to intercept their message. There should be no node that can actually read the message. To authorize a node to send a message from A to B, A gives another key to the node, N. To each key , there is a corresponding encryption method which involves applying, some number of times, the dynamical system described by . To send a message to B, A first encrypts with and then with . During encryption with , A inserts B's address in the dynamical I/O. Any node other than the authorized node which intercepts the ciphertext will not know where the message is to be sent. The authorized node, however, can apply to extract the address (but not the message itself) and can then direct the message encrypted under to B.

While the authorization task discussed above required the use of but two keys, other authorization applications employing the same method of partial encryption/decryption may require the use of many keys. As an example, let us assume that a firm distributes a database composed of records each encrypted under a key and then another key . A buyer of the database receives the key , but not the other keys . By applying to any record in the database, the buyer can decrypt some general descriptive information about the record, a price, and a record identification number. If the buyer decides that he is willing to pay the firm the price indicated in order to obtain the full information in the record, he can send the appropriate fee along with the record identification number to the firm, which will then furnish the key needed to fully decrypt the record.
One way in which a private-key cryptographic system, such as the present invention, can be used for authentication has been described by Merkle (R.C. Merkle, Protocols for Public-Key Cryptosystems, 1980 Symp. on Security and Privacy, IEEE Computer Society, 1980). In Merkle's scheme, two users A and B communicate signed messages to each other using a trusted third party S. S is an authentication server. For instance, A could be the holder of a bank-machine card, B the bank issuing the card, and S a company under contract to authenticate bank machine usage. Each user A and B shares a secret key, and , with S. To send an authenticated message, M, to B, A encrypts M under and sends the ciphertext to B. B, in turn, sends the ciphertext to S. S decrypts M with , re-encrypts M with , and sends the new ciphertext to B, who is finally able to decrypt it. The message is considered to be authenticated since S is trusted by both A and B to be the only party capable of encrypting and decrypting with both and . B cannot even read the message unless S has vouched for its authenticity. One of the problems with this scheme is that the trust in S must be absolute. That is, S is trusted with handling and not revealing to others plaintext generated by both A and B. In Merkle's scheme S could forge either A's or B's signature on plaintext of its choosing.
A student is applying for a grant from a government agency. He needs a letter of recommendation from a professor at a different college. The student is responsible for transmitting the letter to the granting agency and for verifying that it did indeed come from said professor. Only the granting agency, and not the student, should be able to read the letter of recommendation. All transmission of information is to be via insecure electronic mail.
This problem is handled as follows. Two keys are required: one is used only for authentication, the other only for secrecy. The student and the professor share the authentication key , and the professor and the granting agency share the secrecy key . The professor encrypts his letter first with and then with . During encryption with , the professor signs the letter by placing information identifying himself to the student in the dynamical input, and then sends the doubly-encrypted letter to the student. The student partially decrypts the letter with and satisfies himself that the message did indeed come from the professor. He then sends the singly-encrypted message to the granting agency, which fully decrypts it using .
These problems can be solved by a variant of the secure computer mail system described above. In the computer mail system, only the sender of a message had to communicate a secret key to an intermediary; in this authentication scheme, both A and B share a secret key with the intermediary.
Assume now that users A and B share a secret key with each other, and, in addition, A shares a secret key with the intermediary S, and B shares a secret key with the intermediary S. is used only for secrecy of communication between A and B, and and are used only for authentication of the communication between A and B. This works as follows. To send an authenticated message M to B, A encrypts first with , and then with . During encryption with , A inserts authentication information into the dynamical I/O. A sends the doubly-encrypted message to B. B cannot decrypt the message since B is not in possession of . To authenticate the message, B sends the ciphertext it has received, , to S. S applies to recover the authentication information in the dynamical I/O. S is then left with the ciphertext , which it cannot read, since it is not in possession of . S then encrypts with to produce . Advantageously, S can insert information into the dynamical I/O during this encryption attesting its authentication of the message. S then sends to B, who is able to decrypt both S's attestation and A's message.
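The three-party exchange just described, built on the layered "information stored in the ciphertext" mechanism of the first passage, as an added example that is not part of the patent. The patent's dynamical-system cipher is swapped for an HMAC-SHA256 counter-mode keystream plus a MAC (a stand-in, not the invention); the frame layout, the side-info field that models the dynamical I/O, and the key names k_ab, k_as, k_bs are assumptions, and all keys and the message are constructed demo values.

```python
import hashlib, hmac, os, struct

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for the patent's dynamical-system cipher.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_layer(key, payload, side_info):
    # One layer. side_info models the dynamical I/O. Frame = nonce || tag || enc(len || side_info || payload).
    nonce = os.urandom(16)
    body = struct.pack(">H", len(side_info)) + side_info + payload
    ct = bytes(x ^ y for x, y in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))
    return nonce + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest() + ct

def decrypt_layer(key, frame):
    # Peel one layer: the key holder learns side_info and the next layer, nothing deeper.
    nonce, tag, ct = frame[:16], frame[16:48], frame[48:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("frame was not produced under this key")
    body = bytes(x ^ y for x, y in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    n = struct.unpack(">H", body[:2])[0]
    return body[2:2 + n], body[2 + n:]

def a_sends(k_ab, k_as, message, auth_info):
    # A: secrecy layer under K_AB, then authentication layer under K_AS carrying A's identity.
    return encrypt_layer(k_as, encrypt_layer(k_ab, message, b""), auth_info)

def s_authenticates(k_as, k_bs, frame):
    # S: partial decryption. Peels only the K_AS layer, recovers the stored authentication
    # information, and re-wraps the still-encrypted message under K_BS with its attestation.
    auth_info, inner = decrypt_layer(k_as, frame)
    return encrypt_layer(k_bs, inner, b"S vouches for: " + auth_info), inner

def b_reads(k_bs, k_ab, frame):
    # B: peels S's layer (attestation), then A's secrecy layer (the message).
    attestation, inner = decrypt_layer(k_bs, frame)
    return attestation, decrypt_layer(k_ab, inner)[1]

def run_protocol():
    k_ab, k_as, k_bs = b"A" * 32, b"S" * 32, b"T" * 32  # constructed demo keys
    frame = a_sends(k_ab, k_as, b"transfer 100", b"A")
    reframed, seen_by_s = s_authenticates(k_as, k_bs, frame)
    attestation, message = b_reads(k_bs, k_ab, reframed)
    return seen_by_s, attestation, message
```

Because the outer layer of A's frame is under k_as, B cannot open it directly (decrypt_layer with k_ab fails its MAC check), and S's view is only the still-encrypted inner frame.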

User A, a client of the US bank B, travels to a foreign country and while there can only communicate with the bank B via an insecure bank machine.
There is a server S in the US whose purpose is to 1) validate A's signature in his absence, 2) issue communication receipts to both communicating parties, 3) maintain a log of communication which will be legal evidence should either party sue concerning their communication, and 4) issue electronic receipts to be used by a judge in settling disputes between A and B regarding their communication.
Key Exchange: Before leaving on the trip, A and B share a secret key K, A and S share , and B and S share .
