PROTOCOLS FOR PUBLIC KEY CRYPTOSYSTEMS

Ralph C. Merkle
ELXSi International
Sunnyvale, Ca.

Abstract

New cryptographic protocols which take full advantage of the unique properties of public key cryptosystems are now evolving. Several protocols for public key distribution and for digital signatures are briefly compared with each other and with the conventional alternative.

1. Introduction

The special strengths of public key systems are briefly considered by examining cryptographic protocols for key distribution and digital signatures using both public key and conventional systems. The reader is assumed to be familiar with the general ideas behind public key cryptosystems, as described in [1,10].

For many of the following examples we assume there are two communicants, called A and B, and an opponent E. A and B will attempt to send secret messages and sign contracts, while E will attempt to discover the keys, learn the secrets, and forge contracts. Sometimes, A will attempt to evade a contract he signed with B, or B will attempt to forge A's signature to a new contract.

A and B will need to apply one way functions to various arguments of various sizes, so we assume we have a one way function F which can be applied to arguments of any size and produce a fixed size output. For a more complete discussion of one way functions, see [2,9,13,19].

This work was partially supported under NSF Grant ENG 10173, and much of the work was done at Stanford University ISL. The author would also like to acknowledge the support of BNR Inc, where much of the work reported here was done. An extended version has been submitted to CACM.

CH1522-2C/80/0000-0122$00.75 © 1980 IEEE
2. Centralized Key Distribution

Centralized key distribution using conventional encryption functions was the only reasonable method of handling key distribution in a multi-user network environment before the discovery of public key distribution methods. Only conventional encryption functions need be used, which presently offers a performance advantage. (Presently known public key systems are less efficient than conventional cryptographic systems. Whether or not this will continue is not now known. Discovery of new public key systems seems almost inevitable, and discovery of more efficient ones probable.)

In centralized key distribution, A, B, and all other system users somehow deposit a conventional cryptographic key with a central key distribution center. If A wishes to communicate with B, the key distribution center will send a common (session) key to A and B using the previously agreed on central keys. A and B can then communicate with no further assistance from the key distribution center. This protocol is simple and requires only conventional encryption functions. Its use has been defended in the literature [17,18,20].

The major drawback of this protocol is its vulnerability to both centralized loss of security and centralized loss of function. Theft of the central keys, or bribery of personnel at the central site will compromise all users of the system. Similarly, destruction of the central keys destroys the key distribution mechanism for all users.

The security and reliability of centralized key distribution can be increased by using two or more centers, each with its own keys [1]. Destruction or compromise of a single center will not affect the other centers.

Security can also be improved if all the user keys are encrypted with a master key by the center. The master key must still be stored securely (and suitable provision made for its backup), but the (encrypted) user keys can be stored anywhere. This approach is used by IBM [23].

This protocol does not fully solve the key distribution problem: some sort of key distribution method must be used between each user and the center to establish the original keys. This problem is nontrivial because no electronic communications can be used and inexpensive physical methods, e.g., registered mail, offer only moderate security. The use of couriers is reasonably secure, although more expensive.
3. Simple Public Key Distribution

This is the most basic application of public key systems [1,5,6,7,8]. Its purpose is to allow A and B to agree on a common key k without any prior secret arrangements, even though E overhears all messages. A randomly computes enciphering and deciphering keys EA and DA, and sends EA to B (and E). B picks the random key, k, and transmits EA(k) to A (and E). A computes DA(EA(k)) = k. A then discards both EA and DA, and B discards EA. The key in future communications is k. It is used to encrypt all further messages using a conventional encryption function. Once A and B have finished talking, they both discard k. If they later resume the conversation the process is repeated to agree on a new key k'.

This protocol is very simple, and has a great deal to recommend it. First, no keys and no secret materials exist before A and B start communicating, and nothing is retained after they have finished. It is impossible for E to compromise any keys either before the conversation takes place, or after it is over, for the keys exist only during the conversation.

The disadvantage of this protocol is that E might actively interfere with the exchange of keys. Worse yet, E can force a known k on both A and B.

4. Authenticated Public Key Distribution

The now classic protocol [1] for secure and authenticated communications between A and B is: A and B generate EA and EB and make them public, while keeping DA and DB secret. The public enciphering keys of all users are entered in a public file, allowing easy and authenticated access to EX for any user, X.

If A and B wish to agree on a common key k, then each sends a (session) key to the other by encrypting it with the other's public key. The two keys thus agreed on are combined and used to encrypt further messages.

At the end of this protocol, A and B have agreed on a common key, k, which is both secret and authenticated.

This protocol suffers from two weaknesses. First, entries in the public file might be altered. This can be dealt with both by good physical security, or by using new protocols (see sections 5 and 6) for authenticating the entries in the public file.

Second, secret deciphering keys can be lost. This problem must ultimately be solved by good physical security.

5. Public Key Distribution with Certificates

Kohnfelder [3] first suggested that entries in the public file be authenticated by having a Central Authority (CA) sign them with DCA. He called such signed entries certificates.

The protocol with certificates is the same as the authenticated protocol, except that A and B can now check the entries in the public file by checking each other's certificates. This protocol assures A and B that each has the other's public enciphering key, and not the public enciphering key of some imposter.

The security of this protocol rests on the assumptions that the secret deciphering keys of A, B, and CA have not been compromised; that A and B have correct copies of ECA (to check the signed certificates); and that CA has not issued a bad certificate, either deliberately because it was untrustworthy, or accidentally because it was tricked.

ECA can be published in newspapers and magazines, and sent over all available communication channels: blocking its correct reception would be very difficult.

If DCA is compromised, then it is no longer possible to authenticate the users of the system and their public enciphering keys. The certificates are now worthless because the (unauthorized) person who has learned DCA can produce false certificates at will.

6. Public Key Distribution with Tree Authentication

Key distribution with certificates was vulnerable to the criticism that DCA can be compromised, resulting in system wide loss of authentication. This problem can be solved by using tree authentication [13].

Again, this protocol attempts to authenticate entries in the public file. However, instead of signing each entry in the public file, this protocol applies a one way hash function, H, to the entire public file. Even though H is applied to the entire public file, the output of H is only 100 or 200 bits long. The (small) output of H will be called the root, R, of the public file. If all users of the system know R, then all users can authenticate the correctness of the (whole) public file by computing R = H(public file). Any attempt to introduce changes into the public file will imply R ≠ H(altered public file), an easily detected fact.

This method effectively eliminates the possibility of compromising DCA because no secret deciphering key exists.

Because the public file will be subjected to the harsh glare of public scrutiny, and because making alterations in the public file is effectively impossible after it has been published, a high degree of assurance that it is correct can be attained.

This method is impractical as stated. Fortunately, it is possible to selectively authenticate individual entries in the public file without having to know the whole public file by using Merkle's "tree authentication," [13].

The essence of tree authentication is to authenticate the entire public file by "divide and conquer." If we define Y = public file = Y1, Y2, ... Yn, (so the ith entry in the public file is denoted Yi, and B's entry is YB); we can define H(public file) = H(Y) as:

    H(Y) = F( H(first half of Y), H(second half of Y) )

Where F is a one way function.

If A wishes to confirm B's public enciphering key, then A need only know the first half of the public file, (which is where YB appears) and H(second half of public file) which is only 100 bits long. A can compute H(public file) knowing only this information, and yet A only knew half the entries in the public file.

In a similar fashion, A does not really need to know all of the first half of the public file, for

    H(first half of public file) = F( H(first quarter of public file), H(second quarter of public file) )

All A needs to know is the first quarter of the public file (which has YB), and H(second quarter of public file).

By applying this concept recursively, A can confirm YB in the public file knowing only R, log2 n intermediate values, and YB itself. The information needed to authenticate YB, given that R has already been authenticated, lies along the path from R to YB and will be called the authentication path. These definitions are illustrated in figure 1, which shows the authentication path for Y5.

For a more detailed discussion the reader is referred to [13].

Using tree authentication, user A has an authentication path which can be used to authenticate user A's public enciphering key, provided only that R has already been authenticated. An "authentication path" is a new form of certificate, with ECA replaced by R.

This protocol can only be compromised if: DA or DB is compromised, or if R is not correctly known by A or B, or if there is a false and misleading entry in the public file. The latter two are easily detectable. If either A or B has the wrong R, they will be unable to complete the protocol with any other legitimate user who has the correct R, a fact that will be quickly detected.

Because the public file is both open to public scrutiny and unalterable, false or misleading entries can be rapidly detected. In practice, a few users concerned with correctness can verify that the public file satisfies some simple global properties, i.e., each user name appears once and only once in the entire public file; individual users can then verify that their own entry is correct, and need not bother examining the rest of the public file.

The only practical method of compromising this protocol is to compromise DA or DB. A user's security is thus dependent on himself and no one else.

7. Digital Signatures

The use of public key cryptosystems to provide digital signatures was suggested by Diffie and Hellman [1]. Rivest, Shamir and Adleman [8] have suggested an attractive implementation. Signature techniques based on methods other than public key cryptosystems have been suggested by Lamport and Diffie [1,24], Rabin [15], and Merkle [13].

Digital signatures, whether based on conventional encryption functions, on public key cryptosystems, on probabilistic computations, or on other techniques share several important properties in common. These common properties are best illustrated by the following now classic example.

A wishes to place a purchase order with his stock broker B. A, on the Riviera, cannot send a written order to B in New York in time. All that A can quickly send to B is information, i.e., a sequence of bits, but B is concerned that A may later disclaim the order. A must somehow generate a sequence of bits (a digital signature) which will convince B (and if need be a judge) that A authorized the order. It must be easy for B to validate the digital signature, but impossible for him (or anyone other than A) to generate it (to prevent charges that B was dabbling in the market illegally with A's money).

There are digital signature schemes which do not involve public key cryptosystems but it will be notationally convenient to let A sign message m by computing the signature, DA(m). Checking a signature will then be done by computing m = EA(DA(m)). If EA(DA(m)) produces an illegible message (random bits) then the signature is rejected as invalid. This notation is somewhat misleading because the actual method of generating and validating signatures can be very different from this model; it is retained because it is widely known and because we will not discuss the differences among different digital signature methods, only their common properties.

Digital signature protocols are naturally divided into three parts: a method of signing messages used by A, a method for authenticating a signature used by B, and a method for resolving disputes, used by the judge. It is important to note that two protocols that differ only in the method of resolving disputes are different. Failure to understand this point has led to confusion in the literature [17,20].

We now turn to specific digital signature protocols.

8. A Conventional Signature Protocol

A conventional "signature" protocol relies on the observation that if A and B trust some central authority CA, and if A and B have a secure method of communicating with CA, then A can "sign" a message simply by sending it to CA and relying on CA to adjudicate disputes. This approach is defended by some [17]. This protocol is subject to the weaknesses of centralized key distribution (described earlier).

9. The Basic Digital Signature Protocol

The first public key based digital signature protocol [1], proceeded by having A sign message m by computing DA(m) and giving it to B as the signed message. B (or a judge) can compute EA(DA(m)) = m, thus confirming the correctness of the signed message. A is held responsible for a signed message if and only if it can be verified by applying A's public enciphering key to it.

This protocol can be criticized [16,17,20] on two grounds: First, the public file might have been tampered with. Methods of authenticating the public file, discussed previously under key distribution protocols, solve this problem.

A second criticism is that A has no recourse should his secret deciphering key be compromised and made public. Anyone can sign any message they desire with A's compromised DA, and A will be held responsible.

It seems clear that A will only agree to this digital signature protocol if he can provide very good physical security for DA. The loss to A if DA is compromised can be substantial.

A different method of solving this problem is to alter the dispute resolution protocol so that A is not held responsible for his signature if his secret deciphering key is compromised and made public. The fact that altering the dispute resolution procedure creates a different protocol has not been fully appreciated, and the preceding two protocols have been confused with each other for this reason. Some criticism of "the" public key digital signature protocol has actually failed to consider the first protocol at all.

If we assume that A knows DA, then under the second protocol A can make DA public and effectively disavow the signed message. For this reason, some critics have argued that this protocol is inadequate. If we assume that A does not know DA, then he is unable to disavow his signature under this protocol. It is easy to design a system in which this is the case.

The major difference between the second protocol and the first is in the division of risk: in the second protocol B will be left holding the bag if A's signing key is compromised. Clearly, B must be given assurances that this condition is unlikely before he will be willing to use this protocol.

10. The Time-Stamp Protocol

A protocol that would allow A to report loss or theft of DA and disclaim messages signed after the reported loss yet force A to acknowledge the validity of signatures made before the reported loss must involve the concept of time. We introduce time into the following protocol by using time-keepers who can digitally time-stamp information given to them. We assume that both A and B have agreed on a set of acceptable time-keepers whose time-stamps will be accepted in dispute resolution.

If A can report that DA has been lost, then he must report this fact to some agent who will be responsible for answering queries about the current status of DA, i.e., has it been lost or not. For simplicity, we shall assume this role is played by the central authority, CA. CA will sign messages stating that A's secret deciphering key has not been compromised as of the current time. These signed messages will be called "validity-checks."

In the time stamp protocol, user A signs message m by computing DA(m) and sending it to B. B then has a time-keeper time stamp the message and obtains a validity-check from CA. If DA has already been reported lost B rejects the signature, otherwise he accepts.

In dispute resolution, the judge holds that a message has been validly signed if and only if it can be checked by applying A's public enciphering key AND it has been time-stamped prior to any reported loss of DA.

This protocol provides very good assurance to all parties that they have been dealt with fairly.

The major disadvantage of this protocol, as compared with the basic digital signature protocol, is the requirement that B obtain both a time-stamp and a validity-check, presumably in real time. These requirements force the use of a communications network, which both increases expense and decreases reliability.

If B is willing to obtain the time-stamp and the validity-check after the transaction has been completed, i.e., within a few days, an off-line system can be used. This modified protocol could be used by B either as a fail-soft protocol during communications outages, or as the standard protocol if communication costs are too high.

Off-line operation is cheaper and more reliable, but it exposes B to some risk: A might have recently reported the loss of DA and B would not know about it. If physical security for secret deciphering keys is good, this risk should be minimal.

11. Witnessed Digital Signatures

If the value of a transaction is high enough, it might be desirable to have a witness physically confirm that A signed message m. The witness, W, would compute DW("I, W, physically saw A agree to and sign message m."). It would be necessary for A and B to agree in advance on acceptable witnesses.

The primary advantage of this protocol is that it reduces B's risk. The primary disadvantage is that it forces A to find a (physically present) witness to confirm the transaction.

12. Digital Signature Applications Not Involving Dispute

Not all applications of digital signatures involve contracts between two potentially disputing parties. Digital signatures are also an ideal method of broadcasting authenticated messages from a central source which must be confirmed by many separate recipients, or repeatedly confirmed by the same recipient at different times to insure that the message has not been modified.

One example of such an application is the distribution of network software to individual nodes of a communications network. It would be clearly undesirable for any node to start executing the wrong software. On the other hand, it is very desirable to send updates to the nodes over the network itself. The obvious solution is for updates to be digitally signed by an appropriate network administrator, and for the nodes to check the digital signature prior to executing them.

This example leads naturally to another application of digital signatures in operating system security. A major risk to the security of an operating system is the possibility that the system code that it is executing today is not the same that it was executing yesterday: someone might have put a trap door into the operating system that lets them do anything they please. To guard against this possibility, the operating system could refuse to execute any code in privileged mode unless that code had been properly signed. Carried to its logical conclusion, the operating system would check the digital signature of privileged programs each time they were loaded into central memory. If this check were implemented in hardware, it would be physically impossible for any software changes to subvert it. The machine would be physically incapable of executing code in privileged mode unless that code was signed.

If privileged programs are digitally signed by the programmer who originally wrote them, as well as by various supervisory levels, and if the computer is physically unable to execute unsigned code in privileged mode, then it is possible to have complete assurance that the privileged programs running on the computer "right now" have not been modified since they were given their final checkout and signed by the programmer. Of course, this does not necessarily mean that the operating system is secure, but it does eliminate a major class of worries.

13. Conclusions

This paper has briefly described a number of cryptographic protocols. Certainly, these are not the only ones possible; however, they are valuable tools to the system designer: they illustrate what can be achieved and provide feasible solutions to problems of recurring interest. Further constructive work in this area is very much needed.

14. ACKNOWLEDGEMENTS

It is a great pleasure for the author to acknowledge the pleasant and informative conversations he had with Dov Andelman, Whitfield Diffie, Martin Hellman, Raynold Kahn, Loren Kohnfelder, Frank Olken, and Justin Reyneri.

15. BIBLIOGRAPHY

1. Diffie, W., and Hellman, M. New directions in cryptography. IEEE Trans. on Inform. IT-22, 6(Nov. 1976), 644-654.

2. Evans A., Kantrowitz, W., and Weiss, E. A user authentication system not requiring secrecy in the computer. Comm. ACM 17, 8(Aug. 1974), 437-442.

3. Kohnfelder, L.M. Towards a practical public-key cryptosystem. MIT EE Bachelor's thesis.

4. Lipton, S.M., and Matyas, S.M. Making the digital signature legal--and safeguarded. Data Communications (Feb. 1978), 41-52.

5. McEliece, R.J. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, JPL, (Jan. and Feb. 1978), 42-44.

6. Merkle, R. Secure Communications over Insecure Channels. Comm. ACM 21, 4 (Apr. 1978), 294-299.

7. Merkle, R., and Hellman, M. Hiding information and signatures in trapdoor knapsacks. IEEE Trans. on Inform. IT-24, 5(Sept. 1978), 525-530.

8. Rivest, R.L., Shamir, A., and Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM 21, 2(Feb. 1978), 120-126.

9. Wilkes, M.V., Time-Sharing Computer Systems. Elsevier, New York, 1972.

10. Diffie, W., and Hellman, M.E., Privacy and authentication: an introduction to cryptography, Proceedings of the IEEE Vol. 67, No. 3, Mar. 1979 pp. 397-427.

11. Squires, J. Russ monitor of U.S. phones, Chicago Tribune pp. 123, June 25, 1975.

12. Davis, R. Remedies sought to defeat Soviet eavesdropping on microwave links, Microwave Syst., vol. 8, no. 6, pp. 17-20, June 1978.

13. Merkle, R.C. A certified digital signature, to appear, CACM.

14. Kahn, D. The Codebreakers, New York: Macmillan. 1967.

15. Rabin, M.O., Digitalized signatures, in Foundations of Secure Computation, ed. Demillo, R.A., et. al. pp. 155-166.

16. Saltzer, J. On Digital Signatures, private communication.

17. Popek G.J. and Kline, C.S. Encryption Protocols, Public Key Algorithms, and Digital Signatures in Computer Networks; in Foundations of Secure Computation pp. 133-153.

18. Needham R.M. and Schroeder, M.D. Using Encryption for Authentication in Large Networks of Computers. CACM 21,12 Dec. 1978 pp. 993-999.

19. Merkle, R. Secrecy, authentication, and public key systems. Stanford Elec. Eng. Ph.D. Thesis, ISL SEL 79-017, 1979.

20. Popek, G.J., and Kline, C.S. Encryption and Secure Computer networks. Computing Surveys 11,4 Dec. 1979 pp. 331-356.

21. Simmons, G.J. Symmetric and Asymmetric Encryption. Computing Surveys 11,4 Dec. 1979 pp. 305-330.

22. Lamport, L. Time, clocks, and the ordering of events in a distributed system. CACM 21,7 Jul 1978 pp. 558-565.

23. Ehrsam, W.F., Matyas, S.M., Meyer, C.H., and Tuchman, W.L. A cryptographic key management scheme for implementing the data encryption standard. IBM Sys. Jour. 17,2 1978 pp. 106-125.

24. Lamport, L., Constructing digital signatures from a one way function. SRI Intl. CSL - 98
FIG. 1 (tree diagram showing the authentication path for Y5; only the leaf labels Y1 through Y4 survive extraction)
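The tree authentication of section 6 and the authentication path for Y5 referred to by figure 1, worked through as an added example that is not code from the paper. SHA-256 stands in for the one way function F, the eight public file entries are constructed, and the leaf/node prefix bytes are an added hardening the paper does not specify.

```python
import hashlib
import hmac


def F(data: bytes) -> bytes:
    """Stand-in for the paper's one way function F (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def leaf(entry: bytes) -> bytes:
    # The 0x00 / 0x01 prefixes keep leaf hashes and interior hashes distinct,
    # so an interior value can never be passed off as a file entry.
    # This domain separation is an addition, not part of the paper.
    return F(b"\x00" + entry)


def node(left: bytes, right: bytes) -> bytes:
    return F(b"\x01" + left + right)


def root(entries):
    """H(Y) = F( H(first half of Y), H(second half of Y) ), applied recursively."""
    if len(entries) == 1:
        return leaf(entries[0])
    mid = len(entries) // 2
    return node(root(entries[:mid]), root(entries[mid:]))


def auth_path(entries, index):
    """Sibling hashes from the entry up to R: log2(n) values for n a power of 2.

    Each step records which side the sibling sits on ("L" or "R").
    """
    if len(entries) == 1:
        return []
    mid = len(entries) // 2
    if index < mid:
        # Entry is in the first half: the verifier needs H(second half).
        return auth_path(entries[:mid], index) + [("R", root(entries[mid:]))]
    # Entry is in the second half: the verifier needs H(first half).
    return auth_path(entries[mid:], index - mid) + [("L", root(entries[:mid]))]


def verify(entry: bytes, path, R: bytes) -> bool:
    """Recompute the root from one entry plus its path and compare with the known R."""
    h = leaf(entry)
    for side, sibling in path:
        h = node(h, sibling) if side == "R" else node(sibling, h)
    return hmac.compare_digest(h, R)


# Constructed public file Y1..Y8 (names and keys are placeholders).
PUBLIC_FILE = [f"user{i}:E{i}-constructed-public-key".encode() for i in range(1, 9)]


def demo():
    R = root(PUBLIC_FILE)                      # the value every user must know
    path = auth_path(PUBLIC_FILE, 4)           # Y5 is index 4
    genuine = verify(PUBLIC_FILE[4], path, R)  # real entry checks out
    # A substituted key presented with the genuine path fails against R.
    forged = verify(b"user5:E5-substituted-key", path, R)
    # Altering the file itself changes the root: R != H(altered public file).
    altered = PUBLIC_FILE[:4] + [b"user5:E5-substituted-key"] + PUBLIC_FILE[5:]
    return len(path), genuine, forged, root(altered) != R


if __name__ == "__main__":
    print(demo())
```

The path for Y5 consists of H(Y6), H(Y7, Y8) and H(Y1 ... Y4), so the verifier handles three hashes instead of the whole eight-entry file.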