18

I'm wondering if I can have multiple public keys for a private key.

Can this be done? If so, what are the security issues!?

If I generate multiple key pairs based on the same initial values (with no initial vector), shouldn't the keys be "compatible"?

Nakilon
  • 34,866
  • 14
  • 107
  • 142
André Moreira
  • 1,669
  • 4
  • 21
  • 35
  • This isn't immediately obvious to me what you mean. Which method were you thinking: RSA, DSA, ECC? I don't know ECC but I doubt it's possible for the first two. – Rup Jun 23 '10 at 08:54
  • 1
    IMHO, from the same algorithm and the same private key, you should get the same public key every time. – Piskvor left the building Jun 23 '10 at 09:05
  • Also worth reading is Henrick Hellström's answer at http://stackoverflow.com/questions/9375044/can-we-have-multiple-public-keys-with-a-single-private-key-for-rsa – cwd Aug 05 '14 at 03:28

4 Answers4

12

In all asymmetric crypto-systems I can think off, there is a 1-1 correspondence between the public key and the private key: given the private key you can uniquely determine the public key and given the public key you can uniquely determine the private key (but it should of course be computationally infeasible to determine the private key from the public key).

However given one of the usual asymmetric schemes you can easily create such a scheme: To create a private key with n public keys, just generate n public-private keypairs in the normal scheme and define the "private key" to be the collection of the private keys. When signing just sign with all the private keys, when verifying try to verify one of the signatures. Encryption is the usual operation and decrypting should try to decrypt with all the keys (one of them should work).

Rasmus Faber
  • 48,631
  • 24
  • 141
  • 189
  • I would use the phrase: Given the public key, you can verify that the private key is the one and only possible private key. – Slartibartfast Jun 24 '10 at 23:26
  • @Slartibartfast: While that is also true, you can always calculate the private key - it will just take a long time: if nothing else, you can try all the possible keys, but most crypto-systems have faster algorithms than that. – Rasmus Faber Jan 13 '11 at 17:47
  • 1
    @Skywinder: The algorithm described in that link is different than the algorithm I describe above. It is possibly much smarter, but it relies on a more complex security proof. – Rasmus Faber Sep 09 '19 at 04:55
  • @RasmusFaber thanks for the clarification. One additional question according to your scheme: "generate n public-private keypairs " - is easy via `ssh-keygen` but can you clarify, how to "define the "private key" to be the collection of the private keys." - how to do this? – skywinder Sep 11 '19 at 11:31
7

This is not possible with standard algorithms.

If you look at how key pairs are generated in RSA, you select a public key first by specifying the public exponent, then generate the private key.

I can't think of a use-case for multiple public keys. They are public and you can get any of them so it doesn't really improve security.

ZZ Coder
  • 74,484
  • 29
  • 137
  • 169
1

It isn't clear why you think you need multiple public keys. It may help you to learn that if something is encrypted with the public key, it cannot be decrypted using the same public key.

If there are three people (A,B,C) with your public key, B and C cannot read a message encrypted by A, but you (with the private key) can.

If you want to be able to send a message that only one of A, B, or C can read, they should each have a private key, and share their public key with you.

It sounds like you want to treat public keys like private keys, and that's probably a bad plan.

Slartibartfast
  • 1,694
  • 9
  • 8
-1

Private/Public keys have a 1-1 relationship, and so it's not possible to have more than one public key for a given private key.

However, you can have 3 separate certificates for the same public key, if that's the type of thing you're looking for.

Shawn D.
  • 7,895
  • 8
  • 35
  • 47