I understand that private and public keys are mathematically related and that data encrypted with one key can only be decrypted with the other. My question is: is the private key always used to encrypt data, whereas the public key is always used to decrypt it? Or can it be vice versa, and if so, can you give some example application where it's used in the other direction (public key to encrypt and private key to decrypt)?
- Related and may solve your problem: http://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature – Dante May Code Mar 29 '11 at 02:48
4 Answers
Encryption is about keeping some data confidential; the data is transformed into an opaque blob and the reverse operation requires something that the attacker does not know, i.e. a "secret" or "private" information. The whole point of encryption is that decryption cannot be done with only public information; hence decryption uses the private key. However, there is no problem in letting anybody encrypt data, thus encryption can use the public key.
There are some algorithms (in practice, only one: RSA) which, from a casual glance, appear to be "revertible": you might think about using the private key for encryption, and the public key for decryption. As explained above, there goes confidentiality (if the decryption key is public, then anybody can decrypt, hence the encrypted data cannot be considered as confidential anymore). Such a "reversed encryption" may be used as the basis for a digital signature algorithm, in which there is no notion of confidentiality, but, instead, of verifiable proof of key owner action.
However there is more to RSA than the modular exponentiation. RSA encryption first transforms the input message into a big integer through an operation called "padding". RSA signature generation first transforms the input message into a big integer through another operation which is also called "padding"; but this is not at all the same padding. Padding is essential for security, and the needed characteristics are quite distinct between encryption and signature. For instance, an encryption padding needs a high level of added randomness, whereas a signature padding requires a lot of redundancy (and a hash function, in order to accommodate long input messages).
Talking of signatures as "encryption with the private key" is the way the RSA standard historically put it (hence names such as "md5WithRSAEncryption"), but it is inaccurate (paddings are, and must be, different) and overly specific (it applies only to RSA, not El Gamal, DSA, Diffie-Hellman, NTRU...). This is just a widespread confusion.

If I want to send you a secure message, I would encrypt the message with your public key. That way, only you (knowing the private key) can decrypt it.

Not only can you use a public key for encryption, that is actually the normal mode of operation when you are encrypting for secrecy. This makes sense - anyone can encrypt with the public key, and only the proper recipient can decrypt using their private key.
In many public key systems, signing is mathematically similar to the opposite case - "encrypting with the private key" - but note that the signing operation is fundamentally distinct from the encryption operation. For example, with RSA, signing must use an invariant, verifiable padding method, whereas encryption should use random padding.

- Actually, signing is more similar to _decrypting_ with the private key. But, as you say, they are still fundamentally distinct and have major important differences. And anyway, that's only true for RSA. – forest Mar 21 '19 at 21:35
It's interchangeable.
Digital Signature -> Private key encrypts, public key decrypts, so as to verify the sender.
Send a message -> Public key encrypts, private key decrypts and the owner reads the message.
EDIT: People seem to disagree with the "Interchangeable" definition. I need to clarify that I am talking about the mathematical perspective of the operation, not what is best in terms of security. Ofc, you should use keys for their intended operation.
However, Henrick Hellström's response in the SO thread explains why they are interchangeable mathematically: Are public key and private key interchangeable?

- No, it is not interchangeable. With a digital signature, the private key **signs** and the public key **verifies**. Signature and decryption work differently, and encryption and verification work differently. – Gilles 'SO- stop being evil' Mar 19 '19 at 01:58
- It absolutely is interchangeable. You can use the public key to sign and the private to verify too if you want to. Signing and encrypting do not work differently. They are the EXACT same operations, they are just using the keys in different ways. – Spyros Mar 20 '19 at 02:09
- Seriously, no, this is completely wrong. Please read up about [how OAEP (encryption with RSA) differs from PSS (signature with RSA)](https://tools.ietf.org/html/rfc8017). Compare [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) (signature) with [ECIES](https://en.wikipedia.org/wiki/Integrated_Encryption_Scheme) (encryption). Read up on [RSA key generation](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf) (§B.3.1) and notice how the public and private exponents are created differently. Or even just read Thomas's answer here. – Gilles 'SO- stop being evil' Mar 20 '19 at 14:22
- This is a commonly repeated fallacy: This is only remotely close to true in textbook RSA (and maybe one other scheme), which is one of the only schemes non-crypto people are even aware of. With *most* signature schemes you could not use the private key operation for encryption even if you tried, and there are plenty of public-key encryption schemes that similarly can't be used for signatures. Please stop propagating this fallacy. – Ella Rose Mar 20 '19 at 15:02
- Read from Cornell University [Signing is Not RSA Decryption](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php) – kelalaka Mar 20 '19 at 15:40
- So, RSA is m^e mod N = c and c^d mod N = m where e, d can be interchanged to produce the exact same results, but the operation is not interchangeable? – Spyros Mar 21 '19 at 15:05
- @kelalaka, the article you mention concludes: "In the abstract world of textbooks, RSA signing and RSA decryption do turn out to be the same thing. In the real world of implementations, they are not." Therefore, the operations are interchangeable. I am not talking about best security practice here obviously. – Spyros Mar 21 '19 at 15:08
- @Gilles, Thomas's answer refers to padding, which doesn't really change the outcome of the core operations. Again, I am not talking best practices or RFCs, I get that. But when I can get a message and use either the private or public key to encrypt or vice versa, producing the same results, I don't get how that is not interchangeable. – Spyros Mar 21 '19 at 15:18
- @Spyros RSA has not been mentioned in the question at all. For a general public key encryption scheme trying to "encrypt with a private key" does not even make syntactical sense. And finally, RSA by itself is neither an encryption scheme nor a digital signature scheme. It is a trapdoor permutation which can be used to construct both of those things. – Maeher Mar 21 '19 at 18:09
- @Spyros **You are incorrect**. You are making the assumption that an RSA operation is nothing more than application of the RSA trapdoor permutation (modular exponentiation using the product of two random prime numbers as the modulus). That is not the case, not only because signing, encryption, and decryption use different sources of exponents, but because the padding (which makes the cryptosystem secure) is _completely_ different. – forest Mar 21 '19 at 18:15
- Also, you're assuming RSA is the only asymmetric cryptographic algorithm. It is not, and it isn't even the most popular. Right now, numerous cryptographic professionals and people very well-versed in cryptography are telling you that your understanding is wrong. Perhaps you should reflect on that. – forest Mar 21 '19 at 18:58
- @forest, I completely understand where you are coming from, you are right indeed. I was thinking of the inverse RSA modulo and the core RSA encryption/decryption when I said this. Mathematically speaking I think it's still a fair statement, at least for RSA. But yeah, I am not scared to say I am wrong. I am. Tough life :) – Spyros Mar 22 '19 at 19:20
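The following is an added example written for this page; it is not code from the question, from any of the answers or comments, or from any library. It makes concrete both the first answer's point (RSA encryption and RSA signing use different paddings) and the comment exchange above (the bare exponentiation really is invertible in either order). Everything in it is a toy: a 512-bit modulus generated with Miller-Rabin, a seeded PRNG instead of a real entropy source, and simplified PKCS#1 v1.5-style block formats (type 2 with random non-zero filler for encryption, type 1 with `0xFF` filler and a raw SHA-256 digest, no DigestInfo, for signing). None of these choices is suitable for production; they are chosen so the structural difference is visible in a few dozen lines.

```python
"""Textbook RSA versus padded RSA (constructed illustration, toy parameters)."""
import hashlib
import hmac
import random
from math import gcd

# Seeded so the demo is reproducible; a real implementation must use os.urandom.
_RNG = random.Random(2019)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand


def keygen(bits: int = 512, e: int = 65537):
    """Return (n, e, d). 512-bit n is a toy size, far too small for real use."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def textbook_interchangeable(n: int, e: int, d: int, m: int) -> bool:
    """The comment thread's observation: as a bare permutation, e and d undo
    each other in either order. This is the ONLY level at which the claim holds."""
    return pow(pow(m, e, n), d, n) == m and pow(pow(m, d, n), e, n) == m


def _block_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def encrypt(pub, msg: bytes) -> bytes:
    """Encryption padding (type-2 style): fresh randomness on every call."""
    n, e = pub
    k = _block_len(n)
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(_RNG.randrange(1, 256) for _ in range(ps_len))  # random, non-zero
    block = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(block, "big"), e, n).to_bytes(k, "big")


def decrypt(priv, ct: bytes) -> bytes:
    """Inverse exponentiation, then a structural check of the recovered block."""
    n, d = priv
    k = _block_len(n)
    block = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if block[:2] != b"\x00\x02" or b"\x00" not in block[2:]:
        raise ValueError("encryption padding check failed")
    sep = block.index(b"\x00", 2)
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return block[sep + 1:]


def _sig_block(n: int, msg: bytes) -> bytes:
    """Signature padding (type-1 style): deterministic, redundant, hash-based."""
    digest = hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (_block_len(n) - 3 - len(digest)) + b"\x00" + digest


def sign(priv, msg: bytes) -> bytes:
    n, d = priv
    return pow(int.from_bytes(_sig_block(n, msg), "big"), d, n).to_bytes(_block_len(n), "big")


def verify(pub, msg: bytes, sig: bytes) -> bool:
    n, e = pub
    k = _block_len(n)
    if len(sig) != k:
        return False
    block = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(block, _sig_block(n, msg))  # compare the whole block


def demo() -> dict:
    n, e, d = keygen()
    pub, priv = (n, e), (n, d)
    msg = b"attack at dawn"  # constructed sample message
    c1, c2 = encrypt(pub, msg), encrypt(pub, msg)
    sig = sign(priv, msg)
    try:  # treat the signature as a ciphertext and "decrypt" it with the other exponent
        decrypt(pub, sig)
        sig_passes_decrypt_check = True
    except ValueError:
        sig_passes_decrypt_check = False
    return {
        "textbook_both_orders": textbook_interchangeable(n, e, d, 12345),
        "ciphertexts_differ": c1 != c2,           # randomised padding
        "both_decrypt": decrypt(priv, c1) == msg and decrypt(priv, c2) == msg,
        "signature_deterministic": sign(priv, msg) == sig,
        "verifies": verify(pub, msg, sig),
        "tamper_detected": not verify(pub, b"attack at dusk", sig),
        "signature_passes_decrypt_check": sig_passes_decrypt_check,  # False: wrong block type
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`textbook_interchangeable` is the whole of what "e and d can be swapped" buys you. Once the block formats are in place, the two ciphertexts of the same message differ while the two signatures of it are identical, and a signature pushed through the decryption path is rejected by the very first structural check, because the block type byte is `0x01`, not `0x02`. That is the sense in which the answers say the operations are not the same thing even though the modular exponentiation underneath them is.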