Public-Key Cryptography - Wikipedia
Public-key cryptography
Public-key cryptography, or asymmetric cryptography, is
the field of cryptographic systems that use pairs of related
keys. Each key pair consists of a public key and a
corresponding private key.[1][2] Key pairs are generated with
cryptographic algorithms based on mathematical problems
termed one-way functions. Security of public-key
cryptography depends on keeping the private key secret; the
public key can be openly distributed without compromising
security.[3]
Public key algorithms are fundamental security primitives in modern cryptosystems, including
1 of 11 12/09/2023, 17:39
Public-key cryptography - Wikipedia https://en.wikipedia.org/wiki/Public-key_cryptography
associated with the public key. It also proves that the signature was prepared for that
exact message, since verification will fail for any other message one could devise
without using the private key.
One important issue is confidence/proof that a particular public key is authentic, i.e. that it is correct and
belongs to the person or entity claimed, and has not been tampered with or replaced by some (perhaps
malicious) third party. There are several possible approaches, including:
▪ A public key infrastructure (PKI), in which one or more third parties – known as certificate authorities –
certify ownership of key pairs. TLS relies upon this. This implies that the PKI system (software,
hardware, and management) is trusted by all involved.
▪ A "web of trust" which decentralizes authentication by using individual endorsements of links between a
user and the public key belonging to that user. PGP uses this approach, in addition to lookup in the
domain name system (DNS). The DKIM system for digitally signing emails also uses this approach.
Applications
The most obvious application of a public key encryption system is for encrypting communication to
provide confidentiality – a message that a sender encrypts using the recipient's public key can be
decrypted only with the recipient's paired private key.
Another application in public key cryptography is the digital signature. Digital signature schemes can be
used for sender authentication.
Non-repudiation systems use digital signatures to ensure that one party cannot successfully dispute its
authorship of a document or communication.
Further applications built on this foundation include: digital cash, password-authenticated key agreement,
time-stamping services and non-repudiation protocols.
Hybrid cryptosystems
Because asymmetric key algorithms are nearly always much more computationally intensive than
symmetric ones, it is common to use a public/private asymmetric key-exchange algorithm to encrypt and
exchange a symmetric key, which symmetric-key cryptography then uses to transmit the data. PGP, SSH,
and the SSL/TLS family of schemes use this procedure; they are thus called hybrid cryptosystems. The
initial asymmetric cryptography-based key exchange, which shares a server-generated symmetric key from
the server to the client, has the advantage of not requiring that a symmetric key be pre-shared manually,
such as on printed paper or discs transported by a courier, while providing the higher data throughput of
symmetric key cryptography over asymmetric key cryptography for the remainder of the shared connection.
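The hybrid procedure described above, as an added Go example that is not part of the original article: one RSA-OAEP operation wraps a random session key, and AES-256-GCM protects the data. The `Envelope` layout and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct {
	WrappedKey []byte // session key encrypted under the recipient's RSA public key
	Sealed     []byte // nonce || AES-256-GCM ciphertext and tag of the payload
}

func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs the slow asymmetric step once, on a 32-byte key; bulk data uses AES-256-GCM.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	secret := make([]byte, 32+12) // fresh session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	sessionKey, nonce := secret[:32], secret[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, wrapped) // wrapped key bound as associated data
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// Open unwraps the session key, then authenticates and decrypts the payload.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(e.Sealed) < n {
		return nil, fmt.Errorf("envelope too short")
	}
	return aead.Open(nil, e.Sealed[:n], e.Sealed[n:], e.WrappedKey)
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env)
	fmt.Printf("wrapped key: %d bytes; recovered: %q; err: %v\n", len(env.WrappedKey), pt, err)
}
```

The asymmetric ciphertext stays 256 bytes however large the payload is, which is why only the session key goes through RSA.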
Weaknesses
As with all security-related systems, it is important to identify potential weaknesses. Aside from poor
choice of an asymmetric key algorithm (there are few which are widely regarded as satisfactory) or too
short a key length, the chief security risk is that the private key of a pair becomes known. All security of
messages, authentication, etc., will then be lost.
Additionally, with the advent of quantum computing, many asymmetric key algorithms are considered
vulnerable to attacks, and new quantum-resistant schemes are being developed to overcome the
problem.[10]
Algorithms
All public key schemes are in theory susceptible to a "brute-force key search attack".[11] However, such an
attack is impractical if the amount of computation needed to succeed – termed the "work factor" by
Claude Shannon – is out of reach of all potential attackers. In many cases, the work factor can be
increased by simply choosing a longer key. But other algorithms may inherently have much lower work
factors, making resistance to a brute-force attack (e.g., from longer keys) irrelevant. Some special and
specific algorithms have been developed to aid in attacking some public key encryption algorithms; both
RSA and ElGamal encryption have known attacks that are much faster than the brute-force approach.[12]
None of these are sufficiently improved to be actually practical, however.
Major weaknesses have been found for several formerly promising asymmetric key algorithms. The
"knapsack packing" algorithm was found to be insecure after the development of a new attack.[13] As with
all cryptographic functions, public-key implementations may be vulnerable to side-channel attacks that
exploit information leakage to simplify the search for a secret key. These are often independent of the
algorithm being used. Research is underway to both discover, and to protect against, new attacks.
A communication is said to be insecure where data is transmitted in a manner that allows for interception
(also called "sniffing"). These terms refer to reading the sender's private data in its entirety. A
communication is particularly unsafe when interceptions cannot be prevented or monitored by the
sender.[14]
A man-in-the-middle attack can be difficult to implement due to the complexities of modern security
protocols. However, the task becomes simpler when a sender is using insecure media such as public
networks, the Internet, or wireless communication. In these cases an attacker can compromise the
communications infrastructure rather than the data itself. A hypothetical malicious staff member at an
Internet Service Provider (ISP) might find a man-in-the-middle attack relatively straightforward.
Capturing the public key would only require searching for the key as it gets sent through the ISP's
communications hardware; in properly implemented asymmetric key schemes, this is not a significant
risk.
In some advanced man-in-the-middle attacks, one side of the communication will see the original data
while the other will receive a malicious variant. Asymmetric man-in-the-middle attacks can prevent users
from realizing their connection is compromised. This remains so even when one user's data is known to
be compromised because the data appears fine to the other user. This can lead to confusing disagreements
between users such as "it must be on your end!" when neither user is at fault. Hence, man-in-the-middle
attacks are only fully preventable when the communications infrastructure is physically controlled by one
or both parties, such as via a wired route inside the sender's own building. In summation, public keys are
easier to alter when the communications hardware used by a sender is controlled by an attacker.[15][16][17]
One approach to prevent such attacks involves the use of a public key infrastructure (PKI): a set of roles,
policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and
manage public-key encryption. However, this has potential weaknesses.
For example, the certificate authority issuing the certificate must be trusted by all participating parties to
have properly checked the identity of the key-holder, to have ensured the correctness of the public key
when it issues a certificate, to be secure from computer piracy, and to have made arrangements with all
participants to check all their certificates before protected communications can begin. Web browsers, for
instance, are supplied with a long list of "self-signed identity certificates" from PKI providers – these are
used to check the bona fides of the certificate authority and then, in a second step, the certificates of
potential communicators. An attacker who could subvert one of those certificate authorities into issuing a
certificate for a bogus public key could then mount a "man-in-the-middle" attack as easily as if the
certificate scheme were not used at all. In an alternative scenario rarely discussed, an attacker who
penetrates an authority's servers and obtains its store of certificates and keys (public and private) would be
able to spoof, masquerade, decrypt, and forge transactions without limit.
Despite its theoretical and potential problems, this approach is widely used. Examples include TLS and its
predecessor SSL, which are commonly used to provide security for web browser transactions (for
example, to securely send credit card details to an online store).
Aside from the resistance to attack of a particular key pair, the security of the certification hierarchy must
be considered when deploying public key systems. Some certificate authority – usually a purpose-built
program running on a server computer – vouches for the identities assigned to specific private keys by
producing a digital certificate. Public key digital certificates are typically valid for several years at a time,
so the associated private keys must be held securely over that time. When a private key used for certificate
creation higher in the PKI server hierarchy is compromised, or accidentally disclosed, then a "man-in-the-
middle attack" is possible, making any subordinate certificate wholly insecure.
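The trust relationships discussed above, as an added Go example that is not part of the original article: a verifier that accepts a signed message only when the sender's key is certified by a trusted CA key, run against the cases the text describes. The `Cert` format, the names and all messages are constructed for illustration; real deployments use X.509 certificates.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a minimal stand-in for a certificate: an issuer's signature over
// (subject, public key). The format is constructed for this example.
type Cert struct {
	Subject   string
	PublicKey ed25519.PublicKey
	IssuerSig []byte
}

// signedBytes length-prefixes the subject so the two fields cannot run together.
func signedBytes(subject string, pub ed25519.PublicKey) []byte {
	b := []byte{byte(len(subject) >> 8), byte(len(subject))}
	return append(append(b, subject...), pub...)
}

func Issue(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{subject, pub, ed25519.Sign(issuer, signedBytes(subject, pub))}
}

// Verify accepts msg only if the certificate was signed by the trusted CA key,
// names the expected peer, and carries a key under which sig matches msg exactly.
func Verify(trustedCA ed25519.PublicKey, c Cert, peer string, msg, sig []byte) error {
	if len(c.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(trustedCA, signedBytes(c.Subject, c.PublicKey), c.IssuerSig) {
		return errors.New("certificate not issued by a trusted CA")
	}
	if c.Subject != peer {
		return errors.New("certificate names a different subject")
	}
	if !ed25519.Verify(c.PublicKey, msg, sig) {
		return errors.New("signature does not match this message")
	}
	return nil
}

// Scenarios reports, for each case from the text, whether the message is accepted.
func Scenarios() map[string]bool {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil) // key substituted in transit
	_, untrusted, _ := ed25519.GenerateKey(nil)        // issuer the verifier does not trust

	const peer = "alice.example" // constructed name
	msg, altered := []byte("constructed message A"), []byte("constructed message B")
	sig := ed25519.Sign(alicePriv, msg)
	otherSig := ed25519.Sign(otherPriv, altered)
	genuine := Issue(caPriv, peer, alicePub)

	ok := func(c Cert, m, s []byte) bool { return Verify(caPub, c, peer, m, s) == nil }
	return map[string]bool{
		"genuine":                 ok(genuine, msg, sig),
		"altered-message":         ok(genuine, altered, sig),
		"untrusted-issuer":        ok(Issue(untrusted, peer, otherPub), altered, otherSig),
		"no-certificate-check":    ed25519.Verify(otherPub, altered, otherSig),
		"misissued-by-trusted-ca": ok(Issue(caPriv, peer, otherPub), altered, otherSig),
	}
}

func main() {
	for name, accepted := range Scenarios() {
		fmt.Printf("%-24s accepted=%v\n", name, accepted)
	}
}
```

The last two cases are the ones the text warns about: a key taken from the channel without any certificate check, and a certificate signed with a trusted CA key for the wrong public key, are both accepted.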
Examples
Examples of well-regarded asymmetric key techniques for varied purposes include:
▪ NTRUEncrypt cryptosystem
▪ Kyber
▪ McEliece cryptosystem
▪ S/MIME
▪ GPG, an implementation of OpenPGP, and an Internet Standard
▪ EMV, EMV Certificate Authority
▪ IPsec
▪ PGP
▪ ZRTP, a secure VoIP protocol
▪ Transport Layer Security standardized by IETF and its predecessor Secure Socket Layer
▪ SILC
▪ SSH
▪ Bitcoin
▪ Off-the-Record Messaging
History
During the early history of cryptography, two parties would rely upon a key that they would exchange by
means of a secure, but non-cryptographic, method such as a face-to-face meeting, or a trusted courier.
This key, which both parties must then keep absolutely secret, could then be used to exchange encrypted
messages. A number of significant practical difficulties arise with this approach to distributing keys.
Anticipation
In his 1874 book The Principles of Science, William Stanley Jevons[18] wrote:
Can the reader say what two numbers multiplied together will produce the number
8616460799?[19] I think it unlikely that anyone but myself will ever know.[20]
Here he described the relationship of one-way functions to cryptography, and went on to discuss
specifically the factorization problem used to create a trapdoor function. In July 1996, mathematician
Solomon W. Golomb said: "Jevons anticipated a key feature of the RSA Algorithm for public key
cryptography, although he certainly did not invent the concept of public key cryptography."[21]
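Jevons's challenge, and the "work factor" argument from the Algorithms section, as an added Go example that is not part of the original article: it factors his ten-digit number by trial division and by Fermat's difference-of-squares method, counting candidates tried. Fermat's method is a technique chosen here for illustration, and `TrialDivisionBits` is a hypothetical helper for the naive search only.

```go
package main

import (
	"fmt"
	"math"
)

// JevonsNumber is the integer Jevons published in 1874, as quoted in the text.
const JevonsNumber uint64 = 8616460799

// isqrt returns floor(sqrt(n)); the float estimate is corrected so the result
// is exact. Intended for the small (< 2^52) inputs used here.
func isqrt(n uint64) uint64 {
	r := uint64(math.Sqrt(float64(n)))
	for r*r > n {
		r--
	}
	for (r+1)*(r+1) <= n {
		r++
	}
	return r
}

// TrialDivision tries odd divisors 3, 5, 7, ... up to sqrt(n); n must be odd.
// It returns the factor pair and how many candidates were tested.
func TrialDivision(n uint64) (p, q, tries uint64) {
	for d := uint64(3); d*d <= n; d += 2 {
		tries++
		if n%d == 0 {
			return d, n / d, tries
		}
	}
	return 1, n, tries // n is prime
}

// Fermat searches for a with a*a - n = b*b, so n = (a-b)(a+b); n must be odd.
// It is fast when the two factors are close together, as Jevons's are.
func Fermat(n uint64) (p, q, tries uint64) {
	a := isqrt(n)
	if a*a < n {
		a++
	}
	for {
		tries++
		b := isqrt(a*a - n)
		if b*b == a*a-n {
			return a - b, a + b, tries
		}
		a++
	}
}

// TrialDivisionBits is log2 of the odd candidates below sqrt(2^modulusBits):
// the work factor of the naive search grows exponentially with key length.
func TrialDivisionBits(modulusBits int) int { return modulusBits/2 - 1 }

func main() {
	p, q, t1 := TrialDivision(JevonsNumber)
	_, _, t2 := Fermat(JevonsNumber)
	fmt.Printf("%d = %d x %d\n", JevonsNumber, p, q)
	fmt.Printf("trial division: %d candidates, Fermat: %d candidates\n", t1, t2)
	fmt.Printf("2048-bit modulus, trial division: about 2^%d candidates\n", TrialDivisionBits(2048))
}
```

The gap between the two candidate counts shows that the work factor depends on the best applicable algorithm and on how the primes were chosen, not only on the length of the number.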
Classified discovery
In 1970, James H. Ellis, a British cryptographer at the UK Government Communications Headquarters
(GCHQ), conceived of the possibility of "non-secret encryption" (now called public key cryptography),
but could see no way to implement it.[22][23] In 1973, his colleague Clifford Cocks implemented what has
become known as the RSA encryption algorithm, giving a practical method of "non-secret encryption",
and in 1974 another GCHQ mathematician and cryptographer, Malcolm J. Williamson, developed what is
now known as Diffie–Hellman key exchange. The scheme was also passed to the US's National Security
Agency.[24] Both organisations had a military focus and only limited computing power was available in
any case; the potential of public key cryptography remained unrealised by either organization:
I judged it most important for military use ... if you can share your key rapidly and
electronically, you have a major advantage over your opponent. Only at the end of the
evolution from Berners-Lee designing an open internet architecture for CERN, its adaptation
and adoption for the Arpanet ... did public key cryptography realise its full potential.
—Ralph Benjamin[24]
These discoveries were not publicly acknowledged for 27 years, until the research was declassified by the
British government in 1997.[25]
Public discovery
In 1976, an asymmetric key cryptosystem was published by Whitfield Diffie and Martin Hellman who,
influenced by Ralph Merkle's work on public key distribution, disclosed a method of public key
agreement. This method of key exchange, which uses exponentiation in a finite field, came to be known as
Diffie–Hellman key exchange.[26] This was the first published practical method for establishing a shared
secret-key over an authenticated (but not confidential) communications channel without using a prior
shared secret. Merkle's "public key-agreement technique" became known as Merkle's Puzzles, and was
invented in 1974 and only published in 1978. This makes asymmetric encryption a rather new field in
cryptography although cryptography itself dates back more than 2,000 years.[27]
In 1977, a generalization of Cocks' scheme was independently invented by Ron Rivest, Adi Shamir and
Leonard Adleman, all then at MIT. The latter authors published their work in 1978 in Martin Gardner's
Scientific American column, and the algorithm came to be known as RSA, from their initials.[28] RSA
uses exponentiation modulo a product of two very large primes, to encrypt and decrypt, performing both
public key encryption and public key digital signatures. Its security is connected to the extreme difficulty
of factoring large integers, a problem for which there is no known efficient general technique (though
prime factorization may be obtained through brute-force attacks; this grows much more difficult the larger
the prime factors are). A description of the algorithm was published in the Mathematical Games column
in the August 1977 issue of Scientific American.[29]
Since the 1970s, a large number and variety of encryption, digital signature, key agreement, and other
techniques have been developed, including the Rabin cryptosystem, ElGamal encryption, DSA and ECC.
See also
▪ Books on cryptography
▪ GNU Privacy Guard
▪ Identity-based encryption (IBE)
▪ Key escrow
▪ Key-agreement protocol
▪ PGP word list
▪ Post-quantum cryptography
▪ Pretty Good Privacy
▪ Pseudonym
▪ Public key fingerprint
Notes
1. R. Shirey (August 2007). Internet Security Glossary, Version 2 (https://datatracker.ietf.org/
doc/html/rfc4949). Network Working Group. doi:10.17487/RFC4949 (https://doi.org/10.
17487%2FRFC4949). RFC 4949 (https://datatracker.ietf.org/doc/html/rfc4949).
Informational.
2. Bernstein, Daniel J.; Lange, Tanja (14 September 2017). "Post-quantum cryptography"
(http://www.nature.com/articles/nature23461). Nature. 549 (7671): 188–194.
Bibcode:2017Natur.549..188B (https://ui.adsabs.harvard.edu/abs/2017Natur.549..188B)
. doi:10.1038/nature23461 (https://doi.org/10.1038%2Fnature23461). ISSN 0028-0836
(https://www.worldcat.org/issn/0028-0836). PMID 28905891 (https://pubmed.ncbi.nlm.
nih.gov/28905891). S2CID 4446249 (https://api.semanticscholar.org/CorpusID:4446249)
.
3. Stallings, William (3 May 1990). Cryptography and Network Security: Principles and
Practice (https://books.google.com/books?id=Dam9zrViJjEC). Prentice Hall. p. 165.
ISBN 9780138690175.
4. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (October 1996). "8: Public-
key encryption". Handbook of Applied Cryptography (https://cacr.uwaterloo.ca/hac/about
/chap8.pdf) (PDF). CRC Press. pp. 283–319. ISBN 0-8493-8523-7. Retrieved 8 October
2022.
5. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (October 1996). "8: Public-
key encryption". Handbook of Applied Cryptography (https://cacr.uwaterloo.ca/hac/about
/chap11.pdf) (PDF). CRC Press. pp. 425–488. ISBN 0-8493-8523-7. Retrieved 8 October
2022.
6. Bernstein, Daniel J. (1 May 2008). "Protecting communications against forgery".
Algorithmic Number Theory (https://cr.yp.to/antiforgery/forgery-20080501.pdf) (PDF).
Vol. 44. MSRI Publications. §5: Public-key signatures, pp. 543-545. Retrieved 8 October
2022.
7. Alvarez, Rafael; Caballero-Gil, Cándido; Santonja, Juan; Zamora, Antonio (27 June 2017).
"Algorithms for Lightweight Key Exchange" (https://www.ncbi.nlm.nih.gov/pmc/articles
/PMC5551094). Sensors. 17 (7): 1517. doi:10.3390/s17071517 (https://doi.org/10.3390%
2Fs17071517). ISSN 1424-8220 (https://www.worldcat.org/issn/1424-8220).
PMC 5551094 (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5551094).
PMID 28654006 (https://pubmed.ncbi.nlm.nih.gov/28654006).
8. "Asymmetric encryption" (https://www.ionos.com/digitalguide/server/security/public-k
ey-encryption/). IONOS Digitalguide. Retrieved 2 June 2022.
9. Mihir, Bellare; Goldwasser, Shafi. "Chapter 10: Digital signatures" (https://cseweb.ucsd.
edu/~mihir/papers/gb.pdf#page=168) (PDF). Lecture Notes on Cryptography.
10. Escribano Pablos, José Ignacio; González Vasco, María Isabel (April 2023). "Secure post‐
quantum group key exchange: Implementing a solution based on Kyber" (https://ietres
earch.onlinelibrary.wiley.com/doi/10.1049/cmu2.12561). IET Communications. 17 (6):
758–773. doi:10.1049/cmu2.12561 (https://doi.org/10.1049%2Fcmu2.12561).
hdl:10016/37141 (https://hdl.handle.net/10016%2F37141). ISSN 1751-8628 (https://ww
w.worldcat.org/issn/1751-8628). S2CID 255650398 (https://api.semanticscholar.org/Cor
pusID:255650398).
11. Paar, Christof; Pelzl, Jan; Preneel, Bart (2010). Understanding Cryptography: A Textbook
for Students and Practitioners (http://www.crypto-textbook.com). Springer.
ISBN 978-3-642-04100-6.
12. Mavroeidis, Vasileios, and Kamer Vishi, "The Impact of Quantum Computing on
Present Cryptography" (https://arxiv.org/abs/1804.00200), International Journal of
Advanced Computer Science and Applications, 31 March 2018
13. Shamir, Adi (November 1982). "A polynomial time algorithm for breaking the basic
Merkle-Hellman cryptosystem" (https://ieeexplore.ieee.org/document/4568386). 23rd
Annual Symposium on Foundations of Computer Science (SFCS 1982): 145–152.
doi:10.1109/SFCS.1982.5 (https://doi.org/10.1109%2FSFCS.1982.5).
14. Tunggal, Abi (20 February 2020). "What Is a Man-in-the-Middle Attack and How Can It
Be Prevented - What is the difference between a man-in-the-middle attack and
sniffing?" (https://www.upguard.com/blog/man-in-the-middle-attack#mitm-sniffing).
UpGuard. Retrieved 26 June 2020.
15. Tunggal, Abi (20 February 2020). "What Is a Man-in-the-Middle Attack and How Can It
Be Prevented - Where do man-in-the-middle attacks happen?" (https://www.upguard.c
om/blog/man-in-the-middle-attack#where). UpGuard. Retrieved 26 June 2020.
16. martin (30 January 2013). "China, GitHub and the man-in-the-middle" (https://en.greatfi
re.org/blog/2013/jan/china-github-and-man-middle). GreatFire. Archived (https://web.a
rchive.org/web/20160819165216/https://en.greatfire.org/blog/2013/jan/china-github-a
nd-man-middle) from the original on 19 August 2016. Retrieved 27 June 2015.
17. percy (4 September 2014). "Authorities launch man-in-the-middle attack on Google" (ht
tps://en.greatfire.org/blog/2014/sep/authorities-launch-man-middle-attack-google).
GreatFire. Retrieved 26 June 2020.
18. Jevons, William Stanley, The Principles of Science: A Treatise on Logic and Scientific Method
(https://archive.org/stream/principlesofscie00jevorich#page/n166/mode/1up) p. 141,
Macmillan & Co., London, 1874, 2nd ed. 1877, 3rd ed. 1879. Reprinted with a foreword
by Ernst Nagel, Dover Publications, New York, NY, 1958.
19. This came to be known as "Jevons's number". The only nontrivial factor pair is 89681 ×
96079.
20. Principles of Science (https://archive.org/stream/principlesofscie00jevorich#page/n165/
mode/2up), Macmillan & Co., 1874, p. 141.
21. Golob, Solomon W. (1996). "On Factoring Jevons' Number" (https://semanticscholar.org
/paper/0b3e9a0c0e8bf84413f49d3a4585c207f58da70e). Cryptologia. 20 (3): 243.
doi:10.1080/0161-119691884933 (https://doi.org/10.1080%2F0161-119691884933).
S2CID 205488749 (https://api.semanticscholar.org/CorpusID:205488749).
22. Ellis, James H. (January 1970). "THE POSSIBILITY OF SECURE NON-SECRET DIGITAL
ENCRYPTION" (https://cryptocellar.org/cesg/possnse.pdf) (PDF).
23. Sawer, Patrick (11 March 2016). "The unsung genius who secured Britain's computer
defences and paved the way for safe online shopping" (https://www.newindianexpress.
com/world/2016/mar/12/The-Anonymous-Researcher-Who-Held-the-Key-to-Cyber-Sec
urity-910751.html). The Telegraph.
24. Espiner, Tom (26 October 2010). "GCHQ pioneers on birth of public key crypto" (https://
www.zdnet.com/article/gchq-pioneers-on-birth-of-public-key-crypto/). www.zdnet.com.
25. Singh, Simon (1999). The Code Book. Doubleday. pp. 279 (https://archive.org/details/cod
ebookevolutio00sing/page/279)–292.
External links
▪ Oral history interview with Martin Hellman (http://conservancy.umn.edu/handle/11299
/107353), Charles Babbage Institute, University of Minnesota. Leading cryptography
scholar Martin Hellman discusses the circumstances and fundamental insights of his
invention of public key cryptography with collaborators Whitfield Diffie and Ralph