4

This may sound weird: What if I don't let others know my public key, then use my private key to encrypt, and the public key to decrypt? Is this secure? Let me explain a little bit:

Common usuage: use private key to sign and disclose public key, then others can vefriy the data signature use public key

Weird usage: use private key to encrypt and don't disclose public key, in other end use public key to decrypt. notice here I will not disclose private key either so it's not swap In second scenario, if I can keep both keys secure(I mean don't disclose to otheres), does it secure?

Gerry
  • 113
  • 1
  • 6
  • 5
    from a mathematical point of view exponent $d$ and $e$ can be swapped, but if you use a common software library to generate your key, public exponent $e$ is usually chosen equal to 65537, so if you swap them you'll put your key under jeopardy. – ddddavidee Sep 08 '15 at 15:06
  • 1
    It works, but you still have to distribute a public key in order to let know to the others how to encrypt messages in a way that only you can decrypt... however, you should take a look at this question also... it seems to me that your question may be a duplicate – pa5h1nh0 Sep 08 '15 at 16:13
  • Hi pa5h1nh0, thanks for your link, that one is not a duplicate , I read that link before I post this one. "but you still have to distribute a public key in order to let know to the others how to encrypt messages in a way that only you can decrypt"---------No, I don't need to if I don't need others send encrypted message to me – Gerry Sep 08 '15 at 22:14

3 Answers3

10

No, you generally cannot swap the public and private keys.

Your public key consists of a public exponent and a modulus. The modulus should be known to the person doing the encryption. The public exponent - in general - is a relatively small prime such as 3 or 65537 (Fourth number of Fermat). So given the modulus all an attacker has to do is guess the public key. It's very easy to factor pretty small exponents (I've written software to generate public keys given a private key). The exponent of the private key on the other hand consists of a number that is about as large as the modulus. It cannot be easily factored; the security of RSA relies on this fact.

Currently the majority of software uses RSA with a small public exponent. It is however possible to create an RSA exponent that is the same size as the private exponent. In that case you would have something close to two private keys. Note however that the public key is generally not required to be private. So software may not protect the public key as much as the private key (with regards to e.g. side channel analysis). Sometimes the software may also use padding required for signature generation instead of those for encryption if you present it a public key - mainly due to some weird signature functions required for SSLv3 and TLS 1.0.

So even if your software would accept the public key - RSA is modular exponentiation after all - then by all practical means it not going to be secure.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
1

If you keep both keys secret and use a random public exponent, you can use the private key to encrypt and the "public key" to decrypt. However, that is not necessarily a very good idea.

With both keys secret you would be better off using symmetric encryption, like AES. It is faster, more space efficient and requires only one key. You would probably need to use symmetric encryption anyway, in hybrid encryption with RSA, so you are not losing any security or trusting any additional algorithms.

Alternatively, if you want to use an RSA keypair, just use the public key to encrypt and the private key to decrypt. That lets you use a small public exponent, which normal tools will generate, making encryption faster.

otus
  • 32,132
  • 5
  • 70
  • 165
  • I agree that one should just use symmetrci crypto here but I would prefer the default recommendation to be some AEAD cipher. :) – Elias Feb 13 '20 at 17:41
0

"Currently the majority of software uses RSA with a small public exponent"

If that is true, then the majority of the software is compromised. From https://www.tutorialspoint.com/cryptography/public_key_encryption.htm

"The strength of RSA encryption drastically goes down against attacks if the number p and q are not large primes and/ or chosen public key e is a small number."

nomail
  • 1
  • 1
    Don't worry, they are chosen as small as possible (and with low Hamming weight) for efficiency but big enough to avoid those attacks. – Elias Feb 13 '20 at 17:41
  • @Elias+ actually that tutorial is just wrong. If you use proper padding even e=3 is safe: https://crypto.stackexchange.com/questions/8454/what-security-authorities-and-standards-reject-e-3-in-rsa also https://crypto.stackexchange.com/questions/109/rsa-with-small-exponents And if you stupidly use 'textbook' RSA without padding on small plaintext, like they show, even fairly large e is NOT secure. – dave_thompson_085 Feb 14 '20 at 02:26