4

As I understand, we choose the public and private keys to be mutual inverses. However, it is possible that, in a group, there can be numbers which are their own inverses. E.g. Consider p = 7, q = 3. n = 21, phi(n) = 12. For the group G = {s | gcd(s,21) = 1} there are four numbers 1, 8, 13 and 20 which are their own inverses.

In such a case, it is possible to choose these numbers as both private and public keys. Isn't it?

Let me know if I have understood this correctly.

Gilles 'SO- stop being evil'
  • 19,134
  • 4
  • 50
  • 92
Girisha Shankar
  • 69
  • 5
  • 1
    You seem to be specifically discussing RSA, and not looking at how keys are generated. There are other public-key cryptosystems where the dissymmetry between private keys and public keys is more obvious because they're different mathematical objects. – Gilles 'SO- stop being evil' Jul 09 '19 at 11:48
  • Recommended reading (not 100% duplicates, but close): https://crypto.stackexchange.com/questions/43894/asymmetry-between-public-key-and-private-key-digital-signatures-use-the-private and https://crypto.stackexchange.com/questions/2541/do-public-private-pairs-work-both-ways – Gilles 'SO- stop being evil' Jul 09 '19 at 11:53
  • Note that, in the case of RSA, if the public exponent is small (specifically, smaller than the squareroot of one of the prime factors), then the private exponent will always be larger (except for the trivial case of $e=d=1$); for example, for 1024 bit RSA modulus (2 prime), if the public exponent is smaller than 256 bits, this will always be true. Hence, this is not something we need to worry about in practice. – poncho Jul 09 '19 at 12:16

1 Answers1

10

That's correct. In some cases, you could, if you really wanted, make a public key equal the private key. It would completely negate the benefit of using a public key cryptosystem, though, because access to the public key would imply access to the private key. It would turn it into a crappy symmetric scheme.

As noted in comments, most common RSA implementations set the public exponent to a fixed value, usually a Fermat prime like 3 or 65537. In that case, for an appropriately-sized modulus, there is no chance for the private exponent to equal the public exponent. The private exponent is always larger.

forest
  • 15,253
  • 2
  • 48
  • 103
  • Yes, I would think as much. Do the popular implementations take care of this duplication while generating the key pairs? – Girisha Shankar Jul 09 '19 at 08:00
  • 2
    @GirishaShankar They don't take it into account explicitly because it can't happen. The public key is always a small, fixed number (usually 65537, sometimes 3, hardly ever anything else) and the private key can't be that small. – Gilles 'SO- stop being evil' Jul 09 '19 at 11:49
  • @Gilles Are you sure the public key is a fixed number? So everyone has the same public key? What cryptosystem are you talking about? How does it distinguish between different private keys if the public key is always e.g. 65537? –  Jul 09 '19 at 18:46
  • 2
    @NicHartley More precisely, I'm talking about the public exponent (usually written $e$), which is part of the public key. The question uses “public key” in that sense, since it talks about the “public key” and “private key” being mutual inverses. There's a way to look at RSA which makes the two exponents the keys, but it requires defining the modulus $n$ as a parameter which must only ever be used once, which is a complicated way to look at it. A more practical way to describe RSA is that the public key is $(n,e)$ and the private key is $(n,d)$. $e$ is usually 65537 but $n$ is unique. – Gilles 'SO- stop being evil' Jul 09 '19 at 18:55
  • 1
    @Gilles That's true, but, if you really tried, you could make $e = d$. – forest Jul 12 '19 at 05:16
  • @forest You could, but then you'd be rolling your own RSA variant and you'd have to write your own software to generate the key. None of the “recognized” RSA variants allow $d=e$. – Gilles 'SO- stop being evil' Jul 12 '19 at 08:31
  • 1
    @Gilles You're right, but OP didn't ask about standard implementations of RSA, just whether or not it's possible in theory (which it is). – forest Jul 12 '19 at 08:47