In RSA, can any of the two keys be used for both encryption and decryption?

  • I know RSA has the concept of "public" and "private" key and one key is used for "encryption" and another for "decryption", but I am confused if both keys can be used for both purposes. I mean, what you encrypt with any of them, you can decrypt with the other.

  • There are many incorrect wordings/usages here.

    RSA is merely the one public-key cryptosystem that can support both encryption and signature naively in almost the same type of operation.

    Textbook RSA

    What confuses people is Textbook RSA, which is simply c = m^e mod n for encryption and m = c^d mod n for decryption, whereas sign = hash(m)^d mod n for signature and verify(m, sign) calculates hash(m) and checks that hash(m) == sign^e mod n.

    Both are insecure, as you can see that you can multiply the ciphertexts, or ... (this is a very long story; start by reading Twenty Years of Attacks on the RSA Cryptosystem from Dan Boneh for more attacks).

    RSA encryption

    RSA encryption requires padding to be secure. PKCS#5v1.5 and Optimal Asymmetric Encryption Padding (OAEP) are the paddings that must be used. The former had lots of attacks due to incorrect implementations. The latter is much easier to implement. They are both proved to be secure so the only problem is the implementations.

    RSA signatures

    RSA signature requires padding to be secure, too. This time the padding is a Probabilistic Signature Scheme and is designed for signatures.

    RSA sign != RSA decryption

    Don't use/say that RSA decryption is a signature. It is not. The signature algorithm consists of two algorithms: sign and verify. During the sign operation, PSS is part of it.

    For a detailed reading, see the Cornell University page: RSA Signing is Not RSA Decryption

    Don't use one RSA key for more than one purpose

    Don't use the same RSA public-private key for more than one purpose. Use either for enc/dec or sign/verify. If you need both, you need two different public/private key pairs where the modulus is distinct.

    Public key is not for encryption

    Public key cryptosystems are slow compared to private key cryptosystems. Therefore we prefer a hybrid cryptosystem where the public key is used for key exchange and the private key is used for encryption. Examples are:

    • RSA-KEM for Key Encapsulation Mechanism and AES-GCM for Data Encapsulation Mechanism
    • DHKE for key establishment and ChaCha20-Poly1305 for data encapsulation mechanism

    Where is RSA used today?

    In today's security, RSA is mostly used for the signature. Although RSA-KEM is promising for key encapsulation, there is no standard for that; we use Elliptic Curve Diffie-Hellman most of the time.
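
The textbook formulas quoted in the answer above, as an added example that is not part of the original posts. It uses a constructed toy key built from two Mersenne primes (an assumption for illustration, far too small for real use) and shows the properties that make unpadded RSA unsafe: deterministic ciphertexts, multipliable ciphertexts, and a "decrypt" operation that doubles as "sign" when one key serves both roles.

```python
import hashlib

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def encrypt(m: int) -> int:
    """Textbook encryption: c = m^e mod n, no padding."""
    return pow(m, E, N)

def decrypt(c: int) -> int:
    """Textbook decryption: m = c^d mod n."""
    return pow(c, D, N)

def digest(msg: bytes) -> int:
    """hash(m), reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    """Textbook signature: hash(m)^d mod n, no PSS."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Accept when hash(m) == sig^e mod n."""
    return pow(sig, E, N) == digest(msg)

def is_deterministic(m: int) -> bool:
    """Same plaintext always gives the same ciphertext, so guesses can be confirmed."""
    return encrypt(m) == encrypt(m)

def product_decrypts_to_product(m1: int, m2: int) -> bool:
    """Multiplying two ciphertexts yields a valid ciphertext of m1*m2 mod n."""
    return decrypt(encrypt(m1) * encrypt(m2) % N) == (m1 * m2) % N

def decrypt_output_verifies_as_signature(msg: bytes) -> bool:
    """With one key for both roles, 'decrypting' hash(m) is a signature on m."""
    return verify(msg, decrypt(digest(msg)))

if __name__ == "__main__":
    print("round trip:", decrypt(encrypt(1234)) == 1234)
    print("sign/verify:", verify(b"hello", sign(b"hello")))
    print("deterministic:", is_deterministic(1234))
    print("malleable:", product_decrypts_to_product(1234, 5678))
    print("decrypt doubles as sign:", decrypt_output_verifies_as_signature(b"hello"))
```

All five checks print True. Randomized padding (OAEP for encryption, PSS for signatures) and separate key pairs per purpose are what remove the last three properties.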
