Asymmetric cryptography, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. The keys are simply large numbers that have been paired together but are not identical (asymmetric). One key in the pair can be shared with everyone; it is called the public key. The other key in the pair is kept secret; it is called the private key. Either of the keys can be used to encrypt a message; the opposite key from the one used to encrypt the message is used for decryption.
Many protocols like SSH, OpenPGP, S/MIME, and SSL/TLS rely on asymmetric cryptography for encryption and digital signature functions. It is also used in software programs, such as browsers, which need to establish a secure connection over an insecure network like the Internet or need to validate a digital signature. Encryption strength is directly tied to key size and doubling the key length delivers an exponential increase in strength, although it does impair performance. As computing power increases and more efficient factoring algorithms are discovered, the ability to factor larger and larger numbers also increases.
For asymmetric encryption to deliver confidentiality, integrity, authenticity and non-repudiability, users and systems need to be certain that a public key is authentic, that it belongs to the person or entity claimed and that it has not been tampered with nor replaced by a malicious third party. There is no perfect solution to this public key authentication problem. A public key infrastructure (PKI) -- where trusted certificate authorities certify ownership of key pairs and certificates -- is the most common approach, but encryption products based on the Pretty Good Privacy (PGP) model -- including OpenPGP -- rely on a decentralized authentication model called a web of trust, which relies on individual endorsements of the link between user and public key.
How asymmetric encryption works
Asymmetric encryption algorithms use a mathematically-related key pair for encryption and decryption; one is the public key and the other is the private key. If the public key is used for encryption, the related private key is used for decryption and if the private key is used for encryption, the related public key is used for decryption.
Only the user or computer that generates the key pair has the private key. The public key can be distributed to anyone who wants to send encrypted data to the holder of the private key. It's impossible to determine the private key from the public one.
The two participants in the asymmetric encryption workflow are the sender and the receiver. First, the sender obtains the receiver's public key. Then the plaintext is encrypted with the asymmetric encryption algorithm using the recipient's public key, creating the ciphertext. The ciphertext is then sent to the receiver, who decrypts the ciphertext with his private key so he can access the sender's plaintext.
Because of the one-way nature of the encryption function, one sender is unable to read the messages of another sender, even though each has the public key of the receiver.
Examples of asymmetric cryptography
RSA (Rivest-Shamir-Adleman) -- the most widely used asymmetric algorithm -- is embedded in the SSL/TLS protocols, which are used to provide communications security over a computer network. RSA derives its security from the computational difficulty of factoring large integers that are the product of two large prime numbers.
Multiplying two large primes is easy, but the difficulty of determining the original numbers from the product -- factoring -- forms the basis of public key cryptography security. The time it takes to factor the product of two sufficiently large primes is considered to be beyond the capabilities of most attackers, excluding nation-state actors who may have access to sufficient computing power. RSA keys are typically 1024 or 2048 bits long, but experts believe that 1024-bit keys could be broken in the near future, which is why government and industry are moving to a minimum key length of 2048 bits.
Elliptic Curve Cryptography (ECC) is gaining favor with many security experts as an alternative to RSA for implementing public key cryptography. ECC is a public key encryption technique based on elliptic curve theory that can create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation.
To break ECC, one must compute an elliptic curve discrete logarithm, and it turns out that this is a significantly more difficult problem than factoring. As a result, ECC key sizes can be significantly smaller than those required by RSA yet deliver equivalent security with lower computing power and battery resource usage, making it more suitable for mobile applications than RSA.
Uses of asymmetric cryptography
The typical application for asymmetric cryptography is authenticating data through the use of digital signatures. Based on asymmetric cryptography, digital signatures can provide assurances of evidence to the origin, identity and status of an electronic document, transaction or message, as well as acknowledging informed consent by the signer.
To create a digital signature, signing software -- such as an email program -- creates a one-way hash of the electronic data to be signed. The user's private key is then used to encrypt the hash, returning a value that is unique to the hashed data. The encrypted hash, along with other information such as the hashing algorithm, forms the digital signature. Any change in the data, even to a single bit, results in a different hash value.
This attribute enables others to validate the integrity of the data by using the signer's public key to decrypt the hash. If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn't changed since it was signed. If the two hashes don't match, the data has either been tampered with in some way -- indicating a failure of integrity -- or the signature was created with a private key that doesn't correspond to the public key presented by the signer -- indicating a failure of authentication.
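The hash-then-sign and verify steps described above, together with the sender-to-receiver encryption workflow from the earlier section, as an added example that is not part of the original article. It uses textbook RSA with no padding and constructed toy primes; `SIGNER_PRIMES`, `OTHER_PRIMES` and all function names are assumptions made for illustration, and production systems use a vetted library with padded schemes instead.

```python
import hashlib

# Constructed toy keys built from well-known Mersenne primes so the example
# runs offline. Primes of this special form must never be used for real keys.
SIGNER_PRIMES = (2**127 - 1, 2**521 - 1)
OTHER_PRIMES = (2**107 - 1, 2**607 - 1)

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): textbook RSA public and private keys."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # e*d = 1 mod (p-1)(q-1)
    return (e, n), (d, n)

def digest_int(data):
    """SHA-256 of the data as an integer (always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private_key):
    d, n = private_key
    return pow(digest_int(data), d, n)  # private-key operation on the hash

def verify(data, signature, public_key):
    e, n = public_key
    recovered = pow(signature, e, n)    # public-key operation recovers the hash
    # A mismatch alone does not say whether the data or the key is wrong.
    return recovered == digest_int(data)

def encrypt(plaintext, public_key):
    e, n = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private_key):
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    pub, priv = make_keypair(*SIGNER_PRIMES)
    other_pub, _ = make_keypair(*OTHER_PRIMES)
    msg = b"wire 100 to account 42"      # constructed sample message
    sig = sign(msg, priv)
    print(verify(msg, sig, pub))                        # data unchanged
    print(verify(b"wire 900 to account 42", sig, pub))  # data altered
    print(verify(msg, sig, other_pub))                  # non-matching public key
    print(decrypt(encrypt(msg, pub), priv) == msg)      # encryption round trip
```
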
A digital signature also makes it difficult for the signing party to deny having signed something -- the property of non-repudiation. If a signing party denies a valid digital signature, their private key has either been compromised or they are being untruthful. In many countries, including the United States, digital signatures have the same legal weight as more traditional forms of signatures.
Asymmetric cryptography can be applied to systems in which many users may need to encrypt and decrypt messages, such as encrypted email, in which a public key can be used to encrypt a message, and a private key can be used to decrypt it.
The SSL/TLS cryptographic protocols for establishing encrypted links between websites and browsers also make use of asymmetric encryption.
Additionally, Bitcoin and other cryptocurrencies rely on asymmetric cryptography as users have public keys that everyone can see and private keys that are kept secret. Bitcoin uses a cryptographic algorithm to ensure that only the legitimate owners can spend the funds.
In the case of the Bitcoin ledger, each unspent transaction output (UTXO) is typically associated with a public key. So if user X, who has an UTXO associated with his public key, wants to send the money to user Y, user X uses his private key to sign a transaction that spends the UTXO and creates a new UTXO that's associated with user Y's public key.
Asymmetric vs. symmetric cryptography
The main difference between these two methods of encryption is that asymmetric encryption algorithms make use of two different but related keys -- one key to encrypt the data and another key to decrypt it -- while symmetric encryption uses the same key to perform both the encryption and decryption functions.
Another difference between asymmetric and symmetric encryption is the length of the keys. In symmetric cryptography, the length of the keys -- which are randomly selected -- is typically set at 128 bits or 256 bits, depending on the level of security that's needed.
However, in asymmetric encryption, there has to be a mathematical relationship between the public and private keys. Because hackers can potentially exploit this pattern to crack the encryption, asymmetric keys need to be much longer to offer the same level of security. The difference in the length of the keys is so pronounced that a 2048-bit asymmetric key and a 128-bit symmetric key provide just about an equivalent level of security.
Additionally, asymmetric encryption is slower than symmetric encryption, which has a faster execution speed.
History of asymmetric cryptography
Whitfield Diffie and Martin Hellman, researchers at Stanford University, first publicly proposed asymmetric encryption in their 1977 paper, "New Directions in Cryptography." The concept had been independently and covertly proposed by James Ellis several years earlier, while he was working for the Government Communications Headquarters (GCHQ), the British intelligence and security organization. The asymmetric algorithm as outlined in the Diffie-Hellman paper uses numbers raised to specific powers to produce decryption keys. Diffie and Hellman had initially teamed up in 1974 to work on solving the key distribution problem.
The RSA algorithm, which was based on the work of Diffie, was named after its three inventors -- Ronald Rivest, Adi Shamir and Leonard Adleman. They invented the RSA algorithm in 1977, and published it in Communications of the ACM in 1978.
Today, RSA is the standard asymmetric encryption algorithm and it's used in many areas, including TLS/SSL, SSH, digital signatures and PGP.
Benefits and disadvantages of asymmetric cryptography
The benefits of asymmetric cryptography include:
- the key distribution problem is eliminated because there's no need for exchanging keys.
- security is increased as the private keys don't ever have to be transmitted or revealed to anyone.
- the use of digital signatures is enabled so that a recipient can verify that a message comes from a particular sender.
- it allows for non-repudiation so the sender can't deny sending a message.
The disadvantages of asymmetric cryptography include:
- it's a slow process compared to symmetric cryptography, so it's not appropriate for decrypting bulk messages.
- if an individual loses his private key, he can't decrypt the messages he receives.
- since the public keys aren't authenticated, no one really knows if a public key belongs to the person specified. Consequently, users have to verify that their public keys belong to them.
- if a hacker identifies a person's private key, the attacker can read all of that individual's messages.