4

In a public key cryptosystem, there are often two keys (pub and pri) and two functions (Enc and Dec) such that:

Enc(pub, m) = c
Dec(pri, c) = m

Usually pub and pri are generated as a matching key pair and used together. However, given a ciphertext c, without knowing pri, is it possible to successfully decrypt it into the original plaintext m with a different private key pri' other than pri?

Edit. We do not consider equivalent keys, for example private keys differing by $\lambda(n)$ in RSA, because they give identical decryption results for all ciphertexts. In other words, they give identical mappings between plaintext and ciphertext. But still using RSA as an example, there are some other interesting numbers:

$$(p_0,q_0,e_0,d_0)=(17,41,7,23)$$
$$(p_1,q_1,e_1,d_1)=(29,23,5,185)$$
$$m=6$$
$$c_0 = m^{e_0} (\text{mod} \; n_0) = 439$$
$$c_1 = m^{e_1} (\text{mod} \; n_1) = 439$$

In this example, the person with key pair 1 can decrypt a message encrypted using key pair 0. How do we know if there are other messages that are encrypted into the same ciphertext using either key pair? How do we know, in general, how close two given key pairs are? Informally, "close" is defined by the number of messages encrypted into the same ciphertext using either key pair.

Cyker
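The closeness count defined in the question, computed by brute force for its two toy key pairs, as an added example that is not part of the original post. The function names are assumptions, and exhaustive search only works here because the moduli are tiny.

```python
# Added example. Key material is the toy data from the question;
# all function names are assumptions made for this illustration.
from math import gcd

KEY0 = {"p": 17, "q": 41, "e": 7, "d": 23}
KEY1 = {"p": 29, "q": 23, "e": 5, "d": 185}

def modulus(key):
    return key["p"] * key["q"]

def is_valid_pair(key):
    """d inverts e modulo lambda(n) = lcm(p-1, q-1)."""
    p1, q1 = key["p"] - 1, key["q"] - 1
    lam = p1 * q1 // gcd(p1, q1)
    return (key["e"] * key["d"]) % lam == 1

def encrypt(key, m):
    return pow(m, key["e"], modulus(key))

def decrypt(key, c):
    return pow(c, key["d"], modulus(key))

def shared_messages(k0, k1):
    """Messages valid under both moduli that encrypt to the same
    ciphertext under either public key (the question's 'closeness')."""
    limit = min(modulus(k0), modulus(k1))
    return [m for m in range(limit) if encrypt(k0, m) == encrypt(k1, m)]

def cross_decryptable(k0, k1):
    """Messages whose k0-ciphertext the holder of k1's private key
    decrypts correctly. Contains every shared message, and may contain
    more because a k0 ciphertext >= n1 is reduced mod n1 on decryption."""
    limit = min(modulus(k0), modulus(k1))
    return [m for m in range(limit) if decrypt(k1, encrypt(k0, m)) == m]

if __name__ == "__main__":
    assert is_valid_pair(KEY0) and is_valid_pair(KEY1)
    shared = shared_messages(KEY0, KEY1)
    cross = cross_decryptable(KEY0, KEY1)
    n_min = min(modulus(KEY0), modulus(KEY1))
    print(f"same ciphertext under both keys: {len(shared)} of {n_min}")
    print(f"key 1 decrypts key 0 ciphertext:  {len(cross)} of {n_min}")
    print("messages:", shared)
```

The messages 0 and 1 always appear in the list, since they encrypt to themselves under any RSA key.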

2 Answers

7

No, it's not possible. If it was possible it would have a devastating impact on asymmetric cryptography in general.

Most asymmetric cryptosystems rely on mathematical problems that cannot be solved in polynomial time (such as integer factorization, or discrete logarithm).

Let's look at RSA: you choose your $K_{pub} = (n,e)$ and $k_{priv} = (d)$ with $e \in \{1,2,\dotsc , \Phi(n) - 1\}$ to fulfill the following equations:

$$\Phi(n) = (p - 1) \cdot (q - 1)$$ $$\operatorname{gcd}(e, \Phi(n)) = 1$$ $$d \cdot e \equiv 1 \bmod \Phi(n)$$

Every element in a group can have at most one inverse element; you cannot find a $d'$ for which:

$$d' \cdot e \not\equiv 1 \bmod \Phi(n)$$

So instead of:

$$d_{k_{priv}}(y) = d_{k_{priv}}(e_{k_{pub}}(x)) = (x^e)^d \equiv x^{de} \equiv x \bmod n$$

you will compute:

$$d_{k'_{priv}}(y) = d_{k'_{priv}}(e_{k_{pub}}(x)) = (x^e)^{d'} = x^{d'e} \equiv m' \not\equiv m \bmod n$$

So you will be able to compute the decryption with a different $d'$, but your result $m'$ will have nothing in common with the original $m$.

Jerre
1

Theoretically, decrypting a text with a different secret key (also known as symmetric cryptography) should be impossible. This is why you use the secret key to encrypt using an algorithm and afterwards you use the same secret key to decrypt the text by applying the reverse algorithm.

If you talk about the public key system, also known as asymmetric cryptography, it is impossible too because when you encrypt a text using the public key, you can only decrypt the text using its public key pair. The same occurs if you encrypt a text using the public key, the only key that can decrypt that text is the related private key.

A detail about your question: the secret key is a part of the symmetric cryptography or private cryptography. Normally, the exact key names in public cryptography are 'public key' and 'private key'. However, sometimes the 'private key' is called 'secret key' too.

CGG