Public key decryption mathematical analogy

Question

To clarify, I'm talking about digital-signatures, not public key encryption.

When I encrypt something with a private key, then it should be decryptable with a public key, as I've understood how asymetric cryptography works.

So, if 654 * 987 * 123 = 79.396.254, there are countless sums that could lead to that 79 million answer, that explains private key encryption to me, and can be applied to superficially explain how digital signing works.

But how do you verify with a public key, that it was signed with their private key?

I'm looking for the simplest mathematical way to explain this, perhaps using a similar mathematical analogy.

I'm not looking for a super in-depth explanation, but a superficial analogy for it.

Answer 1

Ok, here's a toy example (which really doesn't work) of a simple signature scheme, which you can use as an analogy of a real system:

Suppose the signer Alice picks three integers $b, c, p$, and computes $a = b \times c \bmod p$. She then publishes $a, b, p$ as her public key, and keeps $c, p$ as her private key.

Then, when Alice wants to sign a message $M$, she computes $S = c \times M \bmod p$, and publishes $S$ as the signature.

So, when verifier Bob gets the message $M$, the signature $S$, and Alice's public key, he verifies whether $a \times M \bmod p$ and $b \times S \bmod p$ are the same; if the signature is valid, then $a \times M \bmod p = (b \times c) \times M \bmod p = b \times (c \times M) \bmod p= b \times S \bmod p\ $, and so equality would hold.

The points I am hoping to make in this analogy:

• The signature is not necessarily an 'encoding' of the message

• Instead, the signature and the message satisfy some relationship (in concert with the public key)

• It's not obvious how to create a signature for a given message with only the public key (actually, my example falls down a bit here)

• The private key contains the 'secret sauce' that makes generating such signatures easy

Now, this doesn't work as an actual signature scheme, even with large numbers, because we know how to compute $a \times b^{-1} \bmod p$, which is $c$, however the method isn't immediately obvious to someone new to the field.

Answer 2

To decode from a public-key encoded message, you need the secret private key. Anyone else cannot do it. For the mathematical details how this is possible, you need to analyse the respective asymmetric cryptographic algorithms.

There are several different asymmetrical encryption algorithms, including RSA and ElGamal, see the Wikipedia links for an explanation of the algorithms behind them.

P.S. I don't think that an analogy can explain this well; just do examples with small numbers by hand to get a feeling of the algorithm and think why it is hard with large numbers.

Answer 3

An analogy might not be that helpful but an example for example with RSA signatures.

RSA Signatures work like this:

s = m^d mod N

where s is the signature, m the message and d the private key. (See example below.

Verification works like this:

m' = s^e mod N

where s is still the signature and e is the publicly known and trusted public key. If m' = m holds true the signature is valid.

The one who wants to verify the signature needs both the signature and the message (hence m and s). This the nature of the public key is to be publicly available, ideally from a trusted party, one has all three values to verify the signature. The private key should only known by the person who created the signature and therefor he/she is the only person who can create the signature to the given message (assumed the cryptographical primitives are considered secure).

This is a complete example on how this works (with small numbers to understand is, it if obviously not secure in these dimensions) I assume you have know how RSA works, if not search for RSA explained and pick any match.

Party A                                                    Party B
p = 11, q = 3, N = 33
Phi(N) = (11-1)*(3-1) = 20
Choose e = 7
Calculate d = e^-1 = 7^-1 = 3 mod 20

                                       (N=33, e=7)
                                      ------------>        Setup completed
Choose message m = 8
s = m^d = 8^3 = 17

                                       (m=8, s=17)
                                      ------------>
                        (Note here that s can only be calculated by A
                       since only A knows d and the RSA problem is hard)

                                                           m' = s^e = 17^7 = 8 mod 33
                                                           m = m' => Signature is valid

                                                           B knows that m has been send by A
                                                           and only by A (as does everyone
                                                           else who has knowledge about
                                                           m, s, e and N

The crucial part is that every public key e has only one matching d (modulus Phi(N)) for a correct set of RSA Parameter and for sufficient strong bit lengths an attacker would have to guess/calculate the secret d which ought to be sufficient hard that such a guess/calculation is only successfully with a negligible probability.