16

I have just learned about using PGP/GPG for email encryption and one thing bugs me:

How is it possible that a message encrypted with somebody's public key can be decrypted only with that person's private key?

This concept of asymmetric encryption is not easy for me to understand. Simply said, I would expect that the process to encrypt with the public key should be unique and therefore be able to be reverted with the same key.

What's the key operation that ensures this is not possible?

Patriot
king_julien

5 Answers

10

The basic explanation is that you need both keys to make a complete encryption/decryption cycle.

Basically the encryption works with modulo arithmetic so that

$$c=m^a \mod n$$

and

$$m=c^b \mod n$$

where $a$ and $b$ are the public and private key of the algorithm. $m$ is the plain text message and $c$ is the ciphertext.

The most important thing about the formulas is

$$m=(m^a)^b \mod n = (m^b)^a \mod n$$

For this to work $a$, $b$ and $n$ must follow certain restrictions.

This is the basic idea behind RSA and other asymmetric encryption systems; you can make the operations more complex or different, but the basic idea is that two different keys are used to complete the encryption/decryption cycle.

Uwe Plonus
10

Since your problem seems to be with the principle of public key crypto rather than with the math itself, here is an analogy with a physical object that may help.

Take a key lock padlock as below:

[image: standard key-lock padlock]

To close the padlock, you don't need the key, just the padlock itself. To open you use the key.

Now, if Bob has a copy of Alice's padlock, he can send her a message secretly by putting it in a box and applying the padlock. Alice recovers the message by using the key.

To convert this analogy to public key crypto, just consider that the public key of the system is (a copy of) the open padlock and that the private key is the padlock's key.

This analogy is, of course, not perfect but it may help you to go beyond the apparent paradox of public-key crypto.

minar
4

Magic!

[image from the Wikipedia PGP article]

Have a look at the wikipedia image from the PGP article. The magic behind how the whole thing works is through the RSA algorithm.

Let's say Alice wants to send an encrypted message to Bob. Bob generates a public and private key pair. How the key generation process works is through a whole bunch of mathematics.

Essentially, this is how RSA works.

  1. Choose two large and distinct primes, $p$ and $q$.
  2. Compute $n = pq$
  3. Choose the public exponent, $e$. This is $65537$ by tradition.
  4. Compute $\varphi(n) = \varphi(p)\varphi(q) = (p - 1)(q - 1)$, where $\varphi$ is Euler's totient function.
  5. Compute $d$ such that $d$ is the multiplicative inverse of $e$ (modulo $\varphi(n)$).

The public key consists of $n$ and $e$ while the private key consists of $n$ and $d$. It is very difficult to derive the private key from the public key because prime factorization is a difficult problem.

The actual encryption of the data is done using a symmetric cipher and a completely random key. Alice then encrypts the random key with the RSA public key belonging to Bob and the encrypted key as well as the encrypted data is sent to Bob.

Bob decrypts the encrypted key using his private key and then decrypts the encrypted message with the decrypted key.

How Alice can be confident that she is using the public key belonging to Bob is a completely different problem involving complicated stuff like a web of trust.

Ayrx
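The five key-generation steps listed in the answer above, carried out in code with deliberately tiny primes so every intermediate value can be checked by hand. This is an added example, not code from the original answer; the primes, the small public exponent `e = 17` (65537 is larger than a toy $\varphi(n)$) and the message value are constructed for illustration only. Besides the round trip it also shows the point of the original question: applying the public exponent a second time does not undo the encryption, while applying the two exponents in either order does return the message.

```python
# Added example (not from the original thread): RSA key generation per the
# five steps above, with constructed toy primes. Real keys use primes of
# 1024+ bits; these values are only for following the arithmetic.
from math import gcd


def generate_keypair(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) following steps 1-5 of the answer."""
    if p == q:
        raise ValueError("p and q must be distinct primes")      # step 1
    n = p * q                                                     # step 2
    phi = (p - 1) * (q - 1)                                       # step 4: phi(n) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n) for d to exist")  # step 3 precondition
    d = pow(e, -1, phi)                                           # step 5: d = e^-1 mod phi(n) (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key: tuple[int, int], x: int) -> int:
    """Textbook RSA: x^exp mod n. Public key encrypts, private key decrypts."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(x, exp, n)


def demo() -> dict:
    # Toy choice: e = 17 instead of 65537, because phi(n) here is only 3120.
    public, private = generate_keypair(p=61, q=53, e=17)
    m = 65                                     # constructed small "message"
    c = rsa_apply(public, m)                   # c = m^e mod n
    recovered = rsa_apply(private, c)          # m = c^d mod n
    # Re-applying the PUBLIC exponent to the ciphertext does not give m back.
    with_public_again = rsa_apply(public, c)
    # Exponent order does not matter: (m^d)^e == (m^e)^d == m.
    swapped_order = rsa_apply(public, rsa_apply(private, m))
    return {
        "n": public[0], "e": public[1], "d": private[1], "c": c,
        "recovered": recovered,
        "with_public_again": with_public_again,
        "swapped_order": swapped_order,
    }


if __name__ == "__main__":
    print(demo())
```

With these values $n = 3233$, $\varphi(n) = 3120$ and $d = 2753$; the ciphertext of $65$ is $2790$, which the private exponent maps back to $65$. In practice the symmetric data key described in the answer is what gets RSA-encrypted, and it is padded (OAEP) before exponentiation rather than used raw as here.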
1

I guess the canonical example of public key crypto is RSA.

RSA is the consequence of a piece of number theory called Euler's Theorem, which says:

$a^{\varphi(n)} \equiv 1 \mod n$

where $\varphi(n)$ is Euler's totient function. You can check the Wikipedia article for more information on it, but the important piece regarding RSA is that if $n = pq$, then $\varphi(n) = (p-1)(q-1)$.

The RSA cryptosystem consists of 3 values:

  1. Public exponent $e$
  2. Private exponent $d$
  3. Public modulus $n = pq$ where $p$ and $q$ are primes

To encrypt with RSA, we compute:

$C = M^e \mod n$

To decrypt we compute:

$M = C^d \mod n$

That is, $M = C^d = (M^e)^d \mod n$

To see why this works, we need to look at the relationship between $e$, $d$, and $n$

We choose $e$ and $d$ such that:

$ed \equiv 1 \mod \varphi(n)$

$e$ and $d$ are multiplicative inverses $\mod \varphi(n)$.

That is, $ed$ is some multiple of $\varphi(n)$, plus $1$.

All we're really doing is taking advantage of Euler's theorem:

if

$a^{\varphi(n)} \equiv 1 \mod n$

then

$a^{k\varphi(n)} \equiv 1 \mod n$

$a^{k\varphi(n)+1} \equiv a \mod n$

$ed = k\varphi(n) + 1 \mod \varphi(n)$

$ed \equiv 1 \mod \varphi(n)$

Given $M^e \mod n$ it is difficult to compute $M$. This is known as the RSA problem and there is no known efficient solution.

Given $n$ and $e$, it is difficult to compute $d$. This is because to compute $d$, we need to know $\varphi(n)$. We cannot compute $\varphi(n)$ without knowing the factors of $n$.

The most efficient solution to these problems is integer factorization. This is where RSA gets its security.

user13741
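The argument in the answer above, checked numerically on a toy modulus. This is an added example and not part of the original answer; the primes $p = 11$, $q = 13$ and exponent $e = 7$ are constructed values. It verifies Euler's theorem for every $a$ coprime to $n$, extracts the $k$ with $ed = k\varphi(n) + 1$, and shows that knowing one factor of $n$ is exactly what is needed to compute $d$. It also goes one step beyond the answer: Euler's theorem does not hold for messages sharing a factor with $n$ (there $a^{\varphi(n)} \not\equiv 1$), yet RSA decryption still works for those messages, because $ed \equiv 1$ modulo both $p - 1$ and $q - 1$ and the Chinese remainder theorem carries the result back to $n$.

```python
# Added example (not from the original answer): Euler's theorem, the
# relation e*d = k*phi(n) + 1, and "the factors give you d", on a toy modulus.
from math import gcd

P, Q = 11, 13              # constructed toy primes
N = P * Q                  # 143
PHI = (P - 1) * (Q - 1)    # phi(n) = 120
E = 7
D = pow(E, -1, PHI)        # 103, since 7 * 103 = 721 = 6 * 120 + 1


def euler_holds(a: int, n: int = N, phi: int = PHI) -> bool:
    """a^phi(n) == 1 (mod n). Euler's theorem promises this only when gcd(a, n) == 1."""
    return pow(a, phi, n) == 1


def k_from_ed(e: int = E, d: int = D, phi: int = PHI) -> int:
    """Return the k with e*d = k*phi(n) + 1, i.e. the multiple of phi(n) hidden in e*d."""
    if (e * d) % phi != 1:
        raise ValueError("e and d are not inverses modulo phi(n)")
    return (e * d - 1) // phi


def decrypts_correctly(m: int, e: int = E, d: int = D, n: int = N) -> bool:
    """(m^e)^d == m (mod n)?  Checked for one message m in [0, n)."""
    return pow(pow(m, e, n), d, n) == m


def recover_d_from_factor(n: int, e: int, p: int) -> int:
    """Given one factor p of n, phi(n) and therefore d follow immediately.
    This is why 'hard to compute d' reduces to 'hard to factor n'."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


def survey() -> dict:
    coprime = [m for m in range(1, N) if gcd(m, N) == 1]
    not_coprime = [m for m in range(1, N) if gcd(m, N) != 1]   # multiples of 11 or 13
    return {
        "k": k_from_ed(),
        "euler_all_coprime": all(euler_holds(m) for m in coprime),
        "euler_any_non_coprime": any(euler_holds(m) for m in not_coprime),
        "rsa_all_messages": all(decrypts_correctly(m) for m in range(N)),
        "d_from_factor": recover_d_from_factor(N, E, P),
    }


if __name__ == "__main__":
    print(survey())
```

The survey returns `k == 6`, Euler's theorem true for all 120 coprime residues and for none of the 22 non-coprime ones, RSA round-tripping all 143 messages anyway, and `d_from_factor == 103`, the same $d$ the key owner computed.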
0

Understand that RSA, simply, is a substitution algorithm. Instead of an alphabet of 26 letters, it becomes an alphabet of $N$ letters. The nature of the public exponent $e$ creates a bijective mapping of $M$ to $C$, while the private exponent $d$ creates an inverse bijective mapping of $C$ to $M$, due to the $e$, $d$ pair creating an RSA Identity for each $N$.

If a random $d$ is not the modular multiplicative inverse of $e$, it will not create an RSA Identity. Further, it may, or may not, create a bijective mapping, but will not create the inverse bijective mapping needed to decrypt the message.

Note, there are multiple private exponents $d'$ that pair with $e$ which also create an RSA Identity, and will therefore decrypt the message, though these are equally as hard to find as $d$.

Carl Knox
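The "substitution over $N$ letters" view above, made concrete on a toy modulus where the whole table can be written out. This is an added example, not code from the original answer; $p = 3$, $q = 11$ (so $N = 33$) and $e = 3$ are constructed values. It tabulates $x \mapsto x^e \bmod N$, checks that it is a bijection, checks that $d$ inverts it while an arbitrary exponent does not, and lists every exponent below 40 that also inverts $e$. That last part goes slightly beyond the answer: besides $d + \varphi(N)$, any $d' \equiv d \pmod{\lambda(N)}$ works, where $\lambda(N) = \mathrm{lcm}(p-1, q-1)$ is the Carmichael function, which is why the list contains more than one extra exponent.

```python
# Added example (not from the original answer): RSA as a permutation of the
# N-letter "alphabet" Z_N, and which exponents invert that permutation.
from math import gcd

P, Q = 3, 11                   # constructed toy primes
N = P * Q                      # 33 letters in the alphabet
PHI = (P - 1) * (Q - 1)        # phi(N) = 20
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N) = lcm(2, 10) = 10
E = 3
D = pow(E, -1, PHI)            # 7, since 3 * 7 = 21 = 1 (mod 20)


def mapping(exp: int, n: int = N) -> list[int]:
    """The substitution table x -> x^exp mod n, one entry per letter."""
    return [pow(x, exp, n) for x in range(n)]


def is_bijection(table: list[int]) -> bool:
    """A substitution is usable for encryption only if every letter appears exactly once."""
    return sorted(table) == list(range(len(table)))


def inverts(exp_a: int, exp_b: int, n: int = N) -> bool:
    """True if applying exp_b after exp_a returns every letter to itself."""
    return all(pow(pow(x, exp_a, n), exp_b, n) == x for x in range(n))


def working_private_exponents(e: int = E, n: int = N, limit: int = 40) -> list[int]:
    """Every exponent below `limit` that undoes e. These are exactly the d' = d + k*lambda(n)."""
    return [d for d in range(1, limit) if inverts(e, d, n)]


if __name__ == "__main__":
    print("e-table bijective:", is_bijection(mapping(E)))
    print("d inverts e:", inverts(E, D))
    print("exponents that decrypt:", working_private_exponents())
```

With these values `mapping(3)` is a bijection because $\gcd(3, \lambda(33)) = 1$, whereas `mapping(2)` is not (2 shares a factor with $\lambda(33) = 10$, so several letters collide). The exponents that decrypt are $7, 17, 27, 37$: $d$, $d + \lambda(N)$, $d + \varphi(N)$ and so on, all congruent to $7$ modulo $10$.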