公钥可以具有与私钥不同的长度（加密）吗？ [英] Can a public key have a different length (encryption) than the private key?

问题描述

我有一个1024位的私钥，并使用它来生成一个公钥。
这是否自动意味着我的公钥也有1024加密？或者它可以是较小的加密大小？ （512，256 ...）

PS：我最感兴趣的是RSA的模数（n）的大小键。大小通常为1024或2048位。但我很高兴看到这引发了讨论，这一切都让我对密码学感兴趣。

解决方案

不。

但是，对于某些公钥加密实现，例如 OpenPGP ，将使用分配给不同任务的子项创建键。这些子项可以是彼此不同的大小，也可以是用于创建它们的主密钥。在这些情况下，公钥数据将指示主密钥的密钥大小以及将与相应私钥数据匹配的子密钥。

许多其他公共关键实施不使用子密钥（例如 TLS ），因此您只能看到单个密钥大小。

您将看到的密钥大小的唯一变化是当非对称加密与对称加密结合使用时，加密。对称加密（会话密钥）将更小，但它使用完全不同的算法（例如AES，TWOFISH等），并且不是公钥的一部分（除了在OpenPGP中，其中对称密码偏好可以被保存，因为它不利用现场连接建立对称加密的通信和交换会话密钥数据）。

编辑：公共和私人密钥数据之间的关系的更多细节证明大卫错了）

指向RSA是非常好和好，但它取决于密钥交换协议，我们去 Diffie-Hellman密钥交换和原始专利，现已过期。这两种方法都有密钥交换方法以及公钥和私钥之间的关系的例子和解释。

实现这种关系的算法，包括 RSA 和 El-Gamal ，都会同时创建公钥和私钥。具体地，通过创建私钥然后生成公钥。公钥继承了构成它的私钥的所有特征。通过以某种方式生成独立于私钥的公钥的 only 方式来获得两个组件之间的不匹配的详细信息。当然，问题在于它们不再是密钥对。

RSA和El-Gamal的密钥生成描述解释了公钥和私钥，并且具体地，公钥的所有组件是私钥的一部分，但是私钥包含解密数据和/或签名数据所需的附加数据。在El-Gamal中，公共分量是G，q，g和h，而私有分量是G，q，g，h和x。

现在，缺少提及算法中的密钥对的位大小，是的，这是真的，但是它们的每个实际实现在生成私钥时将所选择的密钥大小合并为常数之一。下面是在GnuPG中生成密钥的相关代码（在选择所有选项之后，包括选择密钥大小和指定密码）：

  static int 
 do_create（int algo，unsigned int nbits，KBNODE pub_root，KBNODE sec_root，
 DEK * dek，STRING2KEY * s2k，PKT_secret_key ** sk，u32 timestamp，
 u32 expiredate， int is_subkey）
 {
 int rc = 0; 
 
 if（！opt.batch）
 tty_printf（_（
我们需要生成很多随机字节，这是一个好主意，执行\\\

一些其他动作（在键盘上键入，移动鼠标，利用\\\

磁盘）;这给出随机数\\\

更好的机会获得足够的熵。 
 
 if（algo == PUBKEY_ALGO_ELGAMAL_E）
 rc = gen_elg（algo，nbits，pub_root，sec_root，dek，s2k，sk，timestamp，
 expiredate，is_subkey）; 
 else if（algo == PUBKEY_ALGO_DSA）
 rc = gen_dsa（nbits，pub_root，sec_root，dek，s2k，sk，timestamp，
 expiredate，is_subkey）; 
 else if（algo == PUBKEY_ALGO_RSA）
 rc = gen_rsa（algo，nbits，pub_root，sec_root，dek，s2k，sk，timestamp，
 expiredate，is_subkey）; 
 else 
 BUG（）; 
 
 return rc; 
} 
  

三种算法之间的微小差异与所引用项目的值在发布的算法中，但在每种情况下，nbits是一个常数。

您会发现与生成密钥的代码中的键大小相同的一致性在OpenSSL，OpenSSH和任何其他使用公共密钥加密系统。在每个实现中，为了具有匹配的公钥和私钥对，必须从私钥导出公钥。由于私钥是以密钥大小作为常量生成的，所以密钥大小必须由公钥继承。如果公共密钥不包含与私钥的所有正确的共享信息，则根据定义，它将不与该密钥匹配，因此加密/解密过程和签名/验证过程将失败。

I have a 1024 bits private key, and use it to generate a public key. Does that automatically mean that my public key also has 1024 encryption? Or can it be of a lesser encryption size? (512, 256...)

PS: What i'm mostly interested in, and talking about, is the size of the modulus ("n") in RSA keys. The size is typically 1024 or 2048 bits. But I'm glad to see that this sparked a discussion, and all this is feeding my interest in cryptography.

解决方案

No. The public key in a key pair always matches the private key size, in fact it is derived from the private key.

However, with some public key cryptographic implementations, such as OpenPGP, keys are created with subkeys assigned to different tasks. Those subkeys can be different sizes to each other and the master key used to create them. In those cases the public key data will indicate the key sizes for the master key and the subkey(s) which will match the corresponding private key data.

Whereas many other public key implementations do not utilise subkeys (e.g. TLS) so you will only ever see the single key size. Again that key size will be indicated in both the public and private key data.

The only variation in key sizes you will see is when asymmetric encryption is used in conjunction with symmetric encryption. The symmetric encryption (session key) will be smaller, but it uses entirely different algorithms (e.g. AES, TWOFISH, etc.) and is not part of the public key (except in OpenPGP, where symmetric cipher preferences can be saved because it does not utilise a live connection to establish the symmetrically encrypted communication and exchange session key data).

EDIT: More detail on the relationship between the public and private key data (also known as proving David wrong)

Pointing to RSA is all very well and good, but it depends on the key exchange protocol and for that we go to Diffie-Hellman key exchange and the original patent, which is now expired. Both of these have examples and explanations of the key exchange methods and the relationship between the public and private keys.

Algorithms implementing this relationship, including RSA and El-Gamal, all create both the public and private keys simultaneously. Specifically by creating a private key which then generates the public key. The public key inherits all the features of the private key which made it. The only way to get mis-matched details between the two components would be by somehow generating a public key independently of the private key. The problem there, of course, is that they would no longer be a key pair.

The key generation descriptions for both RSA and El-Gamal explain the common data between the public and private keys and specifically that all the components of the public key are a part of the private key, but the private key contains additional data necessary to decrypt data and/or sign data. In El-Gamal the public components are G, q, g and h while the private components are G, q, g, h and x.

Now, on to the lack of mention of the bit size of the key pairs in the algorithms, yes, that's true, but every practical implementation of them incorporates the selected key size as one of the constants when generating the private key. Here's the relevant code (after all the options are selected, including selecting the key size and specifying the passphrase) for generating keys in GnuPG:

static int
do_create( int algo, unsigned int nbits, KBNODE pub_root, KBNODE sec_root,
           DEK *dek, STRING2KEY *s2k, PKT_secret_key **sk, u32 timestamp,
       u32 expiredate, int is_subkey )
{
  int rc=0;

  if( !opt.batch )
    tty_printf(_(
"We need to generate a lot of random bytes. It is a good idea to perform\n"
"some other action (type on the keyboard, move the mouse, utilize the\n"
"disks) during the prime generation; this gives the random number\n"
"generator a better chance to gain enough entropy.\n") );

  if( algo == PUBKEY_ALGO_ELGAMAL_E )
    rc = gen_elg(algo, nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else if( algo == PUBKEY_ALGO_DSA )
    rc = gen_dsa(nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else if( algo == PUBKEY_ALGO_RSA )
    rc = gen_rsa(algo, nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else
    BUG();

  return rc;
}

The slight differences between the three algorithms relate to the values for the items referred to in the published algorithms, yet in each case the "nbits" is a constant.

You'll find the same consistency relating to the key size in the code for generating keys in OpenSSL, OpenSSH and any other system utilising public key cryptography. In every implementation in order to have a matched public and private key pair the public key must be derived from the private key. Since the private key is generated with the key size as a constant, that key size must be inherited by the public key. If the public key does not contain all the correct shared information with the private key then it will be, by definition, not matched to that key and thus the encryption/decryption processes and the signing/verifying processes will fail.

这篇关于公钥可以具有与私钥不同的长度（加密）吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！