Asymmetric or public-key cryptography differs from conventional cryptography in that key material is bound to a single user. The key material is divided into two components:

- a private key, to which only the user has access, and
- a public key, which may be published or distributed on request.

Each key generates a function used to transform text. The private key
generates a private transformation function, and the public key generates
a public transformation function. The functions are inversely related,
i.e., if one function is used to encrypt a message, the other is used to
decrypt the message. The order in which the transformation functions
are invoked is irrelevant. Note that since the key material is used to
generate the transformation functions, the terms *private key* and
*public key* not only reference the key values, but also the
transformation functions. For example, the phrase, *``the message is
encrypted using the message recipient's public key''*, means the recipient's
public key transformation function is invoked using the recipient's public
key value and the message as inputs, and a ciphertext representation of the
message is generated as output.

The advantage of a public-key system is that two users can communicate securely without exchanging secret keys. For example, assume an originator needs to send a message to a recipient, and secrecy is required for the message. The originator encrypts the message using the recipient's public key. Only the recipient's private key can be used to decrypt the message. This is due to the computational infeasibility of inverting the public key transformation function. In other words, without the recipient's private key, it is computationally infeasible for the interceptor to transform the ciphertext into its original plaintext. Note that with a public-key system, while the secrecy of the public-key is not important (in fact, it is intended to be ``public''), the integrity of the public-key and the ability to bind a public-key to its owner is crucial to its proper functioning.

One disadvantage of a public-key system is that it is inefficient compared to its conventional counterpart. The mathematical computations used to encrypt data require more time, and depending on the algorithm, the ciphertext may be much larger than the plaintext. Thus, the current use of public-key cryptography to encrypt large messages is impractical.

A second disadvantage of a public-key system is that an encrypted message can only be sent to a single recipient. Since a recipient's public key must be used to encrypt the message, sending to a list of recipient's is not feasible using a public-key approach.

Although public-key cryptography, by itself, is inefficient for providing message secrecy, it is well suited for providing authentication, integrity, and non-repudiation services. All these services are realized by the digital signature.

Fri Oct 7 16:17:21 EDT 1994