Cryptography Asked on November 28, 2021
Is there an algorithmic, mathematical, technical or implementation "hack" to recover the private key or is it definitively encrypted without any particular mathematical property, like any message M?
Although there is an answer here saying "no" for usual definitions, I want to strongly warn that there is no rigorous basis for that. Specifically, it is true that there is no known way of recovering a private key from an encryption of it with its associated public key. However, there is also no proof whatsoever that it isn't possible. Security of this kind is called "circular security" and there has been researching understanding it. In general, it is possible to achieve this in the random oracle model (quite easily - since the random oracle breaks the mathematical connection between the keys). Specifically, the encryption ${sf enc}'_{pk}(m) = ({sf enc}_{pk}(r), H(r) oplus m)$ is circular secure when $H$ is modelled as a random oracle (meaning that it's secure when taking $m=sk$ or the like), as shown by Camenisch-Lysyanskaya in their EUROCRYPT 2001 paper titled An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. However, in general, there are no reductions from the security of the encryption scheme in general to the case of encrypting the private key, and one should be careful.
Answered by Yehuda Lindell on November 28, 2021
With RSA or ECC, if I encrypt my private key with my public key, is there a way to recover my private key?
No, at least for usual or safe definitions of encrypt: anything involving hybrid encryption (ECIES…) or random padding (RSAES-OAEP in ECB mode¹, likely RSAES-PKCS1-v1_5…). Argument (not a formal proof, but still strong): without the private key, we can't decipher a ciphertext for random unknown plaintext. That condition applies for hybrid encryption and OAEP padding, and is approached for PKCS#1 random padding.
That argument does not apply for an arbitrary scheme (as rightly pointed in that answer). And it does not apply for direct textbook RSA encryption of the private exponent $d$, which sometime is assimilated to the private key. The problem then boils down to: given an RSA public key $(N,e)$, and $c=d^ebmod N$ with $d$ a valid RSA private exponent, can we factor $N$? I find no way, but that's far from a valid argument. I asked there.
¹ As discussed in comments, size restrictions make it hard to RSA-encipher the private key with proper padding. That requires splitting it into multiple blocks, which is unusual and inneficient. I retract my statement that it is commonly supported by crypto APIs.
Answered by fgrieu on November 28, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP