10

I have a 1024 bits private key, and use it to generate a public key. Does that automatically mean that my public key also has 1024 encryption? Or can it be of a lesser encryption size? (512, 256...)

PS: What i'm mostly interested in, and talking about, is the size of the modulus ("n") in RSA keys. The size is typically 1024 or 2048 bits. But I'm glad to see that this sparked a discussion, and all this is feeding my interest in cryptography.

Rolf
  • 5,550
  • 5
  • 41
  • 61
  • I'm having a hard time choosing what answer to accept. Ben's answer was the first, it was direct (and correct), but I needed to hear some confirmation first, provided later by CodesInChaos in a quite informative answer. I wish I could select both, as both answers are somewhat complementary in my eyes. – Rolf Oct 17 '13 at 23:33

5 Answers5

14

This depends on the encryption algorithm and on what precisely you call public/private key. Sometimes it's possible to use a different size in RAM compared to serialization on disk or the network.

RSA

An RSA public key consists of a modulus n and a public exponent e. We usually choose a small value for e (3, or 65537 are common). The size of e has little influence on security. Since e is usually less than four bytes and n over a hundred, the total size is dominated by the modulus. If you really want to, you can fix e as part of your protocol specification so there is only n to store.

An RSA private key can be represented in different forms, but typically we store the values p, q, dp, dq, e, d, n, InvQ. Their combined size is larger than the public key. Most of these aren't strictly required, but it's convenient to have them available instead of regenerating them. Regenerating all of them given e, p and q is straight forward.

When we talk about key-size in the context of RSA we always mean the size of the modulus, ignoring all the other elements. This is a useful convention, since this is the only value that affects security. A typical size for n is 2048 bits.

Finite field crypto (Diffie-Hellman, DSA, etc.)

The private key is a scalar twice the size of the security level. A typical value is 256 bits.

The public key is a group element, which is much larger than the private key. A typical value is 2048 bits.

So with finite field crypto the public key is much larger than the private key.

Elliptic curves

The private key is a scalar twice the size of the security level. A typical value is 256 bits. This part is identical to finite field crypto.

The public key is a group element. There are two forms of serializing such an element. The compressed form is slightly larger than the private key (a couple of bits at most). The uncompressed form is about twice the size of the private key. A typical value for the compressed form is 256 bits and 512 bits for the uncompressed form.

Private key as seed

When you generate public/private key pairs yourself, you can always store them as seeds for a PRNG. That way they're quite small, 160 bits or so regardless of the scheme you use. The downside of this is that regenerating the natural form of the private key may be expensive. It is required that the method of creating the key pair remains constant.

Fingerprint of public key

Instead of storing the full public key, you can often store only a fingerprint, which is 160 bits or so in size. The downside of this is that it increases the size of the message/signature.

Summary

For some algorithms the size of public and private key are the same, for some they differ, and it is often possible to compress either or both of them at a cost (decompression time or message size).

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
  • Yes, I meant the size of the modulus, n, of RSA keys, do they have to be of the same size in the private and public keys, or can they differ? Thanks for the exposé :) – Rolf Oct 13 '13 at 12:28
  • 2
    @Rolf The `e` and `n` fields of the private key are identical to the public key. They're the very same numbers, not just the same size. If you take a full private key, with all the fields I mentioned and remove everything except `e` and `n` you get the public key. – CodesInChaos Oct 13 '13 at 13:02
7

No. The public key in a key pair always matches the private key size, in fact it is derived from the private key.

However, with some public key cryptographic implementations, such as OpenPGP, keys are created with subkeys assigned to different tasks. Those subkeys can be different sizes to each other and the master key used to create them. In those cases the public key data will indicate the key sizes for the master key and the subkey(s) which will match the corresponding private key data.

Whereas many other public key implementations do not utilise subkeys (e.g. TLS) so you will only ever see the single key size. Again that key size will be indicated in both the public and private key data.

The only variation in key sizes you will see is when asymmetric encryption is used in conjunction with symmetric encryption. The symmetric encryption (session key) will be smaller, but it uses entirely different algorithms (e.g. AES, TWOFISH, etc.) and is not part of the public key (except in OpenPGP, where symmetric cipher preferences can be saved because it does not utilise a live connection to establish the symmetrically encrypted communication and exchange session key data).

EDIT: More detail on the relationship between the public and private key data (also known as proving David wrong)

Pointing to RSA is all very well and good, but it depends on the key exchange protocol and for that we go to Diffie-Hellman key exchange and the original patent, which is now expired. Both of these have examples and explanations of the key exchange methods and the relationship between the public and private keys.

Algorithms implementing this relationship, including RSA and El-Gamal, all create both the public and private keys simultaneously. Specifically by creating a private key which then generates the public key. The public key inherits all the features of the private key which made it. The only way to get mis-matched details between the two components would be by somehow generating a public key independently of the private key. The problem there, of course, is that they would no longer be a key pair.

The key generation descriptions for both RSA and El-Gamal explain the common data between the public and private keys and specifically that all the components of the public key are a part of the private key, but the private key contains additional data necessary to decrypt data and/or sign data. In El-Gamal the public components are G, q, g and h while the private components are G, q, g, h and x.

Now, on to the lack of mention of the bit size of the key pairs in the algorithms, yes, that's true, but every practical implementation of them incorporates the selected key size as one of the constants when generating the private key. Here's the relevant code (after all the options are selected, including selecting the key size and specifying the passphrase) for generating keys in GnuPG:

static int
do_create( int algo, unsigned int nbits, KBNODE pub_root, KBNODE sec_root,
           DEK *dek, STRING2KEY *s2k, PKT_secret_key **sk, u32 timestamp,
       u32 expiredate, int is_subkey )
{
  int rc=0;

  if( !opt.batch )
    tty_printf(_(
"We need to generate a lot of random bytes. It is a good idea to perform\n"
"some other action (type on the keyboard, move the mouse, utilize the\n"
"disks) during the prime generation; this gives the random number\n"
"generator a better chance to gain enough entropy.\n") );

  if( algo == PUBKEY_ALGO_ELGAMAL_E )
    rc = gen_elg(algo, nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else if( algo == PUBKEY_ALGO_DSA )
    rc = gen_dsa(nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else if( algo == PUBKEY_ALGO_RSA )
    rc = gen_rsa(algo, nbits, pub_root, sec_root, dek, s2k, sk, timestamp,
         expiredate, is_subkey);
  else
    BUG();

  return rc;
}

The slight differences between the three algorithms relate to the values for the items referred to in the published algorithms, yet in each case the "nbits" is a constant.

You'll find the same consistency relating to the key size in the code for generating keys in OpenSSL, OpenSSH and any other system utilising public key cryptography. In every implementation in order to have a matched public and private key pair the public key must be derived from the private key. Since the private key is generated with the key size as a constant, that key size must be inherited by the public key. If the public key does not contain all the correct shared information with the private key then it will be, by definition, not matched to that key and thus the encryption/decryption processes and the signing/verifying processes will fail.

Ben
  • 3,981
  • 2
  • 25
  • 34
  • 3
    Thanks (blah blah blah thanks stackoverflow, hopefully that's enough characters to allow me to thank Ben for his kindness) – Rolf Oct 13 '13 at 09:54
  • Not a problem. If you're happy with the answer then feel free to accept it. :) – Ben Oct 13 '13 at 10:07
  • With due respect, you have stated that it's impossible, not shown or proven that it's impossible. I provided the algorithm for generating key pairs, you did not. Common implementations use similar size keys, that does not mean it's impossible. The key generation algorithm uses abstract integer maths, bits are not mentioned at all except in specific computer implementations. – David Cummins Oct 13 '13 at 10:25
  • Oh really? You want to make this argument. You realise that the bit size is part of the data that is calculated to generate the private key, right? Well, you wanted more detail, you're getting it. Along with a challenge. I do hope you at least try to accept it. – Ben Oct 13 '13 at 12:08
  • 2
    Ben: you and David are actually talking about different definitions of key size. This is possible because "key size" is ambiguous in the context of RSA. David is talking about the sizes of the primes, you are talking about something else. Nobody knows what the OP is talking about. – President James K. Polk Oct 13 '13 at 12:21
  • Heh. Wait ... are you saying that both David and I are both wrong **and** right? Brilliant! :) That makes this even more entertaining (and informative, it can be both). I'll be curious to see if the Rolf comes back and clarifies what he meant by bit size then. – Ben Oct 13 '13 at 12:40
  • 1
    Your answer is a bit confusing, so I can't tell if you're right or wrong. At least for Diffie-Hellman we often use private keys much smaller than the public key. You first fix the group parameters, e.g. using a 2048 bit modulus. Some consider these parameters part of the public key, some fix them as part of the protocol. Then you pick a private key `x`, which could be a 256 bit number. Then you compute the public key as `Y = G^x` which is a 2048 bit number. Choosing a private key determines the public key, but the public key can be larger. – CodesInChaos Oct 13 '13 at 13:24
  • Well, I've been rather insomniac for a little while now so it's possible that the sentences ran away from me somewhere in the middle there. I know what I was aiming at, though, so I'll check on the answer after I've slept and see if I can refine it or if I've wandered off on too much of a tangent. – Ben Oct 13 '13 at 13:52
  • Thanks for the other comments. I left it a few days because it had gotten a bit heated, and I had no ambition to either see a hat eaten or to work to disprove someone for the rest of my/their life. I thought of working to implement a system such as I described, but TBH I have no time. Hopefully my edits below will clarify my point, maybe the divide isn't as big as we thought. – David Cummins Oct 16 '13 at 18:41
  • Yeah, I left it for much the same reason and I've removed the hat eating part because frankly it was just ridiculous (and I don't want to have to buy a hat :P). Especially after GregS pointed out we were each using different definitions of key size (see also: "size does matter, but it's not what we think it is" and "if a cryptographer says your key is a 'nice size' s/he thinks it's small"). – Ben Oct 17 '13 at 12:34
2

I was looking from various sources, and my conclusion is that the modulus (n=p*q) used to RSA key generation, is the same for the public and the private key. The modulus determines the length of the key for both.

jww
  • 97,681
  • 90
  • 411
  • 885
Jorge Caceres
  • 31
  • 1
-1

From what I understand, there is no requirement that both keys be the same size. Check below for how to generate keys:
http://en.wikipedia.org/wiki/RSA_algorithm#Key_generation

However I believe that if one key (or factor of the modulus) is significantly smaller it would weaken the strength against cryptanalysis.

Edit:

This discussion has largely become irrelevant since the OP clarified that they were most interested in the size of the modulus, which will naturally be the same for encryption and decryption (excluding any bizarre unknown cryptosystems).

Just to clarify my point, I am simply saying that if e << d (or d << e) you can distribute the keys as different key sizes. They would be generated by the same algorithm using the same bit-size mathematics (e.g. 256 bits), and similarly encryption and decryption would require the same number of bits. If you look at (for the sake of argument) the numbers 1 and 128, you have a range of choices in how to represent them. They could both be 8 bit, or 1 could be represented by any number of bits from 1-7 bits. This could be considered a cheap trick unless your key generation method guarantees that the magnitudes of d and e would be significantly different in a predictable way. However as stated, I don't see much point to doing this.

David Cummins
  • 972
  • 6
  • 15
-1

For RSA your public key can be as small as 2 bits. That is the number 3 can be your public key. A popular choice for RSA public key is 17.

Vlad Krasnov
  • 1,027
  • 7
  • 12