Score:15

Crypto

Is there an asymmetric encryption protocol which provides arbitrarily many seemingly unrelated public keys for a single private key?

zabop

11/1/22, 7:15 AM

I am looking for an encryption protocol with the following properties.

Alice has a private key $x$. Using this private key, she chooses public key $p$ corresponding to this private key. She let's Bob know about this public key. Bob then uses this public key to encrypt a message to Alice.
Later Alice wants to receive a message again. She creates public key $q$ using the same private key $x$. Bob then uses this public key to encrypt a message for Alice.
Bob should not be able to deduce from $p$ & $q$ that the two public keys $p$ and $q$ were generated using the same private key $x$.
Alice should not need to have more than 1 private key.
The protocol should enable Alice to produce arbitrarily many public keys, if they are allowed to be arbitrarily long.

Does such a protocol exists?

1587

2 + 2

public-key

hanshenrik

11/2/22, 1:58 PM

for an actual implementation, check the Electrum bitcoin client, it create a single private key that can be used to create any number of public bitcoin keys/wallets/addresses

Ajedi32

11/2/22, 3:37 PM

[BIP32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki) does this. See also https://crypto.stackexchange.com/q/22274/21238

Score:15

Crypto

Yehuda Lindell

11/1/22, 8:00 AM

Such a scheme can be created generically, as follows. Let $(Gen,Enc,Dec)$ be a public-key encryption scheme, and let $F$ be a pseudorandom function. Then, the "master" private key of the scheme is a symmetric key $k$ for the PRF. In order to generate a new public key, choose a random $\rho$ (or if you have state then use a counter) and compute randomness $r \leftarrow F_k(\rho)$. Then, use $r$ (and an appropriate pseudorandom generator, if needed) to generate a new key pair $(pk,sk) \leftarrow Gen(r)$. In order to ensure that it's possible to decrypt, you do need to know $r$ or $\rho$, so yo can make $\rho$ part of the public key. Alternatively, if you keep state, the decryptor can store all of the $\rho$'s or $r$'s, and then just try them all (using a method of redundancy and a CCA secure scheme in order to know when you succeed).

0 + 6

DannyNiu

11/1/22, 8:49 AM

$\rho$ may need to be part of the public key for the corresponding private key to be quickly identified.

Yehuda Lindell

11/1/22, 9:18 AM

@DannyNiu Indeed, I wrote this in the answer.

Bobson

11/1/22, 7:07 PM

Incidentally, this scheme works for symmetric encryption, too, subject to the usual differences between symmetric and asymmetric encryption. A and B would need to have pre-shared the base key, but anyone in the middle wouldn't be able to tell whether any two messages used the same base.

K.G.

11/1/22, 9:39 PM

For common symmetric cryptosystems, it is usually already difficult to distinguish ciphertexts from randomness, so they already satisfy this.

Nat

11/2/22, 7:32 AM

Would sharing $r$ in the public-key be safe? Seems like it ought to be $\rho .$

Yehuda Lindell

11/2/22, 2:29 PM

Sorry; you're right. It has to be sharing of $\rho$ and not of $r$. I'll fix it.

Score:5

Crypto

K.G.

11/1/22, 9:14 PM

To supplement the generic answer, here's a concrete construction based on ElGamal.

ElGamal based on a group $G$ of order $p$ with generator $g$ has a public key $y = g^a$, where $a$ is the private key.

To create a new public key, choose a random number $s$ and compute $(u,v)$ as $u=g^s$ and $v=y^s$.

To encrypt $m$ with $(u,v)$, choose a random number $r$ and compute $(x,w)$ as $x=u^r$ and $w = v^r m$.

To decrypt $(x,w)$, compute $wx^{-a}$.

Under the DDH assumption, $(u,v)$ is indistinguishable from a random pair, so that is good. It is easy to show that the scheme is secure under DDH.

Exercise for the reader: It is useful to figure out why this scheme is essentially just ElGamal.

Extensions to more useful messages spaces is trivial using standard techniques.

This scheme (with some extra tricks) has been used to build theoretically better malware. (As far as I know, it has never been used to build actual malware.)

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is there an asymmetric encryption protocol which provides arbitrarily many seemingly unrelated public keys for a single private key?

TH: มีโปรโตคอลการเข้ารหัสแบบอสมมาตรที่ให้คีย์สาธารณะจำนวนมากที่ดูเหมือนไม่เกี่ยวข้องโดยพลการสำหรับคีย์ส่วนตัวเดียวหรือไม่

RO: Există un protocol de criptare asimetrică care oferă în mod arbitrar multe chei publice aparent fără legătură pentru o singură cheie privată?

RU: Существует ли протокол асимметричного шифрования, который предоставляет произвольное количество, казалось бы, несвязанных открытых ключей для одного закрытого ключа?

VI: Có giao thức mã hóa bất đối xứng nào cung cấp tùy ý nhiều khóa công khai dường như không liên quan cho một khóa riêng không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.