Source: CapLinked

Unlocking the Mechanisms Behind Public Key Cryptography

Samantha Ouyang
10 min read · Jan 3, 2021

When I was nine, my friend and I had a phase where we would pretend to be spies. She had gotten a spy kit for Christmas, and I’m not even gonna lie — it was pretty darn cool. The kit came with invisible ink pens, pocket-sized black lights, a listening device, lots of other neat gadgets, and a decoder ring.

No one was out to get us, but I guess we just loved injecting suspense into our lives and sending each other secret messages—often devising new ciphers with the decoder ring and waiting for the other to figure out the message (we didn’t use the invisible ink pens too much because we didn’t want them to dry out).

Where I’m going with this is that while decoder rings were fun to play with as kids, securing messages with a simple substitution cipher like the ones we made would be absolutely futile in the real world. Cryptography has come a long way since the time of Caesar ciphers (yes, Julius Caesar times), however, and it’s pretty much essential to every aspect of modern-day cybersecurity — we just use much more complex methods to secure our messages now.

The Issue with Symmetric Cryptography

Let’s pretend I wanted to send a secret message to my friend in class. The problem is, she sits at the other end of the classroom, so any message I send goes through a bunch of my classmates before getting to her. I could pass her a handwritten note, but if I wrote it in plain English, any one of my classmates could read it. Thus, we would have to agree beforehand on a code that only we knew how to crack. Using that code, I could turn my message from English into gibberish and send that off instead, so that none of my classmates would be able to read it.

When I sent my friend secret messages like that back in the day, we were using what is called symmetric cryptography or private key cryptography. Symmetric cryptography is what most may think of when generating codes or secret messages, where both parties share the same secret key. This key would have to be shared prior to communicating, and each pair of individuals communicating would require a unique key. When sending off a message, you would encrypt it with the secret key, turning it into cipher text — or what would appear to most as gibberish. The receiver would then decrypt that with the same secret key to get your original message.

A diagram illustrating how symmetric cryptography works. Source: Cheap SSL Shop

But there’s a problem with this. In fact, multiple. First of all, if I wanted to communicate in secret with different friends, I would have to have a different code for each friend. How in the world would I be able to keep track? Second, what if someone was eavesdropping, and heard us when we were coming up with the code?

Thankfully, modern cryptographic systems have come up with a way around these issues through public key cryptography.

What is Public Key Cryptography?

Public key cryptography or asymmetric cryptography involves the use of a pair of keys, consisting of a public key and a private key. The public key is visible to everyone — you can think of it like a bank account number, or perhaps an email address given that most people use E-Transfer nowadays. The private key is only visible to the owner, almost like a bank account PIN number.

It’s important to understand that these two keys function as a pair. In this sense, a public key would be used to encrypt a message (like a lock, unintuitively), while the corresponding private key would be used to decrypt the message (like a key, as the name suggests).

Just like in your typical lock-and-key system, a key can only unlock its corresponding lock. It wouldn’t work if you had a different key, and it wouldn’t work if you were using your key on the wrong lock.

A diagram explaining the roles of public keys and private keys. Source: Wikimedia Commons

Let’s say we upgraded — we turned twelve, got our first phones, and I wanted to send a private message to my friend online. We first need to realize, however, that when communicating on the Internet, someone else is handling our messages. This could be an Internet Service Provider or whatever platform we’re using to communicate. We don’t really care if they can see the fact that we are communicating, but we want to make sure that no one in the network can see what we’re saying.

Using public key cryptography now, my friend would send me her public key. Heck, she could even post it in her Instagram bio — the public key is meant for everyone to see, so it doesn’t matter if someone other than the communicating partner gets their hands on it. I would then use her public key to encrypt my message, turning it into cipher text to secure it from other members on the network, and send that off. Once it reaches my friend, or the intended address as specified by the public key, she would use her private key to decrypt the message. Remember, because public and private keys function as pairs, only the person with the corresponding private key would be able to decrypt my message, which is why it is essential to keep your private key private.

A diagram illustrating how public key cryptography works. Source: Cheap SSL Shop

With this new and improved system, I would only have to keep track of two keys — my public and private key — rather than secret keys for every line of communication I have. Not only that, eavesdroppers would have nothing to eavesdrop on, since my friend and I would never have to communicate anything in secret in order to share private messages. I would never have a reason to say my private key out loud, and my public key is out in the open for anyone who wants it.

A comparison between symmetric and asymmetric encryption in terms of key management. Source: Leighton Johnson

Hold on — how do the public key and private key know that they’re paired? The public key is actually derived from the private key, so that they are associated through a mathematical relationship. This mathematical function is irreversible, meaning it’s easy to calculate in one direction, but extremely difficult the other way.

For example, when we do multiplication, it’s easy to get the answer if I asked for 6 x 8. However, if I gave you 48, you wouldn’t know for sure that I meant 6 x 8. It could have been 1 x 48, 2 x 24, 3 x 16, or 4 x 12 for all you knew. This is important, because we wouldn’t want to be able to derive the private key from the public key, as that would defeat the whole purpose of encryption.

Bringing it to the Blockchain

One of the biggest uses of cryptography in today’s world is with cryptocurrencies such as Bitcoin. As you can guess from the name, it works by storing and securing transaction records with cryptography. While it still uses public key cryptography, it uses it not for the purpose of encrypting messages, but for signing them to verify ownership.

How Public and Private Keys are Created

You already know that the public key is derived mathematically from the private key, but let’s take this one step further by introducing some of the functions used in cryptography.

The private key is a long, 256-bit number chosen at random. That gives about 10⁷⁷ possible values when written in decimal, and to put that into perspective, the universe is estimated to contain 10⁸⁰ atoms! Here is an example of one shown in hexadecimal format:

1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD

In Bitcoin, the public key is derived using Elliptic Curve Multiplication, an irreversible mathematical function. I’ll save how it works for another day, but just know that it’s pretty much impossible to crack. In fact, even if your computer could make 1 trillion guesses per second and you had been running your computer since the beginning of the universe, you would only be around 0.00000009% of the way there!

Next, an address is derived from the public key by using a one-way hashing algorithm. This is where coins will be sent. Hashing algorithms take any sort of input, be it text, video, an MP3 file, or whatever else you wish, and return a hash of a fixed size or number of bits. Just as with everything else we’ve talked about, the hash is irreversible and also deterministic, meaning that if you took the exact same input, you would get the same output hash every time when using that hash function. You can test this out here!

An illustration of how hash functions work. Source: Manning

With Bitcoin, two hash functions are actually used: first SHA-256, and then RIPEMD-160. Together, these algorithms transform the public key into a 160-bit number representing the address. To simplify and shorten this long number and prevent any typos or transcription errors, it’s also encoded with Base58Check (I’ll save that for another day as well). Here’s an example of a Bitcoin address:

1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy

A summary of how private keys, public keys, and addresses are generated. Source: Horizen Academy

Digital Signing

As I briefly mentioned before, public and private keys aren’t actually used to “encrypt” data on the blockchain. Rather, they’re used to create digital signatures that verify ownership.

Essentially, the entire process for concealing messages described above is reversed. Instead of encrypting a message with the receiver’s public key, it’s done with the sender’s private key. Consequently, the message is to be decrypted with the sender’s public key.

But wait — doesn’t that mean that anyone can see the message? Yes, but that doesn’t really matter. We aren’t so concerned with concealing messages as we are with validating the authenticity and integrity of the data. This ensures that we know who we’re dealing with, and that the information there is tamper-proof.

A comparison of what keys to use in signing and encrypting. Source: Microsoft

Let’s pretend my friend wanted to send me a message this time. First, she would hash her message just like we did before, turning it into a 256-bit number. She would then encrypt the hash with her private key, creating a unique digital signature. When she sends me her message, she also sends along the encrypted hash or digital signature — like a stamp of approval.

Upon receiving it, I can decrypt the hash with her public key to retrieve the original hash of the message. The fact that I can do this means the message must have come from her, since I used the corresponding public key to her private key, which only she has access to. Along with that, I can also hash the message she sent. Remember that hash functions are deterministic, meaning that I will get the same output as when she hashed it — as long as no information in the message has been changed. I can now compare the decrypted hash and the hash I took to see if they are the same. If they are, I can verify that the message I received was the one she sent me.

A diagram illustrating the creation and verification of digital signatures. Source: Strategy Object

Note: The purpose of hashing the message here was just to simplify and condense things for easier comparison. If she had sent me a 400-page legal document, it would take a lot more effort to see if it had been tampered with, whereas the hashes would appear drastically different.

What if someone tried to tamper with the message along the way? If they altered anything, it would be immediately evident as the hashes would not be identical. But what if the interferer sent a new encrypted hash? Sure, the two hashes would be identical now, but I wouldn’t be able to decrypt the hash, since the public key I’m using is my friend’s, not the interferer’s.

Tying it All Back

It’s certainly clear now that we have come a tremendously long way in cryptography since Caesar ciphers and decoder rings. One thing has stayed constant throughout, however — the need to secure our information. While the goal may have been to secure our messages from the prying eyes of classmates in the past, we now need these systems to secure things of much more importance: our money and identities. Because impersonation and theft have never been easier than in the digital world today, learning how to secure your information should be prioritized just as much as securing it itself.

TL;DR

  • Symmetric cryptography is where both parties share the same secret key. This requires a unique key for each line of communication an individual may have.
  • Public key cryptography is where each individual has a public key that is given out to others and a private key that must be kept to oneself. The public key is mathematically derived from the private key, but it is not possible to determine the private key from the public key.
  • Public and private keys are used to create digital signatures on a blockchain that verify ownership and integrity of the information, rather than encrypt data.
  • When encrypting a message, the receiver’s public key is used to encrypt, and their private key is used to decrypt. When signing a message, the sender’s private key is used to encrypt, and their public key is used to decrypt.

If you enjoyed reading this article or learned something new, be sure to drop a follow on Medium and connect with me on LinkedIn! Also, if you’d like to keep up with the projects I’m working on, feel free to subscribe to my monthly newsletter. Thanks for reading!
