Why do the roles of public/private keys reverse when talking about public key encryption and digital signatures?

I cannot reconcile in my head how or why the roles of the keys suddenly reverse.

(I'm primarily focusing on RSA signatures.)

Anyone can produce an encrypted message (by using your public key) and only you can decrypt it (by using your private key). The roles of public and private key reverse because a signature has to be something that only you can produce (by encrypting with your private key) and everyone else can confirm (by decrypting with your public key).

The basic assumption is that if you publish a ciphertext that can be decrypted to a meaningful message with your public key, you have proven that you own the private key, because otherwise you wouldn't be able to produce such a ciphertext. (Note that this plain RSA signature algorithm is insecure for numerous reasons. Most notably, in practice you should never sign a full message text, but a hash of the message.)

You can simply swap the roles of public and private key because the mathematical design of RSA allows you to encrypt a message with either key and decrypt it with the other one - resulting in the same original plaintext both ways. That's because the encryption exponent e is the multiplicative inverse of the decryption exponent d modulo φ(N) (where N is the RSA modulus and φ is Euler's totient function). That is, 1 ≡ ed ≡ de (mod φ(N)).

Also see: How does RSA signature verification work?
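
Added example, not part of the original answer: textbook RSA in Python with a constructed toy key, showing that one modular exponentiation serves both key orders because ed ≡ 1 (mod φ(N)), and that signing applies it to a hash of the message. The primes, the helper names and the unpadded hash encoding are assumptions for illustration; real signatures use a padding scheme such as RSASSA-PSS.

```python
import hashlib
from math import gcd

# Constructed toy key: two Mersenne primes, far too small and too
# structured for real use. All names below are illustrative.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                      # RSA modulus
PHI = (P - 1) * (Q - 1)        # Euler's totient of N
E = 65537                      # public exponent
assert gcd(E, PHI) == 1        # E must be invertible modulo phi(N)
D = pow(E, -1, PHI)            # private exponent: E*D ≡ 1 (mod phi(N))


def rsa_op(x: int, exponent: int) -> int:
    """The single textbook RSA primitive: x^exponent mod N."""
    if not 0 <= x < N:
        raise ValueError("input must be in [0, N)")
    return pow(x, exponent, N)


def digest_as_int(message: bytes) -> int:
    """SHA-256 of the message reduced into [0, N) (toy encoding, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Only the holder of D can compute this value."""
    return rsa_op(digest_as_int(message), D)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (N, E) can check the signature against the hash."""
    try:
        return rsa_op(signature, E) == digest_as_int(message)
    except ValueError:         # signature outside [0, N) is rejected
        return False


def roundtrips(m: int) -> tuple:
    """Apply the exponents in both orders; each order returns m."""
    return rsa_op(rsa_op(m, E), D), rsa_op(rsa_op(m, D), E)


if __name__ == "__main__":
    m = int.from_bytes(b"hello", "big")
    print(roundtrips(m) == (m, m))
    sig = sign(b"pay Bob 10")
    print(verify(b"pay Bob 10", sig), verify(b"pay Bob 1000", sig))
```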


I understand the principles of these two uses of public key cryptography, but I cannot reconcile in my head how or why the roles of the keys suddenly reverse.

That is the only way it makes sense. Encryption would be useless if anyone could decrypt it, thus you have to need the private key for decryption.

Conversely, a digital signature would not make sense if anyone could create it, ergo the private key is required to create it.

Does digital signing somehow build upon the concepts of public key encryption? Or are the underlying algorithms completely different?

That depends on the algorithm. For RSA, encryption and signature are (mostly) the same operation with the keys reversed. With others, like ElGamal, signing and encrypting are only slightly similar technically, but you can, theoretically, reuse keys. Finally, there are schemes which are specialised to one of the operations. For example, hash-based signatures do not have any encryption counterpart.