[Cryptography] Asymmetric encryption analogy (vault with 2 different locks)

Erik van Straten (Cryptography list) evs20200430f at xs4all.nl
Tue Sep 13 11:53:09 EDT 2022


Dear list,

Apple just released iOS 16 which supports Passkeys, and I plan to write about their advantages and risks (on a Dutch web 
site). However, Passkeys use asymmetric key pairs that tend to be hard to explain.

A couple of years ago I came up with an analogy to explain asymmetric encryption to lay(wo)men, based on a physical 
vault with two mutually different locks (with non-interchangeable keys): one for locking the vault, and the other one 
for unlocking.

I'm first sharing my idea with you. Perhaps you want to comment on it; please let me know if you think it's stupid, 
wrong or misleading, and why. Alternatively, you may want to use this idea yourself (feel free to do so - as long as you 
don't patent it :-)

Note: I created a physical POC of such a "vault", and recently made some photos of it. Upon request I can send 9 
minimized photos (.zip of 350KB) to interested individuals - optionally attached to a subsequent mail to this list, 
provided that the moderators permit that.

I hope that you understand the cutaway drawings (front view) displayed "inline" below, without the photos. If the 
figures below show up garbled in your mail program, you may want to copy this text and paste it into a text editor 
that uses a monospaced font:

.---------------------------------.
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|\\\.--------------------------.\\|
|\\\|.-----------------------. |\\|
|\\\||///////////////////////|I|\\|
|\\\||///////////////////////|I|\\|
|\|   ===========O===========|I|\\|
|\\\||//|        |      |////|I|\\|
|\\\||      _    | _         |I|\\|
|\\\||  ===(!)   |(!)===     |I|\\|
|\\\||     |_|    |_|        |I|\\|
|\\\||   c2          c1      |I|\\|
|\\\||///////////////////////|I|\\|
|\\\|'-----------------------' |\\|
|\\\'--------------------------'\\|
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
'---------------------------------'
Figure 1: vault unlocked

Explanatory notes:
- c1 and c2 are different "Euro" type cylinder locks, aka pin tumbler locks (front view);
- the exclamation mark '!' in c1 and c2 indicates that no key is inserted;
- the column of 'I' letters at the right depicts the hinge;
- the door (the smallest square in the middle) can be opened towards you (if unlocked as is the case in figure 1 and 4, 
but not 2 and 3).

Also note that the pins to the right of c1 and to the left of c2 are in their default positions (only in these positions 
a key can be removed from the locks). Furthermore, let's call the key that fits in c1 the lock-key or "k1", and in c2 
the unlock-key or "k2". The keys themselves are not shown in my figures, however, the '$' symbol instead of '!' in a 
cylinder implies an inserted key. Finally, one must imagine that the bar "===========O===========" can only be shifted 
to the left or to the right if any key is inserted (it cannot be moved by shaking the vault or hammering on a side).

To lock the vault, one inserts k1 into c1 and turns it 180 degrees counterclockwise:

.---------------------------------.
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|\\\.--------------------------.\\|
|\\\|.-----------------------. |\\|
|\\\||///////////////////////|I|\\|
|\\\||///////////////////////|I|\\|
|\|===========O===========   |I|\\|
|\\\||//|     |    <-.  |////|I|\\|
|\\\||      _ |    _  '      |I|\\|
|\\\||  ===(!)|===($) k1     |I|\\|
|\\\||     |_|    |_|        |I|\\|
|\\\||   c2          c1      |I|\\|
|\\\||///////////////////////|I|\\|
|\\\|'-----------------------' |\\|
|\\\'--------------------------'\\|
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
'---------------------------------'
Figure 2: vault being locked using k1

To be able to remove k1, one first has to rotate it back by 180 degrees clockwise:

.---------------------------------.
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|\\\.--------------------------.\\|
|\\\|.-----------------------. |\\|
|\\\||///////////////////////|I|\\|
|\\\||///////////////////////|I|\\|
|\|===========O===========   |I|\\|
|\\\||//|     |         |////|I|\\|
|\\\||      _ |    _         |I|\\|
|\\\||  ===(!)|   (!)===     |I|\\|
|\\\||     |_|    |_|        |I|\\|
|\\\||   c2          c1      |I|\\|
|\\\||///////////////////////|I|\\|
|\\\|'-----------------------' |\\|
|\\\'--------------------------'\\|
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
'---------------------------------'
Figure 3: vault locked, k1 removed

Note that k1/c1 cannot be used to unlock the vault. Unlocking is only possible by inserting k2 into c2 and rotating it 
by 180 degrees clockwise:

.---------------------------------.
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
|\\\.--------------------------.\\|
|\\\|.-----------------------. |\\|
|\\\||///////////////////////|I|\\|
|\\\||///////////////////////|I|\\|
|\|   ===========O===========|I|\\|
|\\\||//| .->    |      |////|I|\\|
|\\\||   '  _    | _         |I|\\|
|\\\||  k2 ($)===|(!)===     |I|\\|
|\\\||     |_|    |_|        |I|\\|
|\\\||   c2          c1      |I|\\|
|\\\||///////////////////////|I|\\|
|\\\|'-----------------------' |\\|
|\\\'--------------------------'\\|
|\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\|
'---------------------------------'
Figure 4: vault being unlocked using k2

After rotating k2 by 180 degrees counterclockwise and removing the key, we end up with figure 1. Note that k2/c2 cannot 
be used to lock the vault.


Some remarks must/can be made:

1) The physical keys can be compared to their digital equivalents, while the vault replaces the algorithm *and* 
associates k1 with k2.

2) If you want (someone else) to encrypt, k1 (lock-key) is the public key; if you want to sign, k1 (lock-key) is your 
private key.

3) My understanding is that one should /not/ use one digital asymmetric key pair for both signing and encryption. The 
vault analogy renders that impossible; you'll have to choose its purpose (signing or encrypting) before sharing the 
vault, plus the appropriate public key, with anyone.

4) One must imagine that an unlimited number of identical copies can be made of each key, but also of each vault - with 
or without contents; however, without /revealing/ any such contents (or allowing modification) while locked.

5) Furthermore, one must imagine that such vaults can be easily transported via snail mail (or beamed up by Scotty, or 
transformed into a range of bits and backwards - and sent via internet).

6) Also, vaults can change in size and be nested (for encryption plus signature).

7) However, these vaults are always small: you cannot put "big things" in them. To securely transport big piles of 
secret documents, put them in a big ordinary vault with one symmetric key, and ship it together with its symmetric key 
in the asymmetric vault of the recipient, locked by you, using (the recipient's public) k1. I have no simple equivalent 
for digital signatures, except for printing a cryptographic hash of the pile of documents on a small piece of paper, 
putting the latter in your asymmetric vault and locking it using your (private) k1.

8) Digital files may become corrupted during transport (either deliberately or accidentally). The same applies to such a 
vault; for example, it may be subjected to fire or water. Although this should not reveal secret contents or allow an 
attacker to replace a signature (hash), there is no "built in" integrity check, so the results may be unpredictable 
after an attack.

9) Of course also /physical/ public keys must be shared in a secure manner, for example "signed" by a TTP (Trusted Third 
Party).

10) The analogy with an X.509 certificate is a signing vault (locked using private k1 owned by a TTP) containing at 
least a physical public key and identifying information (plus optional additional attributes). Remember 4: you can make 
identical copies of a vault before unlocking any copy using k2.

Best regards,
Erik van Straten
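
The hybrid shipment and the hash-in-the-vault signature from remark 7, with one key pair per purpose as in remark 3, as an added sketch that is not part of the original post. Textbook RSA on fixed Mersenne primes and a SHA-256 keystream are stand-ins chosen here (assumptions, not secure constructions), and every function name is hypothetical.

```python
# Added illustration, not from the original post. Toy only: unpadded RSA on
# special-form primes is insecure. All names are hypothetical.
import hashlib
import secrets

def make_vault(p, q, e=65537):
    """Return (public, private); each key is an (exponent, modulus) pair."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

# Remark 3: one vault per purpose. Encrypting: k1 is public. Signing: k1 is private.
ENC_K1, ENC_K2 = make_vault(2**521 - 1, 2**607 - 1)
SIG_K2, SIG_K1 = make_vault(2**1279 - 1, 2**2203 - 1)

def turn(key, contents):
    """One key turn: the same modular exponentiation for either key."""
    exponent, modulus = key
    return pow(contents, exponent, modulus)

def big_vault(sym_key, data):
    """Symmetric stand-in: XOR with a SHA-256 counter keystream (no integrity)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(sym_key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def send_encrypted(documents, recipient_k1):
    """Remark 7: the pile goes in the big vault, its key in the small one."""
    sym_key = secrets.token_bytes(32)
    wrapped = turn(recipient_k1, int.from_bytes(sym_key, "big"))
    return wrapped, big_vault(sym_key, documents)

def receive_encrypted(wrapped, locked_pile, recipient_k2):
    sym_key = turn(recipient_k2, wrapped).to_bytes(32, "big")
    return big_vault(sym_key, locked_pile)

def digest_of(documents):
    return int.from_bytes(hashlib.sha256(documents).digest(), "big")

def sign(documents, signer_k1):
    """Remark 7: only the hash of the pile is locked in the signing vault."""
    return turn(signer_k1, digest_of(documents))

def verify(documents, signature, signer_k2):
    return turn(signer_k2, signature) == digest_of(documents)
```

As in remark 8, the big vault here carries no integrity check of its own; a changed pile is only caught by verifying the signature.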
