In a single-key cryptosystem a common secret key is used both to encrypt and decrypt messages. Thus only two parties who have safely exchanged such a key beforehand can use these systems for private communication. This severely limits the applicability of single-key systems.
In a double-key cryptosystem, the process of encrypting and decrypting is instead governed by different keys. In essence, one comes up with a pair of matching encryption and decryption keys. What is encrypted using a given encryption key can only be decrypted using the corresponding decryption key. Moreover, the encryption key does not "betray" its matching decryption key. That is, knowledge of the encryption key does not help to find out the value of the decryption key. The advantage of double-key systems is that they can allow two parties who have never safely exchanged any key to privately communicate over an insecure communication line (i.e., one that may be tapped by an adversary). They do this by executing an on-line, private communication protocol.
In particular, Party A alerts Party B that he wants to talk to him privately. Party B then computes a pair of matching encryption and decryption keys (E.sub.B, D.sub.B). B then sends A the key E.sub.B. Party A now encrypts his message m, obtaining the ciphertext c=E.sub.B (m), and sends c to B over the insecure channel. B decrypts the ciphertext by computing m=D.sub.B (c). If an adversary eavesdrops on all communication between A and B, he will then hear both B's encryption key, E.sub.B, and A's ciphertext, c. However, since the adversary does not know B's decryption key, D.sub.B, he cannot compute m from c.
The utility of the above protocol is still quite limited since it suffers from two drawbacks. First, for A to send a private message to B it is necessary also that B send a message to A, at least the first time. In some situations this is a real disadvantage. Moreover, A has no guarantee (since the line is insecure anyway) that the received string E.sub.B really is B's encryption key. Indeed, it may be a key sent by an adversary, who will then understand the subsequent, encrypted transmission.
An ordinary public-key cryptosystem ("PKC") solves both difficulties and greatly facilitates communication. Such a system essentially consists of using a double-key system in conjunction with a proper key management center. Each user X comes up with a pair of matching encryption and decryption keys (E.sub.X, D.sub.X) of a double-key system. He keeps D.sub.X for himself and gives E.sub.X to the key management center. The center is responsible for updating and publicizing a directory of correct public keys for each user, that is, a correct list of entries of the type (X, E.sub.X). For instance, upon receiving the request from X to have E.sub.X as his public key, the center properly checks X's identity, and (digitally) signs the pair (X, E.sub.X), together with the current date if every encryption key has a limited validity. The center publicizes E.sub.X by distributing the signed information to all users in the system. This way, without any interaction, users can send each other private messages via the public encryption keys that they can look up in the directory published by the center. The identity problem is also solved, since the center's signature of the pair (X, E.sub.X) guarantees that the pair has been distributed by the center, which has already checked X's identity.
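The following is an added illustration, not code from the patent, of the two mechanisms described above: the on-line double-key exchange (B publishes E.sub.B, keeps D.sub.B, A encrypts with E.sub.B) and the key management center that signs each directory entry (X, E.sub.X) together with a validity date, so that A can detect a substituted key before encrypting. Textbook RSA with small trial-division primes and hash-then-sign stands in for the unspecified double-key system; the party names, the seed values used to derive primes, the entry format and the dates are all constructed for the example and have no counterpart in the text.

```python
"""Toy double-key system plus a signing key-management center.

Illustrative textbook RSA only: small primes, no padding, no real security.
The point is the flow of E_B, D_B and the center's signature, not the cipher.
"""
import hashlib
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; fine for the few-million range used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(p_seed: int, q_seed: int, e: int = 65537):
    """Return (encryption key E, decryption key D) as ((n, e), (n, d)).

    Seeds only pick where the prime search starts (constructed values).
    """
    p = next_prime(p_seed)
    q = next_prime(q_seed)
    while gcd(e, (p - 1) * (q - 1)) != 1:  # need e invertible modulo phi(n)
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # Python 3.8+: modular inverse
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def entry_bytes(name: str, pub, valid_until: str) -> bytes:
    """Canonical encoding of a directory entry (X, E_X, validity date)."""
    n, e = pub
    return f"{name}|{n}|{e}|{valid_until}".encode()


def _entry_digest(entry: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(entry).digest(), "big") % modulus


def center_sign(center_priv, name: str, pub, valid_until: str) -> int:
    """Center signs hash(entry) with its own decryption (private) exponent."""
    h = _entry_digest(entry_bytes(name, pub, valid_until), center_priv[0])
    return decrypt(center_priv, h)


def verify_entry(center_pub, name, pub, valid_until, sig, today) -> bool:
    """A user checks the center's signature and the validity date before use."""
    h = _entry_digest(entry_bytes(name, pub, valid_until), center_pub[0])
    return encrypt(center_pub, sig) == h and today <= valid_until


def run_protocol(today: str = "2024-06-01") -> dict:
    center_pub, center_priv = keygen(3_000_000, 4_000_000)
    E_B, D_B = keygen(1_000_000, 2_000_000)          # D_B never leaves B
    valid_until = "2024-12-31"
    sig = center_sign(center_priv, "B", E_B, valid_until)
    directory = {"B": (E_B, valid_until, sig)}         # what the center publishes

    # A looks B up, verifies the center's signature, then encrypts.
    pub, until, s = directory["B"]
    accepted = verify_entry(center_pub, "B", pub, until, s, today)
    m = int.from_bytes(b"pay", "big")                  # constructed 3-byte message
    c = encrypt(pub, m) if accepted else None

    # An entry carrying someone else's key with the center's signature copied over
    # does not verify, because the signature binds the name to the original key.
    E_other, _ = keygen(5_000_000, 6_000_000)
    substituted_accepted = verify_entry(center_pub, "B", E_other, until, s, today)

    return {
        "recovered": decrypt(D_B, c).to_bytes(3, "big"),
        "eavesdropper_sees": (pub, c),                 # E_B and c only, never D_B
        "substituted_accepted": substituted_accepted,
    }


if __name__ == "__main__":
    print(run_protocol())
```

The eavesdropper's view is exactly the pair (E.sub.B, c) from the protocol description; the directory check is what removes the second drawback, since a substituted key fails verification and an entry past its date is refused even when its signature is genuine.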
The convenience of a PKC depends on the key management center. Because setting up such a center on a grand scale requires a great deal of effort, the precise protocols to be followed must be properly chosen. Moreover, public-key cryptography has certain disadvantages. A main disadvantage is that any such system can be abused, for example, by terrorists and criminal organizations who can use their own PKC (without knowledge of the authorities) and thus conduct their illegal business with great secrecy and yet with extreme convenience.
It would therefore be desirable to prevent any abuse of a public key cryptosystem while maintaining all of its lawful advantages.