administration, public: see administrative law.
utility, public, industry required by law to render adequate service in its field at reasonable prices to all who apply for it. Public utilities frequently operate as monopolies in their market. In the United States, public utilities are most commonly involved in the business of supplying consumers with water, electricity, telephone, natural gas, and other necessary services. Such an industry is said to be "affected with a public interest" and therefore subject to a degree of government regulation from which other businesses are exempt.

Opinions differ as to the characteristics that an industry must possess to merit classification as a public utility, since all industries in a sense serve the public. By its nature a public utility is often a monopoly and as such is not prevented by competing companies from charging exorbitant prices. It usually operates under a license or franchise by which it enjoys special privileges, such as the right of eminent domain. Finally, it may supply an essential service, such as water or light, the unavailability of which would injuriously affect public health and welfare. From an early period there was public regulation of canals, turnpikes, toll roads and ferries, inns, gristmills, and pawnshops. Docks, sleeping cars, commodity exchanges, warehouses, insurance companies, banks, housing, milk, coal mines, and (in the 20th cent.) broadcasting, are other types of goods and services held to be affected with public interest. Important utilities that satisfy the vital needs of large populations include water, gas, and electric companies; transportation facilities, such as subways, bus lines, and railroads; and communication facilities, such as telephones and telegraphs. In most European nations such industries have often been owned by the state, although many have been privatized in recent years. In the United States, however, many public utilities are privately owned.

Regulation of Utilities

Public utility rates and standards of service are established by direct legislation and are administered by state regulatory commissions and by such federal agencies as the Federal Energy Regulatory Commission (FERC), the Securities and Exchange Commission (SEC), and the Federal Communications Commission (FCC). These federal agencies supervise utilities conducting interstate business. Rates are subject to review by the courts, which have held that they must provide a "fair" return on a "fair" valuation of investment. How valuation is to be determined, whether on the basis of prudent investment, present earning power, or present cost of production, has been the subject of much controversy. That a utility may not earn excessive profits is an established principle of regulation. The means of regulation include supervision of accounting and control of security issues.

Municipalities dissatisfied with the results of public regulation of privately owned local utilities have often acquired ownership of such enterprises, especially in the case of urban public transportation systems (see public ownership). To keep rates down and make utilities available to more people, the United States has formed public corporations or agencies, such as the Tennessee Valley Authority, which also has served as a yardstick for measuring the efficiency of privately owned utilities, and the National Railroad Passenger Corporation (Amtrak; see railroad), which operates virtually all intercity passenger rail lines in the United States.

In the 1970s and 80s, U.S. government agencies broke up some utilities and deregulated others. In 1974 an antitrust suit was filed against American Telephone and Telegraph (AT&T); in 1982 the company settled the suit by agreeing to divest itself (1984) of 22 local telephone operating companies. In return, AT&T was given the right to enter new businesses. Since then federal regulators have made it easier for companies to enter the telecommunications industry and for phone companies to set rates for long-distance services. Legislation passed in 1978 partially deregulated natural gas prices in 1985 and legislation passed in the late 1970s and early 80s deregulated trucking, railroad, and airline rates, which had been set by the federal government.

In the 1990s state regulators began to end utilities' monopolies, by permitting business and residential consumers to select utilities (primarily electricity and gas suppliers) based on rates and service; lower rates were expected to result. Such deregulatory efforts have not been entirely successful. In 2000-2001, parts of California experienced an energy crisis that was due, at least in part, to the way deregulation had been set up several years earlier, The deregulated electrical companies had been required to divest themselves of their power plants and purchase power on the spot market (rather than through long-term contracts) and were not allowed to pass the price increases they eventually experienced along to consumers. Evidence also later emerged that other deregulated energy companies had contributed to the crisis through market manipulation and price gouging.

Tighter regulatory controls designed to limit acid rain and other environmental problems have, however, been imposed on electricity companies that run coal-fired generators or nuclear power plants. The cable television industry, which had been regulated by local governments, was deregulated in 1984, and cable operators were allowed to set their own rates. Consumer complaints, however, led to a 1992 law that allowed the FCC to regulate cable rates.


See E. Hungerford, The Story of Public Utilities (1928); M. Crew, The Economics of Public Utility Regulation (1986); L. Hyman, America's Electric Utilities: Past, Present and Future (1988).

debt, public, indebtedness of a central government expressed in money terms, often referred to as national debt. The debt is computed differently by nearly every nation. Some authorities exclude all government obligations other than those incurred by public borrowing from individuals.

The U.S. national debt originated with the American Revolution and as of 2009 amounted to more than $12.3 trillion. President Ronald Reagan made the debt a campaign issue in his successful presidential run (1980), but the national debt nearly tripled during his presidency. By the late 1990s, however, a federal budget surplus allowed President Bill Clinton to start paying down the debt—the first time this action had been taken since 1972. In 1998, Clinton presented the first balanced federal budget (with no annual deficit) since 1969. By 2002, however, the large tax cuts enacted under President G. W. Bush, combined with the effects of an economic slowdown and increased expenditures on national security following the Sept. 11, 2001, attacks on the United States and the U.S. invasion of Iraq, led to new deficits and an increase in the national debt. In the financial crisis that began in 2007 and the subsequent recession, the U.S. government's efforts under President Barack Obama to stabilize the financial system and revive the economy led to record budget deficits.

Reasons for Government Indebtedness

Governments may borrow to meet temporary needs, as when estimated revenue falls below or is exceeded by estimated expenditures. Short-term treasury notes, payable by increased taxes or by greater economizing, may be issued, but such a debt should not become permanent. Nonetheless, many national goverments incur such debt because of an unwillingness to limit spending or increase taxes for fear of the political consequences. Borrowing to finance public works, especially when widespread unemployment exists, is another source of public debt and is justified in part by their long-term social utility. The largest public debts are incurred to meet emergencies, such as war debts that arise when it is difficult to finance the extended activities of the government by new or increased taxes, or when the government must borrow abroad to finance the war effort..

Public debt is advantageous in that part of the national funds are secured at an interest rate lower than that provided to private industry and in that the financial operations of government are funded on a permanent basis. It may also have an expansionary effect on employment and production during times of high unemployment. The disadvantages are that unjustifiable projects may be undertaken because the full burden of payment is postponed; that the government's demands may become so large that the interest rate on government bonds will rise to the point where money is diverted from private enterprise; and that too great a debt may induce governments to depreciate currency or default on obligations.

Forms of Government Indebtedness

Public loans, the characteristic form of government debts in modern times, may be in the form of short-term instruments, e.g., tax warrants, treasury certificates, treasury notes, and other notes such as those of the Federal Reserve System; of long-term government bonds; and of various notes that promise yearly payment of interest but do not specify a date for payment of principal. Although governments in times of stress have often converted bonds to issues carrying lower interest rates, have depreciated the value of currency, or have defaulted entirely on their obligations, with disastrous results for the bondholders, the number of those holding government obligations has increased in recent history. Default on obligations held by foreigners has been a reason offered for past intervention by major powers in Latin America, Africa, and elsewhere.

Payment of the Public Debt

The payment of the public debt improves the national credit by instilling public confidence in the economy, which usually leads to economic growth. Public debts may be paid by a sinking fund or by annuities, but both have the disadvantage of committing the government to fixed annual payments, whether convenient or not. Another method is to use only surplus revenue, setting a permanent appropriation to be paid against principal over and above annual interest rates. The ultimate security of the public debt lies in the willingness of the people to pay and the ability of the government to collect taxes.


See R. Heilbroner and P. Bernstein, The Debt and the Deficit (1989); D. Stabile, The Public Debt of the United States (1991); J. S. Gordon, Hamilton's Blessing: The Extraordinary Life and Times of Our National Debt (1997).

Enterprise that provides certain classes of services to the public, including common-carrier transportation (buses, airlines, railroads); telephone and telegraph services; power, heat and light; and community facilities for water and sanitation. In most countries such enterprises are state-owned and state-operated; in the U.S. they are mainly privately owned, but they operate under close regulation. Given the technology of production and distribution, they are considered natural monopolies, since the capital costs for such enterprises are large and the existence of competing or parallel systems would be inordinately expensive and wasteful. Government regulation in the U.S., particularly at the state level, aims to ensure safe operation, reasonable rates, and service on equal terms to all customers. Some states have experimented with deregulation of electricity and natural-gas operations to stimulate price reductions and improved service through competition, but the results have not been universally promising.

Learn more about public utility with a free trial on

Transportation systems, usually publicly but sometimes privately owned and operated, designed to move large numbers of people in various types of vehicles in cities, suburbs, and large metropolitan areas. Modern mass transit is an outgrowth of industrialization and urbanization. In the 1830s early mass transit in New York City included horse-drawn buses, which were soon replaced by fixed-rail horse-drawn trolleys. By 1900 motorized buses had appeared in Europe and America. With the advent of electricity, streetcars and subways were introduced in many large cities. In the 20th century the automobile's increasing popularity undermined mass transit development; fixed-rail streetcar systems were widely removed to provide space for cars. Concern over air pollution has revived interest in light-rail transit and has led to regional mass transit systems.

Learn more about mass transit with a free trial on

Body of government officials employed in civil occupations that are neither political nor judicial. In well-ordered societies, they are usually recruited and promoted on the basis of a merit-and-seniority system, which may include examinations; elsewhere, corruption and patronage are more important factors. They often serve as neutral advisers to elected officials and political appointees. Though not responsible for making policy, they are charged with its execution. The civil service originated in the earliest known Middle Eastern societies; the modern European civil services date to 17th- and 18th-century Prussia and the electors of Brandenburg. In the U.S., senior officials change with each new administration. In Europe, regulations were established in the 19th century to minimize favouritism and to ensure a wide range of knowledge and skills among civil service officers. Seealso Chinese examination system; spoils system.

Learn more about civil service with a free trial on

or independent school

In the United Kingdom, any of a small group of tuition-charging secondary schools that specialize in preparing students for university and for public service. The name public school dates from the 18th century, when the schools began attracting students from beyond their immediate environs and thus became “public” as opposed to local. Such schools are thus in fact private schools independent of the state system. Although many schools have become coeducational, only boys attend the historically important schools Winchester (1394), Eton (1440–41), Westminster (1560), and Harrow (1571); well-known girls' schools include Cheltenham (1853), Roedean (1885), and Wycomb Abbey (1896). Public schools cultivated a class-conscious code of behaviour, speech, and appearance that set the standard for British officialdom from the early 19th century. Seealso secondary education.

Learn more about public school with a free trial on

Aspect of communications that involves promoting a desirable image for a person or group seeking public attention. It originated in the U.S. in the early 20th century with pioneers such as Edward L. Bernays and Ivy Ledbetter Lee. Government agencies in Britain and the U.S. soon began hiring publicists to engineer support for their policies and programs, and the public-relations business boomed after World War II. Clients may include individuals such as politicians, performers, and authors, and groups such as business corporations, government agencies, charities, and religious bodies. The audience addressed may be as narrow as male alternative-music fans between the ages of 21 and 30 or as broad as the world at large. A publicist's functions include generating favourable publicity and knowing what kind of story is likely to be printed or broadcast. The task is complicated by the variety of existing media: besides newspapers, magazines, radio, and television, there are publications of professional associations, direct-mail lists, on-site promotional events, and so on. It consists largely of optimizing good news and forestalling bad news; if disaster strikes, the publicist must assess the situation, organize the client's response so as to minimize damage, and marshal and present information to the media.

Learn more about public relations (PR) with a free trial on

Government attorney who presents the state's case against the defendant in a criminal prosecution. In some countries (France, Japan), public prosecution is carried out by a single office. In the U.S., states and counties have their own prosecutors. Only at the federal level is the system unitary; the U.S. attorney general's office appoints a U.S. attorney for each federal district. In most state and local jurisdictions, prosecutors are elected to office. Whether elected or appointed, prosecutors are often subject to political pressures. A prosecutor takes charge of the investigation once a crime has been committed, presents evidence at a hearing before a grand jury, and questions witnesses during the trial. Seealso independent counsel.

Learn more about prosecutor with a free trial on

or pub

Establishment that serves alcoholic beverages for consumption on the premises, especially in Britain. Under English common law, inns and taverns were declared public houses responsible for the well-being of travelers. They were expected to receive all travelers in reasonable condition who were willing to pay for food, drink, and lodging. In Tudor England, certain innkeepers were obliged by royal act to maintain stables; others served as unofficial postmasters. The early public houses were identified by simple signs that featured creatures such as lions, dolphins, or swans. In the 18th century, the word Arms was added to many pub names to indicate that the establishment was under the protection of a noble family. Though British public houses were traditionally owned and operated by independent licensed proprietors, by the early 20th century many were owned or associated with brewery companies.

Learn more about public house with a free trial on

Science and art of preventing disease, prolonging life, and promoting health through organized community efforts. These include sanitation, control of contagious infections, hygiene education, early diagnosis and preventive treatment, and adequate living standards. It requires understanding not only of epidemiology, nutrition, and antiseptic practices but also of social science. Historical public health measures included quarantine of leprosy victims in the Middle Ages and efforts to improve sanitation following the 14th-century plague epidemics. Population increases in Europe brought with them increased awareness of infant deaths and a proliferation of hospitals. Britain's Public Health Act of 1848 established a special public health ministry. In the U.S., public health is studied and coordinated on a national level by the Centers for Disease Control and Prevention; internationally, the World Health Organization plays an equivalent role.

Learn more about public health with a free trial on

or public debt

Total indebtedness of a government, especially as evidenced by securities issued to investors. The national debt grows whenever the government operates a budget deficit—that is, when government spending exceeds government revenues in a year. To finance its debt, the government can issue securities such as bonds or treasury bills. The level of national debt varies from country to country, from less than 10percnt of the gross domestic product (GDP) to more than double it. Public borrowing is thought to have an inflationary effect on the economy and thus is often used during recessions to stimulate consumption, investment, and employment. Seealso deficit financing; John Maynard Keynes.

Learn more about national debt with a free trial on

Concept of government in which the state plays a key role in protecting and promoting the economic and social well-being of its citizens. It is based on the principles of equality of opportunity, equitable distribution of wealth, and public responsibility for those who lack the minimal provisions for a good life. The term may be applied to a variety of forms of economic and social organization. A basic feature of the welfare state is social insurance, intended to provide benefits during periods of greatest need (e.g., old age, illness, unemployment). The welfare state also usually includes public provision of education, health services, and housing. Such provisions are less extensive in the U.S. than in many European countries, where comprehensive health coverage and state-subsidized university-level education have been common. In countries with centrally planned economies, the welfare state also covers employment and administration of consumer prices. Most nations have instituted at least some of the measures associated with the welfare state; Britain adopted comprehensive social insurance in 1948, and in the U.S., social-legislation programs such as the New Deal and the Fair Deal were based on welfare-state principles. Scandinavian countries provide state aid for the individual in almost all phases of life.

Learn more about welfare state with a free trial on

Branch of economics established in the 20th century that seeks to evaluate economic policies in terms of their effects on the community's well-being. Early theorists defined welfare as the sum of the satisfactions accruing to an individual through an economic system. Believing it was possible to compare the well-being of two or more individuals, they argued that a poor person would derive more satisfaction from an increase in income than would a rich person. Later writers argued that making such comparisons with any precision was impossible. A new and more limited criterion was later developed: one economic situation was deemed superior to another if at least one person had been made better off without anyone else being made worse off. Seealso consumer's surplus; Vilfredo Pareto.

Learn more about welfare economics with a free trial on

or social welfare

Any of a variety of governmental programs that provide assistance to those in need. Programs include pensions, disability and unemployment insurance, family allowances, survivor benefits, and national health insurance. The earliest modern welfare laws were enacted in Germany in the 1880s (see social insurance), and by the 1920s and '30s most Western countries had adopted similar programs. Most industrialized countries require firms to insure workers for disability (see workers' compensation) so that they have income if they are injured, whether temporarily or permanently. For disability from illness unrelated to occupational injury, most industrial states pay a short-term benefit followed by a long-term pension. Many countries pay a family allowance to reduce the poverty of large families or to increase the birth rate. Survivor benefits, provided for widows below pension age who are left with a dependent child, vary considerably among nations and generally cease if the woman remarries. Among the world's wealthy countries, only the U.S. fails to provide national health insurance other than for the aged and the poor (see Medicare and Medicaid).

Learn more about welfare with a free trial on

or notary public

Public officer who certifies and attests to the authenticity of writings (e.g., deeds) and takes affidavits, depositions, and protests of negotiable instruments. The notary is commissioned by the state and may act only within the territory authorized by state statutes. Most states set maximum fees for notarial services and require that a notarial seal or stamp be impressed on documents authenticated by a notary public. In the civil-law countries of western Europe and in Latin American and French areas of North America, the role of the notary is more significant, being roughly equivalent to that of a lawyer who specializes in real estate, sales, mortgages, and the settlement of estates but who may not appear in court.

Learn more about notary with a free trial on

U.S. government agency (1933–39). It was established as part of the New Deal to reduce unemployment through the construction of highways and public buildings. Authorized by the National Industrial Recovery Act (1933) and administered by Harold Ickes, it spent about $4 billion to build schools, courthouses, city halls, public-health facilities, and roads, bridges, dams, and subways. It was gradually dismantled as the country moved to a military-industrial economy during World War II.

Learn more about Public Works Administration with a free trial on

Largest city public library in the U.S. and one of the great libraries of the world. It was established in 1895, and its central building opened in 1911. Its holdings include more than 10 million books and more than 10 million manuscripts, as well as large collections of pictures, maps, books for the blind, films, and microfilms.

Learn more about New York Public Library with a free trial on

Political body of the French Revolution that controlled France during the Reign of Terror. It was set up in April 1793 to defend France against its enemies, foreign and domestic. At first it was dominated by Georges Danton and his followers, but they were soon replaced by the radical Jacobins, including Maximilien Robespierre. Harsh measures were taken against alleged enemies of the Revolution, the economy was placed on a wartime basis, and mass conscription was undertaken. Dissension within the committee contributed to the downfall of Robespierre in July 1794, after which it declined in importance.

Learn more about Committee of Public Safety with a free trial on

Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which the key used to encrypt a message differs from the key used to decrypt it. In public key cryptography, a user has a pair of cryptographic keys—a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Incoming messages would have been encrypted with the recipient's public key and can only be decrypted with his corresponding private key. The keys are related mathematically, but the private key cannot be practically derived from the public key.

Conversely, secret key cryptography, also known as symmetric cryptography, uses a single secret key for both encryption and decryption. To use symmetric cryptography for communication, both the sender & receiver would have to know the key beforehand, or it would have to be sent along with the message.

The two main branches of public key cryptography are:

  • Public key encryption — a message encrypted with a recipient's public key cannot be decrypted by anyone except the recipient possessing the corresponding private key. This is used to ensure confidentiality.
  • Digital signatures — a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender signed it and that the message has not been tampered with. This is used to ensure authenticity.

An analogy for public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.

An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender.

A central problem for use of public-key cryptography is confidence (ideally proof) that a public key is correct, belongs to the person or entity claimed (i.e., is 'authentic'), and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs. Another approach, used by PGP, is the "web of trust" method to ensure authenticity of key pairs.

So far, public key techniques have been much more computationally intensive than purely symmetric algorithms. The judicious use of these techniques enables a wide variety of applications without incurring a prohibitive computational penalty. In practice, public key cryptography is often used in combination with secret-key methods for efficiency reasons. Such a combination is called a hybrid cryptosystem. For encryption, the sender encrypts the message with a secret-key algorithm using a randomly generated key, and that random key is then encrypted with the recipient's public key. For digital signatures, the sender hashes the message (using a cryptographic hash function) and then signs the resulting "hash value". Before verifying the signature, the recipient also computes the hash of the message, and compares this hash value with the signed hash value to check that the message has not been tampered with.


For most of the history of cryptography, a key had to be kept absolutely secret and would be agreed upon beforehand using a secure, but non-cryptographic, method; for example, a face-to-face meeting or a trusted courier. There are a number of significant practical difficulties in this approach to distributing keys. Public-key cryptography was invented to address these drawbacks — with public-key cryptography, users can communicate securely over an insecure channel without having to agree upon a shared key beforehand.

In 1874, a book by William Stanley Jevons described the relationship of one-way functions to cryptography and went on to discuss specifically the factorization problem used to create the trapdoor function in the RSA system. In July 1996, one observer commented on the Jevons book in this way:

In his book The Principles of Science: A Treatise on Logic and Scientific Method, written and published in the 1890s , William S. Jevons observed that there are many situations where the 'direct' operation is relatively easy, but the 'inverse' operation is significantly more difficult. One example mentioned briefly is that enciphering (encryption) is easy while deciphering (decryption) is not. In the same section of Chapter 7: Introduction titled 'Induction an Inverse Operation', much more attention is devoted to the principle that multiplication of integers is easy, but finding the (prime) factors of the product is much harder. Thus, Jevons anticipated a key feature of the RSA Algorithm for public key cryptography, though he certainly did not invent the concept of public key cryptography.

The first invention of asymmetric key algorithms was by James H. Ellis, Clifford Cocks, and Malcolm Williamson at GCHQ in the UK in the early 1970s; these inventions were what later became known as Diffie-Hellman key exchange, and a special case of RSA. The GCHQ cryptographers referred to the technique as "non-secret encryption". These inventions were not publicly disclosed at the time, and the fact that they had been developed was kept secret until 1997.

An asymmetric-key cryptosystem was published in 1976 by Whitfield Diffie and Martin Hellman, who, influenced by Ralph Merkle's work on public-key distribution, disclosed a method of public-key agreement. This method of exponential-key exchange, which came to be known as Diffie-Hellman key exchange, was the first published practical method for establishing a shared secret-key over an unprotected communications channel without using a prior shared secret. Merkle's public-key-agreement technique became known as Merkle's Puzzles, and was published in 1978.

A generalisation of the Cocks method was reinvented in 1977 by Rivest, Shamir and Adleman, all then at MIT. The latter authors published their work in 1978, and the algorithm appropriately came to be known as RSA. RSA uses exponentiation modulo a product of two large primes to encrypt and decrypt, performing both public key encryption and public key digital signature, and its security is connected to the presumed difficulty of factoring large integers, a problem for which there is no known efficient (i.e., practicably fast) general technique.

Since the 1970s, a large number and variety of encryption, digital signature, key agreement, and other techniques have been developed in the field of public-key cryptography. The ElGamal cryptosystem (invented by Taher ElGamal) relies on the (similar, and related) difficulty of the discrete logarithm problem, as does the closely related DSA developed at NSA and published by NIST as a proposed standard. The introduction of elliptic curve cryptography by Neal Koblitz in the mid 1980s has yielded a new family of analogous public-key algorithms. Although mathematically more complex, elliptic curves appear to provide a more efficient way to leverage the discrete logarithm problem, particularly with respect to key size for equivalent estimated security.


Some encryption schemes can be proven secure based on the presumed hardness of a mathematical problem like factoring the product of two large primes or computing discrete logarithms Rabin has done so for an impracticable approach. Note that "secure" here has a precise mathematical meaning, and there are multiple different (meaningful) definitions of what it means for an encryption scheme to be secure. The "right" definition depends on the context in which the scheme will be deployed.

In contrast to the one-time pad, no public-key encryption scheme has been shown to be secure against eavesdroppers with unlimited computational power. Proofs of security therefore hold with respect to computationally-limited adversaries, and can give guarantees (relative to particular mathematical assumptions) of the form "the scheme cannot be broken using a desktop computer in 1000 years", or "this algorithm is secure if no improved method of (for instance, integer factoring) is found".

The most obvious application of a public key encryption system is confidentiality; a message which a sender encrypts using the recipient's public key can be decrypted only by the recipient's paired private key (assuming, of course that no flaw is discovered in the basic algorithm used). Public-key digital signature algorithms can also be used for sender authentication and non-repudiation. For instance, a user can encrypt a message with his own private key and send it. If another user can successfully decrypt it using the corresponding public key, this provides assurance that the first user (and no other) sent it (if, that is, there is not a flaw in the algorithm, if the public key is the correct one, and if the corresponding private key has not been compromised). In practice, a cryptographic hash value of the message is usually calculated, encrypted with the private key and sent along with the message (in essence, a cryptographic signature of the message). The receiver can then verify message integrity and origin by calculating the hash value of the received message and comparing it against the decoded signature (the original hash). If the hash from the sender and the hash on the receiver side do not match, then the received message is not identical to the message which the sender "signed", or the sender's identity is wrong.

To achieve authentication, non-repudiation, and confidentiality, the sender would first encrypt the message using his private key, then a second encryption is performed using the recipient's public key.

These characteristics can be used to construct many other, sometimes surprising, cryptographic protocols and applications, like digital cash, password-authenticated key agreement, multi-party key agreement, etc.

Practical considerations

A postal analogy

An analogy which can be used to understand the advantages of an asymmetric system is to imagine two people, Alice and Bob, sending a secret message through the public mail. In this example, Alice wants to send a secret message to Bob, and expects a secret reply from Bob.

With a symmetric key system, Alice first puts the secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.

In an asymmetric key system, Bob and Alice have separate padlocks. First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. So in the public key scenario, Alice and Bob need not trust the postal service as much. In addition, if Bob were careless and allowed someone else to copy his key, Alice's messages to Bob would be compromised, but Alice's messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.

In another kind of asymmetric key system, Bob and Alice have separate padlocks. First, Alice puts the secret message in a box, and locks the box using a padlock to which only she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he adds his own padlock to the box, and sends it back to Alice. When Alice receives the box with the two padlocks, she removes her padlock and sends it back to Bob. When Bob receives the box with only his padlock on it, Bob can then unlock the box with his key and read the message from Alice. This three-pass protocol is typically used during key exchange.

Actual algorithms—two linked keys

Not all asymmetric key algorithms operate in precisely this fashion. The most common ones have the property that Alice and Bob each own two keys, one for encryption and one for decryption. In a secure asymmetric key encryption scheme, the private key should not be deducible from the public key. This is known as public-key encryption, since an encryption key can be published without compromising the security of messages encrypted with that key.

In the analogy above, Bob might publish instructions on how to make a lock ("public key"), but the lock is such that it is impossible (so far as is known) to deduce from these instructions how to make a key which will open that lock ("private key"). Those wishing to send messages to Bob use the public key to encrypt the message; Bob uses his private key to decrypt it.

The key pair can also be used in reverse; the private key can be used to encrypt messages that only the public key can decrypt. This is useful for applications where, instead of confidentiality being the goal, integrity, authenticity, and/or transparency is the goal, such as with digital signing.


Of course, there is a possibility that someone could "pick" Bob's or Alice's lock. Among symmetric key encryption algorithms, only the one-time pad can be proven to be secure against any adversary, no matter how much computing power is available. Unfortunately, there is no public-key scheme with this property, since all public-key schemes are susceptible to brute force key search attack. Such attacks are impractical if the amount of computation needed to succeed (termed 'work factor' by Claude Shannon) is out of reach of potential attackers. The work factor can be increased by simply choosing a longer key. Other attacks may be more efficient, and some are known for some public key encryption algorithms. Both RSA and ElGamal encryption have known attacks which are much faster than the brute force approach. Such estimates have changed both with the decreasing cost of computer power, and new mathematical discoveries.

In practice, these insecurities can be avoided by choosing key sizes large enough that the best known attack would take so long that it is not worth any adversary's time and money to break the code. For example, if an estimate of how long it takes to break an encryption scheme is one thousand years, and it were used to encrypt your credit card details, they would be safe enough, since the time needed to decrypt the details will be rather longer than the useful life of those details, which expire after a few years. Typically, the key size needed is much longer for public key algorithms than for symmetric key algorithms.

Besides the raw algorithmic strength of a particular keypair, the security of the certification hierarchy must be considered when deploying public key systems. This hierarchy vouches for the identities assigned to specific private keys. Public key digital certificates are typically valid for several years at a time, so the associated private keys must be held securely over the long term. When a private key higher in the hierarchy is compromised or accidentally disclosed then a man in the middle attack attack is possible.

Major weaknesses have been found for several formerly promising asymmetric key algorithms. The 'knapsack packing' algorithm was found to be insecure when a new attack was found. Recently, some attacks based on careful measurements of the exact amount of time it takes known hardware to encrypt plain text have been used to simplify the search for likely decryption keys (see side channel attack). Thus, mere use of asymmetric key algorithms does not ensure security; it is an area of active research to discover and protect against new attacks.

Another potential security vulnerability in using asymmetric keys is the possibility of a man in the middle attack, in which communication of public keys is intercepted by a third party and modified to provide different public keys instead. Encrypted messages and responses must also be intercepted, decrypted and re-encrypted by the attacker using the correct public keys for different communication segments in all instances to avoid suspicion. This attack may seem to be difficult to implement in practice, but it's not impossible when using insecure media (e.g. public networks such as the Internet or wireless communications). A malicious staff member at Alice or Bob's ISP might find it outright easy.

One approach to prevent such attacks is the use of a certificate authority, a trusted third party who is responsible for verifying the identity of a user of the system and issuing a digital certificate, which is a signed block of data stating that this public key belongs to that person, company or other entity. This approach also has weaknesses. For example, the certificate authority must be trusted to have properly checked the identity of the key-holder and the correctness of the public key when it issues a certificate, and has been correctly set up at communication participants before it can be used. An attacker who could subvert the certificate authority into issuing a certificate for a bogus public key could then mount a man in the middle attack as easily as if the certificate scheme were not used at all. Despite its problems, this approach is widely used; examples include SSL and its successor, TLS, which are commonly used to provide security in web browsers, for example, to securely send credit card details to an online store.

Computational cost

Public key algorithms known thus far are relatively computationally costly compared with most symmetric key algorithms of apparently equivalent security. The difference factor is typically quite large. This has important implications for their practical use. Most are used in hybrid cryptosystems for reasons of efficiency; in such a cryptosystem, a shared secret key ("session key") is generated by one party and this much briefer session key is then encrypted by each recipient's public key. Each recipient uses the corresponding private key to decrypt the session key. Once all parties have obtained the session key they can use a much faster symmetric algorithm to encrypt and decrypt messages. In many of these schemes, the session key is unique to each message exchange, being randomly chosen for each message.

Associating public keys with identities

The binding between a public key and its 'owner' must be correct, lest the algorithm function perfectly and yet be entirely insecure in practice. As with most cryptography, the protocols used to establish and verify this binding are critically important. Associating a public key with its owner is typically done by protocols implementing a public key infrastructure; these allow the validity of the association to be formally verified by reference to a trusted third party, either in the form of a hierarchical certificate authority (e.g., X.509), a local trust model (e.g., SPKI), or a web of trust scheme (e.g., that originally built into PGP and GPG and still to some extent usable with them). Whatever the cryptographic assurance of the protocols themselves, the association between a public key and its owner is ultimately a matter of subjective judgement on the part of the trusted third party, since the key is a mathematical entity whilst the owner, and the connection between owner and key, are not. For this reason, the formalism of a public key infrastructure must provide for explicit statements of the policy followed when making this judgement. For example, the complex and never fully implemented X.509 standard allows a certificate authority to identify its policy by means of an object identifier which functions as an index into a catalogue of registered policies. Policies may exist for many different purposes, ranging from anonymity to military classification.

Relation to real world events

A public key will be known to a large and, in practice, unknown set of users. All events requiring revocation or replacement of a public key can take a long time to take full effect with all who must be informed (i.e. all those users who possess that key). For this reason, systems which must react to events in real time (e.g. safety-critical systems or national security systems) should not use public-key encryption without taking great care. There are four issues of interest:

Privilege of key revocation

A malicious (or erroneous) revocation of some, or all, of the keys in the system is likely, in the second case, certain, to cause a complete failure of the system. If public keys can be revoked individually, this is a possibility. However, there are design approaches which can reduce the practical chance of this occurring. For example, by means of certificates we can create what is called a "compound principal"; one such principal could be "Alice and Bob have Revoke Authority". Now only Alice and Bob (in concert) can revoke a key, and neither Alice nor Bob can revoke keys alone. However, revoking a key now requires both Alice and Bob to be available, and this creates a problem of reliability. In concrete terms, from a security point of view, there is now a single point of failure in the public key revocation system. A successful Denial of Service attack against either Alice or Bob (or both) will block a required revocation. In fact, any partition of authority between Alice and Bob will have this effect, regardless of how it comes about.

Because the principal having revocation authority for keys is very powerful, the mechanisms used to control it should involve both as many participants as possible (to guard against malicious attacks of this type), while at the same time as few as possible (to ensure that a key can be revoked without dangerous delay). Public key certificates which include an expiry date are unsatisfactory in that the expiry date may not correspond with a real world revocation need, but at least such certificates need not all be tracked down system wide, nor must all users be in constant contact with the system at all times.

Distribution of a new key

After a key has been revoked, or when a new user is added to a system, a new key must be distributed in some predetermined manner. Assume that Carol's key has been revoked (e.g. automatically by exceeding its use-before date, or less so, because of a compromise of Carol's matching private key). Until a new key has been distributed, Carol is effectively out of contact. No one will be able to send her messages without violating system protocols (i.e. without a valid public key, no one can encrypt messages to her), and messages from her cannot be signed for the same reason. Or, in other words, the "part of the system" controlled by Carol is essentially unavailable. Security requirements have been ranked higher than system availability in such designs.

One could leave the power to create (and certify) keys as well as revoke them in the hands of each user, and the original PGP design did so, but this raises problems of user understanding and operation. For security reasons, this approach has considerable difficulties; if nothing else, some users will be forgetful or inattentive or confused. On one hand, a message revoking a public key certificate should be spread as fast as possible while, on the other hand, (parts of) the system might be rendered inoperable before a new key can be installed. The time window can obviously be reduced to zero by always issuing the new key together with the certificate that revokes the old one, but this requires co-location of both authority to revoke and to generate new keys.

It is most likely a system-wide failure if the (possibly combined) principal that issues new keys fails by issuing keys improperly. It is an instance of a common mutual exclusion; a design can make the reliability of a system high, but only at the cost of system availability, and vice versa.

Spreading the revocation

Notification of a key certificate revocation must be spread to all those who might potentially hold it, and as rapidly as possible.

There are two means of spreading information (e.g., a key revocation here) in a distributed system: either the information is pushed to users from a central point(s), or it is pulled from a central point(s) to end users.

Pushing the information is the simplest solution in that a message is sent to all participants. However, there is no way of knowing that all participants will actually receive the message, and if the number of participants is large and some of their physical or network distance great, the probability of complete success (which is, ideally, required for system security) will be rather low. In a partially updated state, the system is particularly vulnerable to denial of service attacks as security has been breached, and a vulnerability window will continue to exist as long as some users have not 'gotten the word'. In other words, pushing certificate revocation messages is neither easy to secure nor very reliable.

The alternative to pushing is pulling. In the extreme, all certificates contain all the keys needed to verify that the public key of interest (i.e. the one belonging to the user to whom one wishes to send a message, or whose signature is to be checked) is still valid. In this case, at least some use of the system will be blocked if a user cannot reach the verification service (i.e. one of those systems which can establish the current validity of another user's key). Again, such a system design can be made as reliable as one wishes, at the cost of lowering security (the more servers to check for the possibility of a key revocation, the longer the window of vulnerability).

Another trade-off is to use a somewhat less reliable, but more secure, verification service but to include an expiry date for each of the verification sources. How long this timeout should be is a decision which embodies a trade-off between availability and security that will have to be decided in advance, at system design time.

Recovery from a leaked key

Assume that the principal authorized to revoke a key has decided that a certain key must be revoked. In most cases this happens after the fact; for instance, it becomes known that at some time in the past an event occurred that endangered a private key. Let us denote the time at which it is decided that the compromise occurred with T.

Such a compromise has two implications. Messages encrypted with the matching public key (now or in the past) can no longer be assumed to be secret. One solution to avoid this problem is to use a protocol that has perfect forward secrecy. Second, signatures made with the no longer trusted to be actually private key after time T, can no longer be assumed to be authentic without additional information about who, where, when, etc of the events leading up to digital signature. These will not always be available, and so all such digital signatures will be less than credible. A solution to reduce the impact of leaking a private key of a signature scheme is to use timestamps.

Loss of secrecy and/or authenticity, even for a single user, has system-wide security implications, and a strategy for recovery must thus be established. Such a strategy will determine who has authority and under what conditions to revoke a public key certificate, how to spread the revocation, but also, ideally, how to deal with all messages signed with the key since time T (which will rarely be known precisely). Messages sent to that user (which require the proper, now compromised, private key to decrypt) must be considered compromised as well, no matter when they were sent.

Such a recovery procedure can be quite complex, and while it is in progress the system will likely be vulnerable against Denial of Service attacks, among other things.


Examples of well-regarded asymmetric key techniques for varied purposes include:

Examples of notable yet insecure asymmetric key algorithms include:

Examples of protocols using asymmetric key algorithms include:



See also

External links

Search another word or see publicon Dictionary | Thesaurus |Spanish
Copyright © 2015, LLC. All rights reserved.
  • Please Login or Sign Up to use the Recent Searches feature