Updated Fri, 20 May 2022 02:16:56 GMT

Multiple private keys for single public key

I am currently working in security in mobile ad-hoc networks.

I have several clusters, and I want to send some data encrypted with its public key, from the cluster head to the cluster members. I assume that each member has its own private key so it can decrypt the data.

I am asking how to get a single public key and multiple private keys for this public key.

What is the solution for this case?


Public-key algorithms such as RSA or ECDSA have exactly one private key for each public key and vice versa.

Attribute-based Encryption

Attribute-based encryption works (a little bit) like that. You have only one public key which is used to create all ciphertexts and you select the users that should be able to decrypt the data based on a policy of attributes. The policy can be a boolean formula and the users have secret attribute keys that should satisfy the policy if they must be able to decrypt the ciphertext.

If you use only one attribute for all users and a trivial policy containing that attribute, you've got the system that you wanted, but now the problem becomes that the user attribute secret keys have to be generated by a central server and you will need multi-party computation to get rid of the key escrow.


This is almost certainly too complicated for your case. You should use a symmetric algorithm like AES and a public key encryption algorithm like RSA in conjunction. You can simulate your intended system by encrypting the data with AES using a randomly generated key, then encrypt the AES key with all the RSA public keys of the intended recipients. Concatenate everything into one package and send it on its way.


Let's say multiple recipients each have a different private key and all of them can decrypt data encrypted with the same public key. You should ask yourself how the different private keys can be generated to arrive at the same public key without the recipients knowing each other's private keys.

Comments (5)

  • +0 – @Artijom B. You are right, sir, in what you ask at the end of your comment. Maybe I formulated the problem in the wrong way. Anyway, I have just started to read about ABE, but I don't yet have a deep understanding of this topic. I will consider your suggestion, thank you for your valuable answer — Feb 25, 2015 at 13:57
  • +0 – I don't think ABE is for you, because there are multiple problems with it. I clarified my answer. — Feb 25, 2015 at 14:03  
  • +0 – Sorry, I don't understand "then encrypt the AES key with all the RSA public keys of the intended recipients". Do you mean each intended recipient will have a different public key, or what? — Feb 25, 2015 at 14:17
  • +1 – @IanWarburton Probably not, but that's a big question on its own. It likely depends on specifics like the RSA padding and the AES mode of operation. If you use an adaptively secure ABE scheme this is also highly unlikely. — Oct 24, 2019 at 19:26
  • +1 – In the case of RSA, this is not totally true; for every public key there can be more than one private key: "More than one private key for RSA" — Mar 15, 2022 at 22:07