- A symmetric matched pair of RSA keys,
- Concealment of both keys of a pair.

- The public key is not concealed whereas the private key is.
- The public key can be derived from the private key.
- The exponent of the public key is smaller and thus that key is faster to use.

I hasten to note that I know of no compelling problems to which this is a solution but merely note that symmetries seldom go unexploited! The symmetric RSA scheme has a disadvantage over normal practice in that both keys are expensive to use. In the normal scheme the public key is much quicker to use because of its small exponent.

To exploit symmetric applications, current protocols must be reexamined for concealment of the public key, as that was not a requirement when those protocols were designed.

- p and q are prime.
- c = m
^{e}(mod pq) - m = c
^{d}(mod pq) - ed = 1 (mod (p−1)(q−1))
- 0 ≤ c, m < pq.

In the symmetric variation d is chosen to be unguessable. While the generation of the keys is asymmetric that fact is invisible outside the generator mechanism. When both keys are concealed they are on equal footing. This symmetry will simplify protocols and arguments about their correctness. Note that if d is chosen to be unguessable then pq may be revealed for that will not compromise the “public” key. I suspect that pq can be shared between several symmetric key pairs—a family parameter!

- A message from one population can be so recognized by the other.
- Only members of one population can decrypt messages from the other.

To solve this problem with conventional RSA we try three cases:

- equip the archivers (and only them) with a public key and the sources with the corresponding private key.
- equip the archivers with the private key and the sources (and only them) with the public key.
- Use two key pairs, one for secrecy and one for authorization.

In scheme 2 the archivers can read data that is addressed to other archivers. This may be unsuitable.

In scheme 3 ...

It is not yet clear how to concoct a plausible set of requirements that requires the symmetric key.

Two conventional public RSA keys pairs serve all the functions of a symmetric RSA key pair. |

- Private key from A with public key from B
- Private key from B with public key from A

To transmit a message with such a packet, first sign the message with the private key from the package, then encrypt the result with the public key from the packet.

To receive a message with a packet, decrypt the message with the private key from the packet and then verify the signature with the public key from the packet.

There are formalizations for arguments such as these that would raise issues more systematically.

There is only a meager advantage of the symmetric RSA cypher over two pair; This is because the public RSA keys have few bits in the exponent and are thus fast to use.

I think that the same tricks regarding bulk data apply equally to symmetric and asymmetric RSA.