RSA can't be used securely as is, as it is deterministic. So an encrypted "yes" always looks the same. A simple workaround, which is apparently not secure, is to add 100 bits, say, of random salt to your plaintext before encryption. Why is this not considered secure?

Simd
  • Do you have a citation for that claim? – Daniel S Mar 07 '24 at 10:06
  • To be honest, you are almost 20 years late about this. The history is long about this and we have tons of questions on this. We have RSAES-PKCS1-v1_5 padding and RSAES-OAEP. The former is still problematic due to incorrect coding and the latter is proven to be secure. – kelalaka Mar 07 '24 at 10:06
  • Sketch of an argument (different from that in answer to the slightly different second question linked in the above comment): even with $e=65537$ and a receiving end that does not leak anything about an attempted decryption (contrary to what happened so many times with error codes or timing variation), there's a sizable chance that the padded message is the product of two numbers both less than 64-bit, and then there is an attack with cost $2^{64}$ something that deciphers the cryptogram. – fgrieu Mar 07 '24 at 10:50
  • @fgrieu-modelectiontime Oh that sounds interesting. Would you be able to flesh out the math for that please? – Simd Mar 07 '24 at 11:03
  • @Simd: Look at this answer, Encryption / Decryption, item 3 for why we want $e$ not too small, and item 5 (and the link there) for why 100 random bits are not enough. For danger of leak on the receiving end, see e.g. this. – fgrieu Mar 07 '24 at 11:29
  • Adding 100 bits when the message is known to be either YES or NO is of course insecure, because the result will be either 124 or 116 bits. – gnasher729 Mar 10 '24 at 15:22
  • @gnasher729 don't you normally pad to block sizes? But yes you do need to pad to a fixed message length for everything in these circumstances. – Simd Mar 10 '24 at 15:28
  • It would also be a problem if there are only two different messages, one just less and one just above a block size. – gnasher729 Mar 11 '24 at 21:45
  • @gnasher729 Yes, I get the message length problem – Simd Mar 11 '24 at 22:54
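
The "sizable chance" in fgrieu's comment can be measured directly. The following is an added example, not part of the original thread: it estimates how often a salted plaintext is a product of two small factors, using scaled-down sizes (16-bit salt, 1-byte message, 14-bit factor bound, standing in for the 100-bit salt, "yes" and 64-bit factors). The salt-in-high-bits layout and all names are assumptions.

```python
import random
from math import isqrt

SALT_BITS = 16      # toy stand-in for the 100-bit salt in the question
MESSAGE = b"y"      # toy stand-in for "yes" (constructed sample)
FACTOR_BITS = 14    # toy stand-in for the 64-bit factor bound in the comment


def pad(salt: int, message: bytes) -> int:
    """Assumed layout: random salt in the high bits, message in the low bits."""
    return (salt << (8 * len(message))) | int.from_bytes(message, "big")


def split_small(n: int, bound: int):
    """Return (a, b) with a * b == n and a <= b < bound, or None.

    Textbook RSA is multiplicative (m = a*b gives c = a^e * b^e mod N),
    which is why such a split matters for the unstructured salted plaintext.
    """
    # a > n / bound guarantees b = n / a < bound; a <= isqrt(n) gives a <= b.
    for a in range(n // bound + 1, isqrt(n) + 1):
        if n % a == 0:
            return a, n // a
    return None


def split_fraction(samples: int = 2000, seed: int = 0) -> float:
    """Fraction of randomly salted plaintexts that split into small factors."""
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    bound = 1 << FACTOR_BITS
    hits = 0
    for _ in range(samples):
        m = pad(rng.getrandbits(SALT_BITS), MESSAGE)
        if split_small(m, bound) is not None:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    print(f"salted plaintexts that split: {split_fraction():.1%}")
```

OAEP, mentioned in kelalaka's comment, gives the padded value structure that survives decryption checks, so a product of two small numbers is not accepted as a valid plaintext encoding.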

0 Answers