I was wondering whether plain RSA encryption can be cracked given:
The public key
A plaintext of a known cipher text(s).
In other words the decrypted message from an encrypted one (but without knowing the private key)
I.E.: you have managed to find the plaintext of an already encrypted message using the public key, however, you DO NOT know the private key.
With maybe some form of adaptive-chosen-ciphertext attack?
edit: maybe also take advantage of plain-RSA malleability?
It depends on what you mean by "cracking", and also what you mean by "RSA".
"Plain RSA", also sometimes described as "textbook RSA", is the lone modular exponentiation. By itself, it is very weak. For instance, if $n$ is the modulus and $e$ the public exponent, suppose that you want to "decrypt" a cipher text $c_1$ (i.e. you want to find $m_1$ such that $m_1^e = c_1 \pmod n$). You can choose a random integer $c_2$ modulo $n$, and compute $c_3 = c_1/c_2 \pmod n$; then, obtain the decrypted messages $m_2$ and $m_3$, corresponding to $c_2$ and $c_3$, respectively. In that situation, you know that $m_1 = m_2m_3 \pmod n$. This is a chosen ciphertext attack, in which you ask for two decryptions and obtain three plaintext messages, including the target message $m_1$, and yet the decryption oracle did not see any request ending in revealing $m_1$. That's "cracked" by any decent definition of "cracking".
That's why "plain RSA" is not RSA. RSA, the asymmetric encryption algorithm, is described by PKCS#1 and includes a padding operation which is essential to security. With appropriate padding, there is no known attack on RSA which would help in decrypting a given message, even in an adaptative chosen ciphertext context.
Firstly, we do not have access to the server/oracle that encrypts messages. Therefore the method of using a given encryption of m1 and m2 so that we can determine the encryption c3 of m1 . m2 is impossible.
The only thing accessible to us is a number of 'already cracked' messages, with their ciphertexts, (acquired from a database of encrypted messages) and the public key used to encrypt the plaintexts.
– user1084514 Dec 07 '11 at 13:06Plain RSA encryption is considered. In this setup, anyone obtains the ciphertext $c$ for a plaintext message $m$ such that $0\le m\lt n$, as: $c = m^e \bmod n$.
Among the classical vulnerabilities of plain RSA:
It is trivial to determine that a message $m$ has been repeated: that's when the ciphertext $c$ is.
It is easy to verify a guess of the message. E.g. if one is expected to send a "yes" or "no" message, it is trivial to find which; if one sends a password encrypted, it is possible to recover the password, assuming it is in a list of common passwords; if one sends a small variation of an earlier message, the new message can be guessed and verified.
When $e \cdot log_2(m) < log_2(n)$, modular reduction has not occurred during encryption, and recovering $m$ is trivial; e.g. for $e=3$ this is cube root extraction. This can be extended to a somewhat larger choice of $m$.
When the same message is sent encrypted to $e$ destinations using different public keys sharing the same $e$, it can be recovered (we know $m^e$ modulo enough $n_j$ to reconstruct $m^e$ fully using the Chinese Remainder Theorem, then can recover $m$ as in the previous attack). There are extensions to that.
As pointed by Thomas Pornin, in order to decrypt $c$, an attacker can replace it with $c'=(c\cdot(r^e\bmod n))\bmod n$ for some random $r$; the resulting $m'$ is $m\cdot r \bmod n$ and will not make sense to the decipherer, but if $m'$ gets revealed, the attacker can deduce $m$ as $m=(m'\cdot(r^{-1}\bmod n)\bmod n)$.
The solution is easy: never use plain RSA. Rather, use RSA as defined in PKCS#1.