9

In RSA, a message is encrypted by $m^e \pmod N$. $N$ is the modulus, $m$ is the message and $e$ is the public exponent. (I know that $m$ should not be greater than $N$.)

My question is, can $m^e$ be greater than $N$ (obviously, before taking the modulus)?

In that case is there a possibility like $ m_1^e=m_2^e \pmod N$, i.e. can we get a collision?

Paŭlo Ebermann
Ashwin

2 Answers

14

Correction to Henrick's answer: collisions are impossible (unless someone did something wrong). That is, if:

  • $e$ is a proper RSA exponent (that is, relatively prime to $p-1$ and $q-1$, where $p$ and $q$ are the factors of $N$), and:

  • $m_1 \neq m_2 \mod N$ (that is, you're not trying to encrypt the same message twice),

Then we will always have $m_1^e \neq m_2^e \mod N$

This is rather implied by the fact that the RSA operation can be inverted using the decryption exponent; if two different messages collided, then that couldn't be inverted uniquely.

poncho
  • Can you at least point me to the proof of what Henrick Hellström said: $m_1^e \equiv m_2^e \pmod N$ will only happen if $\gcd(e,\operatorname{lcm}(p-1,q-1)) \neq 1$. – Ashwin Apr 18 '12 at 11:21
  • 2
    @Ashwin: Well, an outline of a proof would look like: if $\gcd(e,p-1)=1$, and if $m_1 \not\equiv m_2 \pmod p$, then ${m_1}^e \not\equiv {m_2}^e \pmod p$ (note: the proof of this relies on the primality of $p$). And, by symmetry, if $\gcd(e, q-1)=1$, and if $m_1 \not\equiv m_2 \pmod q$, then ${m_1}^e \not\equiv {m_2}^e \pmod q$. Now, if we combine these two statements using the Chinese Remainder Theorem, we get: if $\gcd(e,\operatorname{lcm}(p-1,q-1))=1$ and if $m_1 \not\equiv m_2 \pmod{p,q}$, then ${m_1}^e \not\equiv {m_2}^e \pmod{p,q}$. Take the converse of that statement, and that's the statement you're asking about. – poncho Apr 26 '12 at 00:35
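The step poncho's outline leaves implicit (why $\gcd(e,p-1)=1$ makes $m \mapsto m^e$ injective modulo the prime $p$, and why the converse produces collisions), carried through in the page's own symbols. This is an added derivation, not part of the original answer or comments.

Let $\gcd(e,p-1)=1$. Then $e$ is invertible modulo $p-1$: there is a $d_p$ with $e\,d_p = 1 + k(p-1)$ for some integer $k \ge 0$. For any $m$ with $p \nmid m$, Fermat's little theorem gives $m^{p-1} \equiv 1 \pmod p$, so

$$(m^e)^{d_p} = m^{1+k(p-1)} = m\,\bigl(m^{p-1}\bigr)^k \equiv m \pmod p,$$

and for $p \mid m$ both sides are $0$. Hence $c \mapsto c^{d_p}$ inverts $m \mapsto m^e$ on all of $\mathbb{Z}/p\mathbb{Z}$, which forces injectivity:

$$m_1^e \equiv m_2^e \pmod p \implies m_1 \equiv (m_1^e)^{d_p} \equiv (m_2^e)^{d_p} \equiv m_2 \pmod p.$$

The same argument works modulo $q$ when $\gcd(e,q-1)=1$. If $m_1 \not\equiv m_2 \pmod N$, then $m_1 \not\equiv m_2$ modulo at least one of $p$, $q$, so $m_1^e \not\equiv m_2^e$ modulo that prime and therefore modulo $N$. The single $d$ with $e\,d \equiv 1 \pmod{\operatorname{lcm}(p-1,q-1)}$ serves as both $d_p$ and $d_q$; that $d$ is the RSA private exponent, which is exactly poncho's "it can be inverted" argument.

Conversely, if $g = \gcd(e,p-1) > 1$, then because $(\mathbb{Z}/p\mathbb{Z})^*$ is cyclic of order $p-1$ it contains an element $u \neq 1$ with $u^g = 1$, hence $u^e = 1$, and every $m \not\equiv 0$ collides with $u m \not\equiv m$:

$$(u m)^e = u^e m^e \equiv m^e \pmod p.$$

Choosing $m_1 \equiv m_2 \pmod q$ and lifting by CRT turns this into a collision modulo $N$. In poncho's $N = 91$, $e = 3$ example the ratio $6 \cdot 5^{-1}$ is $4 \pmod 7$ and $9 \pmod{13}$, and indeed $4^3 = 64 \equiv 1 \pmod 7$ and $9^3 = 729 \equiv 1 \pmod{13}$, so $5^3 \equiv 6^3 \pmod{91}$.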
11

Yes, $m^e$ is in fact supposed to be larger than the public modulus $N$, or else it would be trivial for an attacker with knowledge of nothing but the ciphertext and the public exponent to calculate $m$. If $m^e$ is less than $N$, then it is obviously equal to its residue $\bmod N$. Calculating roots is not hard; calculating the root of a residue $\bmod N$ is.

Regarding your second question: As Poncho wrote, as long as the RSA parameters are correctly selected, it is impossible that you will accidentally find two different messages $m_1$ and $m_2$, both greater than 0 and less than $N$, such that $m_1^e \pmod N = m_2^e \pmod N$, because it will only happen if $\gcd(e,\operatorname{lcm}(p-1,q-1)) \neq 1$.

Henrick Hellström
  • Since factoring the modulus is so hard that for practical purposes it is impossible, finding two such messages must also be so hard that for practical purposes it is impossible. – David Schwartz Apr 15 '12 at 10:50
  • @Henrick Hellström: Take the case where $e$ is only 3. And if your message is small, $m^e$ will be smaller than the large $N$. – Ashwin Apr 15 '12 at 11:26
  • @Ashwin: That is why you are supposed to use padding, such as OAEP or PKCS#1 v1.5. – Henrick Hellström Apr 15 '12 at 11:27
  • @Henrick Hellström: Can you please explain the logic behind $\gcd(m_1-m_2,N) \neq 1$? – Ashwin Apr 15 '12 at 11:31
  • @HenrickHellström: I understand that if $\gcd(k,N) \neq 1$ then $k$ is either a multiple of $p$ or $q$. But I don't understand that about $m_1-m_2$. – Ashwin Apr 15 '12 at 11:35
  • @HenrickHellström: You don't reply to my comments. But at least tell me something about poncho's answer. poncho says collisions are impossible. – Ashwin Apr 15 '12 at 12:23
  • @HenrickHellström: Or can you just give me a link where there is a proof or something that explains what you said: $m_1^e \equiv m_2^e \pmod N$ will only happen if $\gcd(m_1-m_2,N) \neq 1$. – Ashwin Apr 15 '12 at 12:26
  • "if your message is small m^e will be smaller than the large N." Since m is the padded message, this won't happen in practice. – CodesInChaos Apr 15 '12 at 15:54
  • @HenrickHellström: Dude, please tell me the logic behind $\gcd(m_1-m_2,N) \neq 1$. – Ashwin Apr 16 '12 at 04:39
  • 1
    Unless my math is completely off, if $e|p-1$ and $m_1^e \equiv m_2^e \pmod N$, then $m_1 \equiv m_2 \pmod q$. As poncho wrote, however, this won't happen if $e$ is correctly chosen. – Henrick Hellström Apr 16 '12 at 08:55
  • 1
    @HenrickHellström: from the 'nits-r-us' department, the example $e=3$, $N=91$, $p=7$, $q=13$, $m_1=5$, $m_2=6$ shows $e \mid p-1$ and $m_1^e \equiv m_2^e \pmod N$ but $m_1 \not\equiv m_2 \pmod q$. On the other hand, if you add the condition $\gcd(e, q-1) = 1$, then your statement is true. – poncho Apr 18 '12 at 14:13
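A worked check of the claims in both answers above, written for this page as an added example (it is not code from the original post or from any of the commenters). It enumerates the whole message space of poncho's toy modulus $N = 91$ to show that $e = 3$ (which divides $p-1$ and $q-1$) produces collisions including his $5^3 \equiv 6^3 \pmod{91}$, that a proper exponent such as $e = 5$ is a permutation of $\mathbb{Z}/91\mathbb{Z}$ that the private exponent inverts, and, for Henrick's point, that when the unpadded $m^e$ never wraps past $N$ an integer $e$-th root recovers $m$ with no knowledge of the factors. The primes $7$, $13$, $1000003$, $1000033$, the message $42$ and the exponents are constructed toy parameters, chosen small enough to brute-force; nothing here is sized for real use.

```python
"""Toy RSA checks: collisions vs. proper exponents, and the small-root attack.

Added example for the crypto.stackexchange thread above; parameters are
deliberately tiny and constructed for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from math import gcd, lcm


def is_proper_exponent(p: int, q: int, e: int) -> bool:
    """poncho's condition: e must be coprime to lcm(p-1, q-1)."""
    return gcd(e, lcm(p - 1, q - 1)) == 1


def collisions(p: int, q: int, e: int) -> list[tuple[int, ...]]:
    """Group every message m in [0, N) by its ciphertext m^e mod N.

    Returns the groups of size > 1, i.e. the collision classes.  Only
    feasible for toy N, which is why the thread's example uses N = 91.
    """
    N = p * q
    buckets: dict[int, list[int]] = defaultdict(list)
    for m in range(N):
        buckets[pow(m, e, N)].append(m)
    return [tuple(ms) for ms in buckets.values() if len(ms) > 1]


def decrypts_uniquely(p: int, q: int, e: int) -> bool:
    """poncho's inversion argument: a private exponent d exists iff e is
    proper, and then (m^e)^d == m for every residue, so nothing collides."""
    if not is_proper_exponent(p, q, e):
        return False  # pow(e, -1, L) would raise ValueError: no inverse
    N = p * q
    d = pow(e, -1, lcm(p - 1, q - 1))  # the RSA private exponent
    return all(pow(pow(m, e, N), d, N) == m for m in range(N))


def small_root_attack(c: int, e: int) -> int | None:
    """Henrick's point: if m^e < N then c == m^e over the integers, so the
    integer e-th root (binary search, no modulus involved) returns m.

    Returns None when c is not a perfect e-th power, i.e. the reduction
    mod N actually wrapped and the plain root no longer applies.
    """
    lo, hi = 0, 1
    while hi ** e <= c:
        hi *= 2
    while lo < hi:  # smallest lo with lo**e >= c
        mid = (lo + hi) // 2
        if mid ** e < c:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == c else None


if __name__ == "__main__":
    # poncho's counterexample: e = 3 divides both p-1 = 6 and q-1 = 12.
    print(is_proper_exponent(7, 13, 3), collisions(7, 13, 3)[:2])
    # e = 5 is coprime to lcm(6, 12) = 12: a permutation of Z_91.
    print(is_proper_exponent(7, 13, 5), collisions(7, 13, 5),
          decrypts_uniquely(7, 13, 5))
    # Unpadded small message with e = 3 and N ~ 1e12 (two primes just
    # above 1e6): 42^3 = 74088 < N, so the cube root gives 42 back;
    # 100000^3 wraps, and the plain root fails.
    N = 1000003 * 1000033
    print(small_root_attack(pow(42, 3, N), 3),
          small_root_attack(pow(100000, 3, N), 3))
```

The collision class that `collisions(7, 13, 3)` returns for ciphertext 34 has nine members, since $x^3 \equiv 34$ has three roots modulo 7 and three modulo 13; 5 and 6 are two of them. That the padded-message case is the one that matters in practice is exactly CodesInChaos's remark: with OAEP or PKCS#1 v1.5 the integer fed to the exponentiation is close to $N$ in size, so `small_root_attack` gets nothing to work with.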