
I know the posts from here and here regarding RSA padding. I still don't understand why simply adding a random number to the message and then encrypting the result with plain RSA isn't secure.

Here's a more precise description of the scheme:

Suppose the message is $m$. Then suppose we draw a random integer $r$ and compute $m'=m+r\bmod n$ and feed $m'$ to the RSA function.

At a later time I will recover the encrypted message from the server and I'll decrypt it myself. I know that RSA isn't the best scheme for this application. Is the proposed padding secure in this context?

mip
    So, does this mean you will "simply" remember $r$ and keep it secret until you recover the ciphertext from the server? – SEJPM Sep 11 '18 at 13:06

1 Answer

The system proposed has no practical interest.

  • If $r$ is public, then it is easy to check a guess $\overline m$ of $m$ (compute $\overline m'=\overline m+r$, feed it to the RSA function, and compare the result to the actual ciphertext; it matches when $m=\overline m$). That possibility is a disaster in practice; e.g. if $m$ is a name on the class roll, or a credit card number, poof goes confidentiality.
  • If $r$ is secret and chosen randomly in $[0,n)$ for each message, then the system is safe and we can use $m'$ as the ciphertext, without needing RSA on top of that. That's in effect a One Time Pad.
fgrieu
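The two cases in the answer, worked through on a toy key as an added example (not code from the question or the answer): with $r$ public, a candidate plaintext is confirmed by re-running the scheme and comparing ciphertexts; with $r$ secret and uniform in $[0,n)$, every candidate plaintext is equally consistent with $m'$, which is exactly the one-time-pad observation. The primes, exponent, and sample values below are constructed for illustration and are far too small for real use.

```python
from typing import Iterable, Optional

# Constructed toy RSA key (not a real key); n = 3233, d = 2753.
P, Q = 61, 53
N = P * Q
E = 17
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent


def rsa_encrypt(x: int) -> int:
    """Plain (textbook) RSA: deterministic, no padding."""
    return pow(x, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def encrypt_additive(m: int, r: int) -> int:
    """The scheme from the question: m' = m + r mod n, then plain RSA."""
    return rsa_encrypt((m + r) % N)


def decrypt_additive(c: int, r: int) -> int:
    """Recover m given the ciphertext and the same r."""
    return (rsa_decrypt(c) - r) % N


def check_guess(c: int, r: int, guess: int) -> bool:
    """Point 1 of the answer: with r public, anyone holding the public key
    can test a candidate m by recomputing the ciphertext and comparing."""
    return encrypt_additive(guess, r) == c


def recover_from_candidates(c: int, r: int, candidates: Iterable[int]) -> Optional[int]:
    """A low-entropy message (e.g. drawn from a short list) is identified by
    checking each candidate; returns the matching candidate or None."""
    for guess in candidates:
        if check_guess(c, r, guess):
            return guess
    return None


def r_explaining(m_prime: int, candidate: int) -> int:
    """Point 2 of the answer: with r secret and uniform in [0, n), every
    candidate plaintext is consistent with m' via exactly one r, so m' alone
    reveals nothing about m (a one-time pad); the RSA layer adds no security."""
    return (m_prime - candidate) % N
```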