RSA encryption/decryption process is not working correctly

Question

I'm trying to apply the RSA cryptosystem to encrypt a byte M=72, using predefined modulus n, public key exponent e and private key d.

(n, e, d, p, q) = (4802, 5, 59, 43, 8)

In order to accomplish that, I used the following code on Python console:

C=(M**e)%n
M=(C**d)%n
print M

the first instruction encrypts the byte as C: using the RSA encryption mathematical expression (** stands for exponentional, and % for modulus in Python programming language)
the second decrypts C to get M back: using the RSA decryption mathematical expression.

However, the output shows:

2816

which means that M was incorrectly computed as '2816', although I'm pretty sure that all the values of n, e, d, p and q respect the RSA public key algorithm specification.

Does anyone have any idea?

did you click to the link and see the factors? see Text book RSA — kelalaka, Oct 21 '18 at 17:12
@kelalaka Yes, so since the number has more than 2 prime divisors, I think I made a mistake for computing n. — user6039980, Oct 21 '18 at 17:16
@kelalaka Obviously p*q is different from n, and q is not prime number. — user6039980, Oct 21 '18 at 17:18
On top of the answer: A) n is some million (.. dozens words "million" suppressed) million times too small to provide security. B) M=(C**d)%n won't work even if you increase n by a million million. See modular exponentiation or/and use the three-argument form of pow. C) With the question's textbook RSA, a message guess can be checked; think of e.g. a name on the class roll. See encryption padding. — fgrieu, Oct 21 '18 at 19:42
@fgrieu Thanks for your help, B) Regarding the modular exponentiation, I know that C**d performs the exponentiation and %n applies the modulus. Why it won't work if n is increased by million? A+C) I'm not understanding what you're talking about. sorry. — user6039980, Oct 21 '18 at 20:59
On B): because no computer has enough memory to store C**dexactly for n large enough for security, which implies nearly as large Cand d. Modular reduction must be applied as the exponentiation is performed. Three-arguments pow does, but (C**d)%ndoes not. On A): n needs to be MUCH larger, otherwise it can be factored and an adversary can then decipher just as easily as the legitimate recipient. On C): with the question's textbook RSA, if you know that the name of a student is enciphered, you can encrypt each name on the class roll and see which matches the ciphertext. — fgrieu, Oct 21 '18 at 21:56
@fgrieu I understood, this is very important. Thanks for the information. — user6039980, Oct 21 '18 at 22:10

kelalaka · Accepted Answer · 2020-07-05T11:35:27.527

The RSA definition requires $n = p q$ where $p$ and $q$ are distinct primes.

In your example $n=4802$ has a factorization as;

$$ n = 2 \cdot 7^4$$ with 10 divisors. Also, your $q=8$ is not a prime.

Here a working example for you with fips.186-4 standard, or see $\lambda$ versus $\varphi$ in RSA;

Select two distinct random primes; $p = 47, q = 43$
compute $n = 47*43 = 2021 $
compute $\lambda(n)=\operatorname{lcm}(p-1,q-1)= \operatorname{lcm}(62,42)= 966$
select $e$;
- $e=3$;
- $gcd(3,966) = 3 \neq 1$ chose another;
- $e=5$
- check $gcd(5,966) = 1$, ok.
$d = 773$ by $d = e^{-1} \bmod{\lambda(n)}$

As noted by Fgrieu on the comments, make sure that you are using efficient methods. For example;

For finding prime numbers probabilistic Miller–Rabin primality test, should be enough. Note that Miller–Rabin primality test is probabilistic; composite output is always true, prime output has probability defined by the number iterations.
For modular multiplication there are various chocies as $2^k$-ary sliding window algorithm used by GNU GMP, left-to-right or right-to-left modular multiplications.
Modular inverse by the extended-gcd algorithm.

Calculating with Wolfram Alpha

One can use the highlighted text to enter at WolframAlpha with your paramaters:

$\lambda(n):$ CarmichaelLambda(2021) result is 966
$gcd(5,966):$ gcd(5,966) result is 1
$d:$ 5^-1 mod CarmichaelLambda(2021) result is 773
encrypt $m=65:$ 65^5 mod 2021 result is c=168
decrypt $c=168:$ 168^773 mod 2021 result is 65

Note: if you are using textbook RSA then change CarmichaelLambda() with phi()

Unfortunately I'm facing the same problem given: (n, e, d, p, q) = (289, 77, 133, 17, 17) and M=72. n is prime as well as p and q. Moreover I verified that (e * d) mod ((p-1)*(q-1)) = (77×133) mod (16×16) = 1 — user6039980, Oct 21 '18 at 18:45

RSA encryption/decryption process is not working correctly

1 Answers1

Linked

Related