I have a plaintext about 18 bit size. I have to encipher it using RSA. How large have to be p and q? So M (message to encipher) = 2**18 bit I tried, using a Python coded RSA algorithm, different sizes for p and q, and my results are these:
p=61, q=31 not working
p=61, q=127 not working
p=997, q=4253 OK working
I tried them randomly but I think there's a way to decide the size.
I have a plaintext about 18 bit size. I have to encipher it using RSA. How large have to be $p$ and $q$?
For security, the recommendation is: very large, like each at least 700 bits and the sum of their bit size at least 2000, so that their product is hard to factor. But maybe that's not the answer thought, for it does not consider plaintext size. Also, there are other conditions for security.
In textbook RSA, the public and private keys are $(N,e)$ and $(N,d)$, with $N=p\,q$, $e\,d\bmod(p-1)\;=\;1\;=\;e\,d\bmod(q-1)$, where $p$ and $q$ are primes. Encryption of a plaintext (integer representative of a) message $m$ is per $c=m^e\bmod N$, and decryption is per $e=x^d\bmod N$.
From the later equation and the definition¹ of $\bmod$ it follows that decryption can return the original message only if $0\le m<N$. This condition is sufficient when primes $p$ and $q$ are distinct (see this question), which we'll assume.
Thus $p$ and $q$ should be large enough that the largest possible $m$ verifies $m<p\,q$. If $m$ is 18-bit, by the definition² of bit size, it is sufficient that $p\,q\ge2^{18}$.
In term of bit size of $p\,q$: at least 19 is sufficient.
In term of sum of the bit sizes of $p$ and $q$: at least 20 is sufficient. This follows from $\|p\|+\|q\|-1\le\|p\,q\|\le\|p\|+\|q\|$.
p=61, q=127 not working
Correct. One way to prove this is that $2^5=32\le p=61<64=2^6$ and $64=2^6\le q=127<128=2^7$, therefore $p$ is 6-bit and $q$ is 7-bit, therefore $p\,q$ is no more than 13-bit, thus all 18-bit $m$ are such that $m\not<p\,q$, thus such $m$ does not belong to the plaintexts that can be enciphered and deciphered back to the original.
p=997, q=4253 OK working
Correct. One way to prove this is that $2^9=512\le p=997<1024=2^{10}$ and $4096=2^{12}\le q=4253<8183=2^{13}$, therefore $p$ is 10-bit and $q$ is 13-bit, therefore $p\,q$ is no less than 22-bit, thus all 18-bit $m$ are such that $m<p\,q$, thus such $m$ belongs to the plaintexts that can be enciphered and deciphered back to the original.
By computing $p\,q=4240241$, we can find that $p\,q$ is 23-bit (rather than the minimum of 22 established above), thus $p=997$, $q=4253$ allows decryption of all messages up to and including 22-bit, and some 23-bit messages.
¹ For integer $i$ and strictly positive integer $k$, the quantity $i\bmod k$ is uniquely defined as the integer $j$ with $k$ dividing $i-j$ and $0\le j<k$. It is written $j=i\bmod k$ without an opening parenthesis immediately on the left of $\bmod$.
Contrast with $j\equiv i\pmod k$, which means that $k$ divides $i-j$, but leaves the range of $j$ unspecified.
² The bit size of a strictly positive integer $a$ is the uniquely defined integer $b$ with $2^{b-1}\le a<2^b$. It holds $b=\left\lceil\log_2(a+1)\right\rceil=\left\lfloor\log_2(a)\right\rfloor+1$. In a cryptographic context, it can be written $b=\|a\|$.
In the core RSA operation (aka textbook RSA) the modulus must be larger than the message. The decryption operation is computed modulo the modulus, so any message larger than the modulus will not correctly be recovered.
However, if you want your system to be secure then there are (at least) two other issues you need to deal with.
The padding scheme will expand the message, thus reducing the size of message that can be encrypted with a given modulus.
In practice RSA is rarely used to encrypt messages directly, instead it is used to encrypt the key for a symmetric encryption algorithm.
