2

I'm pretty new in crypto, and studying RSA now. I saw few videos and read about it and how it works. So basically, after we have the modulus N and exponent, we encrypt a message with:

m^e mod N = Cipher

and then decrypt that cipher with d

My question is that, seemingly, we can have multiple values for m that would yield the same cipher C, so how can the original text can be determined? For example:

p = 11
q = 13
n = 143
e = 7
d = 103

Now if we encrypt the message 9 for example:

9^7 mod 143 = 48

We get 48, which is the same if we encrypt 152.

How does it work then?

YoavKlein
  • 159
  • 4
  • 2
    RSA works on modulo $n=143$. So $9 \equiv 152 \pmod{143}$, nothing special here. Therefore $|m| <n$ – kelalaka Jan 26 '21 at 23:29
  • 1
    @kelalaka: I think the author means following. To what messages is this operation with this particular modulo applicable? Answer: Obviously the messages should not be greater than modulo. Thus, encryption of 152 is not allowed and 48 will be unambiguously decrypted to 9. Then the next question of the author could be "OK, if I have a stream of bits, how should I proceed: Split into chunks of bits that give numbers less than modulo? Less than square of modulo? Any other requirements?" I think an answer to such question would be more helpful :) – mentallurg Jan 27 '21 at 00:29
  • @mentallurg anything to add? – kelalaka Jan 27 '21 at 01:08
  • 2
    @kelalaka: You don't go deeper into text book topic, and it is really not needed in the real world. Compact and all essential info is there. I like it :) – mentallurg Jan 27 '21 at 23:15

1 Answers1

3

What you are using is the so-called Text-Book RSA. For encryption, we always want the correctness requirement and for public-key systems, this is;

$$D(prv,(E(pk,m)) = m$$ where $E$ is the public key encryption with the public key ($pk$) and $D$ is the decryption with the private key ($prv$).

In Text-Book RSA if we let the messages $m\geq n$ then as you noticed the decryption is not giving back the original message instead provides the $m'$ such that $m' = m \pmod n$ $(9 \equiv 152 \pmod{143})$. Therefore the meaningful resolution is restricting the message space into $[0..n-1]$. Then we can have the correctness requirement.

If you want to encrypt messages with Text-Book RSA then you can split your files into a chunk of sizes in bits at most $\lfloor \log_2 n \rfloor$-bit*. Here one should consider putting information like the $i$-part of $\ell$, etc. This, however, is not the way to encrypt messages and you must never use the text-book RSA.

We prefer a hybrid-cryptosystem in which the public-key is used to key exchange like RSA-KEM or DHKE and a symmetric cryptosystem is used to encrypt the message with the key.

If you still want to use RSA for encryption then use the correct padding to be secure since the text-book RSA is not secure. RSA should be used with PKCS#1 v1.5 padding or with OAEP.

* To find the number of digits in binary representation of given base 10 integer $n$, calculate $\lfloor \log_2 n \rfloor +1$. Using bits, or actually bytes is much fastert than calculating the data as integer and comparing to the integer $n$.

Community
  • 1
kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • @kelaka I have suggested an edit - please check if that's what you meant. I believe it was a typo - you meant "a symmetric cryptosystem" rather than "an asymmetric cryptosystem". Also in "of sizes at most n-1" it would probably be good to clarify that n-1 is the chunk size in bits, where n is the modulus size in bits, not the modulus value. If I got it all wrong - please revert my edits. – tum_ Jan 27 '21 at 10:45
  • 1
    @tum_ Thanks for the notice. I've clarified the other pars, originally I've used the size in integers, however, size in bit or better in bytes much preferable. – kelalaka Jan 27 '21 at 10:57