1

This may be nit-picking, I’m not sure so feel free to say so.

In RSA-KEM as described e.g. in Wikipedia or this answer, we choose a secret $x : 0 \leq x < n$, and send $x^e \bmod n$ for public exponent $e$.

But isn’t this “textbook RSA”? For example, if $x^e \bmod n < n$ then it won’t wrap, and $x$ can be obtained directly.

Now of course for any normal $n$, the chances of choosing a random $x$ meeting this condition are infinitesmally small. Nevertheless isn’t it technically precise to choose $x: x < n$, $x^e \bmod n > n$ ?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
eddydee123
  • 147
  • 11
  • Related questions (but which do not directly address my question) https://crypto.stackexchange.com/questions/53232/rsa-kem-minimal-number-of-random-bits, https://crypto.stackexchange.com/questions/34041/bitwise-method-of-generating-r-for-rsa-kem, https://crypto.stackexchange.com/questions/76089/why-rsa-kem-is-more-secure-than-textbook-rsa – eddydee123 Dec 30 '21 at 18:59
  • @kelalaka IIUC the answer there is it's mathematically imprecise, but it is indeed nit-picking – eddydee123 Dec 30 '21 at 19:03
  • @kelalaka So shall I delete my question? – eddydee123 Dec 30 '21 at 19:31
  • 1
    No need, it has already been closed; having a dupe may lead other persons looking for the same Q/A to the right answer. – Maarten Bodewes Dec 30 '21 at 20:42
  • @MaartenBodewes yes, you are right, however, I did not like the title change of the dupe! – kelalaka Dec 30 '21 at 23:33

0 Answers0