Are there any security concerns with using RSA in “CBC mode”?

Specifically: if I use RSA encryption as my block cipher operation, and apply the standard CBC mode operations including a random IV, will the resulting cipher text provide the same level of theoretical security as the underlying RSA problem?

I am only considering RSA on its own. No padding scheme. I know traditionally RSA is insecure without proper padding, but in CBC mode I don’t see why the padding would be necessary (and it complicates the issue by introducing non-deterministic elements).

I also understand that CTR, CFB, and other block cipher modes that use the block encryption function for both encryption and decryption would fail horribly with RSA. Only concerned with CBC.

1 Answer

This is a truly mad idea, so I applaud you for that. But it's seriously insecure. My interpretation of "RSA-CBC" would work like this:

$$ \begin{array}{l} \textsf{RSA-CBC}\Bigl( (N,e), m_1 \| m_2 \| \ldots \|m_\ell \Bigr): \\ \quad c_0 \gets \mathbb{Z}_N \\ \quad \mbox{for $i=1$ to $\ell$:} \\ \quad\quad c_i := (c_{i-1} + m_i)^e \bmod N \\ \quad \mbox{return } c_0 \| c_1 \| \ldots \| m_\ell \end{array}$$

Here each $m_i$ and each $c_i$ is a $\mathbb{Z}_N$-element. RSA-CBC chooses a random "IV" (element of $\mathbb{Z}_N$), then encrypts each plaintext block by adding the previous ciphertext block and then applying the RSA function.

So what's wrong with it? Suppose I see an encryption of some unknown plaintext. If I have a guess for $m_i$, then I can check whether my guess is correct via $c_i \overset?= (c_{i-1} + m_i)^e \bmod N$. I can indeed perform this check because the RSA exponent $e$ is public.

More generally, CBC doesn't work with public-key operations. Anyone can repeat the steps done during CBC encryption, if the block cipher is replaced by a public-key operation that anyone can perform.

Mikero
  • Beautiful. I knew there was something simple I was missing. – Crypto Questions Feb 10 '22 at 04:21
  • Well, one can design this with secure PKCS and OAEP padding, too. $$c_i := (pad(c_{i-1} + m_i))^e \bmod N$$ (the reduced size of padding is omitted) – kelalaka Feb 10 '22 at 14:23
  • @kelalaka, $c_{i-1}+m_i$ is already a "full size" element of $\mathbb{Z}_N$, so I'm not sure what padding you could apply while still keeping the result in $\mathbb{Z}_N$. – Mikero Feb 10 '22 at 15:04
  • @Mikero one has to reduce the size of input of this scheme like 11-byte for PKCS#1 v1.5 padding ( see this for OAEP ) as I said (maybe not clear, sorry for that). Then encryptions are secure as long as PKCS#1 v1.5 padding or OAEP is secure. Anyway, one has to use ECIES... – kelalaka Feb 10 '22 at 15:29
  • OK, then in that case the "CBC chaining" adds nothing. You might as well just do RSA-OAEP in "ECB" mode ;) – Mikero Feb 10 '22 at 16:18
  • Yes, the OAEP and PKCS are probabilistic encryptions, however, the CBC also provides some chaining that one might want. And this should not be confused with authentication since one can already attack CBC with bit flipping. – kelalaka Feb 10 '22 at 16:40
  • "If I have a guess for $m_i$, then I can check": this applies in the same way for ECB. So your actual statement is, "CBC is no improvement" and the security gap, that allows the check of the guess comes from the public key being known to an attacker. Think, in a TLS protocol he won't have this. – Sam Ginrich Apr 08 '22 at 22:43
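
The guess check from the answer above, as an added example that is not part of the original post: a toy implementation of the answer's RSA-CBC definition showing that a guess for any block can be confirmed from public values alone. The key (two Mersenne primes, $e = 65537$), the byte-to-integer `encode` helper and the sample plaintext are constructed assumptions; the example goes slightly beyond a single check by testing a small candidate list against one block.

```python
import secrets

# Constructed toy key (assumption): two Mersenne primes so the example runs
# instantly. The check below behaves identically for a full-size modulus.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only by decrypt


def encode(s):
    """Hypothetical block encoding: short ASCII string -> element of Z_N."""
    m = int.from_bytes(s.encode(), "big")
    if m >= N:
        raise ValueError("block does not fit in Z_N")
    return m


def rsa_cbc_encrypt(blocks, n=N, e=E):
    """c_0 random in Z_N; c_i = (c_{i-1} + m_i)^e mod N, as in the answer."""
    ct = [secrets.randbelow(n)]
    for m in blocks:
        ct.append(pow((ct[-1] + m) % n, e, n))
    return ct


def rsa_cbc_decrypt(ct, n=N, d=D):
    """m_i = c_i^d - c_{i-1} mod N; needs the private exponent."""
    return [(pow(ct[i], d, n) - ct[i - 1]) % n for i in range(1, len(ct))]


def guess_is_correct(ct, i, guess, n=N, e=E):
    """Public-values-only test: is plaintext block i equal to `guess`?"""
    return ct[i] == pow((ct[i - 1] + guess) % n, e, n)


def confirm_from_candidates(ct, i, candidates, n=N, e=E):
    """Return the candidate that matches block i, or None if none does."""
    return next((g for g in candidates if guess_is_correct(ct, i, g, n, e)), None)


if __name__ == "__main__":
    msg = [encode("user=alice"), encode("PIN=4821")]  # constructed plaintext
    ct = rsa_cbc_encrypt(msg)
    pins = (encode(f"PIN={k:04d}") for k in range(10000))
    print(confirm_from_candidates(ct, 2, pins) == msg[1])  # random IV does not help
```

Because the RSA function is a permutation of $\mathbb{Z}_N$, the check has no false positives: it succeeds exactly when the guess equals the plaintext block.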