
I have a protocol where I need to encrypt an elliptic curve exponent in RSA, but the elliptic curve exponent is only 256 bits. I have all the zero-knowledge proofs required to prove that it is done correctly, but I am unsure as to whether my adversary will be able to read the message in any reasonable amount of time. My proofs only work on textbook RSA, so I am stuck with textbook RSA.

My only concern is with the adversary being able to read the messages. For the life cycle of this RSA key, there will only be 2 different RSA ciphertexts of this kind (as well as a few Paillier ciphertexts).

I know that textbook RSA doesn't have IND-CPA, so if they do guess the message they can confirm it, but guessing a 256-bit message will take a long time, so (unless I am wrong) this shouldn't be a problem. I know that they can alter the message, but that has no effect on my protocol as the receiving party is the only one interested and there are zero-knowledge proofs ensuring the validity of the message.

I am using 65537 as my exponent $e$.

My messages in RSA only need to be secure for a week at most.

I don't work with RSA that much, so I am concerned that I am missing something that might be known in the RSA world.

My concern is that the message space of my random number is significantly smaller than the RSA message space, which maybe could cause problems.


2 Answers


No, there is no known attack using the specified exponent ($e$) of 65537.

It is possible to know the plaintext ($M$) if the exponent is small and the message is also small. In this particular case $M^e < n$, which can make your ciphertext factorization possible.

In the beginning of RSA, 3 was used as an exponent, but this is now a widely known flaw in implementing RSA; because of that, 65537 is widely adopted.

Fun fact: 65537 is a Fermat prime of the form $2^{2^4}+1$.

Using a big enough exponent makes this attack not viable, and 65537 makes even the smallest possible message (the number 2) greater than $n$, as $2^{65537}$ will have 65537 bits and is greater than a 2048-bit $n$.


I don't work with RSA that much, so I am concerned that I am missing something that might be known in the RSA world.

Paddings. The PKCS#1 standard on RSA is available as RFC 8017 on the IETF website; RSAES-OAEP is the go-to choice for encrypting small amounts of data if you have to use RSA.

Beyond that, I consider RSA the relic of dawn. We've since known better ways of exchanging secrets, and have a whole security framework for that.

To begin, there's the elliptic-curve integrated encryption scheme - ECIES, where elliptic-curve Diffie-Hellman is first executed to establish a symmetric encryption key, then it's used in 2 sub-components - an encryption algorithm and a message authentication algorithm - to protect messages. This is an instance of "hybrid encryption".

Next, there's the key encapsulation mechanism. Because often,

  1. the actual usage of the key isn't the concern of the algorithm that establishes it,
  2. focusing on the goal can alleviate unnecessary design concerns such as the maximum supported length of the algorithm,

we are able to skip the symmetric part of a hybrid algorithm. For example, we can generate a random number, encrypt it using RSA, then hash it into a key after decrypting it.

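As an added illustration (not code from the question or from either answer, and a demo key generator rather than a deployed one), the following Python puts both answers' points into code: a check for the first answer's $M^e < n$ condition, and the RSA-KEM sketched at the end of the second answer, where a random value below $n$ is textbook-RSA encrypted and hashed into a symmetric key. The function names and the choice of SHA-256 as the hash are my assumptions.

```python
import hashlib
import secrets
from math import gcd

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; called here only on odd candidates with the top bit set
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # top bit set for size, low bit set for oddness
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024, e=65537):
    # Textbook RSA (n, e, d) generated on the fly: a demo key, not a deployed one
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)  # modular inverse (Python 3.8+)

def eth_power_below_modulus(m, e, n):
    # True when m**e < n: the mod-n reduction does nothing and the plaintext is the plain
    # integer e-th root of the ciphertext (the condition named in the first answer).
    # m >= 2**(bits-1), so m**e >= 2**((bits-1)*e); if that bound already exceeds n we
    # skip computing m**e (for e=65537 and a 256-bit m it would be a 2 MB integer).
    if (m.bit_length() - 1) * e >= n.bit_length():
        return False
    return m**e < n

def rsa_kem_encapsulate(n, e):
    # Sender side of the second answer's KEM: random r < n, textbook-RSA it, key = SHA-256(r)
    r = secrets.randbelow(n)
    return pow(r, e, n), hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def rsa_kem_decapsulate(n, d, c):  # receiver: recover r with the private key, derive the same key
    return hashlib.sha256(pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")).digest()
```

With a 1024-bit demo modulus, a 256-bit message with $e=3$ satisfies $M^e < n$ while the same message with $e=65537$ does not, which is the distinction the first answer draws.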