12

In RSA you choose $n=pq$ where $p$ and $q$ are large primes with similar length. Then you choose $e$ that is coprime with $\phi(n)$ and find $d$ that is the modular multiplicative inverse of $e$ modulo $\phi(n)$, so $ed \equiv 1 \mod \phi(n)$.

Then $(m^e)^d \mod n = m$ for any natural $m$ less than $n$.

As far as I have researched it, the exponentiation to the power $ed=k\phi(n)+1$ where $k$ is an integer relies on Euler's theorem, which states $a^{\phi(n)} \equiv 1 \mod n$ and is true if $a$ is coprime to $n$.

This leads me to a question: what happens if you choose $p$ as the message? Does RSA handle it in any way? I would like to know both about Textbook RSA and the Deployed RSA.

desowin
  • 163
  • 7

2 Answers

7

Yes, both textbook and practical RSA can reversibly encrypt $p$.


Textbook RSA can encrypt and decrypt any plaintext in $[0,N)$ as long as $N$ is squarefree (which is hypothesized or at least overwhelmingly likely); and that's including $p$. In a nutshell: Fermat's little theorem implies that $M^{e\,d}-M\equiv 0\pmod p$ for any $M$ and any prime $p$ dividing $N$. It follows that $M^{e\,d}-M\equiv 0\pmod N$ if $N$ is squarefree. Correct decryption for any $M\in[0,N)$ if $N$ is squarefree follows. See more detailed proof there.

However, encrypting $p$ is a particularly terrible use case of textbook RSA, because revealing the ciphertext allows factoring $N$ by computing $\gcd(\operatorname{Enc}(p),N)$; that's $p$, as explained there.


Practical RSA has no problem encrypting $p$ for many common parameters: the RSAES-OAEP encryption scheme in PKCS#1 can encipher octet strings of up to $\lceil (\log_{2}N)/8\rceil-2h-2$ octets, where $h$ is the width of the hash in octets, and that's enough for $p$ when $N$ is larger than $4h+4$ octets and has factors of equal size, which is typically the case. RSAES-PKCS1-v1_5 has a slightly different capacity. When $p$ does not fit (e.g. 2048-bit RSAES-OAEP with SHA-512 has a capacity of 126 octets, which is typically 2 octets short for $p$), the plaintext can be split into several cryptograms, or there's hybrid encryption.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
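The three claims in this answer, as an added worked example that is not part of the original post: textbook RSA round-trips $m=p$, $\gcd(\operatorname{Enc}(p),N)$ recovers $p$, and the squarefree condition is what makes every $M\in[0,N)$ decrypt correctly. Primes are constructed toy values, far too small for real use.

```python
from math import gcd


def textbook_key(n, phi, e=65537):
    """Return (n, e, d) for textbook RSA given the modulus and phi(n)."""
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)  # modular inverse, Python 3.8+


def enc(m, n, e):
    return pow(m, e, n)


def dec(c, n, d):
    return pow(c, d, n)


def roundtrips(m, n, phi):
    """True when Dec(Enc(m)) == m for the modulus n with the given phi(n)."""
    n, e, d = textbook_key(n, phi)
    return dec(enc(m, n, e), n, d) == m


def factor_from_enc_of_p(c, n):
    """p divides both p^e mod n and n, while q divides neither, so gcd is p."""
    return gcd(c, n)


def all_roundtrip(p, q):
    """Exhaustive check over [0, pq) for small distinct primes (n squarefree)."""
    return all(roundtrips(m, p * q, (p - 1) * (q - 1)) for m in range(p * q))


if __name__ == "__main__":
    p, q = 1000003, 1000033            # constructed toy primes
    n, phi = p * q, (p - 1) * (q - 1)
    n, e, d = textbook_key(n, phi)
    c = enc(p, n, e)
    print("Dec(Enc(p)) == p      :", dec(c, n, d) == p)
    print("gcd(Enc(p), n) == p   :", factor_from_enc_of_p(c, n) == p)
    print("all m in [0, 61*53) ok:", all_roundtrip(61, 53))
    # Non-squarefree modulus n = p^2 with phi = p(p-1): m = p does NOT
    # round-trip, because p^(ed) with ed >= 2 is 0 mod p^2, not p.
    print("m = p with n = p^2 ok :", roundtrips(p, p * p, p * (p - 1)))
```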

4

You can encrypt $p$ using RSA. Since $p$ is co-prime to $q$:

$p^{k \cdot \phi(n)} \equiv p^{k \cdot (p - 1) \cdot (q - 1)} \equiv p^{k' \cdot \phi(q)} \equiv 1 \pmod q$ (Fermat's little theorem)

Now, $(p^{\phi(n)})^{k} = 1 + u \cdotp q$. We multiply this equation by $p$:

$p \cdotp (p^{\phi(n)})^{k} = p + p \cdotp u \cdotp q = p + u \cdotp n$.

Therefore, $p \cdot (p^{\phi(n)})^{k} \equiv p^{k \cdot \phi(n) + 1} \equiv p^{d \cdot e} \equiv p \pmod n$.

AdveRSAry
  • 634
  • 3
  • 14