6

I wonder if it's safer to encrypt a plain text with RSA twice than it is to encrypt it just once. It should make a big difference if you assume that the two private keys are different, and that the only way used to crack it is brute force. I submitted these theories to my teacher, but he claims that a double encryption doesn't make it any safer. I didn't follow his arguments entirely, so I decided to ask here.

So, if I encrypt a message with one key once, and then encrypt the resulting cipher text once more with a different key, does this make the encryption simpler?

EDIT: My teacher said that "it doesn't get safer with a double encryption, at least not if n is the same and e is different.". This is the part I don't follow, since you'd still need both p and q to derive the two different private keys that this would produce. I have made a few calculations and I do not quite understand. Why would the particular statement my teacher sent me mean that it doesn't get safer?

EscalatedQuickly

4 Answers

12

Well, think about it this way. If breaking one encryption with brute force will take longer than the lifetime of the universe, are you any safer with an encryption scheme that will take twice the lifetime of the universe? No. The first encryption cannot be broken. Adding a second encryption just adds computation overhead with no real benefit.

Think about it this way, if it is estimated to take 500 years for a prisoner to chew through the bars on his prison cell to escape, is the public any safer if we add a second set of bars so that it will take 1000 years to chew through the two sets before the prisoner can escape? Not really.

UPDATE
Given the update in the question, I thought I'd update.

So, you fix an $n$ and choose $e_1$ and $e_2$ as public exponents and compute $d_1$ and $d_2$ as the private exponents.

To encrypt, you are proposing $(m^{e_1})^{e_2}\bmod{n}$ and wondering why this is not stronger than just $m^{e_1}\bmod{n}$ in a brute-force attack[*].

So, you haven't given detail as to what the "brute-force" attack is, so let's look at two options.

  1. Factoring $n$. If I factor $n$ using a brute-force attack, I then use the factorization to compute $d_1$ and $d_2$. Computing both $d_1$ and $d_2$ is not much more than just computing $d_1$ since you broke the factorization.

  2. Instead of factoring $n$, what if you try to brute force $d_1$ and $d_2$? Recall that $d_i$ is chosen such that $e_i d_i\equiv 1\bmod{\varphi(n)}$. Furthermore, $(m^{e_1})^{e_2}=m^{e_1e_2}$. Raise that to $d_1d_2$ and you get $m$ back. Therefore, you really need to brute force $d_1d_2$ instead of $d_1$ and then $d_2$ (or vice-versa). If you assume each of the $d$s are $l$ bits, brute forcing $d_1$ then $d_2$ would be like brute forcing $l^2$ bits. Brute forcing $d_1d_2$ on the other hand is $2l$ bits. One could argue that this is harder, but asymptotically it isn't.

  3. Brute force only $d_1$ then factor. It turns out if you know $d_1$ you can easily factor $n$ then use the factorization to compute $d_2$. (This comes from @CodesInChaos's comment).

Any other brute force options you had in mind?

[*] My description of double encrypted RSA here is assuming textbook RSA. For padded RSA (which is what you find in the real world), points 1 and 3 are still valid, 2 however is not.

mikeazo
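The shared-modulus points in the answer above can be checked numerically. The following is an added example, not code from any of the answers: it uses constructed toy parameters (two Mersenne primes, exponents 65537 and 17) and hypothetical function names to show that double textbook RSA under one $n$ equals a single encryption with exponent $e_1e_2$, and that knowing $d_1$ alone yields the factorization and therefore $d_2$.

```python
from math import gcd

# Constructed toy parameters (two Mersenne primes); real moduli are 2048+ bits.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E1, E2 = 65537, 17                      # two public exponents sharing N
D1 = pow(E1, -1, PHI)                   # the one private exponent assumed known

def double_encrypt(m):
    """Textbook RSA applied twice under the same modulus."""
    return pow(pow(m, E1, N), E2, N)

def factor_from_private_exponent(n, e, d):
    """Factor n from one (e, d) pair: e*d - 1 is a multiple of every unit's order."""
    r, t = e * d - 1, 0
    while r % 2 == 0:                   # write e*d - 1 as 2^t * r with r odd
        r, t = r // 2, t + 1
    for g in range(2, n):
        if gcd(g, n) > 1:               # g already shares a factor with n
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, r, n)
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):   # non-trivial square root of 1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
    raise ValueError("no factor found")

def recover_plaintext(c, n, e1, d1, e2):
    """With only d1 known, derive d2 from the factorization, then decrypt twice."""
    p, q = factor_from_private_exponent(n, e1, d1)
    d2 = pow(e2, -1, (p - 1) * (q - 1))
    return pow(pow(c, d2, n), d1, n)

if __name__ == "__main__":
    m = 0x1234567890ABCDEF              # constructed sample message, m < N
    c = double_encrypt(m)
    print("same as single exponent e1*e2:", c == pow(m, E1 * E2, N))
    print("recovered with d1 only:", recover_plaintext(c, N, E1, D1, E2) == m)
```

The practical takeaway is that two key pairs over the same modulus are not independent secrets; independent layers require independently generated moduli.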
2

Double encryption/decryption with RSA is equal to single encryption/decryption with public/private exponents raised to the square. It doesn't make brute-forcing the private exponent harder. More, it doesn't complicate the factorization of N.

So, it is not more secure.

Pavel Ognev
0

Yes it is.

If we accept that a brute force attack against cannot be broken in a lifetime then it makes no sense to add a second layer. But what happens if one of the keys becomes compromised? Having a second, entirely different encryption key, keeps the data safe.

In a single decryption operation if you had the right key you would convert your cipher text into plain text and yay! With a double encryption you'd convert cipher text to cipher text which would appear the same as using a wrong key...

Why do nuclear submarines have two keys to launch their missiles?!

(It's more secure than one key!)

Joseph
-2

Assuming that you use an IND-CPA, CCA secure asymmetric encryption scheme that leaks some kind of information from the ciphertext. Re-encrypting the message is like encoding it into a different form, and you achieve all-or-nothing security. That means that the attacker, in order to reveal 1 single block, should break the message in its entire form. A second point is that you actually re-encrypt something if you have an intermediate node that transforms messages of key k1 into messages encrypted with key k2. This is so-called proxy re-encryption and is done for delegation of operations and transitivity purposes.

curious