1

I know the posts from here and here regarding RSA padding. I still don't understand why simple addition of the message with a random number and then encrypting the result with plain RSA isn't secure.

Here's a more precise description of the scheme:

Suppose the message is $m$. Then suppose we draw a random integer $r$ and compute $m'=m+r\bmod n$ and feed $m'$ to the RSA function.

At a later time I will recover the encrypted message from the server and I'll decrypt it myself. I know that RSA isn't the best scheme for this application. Is the proposed padding secure in this context?

SEJPM
mip

1 Answer

7

The system proposed has no practical interest.

  • If $r$ is public, then it is easy to check a guess $\overline m$ of $m$ (compute $\overline m'=\overline m+r$, feed it to the RSA function, and compare the result to the actual ciphertext; it matches when $m=\overline m$). That possibility is a disaster in practice; e.g. if $m$ is a name on the class roll, or a credit card number, poof goes confidentiality.
  • If $r$ is secret and chosen randomly in $[0,n)$ for each message, then the system is safe and we can use $m'$ as the ciphertext, without needing RSA on top of that. That's in effect a One Time Pad.
fgrieu
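Both cases from the answer above, as an added example that is not part of the original answer: with a public $r$ the ciphertext lets anyone confirm a guess from a short candidate list, while with a secret uniform $r$ every candidate is equally consistent with $m'$. The toy key, the class roll and all function names are constructed for illustration.

```python
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the key owner only

ROLL = ["alice", "bob", "carol", "dave"]  # constructed class roll (low-entropy messages)

def encode(name):
    """Map a short string to an integer m < n."""
    m = int.from_bytes(name.encode(), "big")
    if m >= N:
        raise ValueError("message too long for this toy modulus")
    return m

def pad_and_encrypt(m, r):
    """The scheme from the question: m' = m + r mod n, then textbook RSA."""
    return pow((m + r) % N, E, N)

def decrypt(c, r):
    """Key owner's side: invert RSA, then subtract r."""
    return (pow(c, D, N) - r) % N

def confirm_guess(c, public_r, candidates):
    """Case 1, r public: encryption is deterministic given r, so re-encrypting
    each candidate with the public key and comparing reveals the message."""
    for guess in candidates:
        if pad_and_encrypt(encode(guess), public_r) == c:
            return guess
    return None

def pad_explaining(m_prime, guess):
    """Case 2, r secret and uniform in [0, n): for ANY guess there is exactly
    one r that maps it to the observed m', so m' alone rules nothing out."""
    return (m_prime - encode(guess)) % N

if __name__ == "__main__":
    m, r = encode("carol"), secrets.randbelow(N)
    c = pad_and_encrypt(m, r)
    print("owner decrypts correctly:", decrypt(c, r) == m)
    print("public r, guess confirmed:", confirm_guess(c, r, ROLL))
    m_prime = (m + r) % N
    for name in ROLL:  # every candidate has a valid pad: one-time-pad behaviour
        print(name, "consistent with m' via r =", pad_explaining(m_prime, name))
```
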