Are there any security concerns with using RSA in “CBC mode”?

Specifically: if I use RSA encryption as my block cipher operation, and apply the standard CBC mode operations including a random IV, will the resulting cipher text provide the same level of theoretical security as the underlying RSA problem?

I am only considering RSA on its own. No padding scheme. I know traditionally RSA is insecure without proper padding, but in CBC mode I don’t see why the padding would be necessary (and it complicates the issue by introducing non-deterministic elements).

I also understand that CTR, CFB, and other block cipher modes that use the block encryption function for both encryption and decryption would fail horribly with RSA. Only concerned with CBC.

1 Answer

This is a truly mad idea, so I applaud you for that. But it's seriously insecure. My interpretation of "RSA-CBC" would work like this:

$$ \begin{array}{l} \textsf{RSA-CBC}\Bigl( (N,e), m_1 \| m_2 \| \ldots \|m_\ell \Bigr): \\ \quad c_0 \gets \mathbb{Z}_N \\ \quad \mbox{for $i=1$ to $\ell$:} \\ \quad\quad c_i := (c_{i-1} + m_i)^e \bmod N \\ \quad \mbox{return } c_0 \| c_1 \| \ldots \| m_\ell \end{array}$$

Here each $m_i$ and each $c_i$ is a $\mathbb{Z}_N$-element. RSA-CBC chooses a random "IV" (element of $\mathbb{Z}_N$), then encrypts each plaintext block by adding the previous ciphertext block and then applying the RSA function.

So what's wrong with it? Suppose I see an encryption of some unknown plaintext. If I have a guess for $m_i$, then I can check whether my guess is correct via $c_i \overset?= (c_{i-1} + m_i)^e \bmod N$. I can indeed perform this check because the RSA exponent $e$ is public.

More generally, CBC doesn't work with public-key operations. Anyone can repeat the steps done during CBC encryption, if the block cipher is replaced by a public-key operation that anyone can perform.

Mikero
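
The guess-confirmation check described in the answer, as an added example that is not part of the original answer. The toy modulus (a product of two Mersenne primes, far too small for real use), the byte-to-integer block encoding, the sample messages, and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy key: N = p*q with two Mersenne primes, public exponent e.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, used only for decryption


def to_block(text):
    """Encode a short ASCII string as an element of Z_N (assumed encoding)."""
    value = int.from_bytes(text.encode("ascii"), "big")
    if value >= N:
        raise ValueError("block does not fit in Z_N")
    return value


def rsa_cbc_encrypt(blocks):
    """c_0 random in Z_N, then c_i = (c_{i-1} + m_i)^e mod N."""
    c = [secrets.randbelow(N)]
    for m in blocks:
        c.append(pow((c[-1] + m) % N, E, N))
    return c


def rsa_cbc_decrypt(c):
    """Key holder's view: m_i = c_i^d - c_{i-1} mod N."""
    return [(pow(c[i], D, N) - c[i - 1]) % N for i in range(1, len(c))]


def confirm_guess(c, i, guess):
    """Observer's view: needs only the ciphertext and the public (N, e)."""
    return c[i] == pow((c[i - 1] + guess) % N, E, N)


def recover_block(c, i, candidates):
    """Return the candidate that matches block i, or None if none does."""
    for g in candidates:
        if confirm_guess(c, i, g):
            return g
    return None


if __name__ == "__main__":
    # Constructed sample: second block is a low-entropy field.
    ct = rsa_cbc_encrypt([to_block("ballot #0042"), to_block("vote=no")])
    options = [to_block("vote=yes"), to_block("vote=no")]
    hit = recover_block(ct, 2, options)
    print("block 2 confirmed as:", hit.to_bytes(7, "big"))
```

The random IV changes every ciphertext block, but because $c_{i-1}$ is sent in the clear and RSA is a permutation on $\mathbb{Z}_N$, the check succeeds exactly when the guess equals $m_i$.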