Is the result of a RSA encryption guaranteed to be random

别来无恙 提交于 2019-12-04 05:22:38

问题


I use RSACryptoServiceProvider to encrypt some small blocks of data. For the solution I'm working on, it's important that if the same piece of source data is encrypted twice with the same public key, the result (the encrypted block of data) is not the same.

I have checked this with an example and it worked like I hoped. My question is now, if this behaviour is by design and guaranteed or if I have to add some random part to the source data for guaranteeing that data blocks with the same data can not be matched anymore after encryption.

Here is the example:

byte[] data=new byte[]{1,7,8,3,4,5};
RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider;
byte[] encryptedData = encrypter.Encrypt(data,true);

// encryptedData has always other values in, although the source data is always
// 1,7,8,3,4,5 and the certificate is always the same (loaded from disk)

The concrete question is for .net but maybe the answer can be given in general for all RSA-implementations if it is by design?


回答1:


The text-book RSA encryption algorithm is deterministic:

ciphertext = plaintext ^ encryption-exponent  mod  modulus

(Here ^ is integer exponentiation, mod the remainder operation.)

But as you remarked, this does not provide a good security guarantee, as an attacker which can guess the plaintext can simply verify this guess by encrypting it himself and comparing the results.

For this reason, the official RSA specifications (and also all implementations used in practice) include some (partly random) padding, so we don't actually encrypt plaintext, but pad(plaintext):

ciphertext = pad(plaintext) ^ encryption-exponent  mod  modulus

Decryption:

plaintext = unpad( ciphertext ^ decryption-exponent mod modulus )

Only with this padding RSA is actually a secure encryption scheme.

A similar padding is also used for RSA signatures, to avoid easy forging of signatures.



来源:https://stackoverflow.com/questions/7932061/is-the-result-of-a-rsa-encryption-guaranteed-to-be-random

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!