Issues with Raw RSA 관련

The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS

---

The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...

---

The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS

The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...

Raw or “Textbook” RSA soon turned out to be insecure when two major weaknesses were discovered.

The operations involved in RSA are entirely deterministic, which means that for a given plaintext $m$, encryption always produces the same cipher text

$$C=m^{e}\:\text{mod}\:n.$$

An eavesdropper or an attacker, say Eve, can guess or derive plain texts by exploiting the predictability of outputs. Since RSA encryption is a public operation, an attacker can encrypt likely messages and compare results to a target cipher text – a trivial chosen plaintext attack.

Besides this, textbook RSA is also malleable. This means that its algebraic structure allows attackers to manipulate cipher texts in meaningful ways. For instance, given a cipher text $C=\text{RSA}\left(M\right)$, an attacker can multiply it by the encryption of a known value (say, $r$) to produce a new cipher text $C'=C\cdot{r^{e}}\:\text{mod}\:n$, which decrypts to the plaintext $M\cdot{r}$. When the legitimate receiver decrypts $C'$, the result is $M\cdot{r}$, from which the attacker can often recover $M$.

Let’s understand these vulnerabilities with a small practical example.