Advertisements

I want to do something like that :

```
#Let m be the initial message
c = rsa.encrypt(m)
new_m = rsa.decrypt( Enc(2m))
```

Now `Enc(2m) = 2^e *c mod n `

so a user that knows c can have `Enc(2m)`

as well.

My python code was something like that:

```
import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong' #m should be in bytes
c = rsa.encrypt(b_message, pub_key) #this is a byte number
n = pub_key.n
c = int.from_bytes(c, byteorder ='big') #turn bytes into int
c = (pow(2, pub_key.e, n) * (c%n)) %n #compute Enc(2m)
c = c.to_bytes(length = 256, byteorder = 'big') #turn c back to bytes
new_m = rsa.decrypt(c, priv_key)
```

### >Solution :

You forgot about padding. `rsa.encrypt(m)`

does **not** just compute `pow(m, e, n)`

, instead it computes `pow(pkcs1_padding(m), e, n)`

, and that inner `pkcs1_padding`

function is not multiplicative.

Consider a slight variation of the program to print out what happens to the plaintext:

```
import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong' # m should be in bytes
c = rsa.encrypt(b_message, pub_key) # this is a byte number
n = pub_key.n
c = int.from_bytes(c, byteorder='big') # turn bytes into int
# now decrypt 'manually' to see the padding
plain_int = pow(c, priv_key.d, n)
print(plain_int.to_bytes(256 // 8, 'big').hex(' '))
c = (pow(2, pub_key.e, n) * (c % n)) % n # compute Enc(2m)
plain_int2 = pow(c, priv_key.d, n)
print(plain_int2.to_bytes(256 // 8, 'big').hex(' '))
```

hex output is

```
00 02 cb de 6a 67 41 f6 f4 6f 3e 67 a2 95 00 4a 6f 75 72 6e 61 6c 69 73 74 20 62 65 6c 6f 6e 67
00 05 97 bc d4 ce 83 ed e8 de 7c cf 45 2a 00 94 de ea e4 dc c2 d8 d2 e6 e8 40 c4 ca d8 de dc ce
```

The first has correct pkcs-1 padding and `rsa.decrypt()`

run on it would succeed without error, whereas the second has byte `05`

where `rsa.decrypt()`

would expect to see a `02`

bytes.