# Python RSA: multiply crypto message and then decrypt it again raises DecryptionError('Decryption failed')

I want to do something like that :

``````#Let m be the initial message
c = rsa.encrypt(m)
new_m = rsa.decrypt( Enc(2m))
``````

Now `Enc(2m) = 2^e *c mod n ` so a user that knows c can have `Enc(2m)` as well.
My python code was something like that:

``````import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong'        #m should be in bytes
c = rsa.encrypt(b_message, pub_key)     #this is a byte number

n = pub_key.n
c = int.from_bytes(c, byteorder ='big') #turn bytes into int
c = (pow(2, pub_key.e, n) * (c%n)) %n   #compute Enc(2m)
c = c.to_bytes(length = 256, byteorder = 'big')    #turn c back to bytes
new_m = rsa.decrypt(c, priv_key)
``````

### >Solution :

You forgot about padding. `rsa.encrypt(m)` does not just compute `pow(m, e, n)`, instead it computes `pow(pkcs1_padding(m), e, n)`, and that inner `pkcs1_padding` function is not multiplicative.

Consider a slight variation of the program to print out what happens to the plaintext:

``````import rsa

(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong'  # m should be in bytes
c = rsa.encrypt(b_message, pub_key)  # this is a byte number

n = pub_key.n
c = int.from_bytes(c, byteorder='big')  # turn bytes into int

# now decrypt 'manually' to see the padding

plain_int = pow(c, priv_key.d, n)
print(plain_int.to_bytes(256 // 8, 'big').hex(' '))

c = (pow(2, pub_key.e, n) * (c % n)) % n  # compute Enc(2m)

plain_int2 = pow(c, priv_key.d, n)
print(plain_int2.to_bytes(256 // 8, 'big').hex(' '))
``````

hex output is

``````00 02 cb de 6a 67 41 f6 f4 6f 3e 67 a2 95 00 4a 6f 75 72 6e 61 6c 69 73 74 20 62 65 6c 6f 6e 67
00 05 97 bc d4 ce 83 ed e8 de 7c cf 45 2a 00 94 de ea e4 dc c2 d8 d2 e6 e8 40 c4 ca d8 de dc ce
``````

The first has correct pkcs-1 padding and `rsa.decrypt()` run on it would succeed without error, whereas the second has byte `05` where `rsa.decrypt()` would expect to see a `02` bytes.