RSA encrypted messages that cannot be decrypted

by
John
from John D. Cook on (#6ER96)

Not all messages encrypted with the RSA algorithm can be decrypted. This post will show why this is possible and why it does not matter in practice.

RSA in a nutshell

RSA encryption starts by finding two large primes, p and q. These primes are kept secret, but their productn = pq is made public.

You publish an invitation for anyone to send you encrypted messages by turning their message into a number m < n and computing

c = me mod n

where e is a number you announce along with n. That is, your public key consists of the pair (n, e).

When someone sends you c, you can decrypt it by computing

m = cd mod n

where d is your decryption key. You can compute d, and the rest of the world cannot, because you know the factors of n. The private key d is computed by solving

ed = 1 mod (n)

where (n) is the number of positive integers less thann and relatively prime ton. For distinct primes p andq we have

(pq) = (p - 1)(q - 1).

Nobody else knows p and q, and so they don't know (n), and they cannot compute d. It is conceivable that there's a way to compute d that requires less work than factoring n, but nobody has found such an algorithm.

The reason d works as a decryption key is Euler's theorem. This is the heart of the RSA cryptosystem. Euler's theorem says that if a is relatively prime to n, then

a(n) = 1 mod n.

Because

c = me mod n

it follows that

cd = med = m(n)+1 = m mod n.

Exception

Everything above is valid, except we've glossed over a requirement of Euler's theorem: m must be relatively prime to n. If m is not relatively prime ton the decryption algorithm will not work.

For a tiny example, assume n = 10. There are four positive numbers less than 10 and relatively prime to 10, namely 1, 3, 7, and 9, and so (10) = 4. If m is a number that ends in 1, 3, 7, or 9 and you raise it to the 4th power you get a number ending in 1. This is a concrete example of Euler's theorem. But if m is any number that does not end in 1, 3, 7, or 9, then m4 will not end in 1.

Most of the numbers less than 10 are not relatively prime to 10. But the values of n used in RSA encryption are enormous, and nearly all numbers less than n are relatively prime to n.

An RSA modulus n only has two factors: p and q. So if m is not relatively prime to n, then m is a multiple ofp or q. This is extremely unlikely to happen by chance, as unlikely as guessing the factorization of n.

In practice the primes p and q have at least 1024 bits. In that case the odds of creating a message m that is not relatively prime to pq are on the order of 1 in 10308.

So while the chance of sending a message than cannot be decrypted is vanishingly small, it is possible. So why not warn people about the possibility? Because then you'd be giving away your private key! You'd have to reveal the secret factorsp and q in order to tell people what messages to avoid.

You could check that your message m is relatively prime to n before encrypting it. This can be done efficiently using the Euclidean algorithm. If you find that m is not relatively prime to n, then you've discovered one of the factors of n and so you've broken the encryption.

Related postsThe post RSA encrypted messages that cannot be decrypted first appeared on John D. Cook.
External Content
Source RSS or Atom Feed
Feed Location http://feeds.feedburner.com/TheEndeavour?format=xml
Feed Title John D. Cook
Feed Link https://www.johndcook.com/blog
Reply 0 comments