我想这样做:
#Let m be the initial message
c = rsa.encrypt(m)
new_m = rsa.decrypt( Enc(2m))
现在是Enc(2m) = 2^e *c mod n,所以知道c的用户也可以有Enc(2m)。我的python代码是这样的:
import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong' #m should be in bytes
c = rsa.encrypt(b_message, pub_key) #this is a byte number
n = pub_key.n
c = int.from_bytes(c, byteorder ='big') #turn bytes into int
c = (pow(2, pub_key.e, n) * (c%n)) %n #compute Enc(2m)
c = c.to_bytes(length = 256, byteorder = 'big') #turn c back to bytes
new_m = rsa.decrypt(c, priv_key)
你忘了填充。rsa.encrypt(m)doesnot只计算pow(m, e, n),而不计算pow(pkcs1_padding(m), e, n),内部的pkcs1_padding函数不是乘法。
考虑稍微改变一下程序,打印出明文发生了什么:
import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong' # m should be in bytes
c = rsa.encrypt(b_message, pub_key) # this is a byte number
n = pub_key.n
c = int.from_bytes(c, byteorder='big') # turn bytes into int
# now decrypt 'manually' to see the padding
plain_int = pow(c, priv_key.d, n)
print(plain_int.to_bytes(256 // 8, 'big').hex(' '))
c = (pow(2, pub_key.e, n) * (c % n)) % n # compute Enc(2m)
plain_int2 = pow(c, priv_key.d, n)
print(plain_int2.to_bytes(256 // 8, 'big').hex(' '))
十六进制输出
00 02 cb de 6a 67 41 f6 f4 6f 3e 67 a2 95 00 4a 6f 75 72 6e 61 6c 69 73 74 20 62 65 6c 6f 6e 67
00 05 97 bc d4 ce 83 ed e8 de 7c cf 45 2a 00 94 de ea e4 dc c2 d8 d2 e6 e8 40 c4 ca d8 de dc ce
第一个具有正确的pkcs-1填充,并且rsa.decrypt()在其上运行将成功而没有错误,而第二个具有05字节,rsa.decrypt()将期望看到02字节。