What are risks in implementing the RSA algorithm without padding?

The RSA algorithm stands for Rivest-Shamir-Adelman algorithm. RSA algorithm is the most commonly used public key algorithm and this algorithm can be used both for encryption and for signing.

RSA uses a variable size encryption block and variable size key. The key pair is derived from a very large number say n that is the product of two large prime numbers selected through special rules.

The public key includes n and derives one of the factors of n, an adversary cannot determine the prime factor of n, from this information alone, makes the RSA algorithm so secure.

Hence, it is generally considered to be secure when sufficiently long keys are used.

The security of RSA relies on the difficulty of factoring large integers.

Now, padding is just to fill up the portions of data structure or any other data usually consisting of 1 bit, blank or null characters. Padding makes the RSA algorithm more secure as it fills up the data with some other message which becomes difficult for others to understand.


Now, there are number of risks for implementing the RSA without padding as following attack could happen:

  • Forward search attack − There may be a chance that message text is predictable. The attacker can decrypt the text message by encrypting all possible messages until a match with the original message text is obtained. In this way the attacker knows the corresponding plaintext. Hence RSA without Padding is not semantically secure.

  • Common modulus attack − There may be a chance that everyone is given the same modulus, but different keys paired, then under certain conditions, it is possible to decrypt the message.

  • Low encryption exponents − When encrypting with low encryption exponents says e and small values of the m, the result of me is less than the modulus. In this case, cipher text can easily decrypt.

  • RSA has the property that the product of the two-cipher text is equal to the encryption of the product of the respective plaintext. Because of this multiplicative property a chosen-ciphertext attack is possible.

Padding resolves all these problems by padding the message with random values say m before encrypting and it ensures that m will not fall into the range of insecure plaintext and the given message text once padded will encrypt to large numbers of possible ciphertext that is difficult to understand.

Risk of implementing RSA

The risk of implementing RSA without padding in real world example is explained below:

Let a secret message which needs to be sent is "Hi, How are you”. Now to secure it let’s replace each alphabet with some other alphabets in certain order i.e. changing each letter to the one that follows it in the alphabet.

So, our text will be like "ij, ipx bsf zpv”. Now there is a possibility that the attacker can realize the pattern and translate the real message and read the confidential message. And this could be happening due to RSA without Padding.

So, we need to hide the structure of the message to keep it secure. And this can only be done by Padding in which randomized data is added to hide the original formatting clues.