What is the proof that the RSA is collision-free?

Jakab Martin

3/11/24, 9:24 AM

We have the RSA function: $c = m^e (mod n)$. I would like to know the proof that there is not an $m_1$ and an $m_2$ message that produce the same $c$.

My thoughts:

We know that $m \le n$, so $m_1 \ncong m_2 (mod n)$. We also know that if $a \cong b (mod n)$, then $a^k \cong b^k (mod n)$. So if $m_1 \ncong m_2 (mod n)$ then $m_1^e \ncong m_2^e (mod n)$?

0 + 6

collision-resistance

congruence

fgrieu

3/11/24, 10:58 AM

The part of the reasoning that goes from the correct $a\equiv b\pmod n\implies a^k\equiv b^k\pmod n$ to the conclusion $m_1\not\equiv m_2\pmod n\implies{m_1}^e\not\equiv {m_2}^e\pmod n$ is of the form: $P\implies Q$ therefore $\bar P\implies\bar Q$. That line of reasoning is wrong. Counterexample to the conclusion thus obtained: $n=25$, $k=e=3$, $a=m_1=10$, $b=m_2=20$. Slightly different one: $n=35$, $k=e=3$, $a=m_1=2$, $b=m_2=22$. Yet with proper hypothesis, textbook RSA is collision-free. We have a [closely related question](https://crypto.stackexchange.com/q/1004/555).

fgrieu

3/11/24, 11:16 AM

In that kind of proof about RSA, notation is important. In cryptography, we tend to write $c\equiv m^e\pmod n$ (`$c\equiv m^e\pmod n$`) when we mean that $m^e-c$ is a multiple of $n$. The opening parenthesis right before$\bmod$denotes that$\bmod$is _not_ an operator. We tend to write $c=m^e\bmod n$ (`$c=m^e\bmod n$`) when we mean that $c\in[0,n)$ and $c\equiv m^e\pmod n$. In this$\bmod$is an operator, similar to `%` in C except for precedence and what happens for negative arguments. Anything in-between, like $c=m^e\pmod n$, is ambiguous. Avoid $mod n$ at all cost.

Jakab Martin

3/11/24, 4:15 PM

Sorry, i'm not that familiar with Latex, and thank you for pointing me to the right direction.

fgrieu

3/11/24, 8:35 PM

Hints: you'll need a definition of RSA such that $n$ is the product of _distinct_ primes, and such that if prime $p$ divides $n$ then $\gcd(e,p-1)=1$. My counterexamples can be because they violate these rules.

Jakab Martin

3/12/24, 3:10 PM

So if we prove the correctness of RSA (All encrypted M can be decrypted to M), then we prove the collision-freeness as well, because two encrypted message can not yield the same decrypted message, am I right?

fgrieu

3/12/24, 3:31 PM

Yes, that argument is correct. It's not the only possible line of proof. Another, more direct, shows that with proper hypothess on $n$ and $e$, it holds ${m_1}^e\equiv {m_2}^e\pmod n\implies m_1\equiv m_2\pmod n$, using the Chinese Remainder Theorem, Fermat's little theorem, and that $\gcd(e,p-1)=1$ imples $e$ has an inverse modulo $p-1$.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What is the proof that the RSA is collision-free?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.