I want to do something like that :

#Let m be the initial message
c = rsa.encrypt(m)
new_m = rsa.decrypt( Enc(2m))

Now Enc(2m) = 2^e *c mod n so a user that knows c can have Enc(2m) as well. My python code was something like that:

import rsa
(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong' 
b_message = b'Journalist belong'        #m should be in bytes
c = rsa.encrypt(b_message, pub_key)     #this is a byte number

n = pub_key.n
c = int.from_bytes(c, byteorder ='big') #turn bytes into int
c = (pow(2, pub_key.e, n) * (c%n)) %n   #compute Enc(2m)
c = c.to_bytes(length = 256, byteorder = 'big')    #turn c back to bytes
new_m = rsa.decrypt(c, priv_key)

CodePudding user response：

You forgot about padding. rsa.encrypt(m) does not just compute pow(m, e, n), instead it computes pow(pkcs1_padding(m), e, n), and that inner pkcs1_padding function is not multiplicative.

Consider a slight variation of the program to print out what happens to the plaintext:

import rsa

(pub_key, priv_key) = rsa.newkeys(256)
message = 'Journalists belong'
b_message = b'Journalist belong'  # m should be in bytes
c = rsa.encrypt(b_message, pub_key)  # this is a byte number

n = pub_key.n
c = int.from_bytes(c, byteorder='big')  # turn bytes into int

# now decrypt 'manually' to see the padding

plain_int = pow(c, priv_key.d, n)
print(plain_int.to_bytes(256 // 8, 'big').hex(' '))

c = (pow(2, pub_key.e, n) * (c % n)) % n  # compute Enc(2m)

plain_int2 = pow(c, priv_key.d, n)
print(plain_int2.to_bytes(256 // 8, 'big').hex(' '))

hex output is

00 02 cb de 6a 67 41 f6 f4 6f 3e 67 a2 95 00 4a 6f 75 72 6e 61 6c 69 73 74 20 62 65 6c 6f 6e 67
00 05 97 bc d4 ce 83 ed e8 de 7c cf 45 2a 00 94 de ea e4 dc c2 d8 d2 e6 e8 40 c4 ca d8 de dc ce

The first has correct pkcs-1 padding and rsa.decrypt() run on it would succeed without error, whereas the second has byte 05 where rsa.decrypt() would expect to see a 02 bytes.