Cryptography
Updated Mon, 20 Jun 2022 02:51:30 GMT

# Can RSA with padding detect all errors in ciphertext?

I'm new to cryptography and there are a couple of things that I'm not sure I understand correctly.

First, when using padding (PKCS or OAEP), if the ciphertext has errors in transmission, will we always get an error in the decryption process? Will it detect all errors, or is there a possibility that a certain combination of errors will result in a decryption but with a false result in plaintext?

Second, if no padding is used (I believe it is called vanilla RSA?) and there are errors in the ciphertext, then the decryption will work any time but will give wrong results instead of the original encrypted plaintext?

Finally, with padding or not, with no errors in the ciphertext and by using a wrong private key, will we get an error in decryption or just a false decrypted plaintext?

## Solution

> First, when using padding (PKCS or OAEP), if the ciphertext has errors in transmission, will we always get an error in the decryption process?

Yes, with extremely high probability. This is basically a chosen ciphertext attack and RSA-OAEP is fully immune to them, so the odds that you won't detect this attack (a.k.a. "error") are extremely low (below $2^{-128}$).

> Will it detect all errors, or is there a possibility that a certain combination of errors will result in a decryption but with a false result in plaintext?

This is possible but extremely unlikely, again due to the IND-CCA2 security of RSA-OAEP.

> Second, if no padding is used (I believe it is called vanilla RSA?) and there are errors in the ciphertext, then the decryption will work any time but will give wrong results instead of the original encrypted plaintext?

Sometimes it's called "textbook RSA", "plain RSA" or "unpadded RSA".
If you follow the textbook RSA description, any errors will change the value of the ciphertext, resulting in a different number being decoded, resulting in an (unrelated) decryption, which will always work. If the error is malicious it could be exploited, depending on the reaction of the system.

> Finally, with padding or not, with no errors in the ciphertext and by using a wrong private key, will we get an error in decryption or just a false decrypted plaintext?

If you use a wrong private key $d$, which, by definition, doesn't satisfy $ed\equiv 1 \pmod{\lambda(n)}$, you'll decrypt a wrong message, which will lead to a verification error for OAEP and to a simple wrong message for unpadded RSA.
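The three cases discussed above (corrupted ciphertext with OAEP, corrupted ciphertext without padding, and a wrong private exponent) can be reproduced with the following added example, which is not part of the original answer. It assumes a constructed, insecure demo key built from two Mersenne primes and a standard-library-only OAEP following the RFC 8017 layout with SHA-256 and an empty label; all function names are illustrative.

```python
import hashlib, os

# Constructed demo key from two Mersenne primes: insecure, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K, H = (N.bit_length() + 7) // 8, 32      # modulus length and hash length, bytes
LHASH = hashlib.sha256(b"").digest()      # hash of the (empty) OAEP label

def mgf1(seed, n):
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(-(-n // H)))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encrypt(msg):
    seed = os.urandom(H)
    db = LHASH + bytes(K - len(msg) - 2 * H - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, K - H - 1))
    masked_seed = xor(seed, mgf1(masked_db, H))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), E, N)

def oaep_decrypt(c, d=D):
    """Return the message, or None when the OAEP consistency check fails."""
    if not 0 <= c < N:
        return None
    em = pow(c, d, N).to_bytes(K, "big")
    seed = xor(em[1:1 + H], mgf1(em[1 + H:], H))
    db = xor(em[1 + H:], mgf1(seed, K - H - 1))
    body = db[H:].lstrip(b"\x00")          # skip the zero padding string
    if em[0] != 0 or db[:H] != LHASH or body[:1] != b"\x01":
        return None
    return body[1:]

def textbook_decrypt(c, d=D):
    return pow(c % N, d, N)                # no redundancy: every input "decrypts"

def demo():
    msg = b"attack at dawn"
    m_int = int.from_bytes(msg, "big")
    c_oaep, c_raw = oaep_encrypt(msg), pow(m_int, E, N)
    bits = range(0, N.bit_length(), 47)    # sample of single-bit transmission errors
    return {
        "oaep_roundtrip": oaep_decrypt(c_oaep) == msg,
        "oaep_bitflips_rejected": all(oaep_decrypt(c_oaep ^ (1 << b)) is None for b in bits),
        "oaep_wrong_key_rejected": oaep_decrypt(c_oaep, D + 2) is None,
        "raw_bitflips_wrong_plaintext": all(textbook_decrypt(c_raw ^ (1 << b)) != m_int for b in bits),
        "raw_wrong_key_wrong_plaintext": textbook_decrypt(c_raw, D + 2) != m_int,
    }
```

This sketch is not constant-time and returns a distinguishable failure path only for clarity; production code should use a vetted library's RSA-OAEP.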