Cryptography · Educational

RSA Multiplicative Homomorphism

Multiply two ciphertexts, decrypt once — and get the product of the original plaintexts. No plaintext ever required on the server.

Educational example — does not provide actual cryptographic protection — Bastiaan Quast

01 Key parameters

Choose two primes

P (prime)

Q (prime)

n = P · Q

φ(n)

modulus n²

196

Derived key pair

e is chosen as the smallest odd integer coprime to φ(n). d is its modular inverse.

e — public exponent

gcd(e, φ) = 1 ✓

d — private exponent

e · d mod φ = 1 ✓

encryption / decryption

encrypt: c = m^e mod n² · decrypt: m = c^d mod n

02 Plaintext inputs

m₁

m₂

Warning Inputs should be < n for well-defined results

plaintext product m₁ · m₂ mod n

This is the target value. Decrypting the cipher product must yield this.

03 Encryption & decryption

Encrypt m₁

c₁

3⁵ mod 196

→

decrypt(c₁)

47⁵ mod 14

Encrypt m₂

c₂

4⁵ mod 196

→

decrypt(c₂)

44⁵ mod 14

Cipher product (no decryption needed yet)

c₁ · c₂ mod n²

108

47 · 44 mod 196

→

decrypt

108⁵ mod 14

04 Homomorphic result

decrypt(c₁ · c₂ mod n²) ≡ m₁ · m₂ (mod n)

homomorphism holds decrypt(c₁·c₂ mod n²) = 12 = 3·4 mod 14

RSA is multiplicatively homomorphic: a party can multiply two ciphertexts and — upon decryption — recover the product of the original plaintexts. Neither plaintext m₁ nor m₂ was ever revealed. The use of n² as the encryption modulus (rather than n) is what gives the cipher product enough headroom to survive decryption correctly.