Quiz Entry - updated: 2026.07.14
What is the homomorphic (multiplicative) property of RSA, and why is it both useful and dangerous?
RSA is multiplicatively homomorphic: the product of two ciphertexts decrypts to the product of the plaintexts. This enables blind signatures but also allows ciphertext manipulation without knowing the key.
* Knowing only the public key, Eve multiplies in 3ᵉ and Bob silently decrypts 3·m — malleability means RSA alone gives no integrity. *
The property: Given $c_1 = m_1^e \mod N$ and $c_2 = m_2^e \mod N$: $$c_1 \cdot c_2 \mod N = (m_1 \cdot m_2)^e \mod N$$
Decrypting $c_1 \cdot c_2$ gives $m_1 \cdot m_2$.
Attack example (tripling a value):
- Alice encrypts $m$: $c = m^e \mod N$
- Eve wants Bob to receive $3m$ instead
- Eve computes $3^e \mod N$ (she knows the public key!)
- Eve sends $c' = 3^e \cdot c \mod N$ to Bob
- Bob decrypts: $(3^e \cdot c)^d = 3 \cdot m \mod N$
- Eve never knew $m$ or $d$, yet successfully manipulated the message!
Consequences:
- RSA provides no integrity — ciphertext is "malleable" / "formable"
- This is why RSA encryption alone is never sufficient — you always need authentication (MAC or signature)
Positive uses:
- Blind signatures: Sign a document without seeing its content
- Double signatures: Split the private exponent for multi-party signing
- Side-channel countermeasures: Randomize computations using the multiplicative property
Go deeper:
Homomorphic encryption (Wikipedia) — the property in general, from partial (RSA) to fully homomorphic.
Malleability (cryptography) (Wikipedia) — why a malleable cipher provides no integrity.