Is the result of a RSA encryption guaranteed to be random

Question

I use RSACryptoServiceProvider to encrypt some small blocks of data. For the solution I'm working on, it's important that if the same piece of source data is encrypted twice with the same public key, the result (the encrypted block of data) is not the same.

I have checked this with an example and it worked like I hoped. My question is now, if this behaviour is by design and guaranteed or if I have to add some random part to the source data for guaranteeing that data blocks with the same data can not be matched anymore after encryption.

Here is the example:

byte[] data=new byte[]{1,7,8,3,4,5};
RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider;
byte[] encryptedData = encrypter.Encrypt(data,true);

// encryptedData has always other values in, although the source data is always
// 1,7,8,3,4,5 and the certificate is always the same (loaded from disk)

The concrete question is for .net but maybe the answer can be given in general for all RSA-implementations if it is by design?

Answer 1

The text-book RSA encryption algorithm is deterministic:

ciphertext = plaintext ^ encryption-exponent  mod  modulus

(Here ^ is integer exponentiation, mod the remainder operation.)

But as you remarked, this does not provide a good security guarantee, as an attacker which can guess the plaintext can simply verify this guess by encrypting it himself and comparing the results.

For this reason, the official RSA specifications (and also all implementations used in practice) include some (partly random) padding, so we don't actually encrypt plaintext, but pad(plaintext):

ciphertext = pad(plaintext) ^ encryption-exponent  mod  modulus

Decryption:

plaintext = unpad( ciphertext ^ decryption-exponent mod modulus )

Only with this padding RSA is actually a secure encryption scheme.

A similar padding is also used for RSA signatures, to avoid easy forging of signatures.