Is it a risk if RSA produces exactly the same ciphertext for the given plaintext?
You should only ever use the RSA algorithm on (a) randomly-generated session keys used for a symmetric cipher (b) cryptographic hash functions used as part of a signature mechanism.
For your point specifically, see page 290 of Handbook of Applied Cryptography (Chapter 8 :)
One supremely nice benefit of using RSA only on random and indistinguishable-from-random inputs is that you're never at risk of ciphertext being interpreted as plaintext.
Using RSA on data directly is dangerous.
RSA encryption with a 1024-bit public key encrypts messages up to 117 bytes, and the corresponding ciphertext has length 128 bytes. More generically, for all key sizes and with standard PKCS#1 padding modes, the ciphertext is always longer than the plaintext. Thus, they cannot be equal to each other.
If you consider post-padding input (i.e. the 128-byte string which goes under exponentiation) then a fixed point (a number which goes unchanged through the exponentiation) may expose parts of the private key; however, you will not hit it by chance. Or, rather, you will hit it only with negligible probability (you can force it if you wish, but nobody can prevent you from revealing your own private key anyway). An attacker gains no extra information by such a random occurrence, because such an equality can already be tested by the attacker... so the answer is: no, there is no risk in that.
Yes, but it is extremely rare. There are (gcd(e−1,p−1)+1)(gcd(e−1,q−1)+1) of these values for every RSA key.
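The count quoted in the answer above can be checked by brute force on toy keys. This is an added example, not part of any answer on the page; the primes and exponents are constructed, the function names are hypothetical, and it works on raw (unpadded) RSA exponentiation only.

```python
from math import gcd

# Constructed toy keys (p, q, e); far too small for real use, chosen so
# that every message in [0, n) can be enumerated.
TOY_KEYS = [(61, 53, 17), (11, 13, 7), (101, 113, 3), (47, 59, 17)]


def is_valid_exponent(p, q, e):
    """e must be invertible modulo (p-1)(q-1) to be a usable RSA exponent."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def fixed_points(n, e):
    """Every m in [0, n) whose raw RSA ciphertext equals m itself."""
    return [m for m in range(n) if pow(m, e, n) == m]


def predicted_count(p, q, e):
    """The count given in the answer: (gcd(e-1,p-1)+1)(gcd(e-1,q-1)+1).

    Modulo p, m^e = m holds for m = 0 and for the gcd(e-1, p-1) roots of
    m^(e-1) = 1; the same holds modulo q, and the Chinese remainder
    theorem multiplies the two counts.
    """
    return (gcd(e - 1, p - 1) + 1) * (gcd(e - 1, q - 1) + 1)


def compare(keys=TOY_KEYS):
    """Return (n, e, enumerated count, predicted count) for each toy key."""
    rows = []
    for p, q, e in keys:
        if not is_valid_exponent(p, q, e):
            raise ValueError(f"e={e} is not valid for p={p}, q={q}")
        n = p * q
        rows.append((n, e, len(fixed_points(n, e)), predicted_count(p, q, e)))
    return rows


if __name__ == "__main__":
    for n, e, found, predicted in compare():
        print(f"n={n:6d} e={e:3d} enumerated={found:3d} "
              f"predicted={predicted:3d} fraction={found / n:.5f}")
```

Because e is odd, 0, 1 and n−1 are always among the fixed points and the count is never below 9. Taking e = 65537 as an assumption (the page names no exponent), each gcd is at most 65536, so a 1024-bit modulus has at most 65537² fixed points among roughly 2^1024 possible inputs.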