Thus, for example, if in a public key system based on factoring (such as RSA) or the discrete log problem the plaintext message is split into blocks of size one (i.e., individual letters), each of which is then run through the encryption algorithm, the cryptanalyst has an easy method for decrypting without finding the key.
Example: The plaintext was encoded by replacing each letter with its corresponding value mod 26, i.e., A = 0, B = 1, C = 2, etc. The RSA system was used to encipher this message using the public values n = 18721 and encryption exponent 25, and the following ciphertext was produced: 365, 0, 4845, 14930, 2608, 2608, 0
The cryptanalyst, knowing this encoding scheme, just calculates x^25 mod 18721 for each x in the range 0 to 25 to get the following table of values:
The plaintext message can then be read off from the table: VANILLA.
To avoid this pitfall, the blocks of the message must be long enough so that it is impractical to store all possible blocks and their encrypted equivalents.
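The table lookup described above, written out as an added example (not part of the original text). It uses the n, exponent and ciphertext given in the example; the function names are illustrative, and `table_entries` only counts how the table grows with block length.

```python
import string

# Public values and ciphertext from the example above.
N = 18721
E = 25
CIPHERTEXT = [365, 0, 4845, 14930, 2608, 2608, 0]


def build_table(n, e, alphabet=string.ascii_uppercase):
    """Encrypt every possible one-letter block (A = 0, ..., Z = 25) under the public key."""
    table = {}
    for value, letter in enumerate(alphabet):
        c = pow(value, e, n)
        # Encryption is deterministic, so each letter has exactly one ciphertext.
        if c in table:
            raise ValueError(f"{letter} and {table[c]} collide at ciphertext {c}")
        table[c] = letter
    return table


def read_off(ciphertext, table):
    """Recover the plaintext by table lookup alone; the private key is never used."""
    out = []
    for block in ciphertext:
        if block not in table:
            raise KeyError(f"block {block} is not the encryption of a single letter")
        out.append(table[block])
    return "".join(out)


def table_entries(block_letters, alphabet_size=26):
    """Entries the same table would need if each block held block_letters letters."""
    return alphabet_size ** block_letters


if __name__ == "__main__":
    table = build_table(N, E)
    for c, letter in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{letter} -> {c}")
    print("plaintext:", read_off(CIPHERTEXT, table))
    # The table is tiny for one-letter blocks and grows as 26^k with block length k.
    for k in (1, 2, 4, 8, 16):
        print(f"{k}-letter blocks: {table_entries(k)} entries")
```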
To avoid this problem, each user in the system should have a different modulus. A similar protocol failure occurs if three participants have the same encryption exponents (with different moduli), and so this should be avoided as well.