Why is this authentication procedure using Rabin crypto not useful?

Question

A friend asked me the following, pointing out that the method is not very useful (my problem is I do not see why it is not good):

Consider a person A which chooses $n$ as the public key for the Rabin crypto-system.
We want to be sure that we are communicating with person A so we send her a random item $r\equiv m^2 \mod n$.
Person A receives $r$ and decodes it using the factorization of $n$ and finds a square rot $m_1$ of $r$.
A then sends us $m_1$ and we check $r\equiv m_1^2 \mod n$.

Why is this not useful?

score 9 · Accepted Answer · answered Jan 19 '14 at 20:53

A is acting as a square-root oracle in that protocol. We can use that oracle to factor $n$ and break the scheme.

Suppose you are an attacker that wants to impersonate A. You:

Pick a random $m$;
Send $m^2$ to A;
Compute $p = \gcd(m_1 - m, n)$, thus factoring $n$.

This works with probability $1/2$ for each attempt.

score 4 · Answer 2 · answered Jan 19 '14 at 18:57

4

Because $r$ is not guaranteed to be a Quadratic Residue, so for random $r$ there wouldn't be $m_1$ such that $r \equiv m_1^2(\mod n)$, therefore authentication will be impossible in this case.

answered Jan 19 '14 at 18:57

daniel

565
2
7

Why is this authentication procedure using Rabin crypto not useful?

2 Answers2