4

In the Rabin cryptosystem, decrypting a message can produce four different outputs, of which only one is the correct plaintext. How can one know which of the outputs is the correct one?

Ilmari Karonen
Aria

3 Answers

5

This is a solution that should work with very high probability, but can possibly fail. As a bonus it also resists tampering with the ciphertext.

As encrypter, generate a random key (say a 128-bit key for AES-128-CTR) and encrypt the plaintext using that key. Then compute a MAC over the ciphertext (for example using HMAC-SHA1) using the same key. Finally, encrypt the randomly generated key using the Rabin cryptosystem. You then send $encrypted\_key || MAC || ciphertext$ to the receiver.

The receiver first decrypts the encrypted key to get 4 potential keys. For each key he computes the MAC over the ciphertext and sees whether it equals the sent MAC. If so, he proceeds to decrypt the ciphertext using that key.

Another bonus of this system is authentication. If you have a shared secret/token of sufficient cryptographic length (say 128 bits) between sender and receiver you can use that as the key for the MAC instead of the randomly generated key.

orlp
4

Nightcracker's method works fine. There also are deterministic solutions to select the correct ciphertext that require very few additional bits. One very useful ingredient is the use of the Jacobi symbol.

For example, you might look at The Rabin cryptosystem revisited by M. Elia, M. Piva and D. Schipani (http://arxiv.org/pdf/1108.5935.pdf).

minar
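Both answers above can be exercised end to end with one small program. The following is an added example written for this page, not code from either answer or from the cited paper. It builds a toy Rabin key from two random 256-bit primes p, q ≡ 3 (mod 4), recovers all four square roots by CRT, and then selects the right root in the two ways described: first with the hybrid MAC check from the first answer, and second with two extra bits (the parity of m and whether the Jacobi symbol (m/n) is +1), which is the classic deterministic disambiguation that the second answer's Jacobi-symbol remark refers to (it is one such scheme, not necessarily the exact construction in the paper). Assumptions made here: the symmetric cipher is an HMAC-SHA256 keystream in counter mode standing in for AES-128-CTR (the standard library has no AES) and the MAC is HMAC-SHA256 rather than HMAC-SHA1; the 128-bit key is padded with random bytes to nearly the size of n before squaring, because a bare 128-bit m against a 512-bit n would give m² < n and the root could be taken with an integer square root, no factoring needed. All sample inputs are constructed; the 256-bit primes are far too small for real use.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # 128-bit symmetric key, as in the first answer


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, error < 4^-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rabin_keygen(bits=256):
    """Toy Rabin key (constructed): n = p*q, p, q ≡ 3 (mod 4) so roots are c^((p+1)/4)."""
    def prime_3mod4():
        while True:
            cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3  # top bit set, low bits 11
            if is_probable_prime(cand):
                return cand
    p, q = prime_3mod4(), prime_3mod4()
    return p * q, (p, q)


def rabin_encrypt(n, m):
    return pow(m, 2, n)


def rabin_roots(p, q, c):
    """All four square roots of c mod n = p*q: (±m_p, ±m_q) recombined by CRT."""
    n = p * q
    mp, mq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    yp, yq = pow(p, -1, q), pow(q, -1, p)  # p^-1 mod q, q^-1 mod p
    r = (yp * p * mq + yq * q * mp) % n
    s = (yp * p * mq - yq * q * mp) % n
    return [r, n - r, s, n - s]


# ---- Method 1 (first answer): the MAC over the ciphertext picks the key ----

def keystream_xor(key, data):
    """Stand-in for AES-128-CTR: HMAC-SHA256 in counter mode (assumption, stdlib has no AES)."""
    ks = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def hybrid_encrypt(n, plaintext):
    """Return (rabin_encrypted_key, tag, ciphertext); key and MAC key are the same, as in the answer."""
    n_bytes = (n.bit_length() + 7) // 8
    key = secrets.token_bytes(KEY_LEN)
    ciphertext = keystream_xor(key, plaintext)
    tag = mac(key, ciphertext)
    # Assumption added here: random padding to one byte short of n, so m^2 really wraps mod n.
    m = int.from_bytes(key + secrets.token_bytes(n_bytes - 1 - KEY_LEN), "big")
    return rabin_encrypt(n, m), tag, ciphertext


def hybrid_decrypt(p, q, enc_key, tag, ciphertext):
    """Try all four roots; the one whose MAC verifies is the key. None if nothing verifies."""
    n_bytes = ((p * q).bit_length() + 7) // 8
    for root in rabin_roots(p, q, enc_key):
        cand = root.to_bytes(n_bytes, "big")[1:1 + KEY_LEN]  # skip the leading zero byte
        if hmac.compare_digest(mac(cand, ciphertext), tag):
            return keystream_xor(cand, ciphertext)
    return None


# ---- Method 2 (second answer): two extra bits, parity and Jacobi symbol ----

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def encrypt_with_hints(n, m):
    """Ciphertext plus two bits: parity of m, and whether (m/n) = +1."""
    return rabin_encrypt(n, m), m & 1, jacobi(m, n) == 1


def decrypt_with_hints(p, q, c, parity, jac_plus):
    """With p ≡ q ≡ 3 (mod 4), (-1/n) = +1, so r and n-r share a Jacobi symbol but differ
    in parity (n is odd), and s, n-s carry the opposite symbol: the two bits single out
    exactly one root whenever gcd(m, n) = 1."""
    n = p * q
    hits = [x for x in rabin_roots(p, q, c)
            if x & 1 == parity and (jacobi(x, n) == 1) == jac_plus]
    assert len(hits) == 1
    return hits[0]
```

Note the trade-off the two methods illustrate: the MAC method costs a full tag but also authenticates the ciphertext and fails closed (returns None) if either the ciphertext or the encrypted key is tampered with, while the two-bit method is deterministic and cheap but protects nothing; an attacker can flip the hint bits and the receiver will happily accept a different root.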
-2

Decoding produces three false results in addition to the correct one, so that the correct result must be guessed. This is the major disadvantage of the Rabin cryptosystem and one of the factors which have prevented it from finding widespread practical use.

That's straight from the Wikipedia page. It goes on to discuss that guessing the answer is easier with something like a text-based message, but obviously much more difficult if you're decrypting a number. Or imagine if you double-encrypted your result, meaning you'd have to perform decryption 5 times (first time results in 4; then one more for each of those) and result in 16 possible outcomes.

There may be use for this type of cryptosystem, but for most applications it seems this flaw is pretty major.

armani