Questions tagged [rabin-cryptosystem]

A public-key cryptosystem based on squaring modulo the product of two primes, introduced in 1979 by Michael O. Rabin and proven to have security reducible to the hardness of integer factorization. It is similar to RSA but uses e=2.

The Rabin cryptosystem was the first asymmetric cryptosystem where recovering the plaintext from the ciphertext could be proven to be as hard as factoring.

The Rabin cryptosystem does not provide indistinguishability against chosen plaintext attacks since the process of encryption is deterministic. An adversary, given a ciphertext and a candidate message, can easily determine whether or not the ciphertext encodes the candidate message (by simply checking whether encrypting the candidate message yields the given ciphertext).

The Rabin cryptosystem is insecure against a chosen ciphertext attack (even when challenge messages are chosen uniformly at random from the message space).

The Rabin cryptosystem can be used to create and verify digital signatures.

50 questions
12 votes, 1 answer

Why isn't Rabin-Williams cryptosystem widely used?

I think we all know RSA. And of course we also know DJB (a.k.a. Daniel J. Bernstein). Now some already have noticed that he has an opinion towards cryptographic questions. In his 2008 paper ("RSA signatures and Rabin–Williams signatures: the state…
SEJPM
7 votes, 2 answers

Rabin-Williams signature and its reduction to factorization

Rabin signature is rightly celebrated as a signature scheme with provable reduction to factorization. How do we show that for Rabin-Williams signature as standardized, under the common and realistic hypothesis that the adversary has access to a…
fgrieu
7 votes, 0 answers

Why did Rabin use $x(x + b)$ instead of just $x^2$ in the original paper?

Encryption in the original Rabin scheme took a message $x$ and computed $x(x + b) \bmod n$, where $0 \le b \lt n$ and $n$ is the product of two secret primes $p$ and $q$. The private key is defined as $(p,q)$ and the public key as $(b,n)$. Modern…
forest
7 votes, 2 answers

Why is this authentication procedure using Rabin crypto not useful?

A friend asked me the following, pointing out that the method is not very useful (my problem is I do not see why it is not good): Consider a person A which chooses $n$ as the public key for the Rabin crypto-system. We want to be sure that we are…
6 votes, 2 answers

Why is Rabin encryption equivalent to factoring?

I don't understand the proof of equivalence I've read everywhere (e.g., in Rabin's paper or on Wikipedia). Here's my objection: let's say you have a Rabin decryption oracle that takes n and c and returns one of the square roots of c mod n. It always…
Kyle Rose
5 votes, 1 answer

Decryption in Rabin

Recently I was working on the Rabin cryptosystem. But in the decryption part of the algorithm, there are two ways to decrypt the cipher. The first solution which has $p$ and $q$ equal to $3\pmod4$ is very clear for me. But the second solution which…
dqhuy78
4 votes, 3 answers

Identification of correct plaintext after decryption in Rabin cryptosystem

In the Rabin cryptosystem, decrypting a message can produce four different outputs, of which only one is the correct plaintext. How can one know which of the outputs is the correct one?
Aria
4 votes, 1 answer

Is this a good choice of a digital signature scheme?

This is a concrete instantiation of Rabin-Williams signatures. Specifically: The private key is 2 primes $p, q$. The public key is their product $N = pq$ and is approximately 3072 bits long. The hash function is Skein-512 with 3072 + 512 = 3584…
Demi
4 votes, 1 answer

How do I attack an RSA setup where e is even?

As a challenge, we were shown an RSA setup where we have a big $n$ (617 decimal digits), $e=4$, and asked to recover three messages. (However, the messages are padded to the same length as the key with random bytes.) I don't have a very strong…
zneak
3 votes, 1 answer

Rabin encryption when M is not Disjoint to n

I need help with proving that the encryption goes well when the message $M$ is not disjoint to $n$ (public key). Encryption message $C = M^2 \bmod n$. Decryption message $C^{(p+1)/4} \equiv \pm M \bmod p$ and $C^{(q+1)/4} \equiv \pm M \bmod q$. Now,…
Talor T
3 votes, 1 answer

How to prove the hardness of Rabin's function?

I am unable to prove the following theorem: If for a $1/(\log(n))$ fraction of the quadratic residues $q\pmod n$ one could find a square root of $q$, then one could factor $n$ in random polynomial time. $n$ is the product of two large distinct…
Aditi Rai
3 votes, 0 answers

Residue requirements of Rabin-Williams primes?

I'm trying to determine the residue requirements of Rabin-Williams. An older copy of P1363's Public Key Cryptography states the following in Section 8.1.3.2 RW key pairs: An RW public key consists of a modulus n, which is the product of two odd…
user10496
2 votes, 1 answer

Does Rabin function lose its one-way property if squaring mod a prime?

I am looking into various one-way functions and I stumbled upon a Rabin function, which is squaring modulo an RSA modulus $N=pq$, where $p,q$ are prime: $R_N(x) = x^2 \bmod N$. Would it lose the one-way property if $N$ is prime and not a product of…
2 votes, 1 answer

Estimate Security level of the Rabin Signature

I'm trying to figure out how long the modulus $n$ has to be in the Rabin Signature scheme, to provide 128-bit security. We assume that the used hash function is "secure enough". Then the naive approach would be the following: Since forging a…
Mark Neuhaus
2 votes, 1 answer

Rabin cryptosystem - How many solutions?

If in the Rabin cryptosystem we have $n = p \cdot q$ where $p$ and $q$ are prime, we have four solutions (roots): there exist four solutions of $x^2 \equiv b \pmod{n}$. However, when we have $n = p \cdot q \cdot r$ where $p$, $q$ and $r$ are prime, or $n = p…
Aurelio