
Naiara Sanchez - Rabin Cryptosystem

The document provides an overview of the Rabin cryptosystem, which is an asymmetric encryption algorithm based on the difficulty of factoring large numbers. It describes the key components: choosing two prime numbers p and q to generate the public key n=pq; encrypting a message m by computing m^2 mod n; and decrypting the ciphertext c by taking the square root mod n, which yields four possible messages requiring the Chinese Remainder Theorem. The security relies on the inability to efficiently compute square roots modulo a composite number n when its factors p and q are unknown. Compared to RSA, Rabin is less efficient but provably as secure as integer factorization, while RSA's security is not directly related to factoring.

Uploaded by

Mihaela Diminet

The Rabin Cryptosystem

Universität Paderborn
Complexity and Cryptography Seminar
Summer 2011

Naiara Escudero Sánchez


July 15, 2011

Index

Introduction

Rabin Cryptosystem
Basic mathematical concepts
The Rabin cryptosystem
Evaluation: security
Comparison with RSA cryptosystem
Conclusion

Introduction
What is a cryptosystem:
A cryptosystem is defined by the five-tuple (P, C, K, E, D):
P: the set of all unencrypted messages (plaintext).
C: the set of all encrypted messages (ciphertext).
K: the set of keys used by the cryptosystem.
E: the set of encryption transformations or functions applied to each element of P to obtain an element of C.
D: the set of decryption transformations.
$D_k(E_k(m)) = m$

Introduction
Two main types of cryptosystem:
Symmetric Key Encryption: the same private key is used to encrypt and decrypt.
Asymmetric Key Encryption: two keys, a private key and a public key. The information is encrypted with one of them and decrypted with the other one.

The Rabin Cryptosystem

Asymmetric cryptosystem
Based on the idea of the hardness of factorization

Basic mathematical concepts:


Chinese Remainder Theorem
Quadratic Residues Modulo a Prime
Quadratic Residues Modulo a Composite

(throughout this presentation, we assume that p and q are primes and N = pq)

The Chinese Remainder Theorem

It is a method of solving systems of congruences:
Let r and s be positive integers which are relatively prime and let a and b be any two integers. Then there is an integer N such that:
$N \equiv a \pmod{r}$ and $N \equiv b \pmod{s}$

The theorem can be generalized to solve a set of simultaneous congruences $x \equiv a_i \pmod{m_i}$, for $i = 1, \ldots, r$:
$x \equiv a_1 b_1 (M/m_1) + \cdots + a_r b_r (M/m_r) \pmod{M}$
where $M = m_1 m_2 \cdots m_r$ and each $b_i$ satisfies $(M/m_i)\, b_i \equiv 1 \pmod{m_i}$.

Quadratic Residues Modulo a Prime

Let x, y be two elements of $\mathbb{Z}_q^*$. Then y is called a quadratic residue ($QR_q$) if there exists an x such that:

$x^2 = y \bmod q$
If there is no such x, then y is called a quadratic nonresidue ($QNR_q$).

Example: quadratic residues modulo 11:

$QR_{11}$: {1, 3, 4, 5, 9}
$QNR_{11}$: {2, 6, 7, 8, 10}

Quadratic Residues Modulo a Prime

Properties: (let q > 2)
Every $QR_q$ has exactly two square roots. The number of solutions of $x^2 = y \bmod q$ is:
1 solution if $y = 0$.
2 solutions if $y \neq 0$.

The number of $QR_q$ and $QNR_q$ must be the same: $(q-1)/2$

The product of two $QR_q$ or two $QNR_q$ is a $QR_q$, whereas the product of a $QR_q$ and a $QNR_q$ gives a $QNR_q$.

Quadratic Residues Modulo a Prime

Example: quadratic residues modulo 11:

$x^2 = 4 \bmod 11$, solutions: 2 and 9
$x^2 = 9 \bmod 11$, solutions: 3 and 8
$QR_{11}$: {1, 3, 4, 5, 9}, 5 elements
$QNR_{11}$: {2, 6, 7, 8, 10}, 5 elements
$(q - 1)/2 = (11 - 1)/2 = 5$
$4 \times 1 = 4 \in QR_q$
$3 \times 2 = 6 \in QNR_q$

Quadratic Residues Modulo a Prime

One way to express whether an element y is a quadratic residue or a quadratic nonresidue mod q is the Legendre symbol:
$L_q(y) = +1$ if $y \in QR_q$
$L_q(y) = -1$ if $y \in QNR_q$

$L_q(y) = y^{(q-1)/2} \bmod q$

Example:
$L_{11}(4) = 4^5 \bmod 11 = 1 \Rightarrow 4 \in QR_{11}$
$L_{11}(2) = 2^5 \bmod 11 = 10 = -1 \Rightarrow 2 \in QNR_{11}$

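Quadratic Residues Modulo a Prime

Algorithm to determine if an element y is $QR_q$ or $QNR_q$:

$y^{(q-1)/2} \bmod q = +1$ if $y \in QR_q$
$y^{(q-1)/2} \bmod q = -1$ if $y \in QNR_q$

Example:
$1^5 \bmod 11 = 1 \bmod 11 = 1 \Rightarrow 1 \in QR_{11}$
$2^5 \bmod 11 = 32 \bmod 11 = 10 = -1 \Rightarrow 10 \in QNR_{11}$
$3^5 \bmod 11 = 243 \bmod 11 = 1 \Rightarrow 1 \in QR_{11}$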

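Quadratic Residues Modulo a Composite

Now, the elements $x, y \in \mathbb{Z}_N^*$, where $\mathbb{Z}_N^* = \mathbb{Z}_p^* \times \mathbb{Z}_q^*$. An element can be denoted by:
$y \leftrightarrow (y_p, y_q)$

The element y is $QR_N$ if:

$y \in QR_N \Leftrightarrow y_p \in QR_p$ and $y_q \in QR_q$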

Quadratic Residues Modulo a Composite

Example: $N = 15 = p \cdot q = 3 \cdot 5$
$\mathbb{Z}_{15}^*$:
1:  $1^1 \bmod 3 = 1$  //  $1^2 \bmod 5 = 1$
2:  $2^1 \bmod 3 = 2$  //  $2^2 \bmod 5 = 4$
4:  $4^1 \bmod 3 = 1$  //  $4^2 \bmod 5 = 1$
7:  $7^1 \bmod 3 = 1$  //  $7^2 \bmod 5 = 4$
8:  $8^1 \bmod 3 = 2$  //  $8^2 \bmod 5 = 4$
11: $11^1 \bmod 3 = 2$  //  $11^2 \bmod 5 = 1$
13: $13^1 \bmod 3 = 2$  //  $13^2 \bmod 5 = 4$
14: $14^1 \bmod 3 = 2$  //  $14^2 \bmod 5 = 1$

$QR_{15}$: {1, 4}

Quadratic Residues Modulo a Composite

Properties:
Every $QR_N$ has exactly four square roots given by:
$(x_p, x_q), (-x_p, x_q), (x_p, -x_q), (-x_p, -x_q)$

Only one quarter of the elements of $\mathbb{Z}_N^*$ are $QR_N$.

The product of two $QR_N$ or two $QNR_N$ is a $QR_N$, whereas the product of a $QR_N$ and a $QNR_N$ gives a $QNR_N$.

Quadratic Residues Modulo a Composite

It is possible to extend the Legendre symbol to the case of a composite modulus N; in this case it is called the Jacobi symbol:

$J_N(y) = L_q(y_q)\, L_p(y_p) = (y^{(q-1)/2} \bmod q)(y^{(p-1)/2} \bmod p)$

Now, it is not possible to know whether an element is $QR_N$ or $QNR_N$ just by computing $J_N(y)$:
$J_N(y) = +1 \Rightarrow y \in QR_N$, or $y_p \in QNR_p$ and $y_q \in QNR_q$
$J_N(y) = -1 \Rightarrow y \in QNR_N$

Quadratic Residues Modulo a Composite

Algorithm to determine if an element y is $QR_N$ or $QNR_N$:
$y^{(p-1)/2} \bmod p = y^{(q-1)/2} \bmod q = +1$ if $y \in QR_N$
at least one of them equal to $-1$ if $y \in QNR_N$

Example:
$(1^1 \bmod 3) = (1^2 \bmod 5) = 1 \Rightarrow 1 \in QR_{15}$
$(2^1 \bmod 3) = 2 \neq 1$ and $(2^2 \bmod 5) = 4 \neq 1 \Rightarrow 2 \in QNR_{15}$
$(4^1 \bmod 3) = (4^2 \bmod 5) = 1 \Rightarrow 4 \in QR_{15}$
...
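The residue tests from the preceding slides, as an added Python example (not part of the original presentation). It applies Euler's criterion per prime factor and lists the elements for which the Jacobi symbol is +1 although the element is not a square mod N. All function names are assumptions; p and q must be odd primes.

```python
# Added example: Legendre/Jacobi tests from the slides, on the toy moduli 11 and 15.
from math import gcd

def legendre(y: int, q: int) -> int:
    """L_q(y) = y^((q-1)/2) mod q, reported as +1 or -1 (0 if q divides y)."""
    r = pow(y, (q - 1) // 2, q)
    return -1 if r == q - 1 else r

def qr_prime(q: int) -> list[int]:
    """All quadratic residues in Z_q^* for an odd prime q."""
    return [y for y in range(1, q) if legendre(y, q) == 1]

def units(n: int) -> list[int]:
    """Elements of Z_n^*."""
    return [y for y in range(1, n) if gcd(y, n) == 1]

def jacobi_pq(y: int, p: int, q: int) -> int:
    """J_N(y) = L_p(y_p) * L_q(y_q) for N = p*q."""
    return legendre(y % p, p) * legendre(y % q, q)

def is_qr_composite(y: int, p: int, q: int) -> bool:
    """y is QR_N exactly when it is a residue modulo BOTH primes."""
    return legendre(y % p, p) == 1 and legendre(y % q, q) == 1

def qr_composite(p: int, q: int) -> list[int]:
    return [y for y in units(p * q) if is_qr_composite(y, p, q)]

def jacobi_false_positives(p: int, q: int) -> list[int]:
    """Units with J_N(y) = +1 that are nevertheless QNR_N
    (nonresidue modulo p and modulo q at the same time)."""
    return [y for y in units(p * q)
            if jacobi_pq(y, p, q) == 1 and not is_qr_composite(y, p, q)]

def squares_brute_force(n: int) -> list[int]:
    """Cross-check: square every unit and collect the results."""
    return sorted({(x * x) % n for x in units(n)})

if __name__ == "__main__":
    print("QR_11:", qr_prime(11))
    print("QR_15:", qr_composite(3, 5), "brute force:", squares_brute_force(15))
    print("J_15 = +1 but QNR_15:", jacobi_false_positives(3, 5))
```

The last function is why the Jacobi symbol alone cannot decide residuosity without the factors p and q.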

The Rabin Cryptosystem: encryption

1) The first step is to choose the key:

K = {n, p, q}
where:

Private key: p, q, which are primes such that $p, q \equiv 3 \pmod 4$.

Public key: $n = p \cdot q$

2) The encryption function is applied to the message, m:

$e_k(m) = m^2 \bmod n = c$
Now, the ciphertext c can be sent.

The Rabin Cryptosystem: decryption

3) The decryption function is applied to the received message, c:
$d_k(c) = \sqrt{c} \bmod n = m$
Problem: $d_k$ is not an injective function; there are four square roots of c mod n (four possible original messages):

$m^2 = c \bmod n$
$m_p = c^{(p+1)/4} \bmod p$, giving $+m_p \bmod p$ and $-m_p \bmod p$
$m_q = c^{(q+1)/4} \bmod q$, giving $+m_q \bmod q$ and $-m_q \bmod q$

4) Finally, the Chinese Remainder Theorem is applied to compute these four square roots.

The Rabin Cryptosystem: example (1)

Let m = 32
1) The key: K = {n, p, q} = {77, 7, 11}
2) The encryption function is applied:
$e_k(m) = m^2 \bmod n$: $e_k(32) = 32^2 \bmod 77 = 23 = c$
Now, the ciphertext c = 23 can be sent.
3) The decryption algorithm is applied:
$m_p = c^{(p+1)/4} \bmod p = 23^{(7+1)/4} \bmod 7 = 4$
$m_q = c^{(q+1)/4} \bmod q = 23^{(11+1)/4} \bmod 11 = 1$

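The Rabin Cryptosystem: example (2)

4) The Chinese Remainder Theorem is applied:
First, we compute $b_1$ and $b_2$:
$(N/7)\, b_1 \equiv 1 \pmod 7 \Rightarrow b_1 = 2$
$(N/11)\, b_2 \equiv 1 \pmod{11} \Rightarrow b_2 = 8$
$x \equiv 4 \pmod 7$ and $x \equiv 1 \pmod{11}$:
$x = a_1 b_1 (M/m_1) + a_2 b_2 (M/m_2) = 4 \times 2 \times 11 + 1 \times 8 \times 7$
$x \equiv 144 = 67 \bmod 77 \Rightarrow x = 67$
$x \equiv 3 \pmod 7$ and $x \equiv 1 \pmod{11}$:
$x = a_1 b_1 (M/m_1) + a_2 b_2 (M/m_2) = 11 \times 2 \times 3 + 7 \times 8 \times 1$
$x \equiv 122 = 45 \bmod 77 \Rightarrow x = 45$
By symmetry:
$77 - 67 = 10 \Rightarrow x = 10$
$77 - 45 = 32 \Rightarrow x = 32$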

The Rabin Cryptosystem: security

The security of the Rabin Cryptosystem is based on the hardness of computing square roots modulo N.
Factorization of N known: it is simple to compute square roots modulo N.
Factorization of N unknown: it is very complex. But how complex is it?
It is possible to prove: computing square roots modulo N when the factorization of N is unknown is as hard as integer factorization.
About the risk of attacks:
Secure against chosen-plaintext attacks.
Insecure against chosen-ciphertext attacks.
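The encryption, decryption and CRT steps of the preceding slides, together with the reason square roots and factoring are tied together, as an added Python example (not part of the original presentation). Function names are assumptions; the parameters are the slides' toy key {77, 7, 11}, with no padding or redundancy to pick the right root.

```python
# Added example: textbook Rabin with p, q ≡ 3 (mod 4). Requires Python 3.8+.
from math import gcd

def encrypt(m: int, n: int) -> int:
    """e_k(m) = m^2 mod n."""
    return pow(m, 2, n)

def crt_pair(a_p: int, a_q: int, p: int, q: int) -> int:
    """Solve x ≡ a_p (mod p), x ≡ a_q (mod q) with the slides' formula
    x = a1*b1*(M/m1) + a2*b2*(M/m2) mod M, where (M/m_i)*b_i ≡ 1 (mod m_i)."""
    b1 = pow(q, -1, p)  # M/m1 = q, inverted modulo p
    b2 = pow(p, -1, q)  # M/m2 = p, inverted modulo q
    return (a_p * b1 * q + a_q * b2 * p) % (p * q)

def decrypt(c: int, p: int, q: int) -> list[int]:
    """Return all four square roots of c modulo p*q, sorted."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("the (p+1)/4 exponent needs p, q ≡ 3 (mod 4)")
    m_p = pow(c, (p + 1) // 4, p)
    m_q = pow(c, (q + 1) // 4, q)
    # If c is not a square modulo both primes, the candidates do not square back.
    if pow(m_p, 2, p) != c % p or pow(m_q, 2, q) != c % q:
        raise ValueError("c is not a quadratic residue mod n")
    roots = {crt_pair(s * m_p, t * m_q, p, q) for s in (1, -1) for t in (1, -1)}
    return sorted(roots)

def factor_from_roots(r: int, s: int, n: int) -> int:
    """Two roots of the same c with r != ±s (mod n) give a factor of n:
    n divides (r - s)(r + s) but neither term alone. This is why anyone
    who can take square roots mod n can factor n, and why an unpadded
    decryption service must not hand back roots of caller-chosen values."""
    if (r - s) % n == 0 or (r + s) % n == 0:
        raise ValueError("roots differ only by sign; nothing is revealed")
    return gcd(r - s, n)

if __name__ == "__main__":
    c = encrypt(32, 77)
    print("c =", c, "roots =", decrypt(c, 7, 11))
    print("factor from roots 67 and 32:", factor_from_roots(67, 32, 77))
```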

Comparison: Rabin vs RSA

In terms of security:
Rabin Cryptosystem:
Breaking the security is as hard as integer factorization.
Secure against plaintext attacks.
Insecure against ciphertext attacks: key visible!
RSA Cryptosystem:
It is not possible to relate the RSA problem with the hardness of factoring.
Secure against plaintext attacks.
Insecure against ciphertext attacks.

Comparison: Rabin vs RSA


In terms of efficiency:
Rabin Cryptosystem:
Encryption process: compute square modulo N.
Decryption process: square roots modulo N.
Four possible results.
RSA Cryptosystem:
Encryption process: compute n-th powers.
Decryption process: n-th roots.


Thank you
for your attention
