
Academy Of Cryptography Techniques

Government Cipher Committee

The Rabin Cryptosystem

Instructor: Dr. Luc Nhu Quynh

Project team: Dinh Duc Dong, Do Cong Hoa

Ha Noi - 2019

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Rabin cryptographic algorithm . . . . . . . . . . . . . . . . . . . 4
  2.1 Key generation . . . . . . . . . . . . . . . . . . . . . . . . . 4
  2.2 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
  2.3 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
  2.4 Evaluate . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
  3.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
  3.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4 Characteristics of Rabin cryptosystem . . . . . . . . . . . . . . . 9
  4.1 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
  4.2 Excess data usage . . . . . . . . . . . . . . . . . . . . . . . 10
  4.3 Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . 10
  4.4 Advantages and disadvantages of Rabin compared to RSA . . . . . 11
5 Applications of Rabin cryptosystem . . . . . . . . . . . . . . . . 12
  5.1 Digital signatures on Rabin . . . . . . . . . . . . . . . . . . 12
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 1

Introduction

Cryptography is the science of using mathematics to hide information or data
that is being sent between participants, in a way that prevents other people
from reading it. The need to exchange messages secretly prompted the creation
of cryptosystems that let the intended receiver interpret the exchanged
information. In this topic, a particular public key cryptosystem, the Rabin
cryptosystem, is presented and studied with the help of the Chinese Remainder
Theorem.
The algorithm was published in January 1979 by Michael O. Rabin. The Rabin
cryptosystem was the first asymmetric cryptosystem where recovering the
plaintext from the ciphertext could be proven to be as hard as factoring.
Like all asymmetric cryptosystems, the Rabin system uses a key pair: a
public key for encryption and a private key for decryption. The public key
is published for anyone to use, while the private key remains known only to
the recipient of the message.
The Rabin cryptosystem is an asymmetric cryptographic technique whose
security, like that of RSA, is related to the difficulty of integer
factorization. However, the Rabin cryptosystem has the advantage that it has
been mathematically proven to be computationally secure against a
chosen-plaintext attack as long as the attacker cannot efficiently factor
integers, while no such proof is known for RSA. It has the disadvantage that
each output of the Rabin function can be generated by any of four possible
inputs; if each output is a ciphertext, extra work is required on decryption
to identify which of the four possible inputs was the true plaintext.

Chapter 2

Rabin cryptographic algorithm

2.1 Key generation

• Each party creates a public key and a corresponding secret key. Alice
  has to do the following:

  1. Alice generates two large random and distinct primes p and q of
     roughly the same size.
  2. Computes n = p * q.
  3. n is the public key, (p, q) is the private key.

2.2 Encryption

• Bob encrypts a message m for Alice:

  1. Obtains Alice's authentic public key n.
  2. Represents the message as an integer m in the range
     {0, 1, ..., n − 1}.
  3. Computes c = m^2 mod n.
  4. Sends the ciphertext c to Alice.

* Note: p and q may be any primes, but choosing p ≡ q ≡ 3 (mod 4) makes
  decryption simple.

• So there are two ways to decrypt:

  1. Decryption when p and q are arbitrary primes.
  2. Decryption when p ≡ q ≡ 3 (mod 4).
  The encryption is the same in both cases.

2.3 Decryption

• To recover the plaintext m from c, Alice does the following:

  1. Given the ciphertext c, Alice computes the 4 square roots of c mod n
     using the private key (p, q).
  2. Decryption when p ≡ q ≡ 3 (mod 4):
     (a) Use the extended Euclidean algorithm to find two integers a and b
         satisfying ap + bq = 1.
     (b) Compute:
         – r = c^((p+1)/4) mod p
         – s = c^((q+1)/4) mod q
         – x = (aps + bqr) mod n
         – y = (aps − bqr) mod n
     (c) The 4 square roots of c mod n are:
         m1 = x, m2 = −x mod n, m3 = y, and m4 = −y mod n.
     (d) The message sent was one of m1, m2, m3 or m4. Alice decides which
         one of these is m, usually with the help of preset (redundant) bits.
  3. Decryption when p and q are arbitrary primes (here a denotes the
     value c whose square roots are sought):
     (a) Choose random b ∈ Z_p until b^2 − 4a is a quadratic non-residue
         modulo p.
     (b) Let f be the polynomial x^2 − bx + a in Z_p[x].
     (c) Compute r = x^((p+1)/2) mod f (note: r will be an integer).
     (d) Return (r, −r).
     (e) Do the same to find the two square roots of a modulo q. The
         result will be (s, −s).
     (f) Use the extended Euclidean algorithm to find two integers c and d
         satisfying cp + dq = 1 (these c, d are the CRT coefficients, not
         the ciphertext).
     (g) Set x = (rdq + scp) mod n and y = (rdq − scp) mod n.
     (h) The result is (±x mod n, ±y mod n).

2.4 Evaluate

• Rabin is essentially RSA with the optimal choice of e, namely e = 2.

• As with RSA, the value m in encryption is in practice a symmetric key,
  while in signing it is a hash of the message. The choice p, q ≡ 3 (mod 4)
  only simplifies taking square roots; the Rabin scheme can be used with
  other moduli.
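The procedures of sections 2.1 to 2.3 as an added, runnable Python example (written for this edit; it is not code from the report). It covers key generation, encryption, square roots modulo each prime (the (p+1)/4 shortcut when p ≡ 3 (mod 4), and the polynomial method of step 3 of section 2.3, known as Cipolla's algorithm, for any odd prime), the CRT combination into four roots, and the repeated-last-bits redundancy of example 3.1 and section 4.2 to select the single valid root or reject the ciphertext. The function names, the parameter k (number of repeated bits) and the usage at the bottom are this example's own choices; the numbers in the usage are those of example 3.1.

```python
import random


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def keygen(p, q):
    """Section 2.1: public key n = p*q, private key (p, q); odd, distinct primes."""
    assert p != q and p % 2 == 1 and q % 2 == 1
    return p * q, (p, q)


def encrypt(m, n):
    """Section 2.2: c = m^2 mod n for an integer m in {0, ..., n-1}."""
    assert 0 <= m < n
    return pow(m, 2, n)


def sqrt_mod_prime(a, p):
    """One square root of a modulo an odd prime p, or None if none exists."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:           # Euler's criterion: non-residue
        return None
    if p % 4 == 3:                              # section 2.3, step 2 shortcut
        return pow(a, (p + 1) // 4, p)
    # Section 2.3, step 3 (Cipolla): pick b with b^2 - 4a a non-residue, then
    # compute x^((p+1)/2) in the field Z_p[x] / (x^2 - b*x + a).
    while True:
        b = random.randrange(p)
        d = (b * b - 4 * a) % p
        if d != 0 and pow(d, (p - 1) // 2, p) == p - 1:
            break

    def mul(u, v):
        # (u0 + u1*x)(v0 + v1*x) with x^2 replaced by b*x - a
        u0, u1 = u
        v0, v1 = v
        return ((u0 * v0 - a * u1 * v1) % p,
                (u0 * v1 + u1 * v0 + b * u1 * v1) % p)

    result, base, e = (1, 0), (0, 1), (p + 1) // 2
    while e:                                    # square-and-multiply on x
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    assert result[1] == 0                       # r is a plain integer, as the report notes
    return result[0]


def square_roots_mod_n(c, p, q):
    """All four square roots of c mod n = p*q via CRT (a*p + b*q = 1)."""
    n = p * q
    r, s = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    if r is None or s is None:
        return set()                            # c is not a square mod n
    _, a, b = egcd(p, q)
    x = (a * p * s + b * q * r) % n
    y = (a * p * s - b * q * r) % n
    return {x, (-x) % n, y, (-y) % n}


def add_redundancy(m, k):
    """Repeat the last k bits of m, as in example 3.1 (k = 6 there)."""
    return (m << k) | (m & ((1 << k) - 1))


def has_redundancy(v, k):
    mask = (1 << k) - 1
    return (v & mask) == ((v >> k) & mask)


def decrypt(c, p, q, k):
    """Section 2.3 step (d) / section 4.2: return the unique root carrying the
    redundancy (with the repeated bits stripped), or None to reject c."""
    valid = [root >> k for root in square_roots_mod_n(c, p, q)
             if has_redundancy(root, k)]
    return valid[0] if len(valid) == 1 else None


if __name__ == "__main__":
    n, (p, q) = keygen(331, 311)                # example 3.1
    m = add_redundancy(633, 6)                  # 40569
    c = encrypt(m, n)                           # 23053
    print(sorted(square_roots_mod_n(c, p, q)), decrypt(c, p, q, 6))
```

The rejection path in decrypt (zero or several roots with the redundancy gives None) is the behaviour section 4.2 relies on: a decryptor that answers only for well-formed ciphertexts returns nothing an attacker did not already know.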

Chapter 3

Example

3.1 Example 1

Question: Let p = 331, q = 311.

1. Generate the key.

2. Use the public key n to encrypt the text m = 633. Assume the last 6
   bits of the original message are to be repeated before encrypting.

3. Use the private key (p, q) to decrypt the text obtained in step (2).

Solution

1. Key generation

   • Compute n = pq = 331 · 311 = 102941
     ⇒ Public key is n = 102941, private key is (p = 331, q = 311).

2. Encryption

   • To encrypt the 10-bit message m = 633(10) = 1001111001(2), Bob
     repeats the last 6 bits of m to obtain the 16-bit message
     m = 1001111001111001(2) = 40569(10).
   • Then Bob computes c = m^2 mod n = 40569^2 mod 102941 = 23053
     ⇒ Sends the ciphertext c = 23053 to Alice.

3. Decryption

   • Use the extended Euclidean algorithm to find two integers a and b
     satisfying a · 331 + b · 311 = 1.
     Result: a = 140, b = −149

     Q     A1    A2    A3     B1    B2    B3
           1     0     331    0     1     311
     1     0     1     311    1     -1    20
     15    1     -1    20     -15   16    11
     1     -15   16    11     16    -17   9
     1     16    -17   9      -31   33    2
     4     -31   33    2      140   -149  1

   • Compute:
     r = c^((p+1)/4) mod p = 23053^((331+1)/4) mod 331 = 144
     s = c^((q+1)/4) mod q = 23053^((311+1)/4) mod 311 = 139
     x = (aps + bqr) mod n = (6441260 − 6672816) mod 102941 = 77267
     y = (aps − bqr) mod n = (6441260 + 6672816) mod 102941 = 40569

   • The 4 square roots of c mod n are x, −x mod n, y and −y mod n:
     m1 = 77267(10) = 10010110111010011(2)
     m2 = 25674(10) = 0110010001001010(2)
     m3 = 40569(10) = 1001111001111001(2)
     m4 = 62372(10) = 1111001110100100(2)

   • Since only m3 carries the required redundancy, Alice decodes c into
     m3, omits the last 6 repeated bits and restores the original
     plaintext m = 1001111001(2) = 633(10).

3.2 Example 2

Question: Let p = 7, q = 19.

1. Generate the key.

2. Use the public key n to encrypt the text m = 2.

3. Use the private key (p, q) to decrypt the text obtained in step (2).

Solution

1. Public key is n = 133 and private key is (p = 7, q = 19).

2. The ciphertext is c = m^2 mod n = 4.

3. Extended Euclidean algorithm: a = −8, b = 3 (since −8 · 7 + 3 · 19 = 1).

4. r = 4^((7+1)/4) mod 7 = 2
   s = 4^((19+1)/4) mod 19 = 17
   x = (aps + bqr) mod n = (−952 + 114) mod 133 = −838 mod 133 = 93
   y = (aps − bqr) mod n = (−952 − 114) mod 133 = −1066 mod 133 = 131

5. m1 = x = 93
   m2 = −x mod n = 40
   m3 = y = 131
   m4 = −y mod n = 2
Chapter 4

Characteristics of Rabin cryptosystem

4.1 Security

• It has been proven that any algorithm which decrypts a Rabin-encrypted
  value can be used to factor the modulus n. Thus, Rabin decryption is at
  least as hard as the integer factorization problem, something that has
  not been proven for RSA. It is generally believed that there is no
  polynomial-time algorithm for factoring, which implies that there is no
  efficient algorithm for decrypting a Rabin-encrypted value without the
  private key (p, q).

• The Rabin cryptosystem does not provide indistinguishability against
  chosen plaintext attacks, since encryption is deterministic. An
  adversary, given a ciphertext and a candidate message, can easily
  determine whether or not the ciphertext encodes the candidate message
  (by simply checking whether encrypting the candidate message yields the
  given ciphertext).

• The Rabin cryptosystem is insecure against a chosen ciphertext attack
  (even when challenge messages are chosen uniformly at random from the
  message space). By adding redundancy, for example repeating the last 64
  bits, the system can be made to produce a single root. This thwarts this
  specific chosen-ciphertext attack, since the decryption algorithm then
  only produces the root that the attacker already knows. If this technique
  is applied, the proof of equivalence with the factorization problem
  fails, so it was uncertain as of 2004 whether this variant is secure. The
  Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone
  considers this equivalence probable, however, as long as finding the
  roots remains a two-part process (roots mod p and mod q, then application
  of the Chinese remainder theorem).

4.2 Excess data usage

• One drawback of the Rabin public key system is that the recipient has to
  select the correct plaintext from four possibilities. This ambiguity in
  decoding can easily be overcome by adding redundant data to the original
  plaintext in a defined way before encryption (for example, the last 6
  bits of the message can be repeated).

• With high likelihood, only one of the four square roots m1, m2, m3, m4
  of c has that redundancy. The decoder chooses this one as the plaintext.
  If no square root of c has the redundancy, the receiver rejects c as
  invalid.

• If redundant data is used as above, the Rabin scheme is no longer
  vulnerable to the chosen ciphertext attack mentioned above. If an
  attacker chooses a message m with the required redundancy and submits
  c = m^2 mod n to Alice's decoder, there is a high chance that the decoder
  returns the plaintext m to the attacker (because the other three square
  roots of c will, with very high probability, not contain the required
  redundancy), which gives no new information. On the other hand, if an
  attacker chooses a message m without the required redundancy, it is
  highly likely that none of the four square roots of c mod n has the
  redundancy. In this case the decoder fails to decode c and does not
  respond to the attacker.

• However, if we assume that Rabin decryption consists of two phases, the
  first being to find the four square roots of c mod n and the second to
  select the right square root using the redundancy, then the equivalence
  of the first phase with factoring can still be proved. Therefore the
  Rabin public key encryption scheme, appropriately modified by adding data
  redundancy, is of great interest.

4.3 Effectiveness

• Decryption produces three false results in addition to the correct one,
  so the correct result must be guessed. This is the major disadvantage of
  the Rabin cryptosystem and one of the factors which have prevented it
  from finding widespread practical use.

• If the plaintext is intended to represent a text message, guessing is not
  difficult; however, if the plaintext represents a numerical value, this
  becomes a problem that must be resolved by some kind of disambiguation
  scheme. It is possible to choose plaintexts with a special structure, or
  to add padding, to eliminate this problem. A way of removing the
  ambiguity of inversion was suggested by Blum and Williams: the two primes
  used are restricted to primes congruent to 3 modulo 4 and the domain of
  the squaring is restricted to the set of quadratic residues. These
  restrictions make the squaring function into a trapdoor permutation,
  eliminating the ambiguity.

• In terms of computational performance, Rabin encryption is extremely
  fast (as long as encryption does not require computing a Jacobi symbol),
  while decryption, using the Chinese remainder theorem, is roughly the
  same speed as RSA decryption.

4.4 Advantages and disadvantages of Rabin compared to RSA

• Advantages

  1. The security is proved to be completely equivalent to the prime
     factorization problem; in other words, the security of Rabin is
     provable.
  2. Except against RSA with a small e, Rabin encryption is much faster
     than RSA, which requires modular exponentiation; decryption time is
     equivalent.

• Disadvantages

  1. The decryption equation has four solutions, which makes decoding
     ambiguous. Normally a specified string is appended to the plaintext
     before encryption so that the right solution can be identified (for
     example, appending 20 zeros: of the four solutions, the one ending in
     20 zero bits is the correct plaintext).

Chapter 5

Applications of Rabin cryptosystem

5.1 Digital signatures on Rabin

In cryptography the Rabin signature algorithm is a method of digital
signature originally proposed by Michael O. Rabin in 1979. The Rabin
signature algorithm was one of the first digital signature schemes proposed,
and it is the only one to relate the hardness of forgery directly to the
problem of integer factorization. The Rabin signature algorithm is
existentially unforgeable in the random oracle model assuming the integer
factorization problem is intractable. The Rabin signature algorithm is also
closely related to the Rabin cryptosystem. But the RSA cryptosystem had a
prominent role in the early days of public key cryptography, and the Rabin
signature algorithm is not covered in most introductory courses on
cryptography.

Original algorithm
The algorithm relies on a collision-resistant hash function
H : {0, 1}* → {0, 1}^k

• Key generation

  – The signer S chooses primes p, q each of size approximately k/2 bits,
    and computes the product n = pq
  – S then chooses a random b in {1, ..., n}
  – The public key is (n, b)
  – The private key is (p, q)

• Signing

  – To sign a message m the signer S picks random padding U and
    calculates H(m, U)
  – S then solves x(x + b) = H(m, U) mod n
  – If there is no solution S picks a new pad U and tries again. If H
    is truly random the expected number of tries is 4
  – The signature on m is the pair (U, x)

• Verification

  – Given a message m and a signature (U, x) the verifier V calculates
    x(x + b) and H(m, U) and verifies that they are equal

Modern terminology
In modern presentations, the algorithm is often simplified as follows. The
hash function H is assumed to be a random oracle and the algorithm works
as follows.

• Key generation

  – The signer S chooses primes p, q each of size approximately k/2 bits,
    and computes the product n = pq
  – The public key is n
  – The private key is (p, q)

• Signing

  – To sign a message m the signer S picks random padding U and
    calculates H(m, U)
  – If H(m, U) is not a square modulo n, S picks a new pad U
  – S solves the equation x^2 = H(m, U) mod n
  – The signature on m is the pair (U, x)

• Verification

  – Given a message m and a signature (U, x) the verifier V calculates
    x^2 and H(m, U) and verifies that they are equal

The signature is easy to compute if the prime factors of n are known, but
probably difficult otherwise: anyone who can forge the signature can also
factor n. The provable security has the side-effect that the prime factors
can be recovered under a chosen message attack. This attack can be
countered by padding a given message with random bits or modifying the
message randomly, at the loss of provable security.
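The modern form of the Rabin signature described above, as an added Python example (written for this edit; it is not the report's or Rabin's own code). It assumes p ≡ q ≡ 3 (mod 4) so that the square root modulo each prime is a single exponentiation, models the random oracle H by SHA-256 of message and padding reduced modulo n (a simplification: the report's H outputs k-bit strings with n about k bits long), and uses 16-byte random padding U. Function names and the padding length are this example's choices; the key (p, q) = (331, 311) in the usage is the toy key of example 3.1, nothing like a usable key size.

```python
import hashlib
import os


def H(m, U, n):
    """Random-oracle stand-in: SHA-256(m || U) reduced into Z_n (assumption)."""
    return int.from_bytes(hashlib.sha256(m + U).digest(), "big") % n


def is_square_mod_prime(h, p):
    """Euler's criterion: h is a square modulo the odd prime p."""
    return h % p == 0 or pow(h, (p - 1) // 2, p) == 1


def sqrt_mod_n(h, p, q):
    """One square root of h modulo n = p*q for p, q ≡ 3 (mod 4), via CRT."""
    r = pow(h, (p + 1) // 4, p)                 # root mod p
    s = pow(h, (q + 1) // 4, q)                 # root mod q
    t = (s - r) * pow(p, -1, q) % q             # lift r mod p so it matches s mod q
    return (r + p * t) % (p * q)


def sign(m, p, q, rng=os.urandom):
    """Pick fresh padding U until H(m, U) is a square mod n (expected 4 tries),
    then return ((U, x), tries) with x^2 = H(m, U) mod n."""
    n = p * q
    tries = 0
    while True:
        tries += 1
        U = rng(16)
        h = H(m, U, n)
        if is_square_mod_prime(h, p) and is_square_mod_prime(h, q):
            return (U, sqrt_mod_n(h, p, q)), tries


def verify(m, sig, n):
    """Check x^2 = H(m, U) mod n using only the public key n."""
    U, x = sig
    return 0 <= x < n and pow(x, 2, n) == H(m, U, n)


if __name__ == "__main__":
    p, q = 331, 311                             # toy key from example 3.1
    sig, tries = sign(b"rabin signature demo", p, q)
    print(tries, verify(b"rabin signature demo", sig, p * q))
```

The verifier never needs p or q, and the signer's only private operation is the root extraction; the range check on x in verify rejects the trivial non-canonical values x ≥ n, which would otherwise pass the congruence test.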

Conclusion

The Rabin cryptosystem is an asymmetric cryptosystem where the private key
is composed of two primes, p and q, and the public key is composed of
n = pq. It is based on the hardness of factoring. It is simple to compute
square roots modulo a composite if the factorization is known, but very
hard when the factorization is unknown.
In terms of computational performance, Rabin encryption is extremely fast
(as long as encryption does not require computing a Jacobi symbol), while
decryption, using the Chinese remainder theorem, is roughly the same speed
as RSA decryption.
The encryption process computes the square modulo n of the message, while
the decryption process requires computing modular square roots. Since the
encryption function is not injective, four possible results are obtained
after applying the Chinese Remainder Theorem to solve the systems of
congruences.
The difference between the Rabin cryptosystem and the RSA cryptosystem has
been made clear with reference to modes of attack, security issues and
their efficiency.
This paper gives a general idea of the Rabin cryptosystem; its encryption
and decryption procedures are shown with the help of the Chinese Remainder
Theorem along with suitable examples.


