The Rabin cryptosystem revisited
Michele Elia (1), Matteo Piva (2), Davide Schipani (3)
Mykonos, 30th May 2012
(1) Polytechnic of Turin, (2) University of Trento, (3) University of Zurich
M.Piva (University of Trento) Rabin cryptosystem Mykonos, 30th May 2012 1 / 17
Outline
1. Introduction
2. Preliminaries
3. Root identification
4. Rabin Signature
5. Conclusions
Rabin scheme
In 1979, Michael Rabin suggested a variant of RSA with public-key exponent 2, which he showed to be as secure as factoring. Let $N = pq$ be a product of two prime numbers.
Encryption. Let $m \in \mathbb{Z}_N^*$ be a message; the encryption is $C = m^2 \bmod N$.
Decryption. To decrypt we solve the equation $x^2 = C \bmod N$, which has four roots in $\mathbb{Z}_N^*$.
Rabin scheme
Main strengths. Solving
$x^2 = C \bmod N$ (1)
- is easy if the factors of N are known;
- is hard if the factors of N are unknown;
- is equivalent to factoring N.
Main problems (decryption stage). Let $x_1, x_2, x_3, x_4$ be the four roots of equation (1). How can we identify the original message? The further information should be computed from m without knowing the factors of N (or any information leading to easy factorization).
Roots in $\mathbb{Z}_N$
The equation $x^2 - C = 0$ is solvable mod N if and only if it has a solution mod p and mod q.
Let $u_1$ be a root mod p; the second root is $-u_1$.
Let $v_1$ be a root mod q; the second root is $-v_1$.
The four roots (thanks to the CRT) can be written as
$x_1 = u_1\psi_1 + v_1\psi_2 \bmod N$
$x_2 = u_1\psi_1 + (q - v_1)\psi_2 \bmod N$ (2)
$x_3 = (p - u_1)\psi_1 + v_1\psi_2 \bmod N$
$x_4 = (p - u_1)\psi_1 + (q - v_1)\psi_2 \bmod N$
where $\psi_1, \psi_2$ are obtained by the extended Euclidean algorithm: they are the CRT coefficients with $\psi_1 \equiv 1 \pmod p$, $\psi_1 \equiv 0 \pmod q$ and $\psi_2 \equiv 0 \pmod p$, $\psi_2 \equiv 1 \pmod q$.
$x \mapsto x^2$ is a 4-to-1 map.
Lemma (A). The four roots $x_1, x_2, x_3, x_4$ of the polynomial $x^2 - C$ are partitioned into two sets $R_1 = \{x_1, x_4\}$ and $R_2 = \{x_2, x_3\}$ such that the roots in the same set have different parity, i.e. $x_1 = 1 + x_4 \bmod 2$ and $x_2 = 1 + x_3 \bmod 2$. Assuming that $u_1$ and $v_1$ in equation (2) have the same parity, the residues modulo p and modulo q of each root in $R_1$ have the same parity, while the roots in $R_2$ have residues of different parity.
By Lemma (A) each $x_i$ is identified by the pair of bits
$B_p = (x_i \bmod p) \bmod 2$, $B_q = (x_i \bmod q) \bmod 2$.
For example, if $u_1 = v_1 = 0 \bmod 2$ and $x_1$ and $x_2$ are even, we have

root   B_p   B_q   B_p + B_q mod 2   x_i mod 2
x_1     0     0           0              0
x_2     0     1           1              0
x_3     1     0           1              1
x_4     1     1           0              1

A root $x_i$ is identified by the pair of bits
$b_0 = x_i \bmod 2$, $b_1 = [x_i \bmod p] + [x_i \bmod q] \bmod 2$.
Dedekind sums
Definition (Dedekind sums). Let h, k be relatively prime and $k \ge 1$; a Dedekind sum is denoted by $s(h,k)$ and defined as
$s(h,k) = \sum_{j=1}^{k} \left(\left(\frac{j}{k}\right)\right)\left(\left(\frac{hj}{k}\right)\right)$
where the symbol $((x))$, defined as
$((x)) = x - \lfloor x \rfloor - \frac{1}{2}$ if x is not an integer, and $((x)) = 0$ if x is an integer,
denotes the well-known sawtooth function of period 1.
Properties
1. $h_1 = h_2 \bmod k \Rightarrow s(h_1, k) = s(h_2, k)$
2. $s(-h, k) = -s(h, k)$
3. $s(h,k) + s(k,h) = -\frac{1}{4} + \frac{1}{12}\left(\frac{h}{k} + \frac{1}{hk} + \frac{k}{h}\right)$ (reciprocity law of Dedekind sums)
4. $12\,k\,s(h,k) = k + 1 - 2\left(\frac{h}{k}\right) \bmod 8$ for k odd, where $\left(\frac{h}{k}\right)$ is the Jacobi symbol (connection between Dedekind sums and the Jacobi symbol)
The properties 1, 2, and 3 allow us to compute a Dedekind sum by a method that mimics the Euclidean algorithm and has the same efficiency.
Properties
Lemma (B). If $k = 1 \bmod 4$, then, for any h relatively prime with k, the denominator of $s(h,k)$ is odd.
Lemma (C). If k is a product of two Blum primes, $x_1$ is relatively prime with k, and $x_2 = x_1(\psi_1 - \psi_2)$, then $s(x_1, k) + s(x_2, k) = 1 \bmod 2$.
A scheme based on the Jacobi symbol, $p, q \equiv 3 \bmod 4$
Public key: [N]
Encryption: m the message; $[C, b_0, b_1]$ the encrypted message, where
$C = m^2 \bmod N$, $b_0 = m \bmod 2$, $b_1 = \frac{1}{2}\left(\left(\frac{m}{N}\right) + 1\right)$.
Decryption: compute the four roots, written as positive numbers; take the two roots having the parity specified by $b_0$, say $z_1$ and $z_2$, and compute the numbers
$\frac{1}{2}\left(\left(\frac{z_1}{N}\right) + 1\right)$, $\frac{1}{2}\left(\left(\frac{z_2}{N}\right) + 1\right)$.
The original message is the root corresponding to the number equal to $b_1$.
A scheme based on Dedekind sums, $p, q \equiv 3 \bmod 4$
Public key: [N]
Encryption: m the message; $[C, b_0, b_1]$ the encrypted message, where
$C = m^2 \bmod N$, $b_0 = m \bmod 2$, $b_1 = s(m, N) \bmod 2$.
The Dedekind sum can be taken modulo 2 since its denominator is odd (Lemma (B)).
Decryption: compute the four roots, written as positive numbers; take the two roots having the parity specified by $b_0$, say $z_1$ and $z_2$, and compute the numbers $s(z_1, N) \bmod 2$, $s(z_2, N) \bmod 2$.
The original message is the root corresponding to the number equal to $b_1$ (Lemma (C)).
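The root computation of equation (2), the parity partition of Lemma (A), the Jacobi-symbol scheme and the Dedekind-sum scheme of the last slides, collected in one added Python example; this is not the authors' code. It assumes the constructed toy Blum primes P = 23, Q = 31 (far too small for real use), obtains ψ_1, ψ_2 from modular inverses, computes s(h, k) with the Euclid-like recursion built from properties 1 to 3 and cross-checks it against the sawtooth definition; all function and variable names are its own.

```python
from fractions import Fraction
from math import floor, gcd

# Constructed toy key: two Blum primes (p, q = 3 mod 4); far too small for real use.
P, Q = 23, 31
N = P * Q

def crt_coefficients(p, q):
    """psi_1 = 1 mod p, 0 mod q and psi_2 = 0 mod p, 1 mod q (the extended-Euclid step)."""
    return q * pow(q, -1, p) % (p * q), p * pow(p, -1, q) % (p * q)

def four_roots(c, p, q):
    """Roots x_1..x_4 of x^2 = c mod pq in the order of equation (2); needs p, q = 3 mod 4."""
    u1, v1 = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)   # square roots mod Blum primes
    if u1 * u1 % p != c % p or v1 * v1 % q != c % q:
        raise ValueError("c is not a square modulo N")
    psi1, psi2 = crt_coefficients(p, q)
    return [(u * psi1 + v * psi2) % (p * q) for u in (u1, p - u1) for v in (v1, q - v1)]

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 by quadratic reciprocity; never factors n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: the sign flips iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sawtooth(x):
    """((x)) = x - floor(x) - 1/2 for non-integer x, 0 for integer x."""
    return Fraction(0) if x.denominator == 1 else x - floor(x) - Fraction(1, 2)

def dedekind_sum_direct(h, k):
    """s(h, k) straight from the definition: k terms, only for cross-checking small k."""
    return sum((sawtooth(Fraction(j, k)) * sawtooth(Fraction(h * j, k)) for j in range(1, k)), Fraction(0))

def dedekind_sum(h, k):
    """s(h, k) by the Euclid-like recursion from properties 1-3: reduce h mod k, apply
    reciprocity, recurse on (k mod h, h); as many steps as the Euclidean algorithm."""
    if k < 1 or gcd(h, k) != 1:
        raise ValueError("need k >= 1 and gcd(h, k) = 1")
    h %= k                                # property 1
    if h == 0:                            # only when k = 1: the sum is empty
        return Fraction(0)
    reciprocity = Fraction(-1, 4) + (Fraction(h, k) + Fraction(1, h * k) + Fraction(k, h)) / 12
    return reciprocity - dedekind_sum(k, h)   # property 3; the callee reduces k mod h first

def parity_bit(s):
    """s mod 2 for a rational with odd denominator (Lemma (B) for N = 1 mod 4)."""
    if s.denominator % 2 == 0:
        raise ValueError("even denominator: s mod 2 is undefined")
    return s.numerator % 2

def identify_bit(x, n, scheme):
    """The bit b_1 of the Jacobi-symbol scheme or of the Dedekind-sum scheme."""
    return (jacobi(x, n) + 1) // 2 if scheme == "jacobi" else parity_bit(dedekind_sum(x, n))

def encrypt(m, n, scheme):
    """[C, b_0, b_1] for a message m in Z_N^*."""
    if not (0 < m < n and gcd(m, n) == 1):
        raise ValueError("message must be a unit modulo N")
    return [m * m % n, m % 2, identify_bit(m, n, scheme)]

def decrypt(ciphertext, p, q, scheme):
    """Keep the two roots of parity b_0, then the one whose bit equals b_1 (Lemma (C))."""
    c, b0, b1 = ciphertext
    same_parity = [z for z in four_roots(c, p, q) if z % 2 == b0]
    matches = [z for z in same_parity if identify_bit(z, p * q, scheme) == b1]
    if len(same_parity) != 2 or len(matches) != 1:
        raise ValueError("root identification failed")
    return matches[0]

def lemma_a_holds(c, p, q):
    """Lemma (A): x_1, x_4 have different parity, and so do x_2, x_3."""
    x1, x2, x3, x4 = four_roots(c, p, q)
    return x1 % 2 != x4 % 2 and x2 % 2 != x3 % 2

def recursion_matches_definition(max_k=40):
    """Cross-check the reciprocity recursion against the sawtooth definition for small (h, k)."""
    return all(dedekind_sum(h, k) == dedekind_sum_direct(h, k)
               for k in range(1, max_k) for h in range(1, k + 1) if gcd(h, k) == 1)

def roundtrip_all(scheme, p=P, q=Q):
    """True iff every unit m mod pq is recovered, and Lemma (A) holds for every m^2."""
    return all(decrypt(encrypt(m, p * q, scheme), p, q, scheme) == m and lemma_a_holds(m * m % (p * q), p, q)
               for m in range(1, p * q) if gcd(m, p * q) == 1)

if __name__ == "__main__":
    for scheme in ("jacobi", "dedekind"):
        ct = encrypt(521, N, scheme)          # 521 is a constructed sample message
        print(scheme, ct, "->", decrypt(ct, P, Q, scheme))
```

`parity_bit` is only well defined because N ≡ 1 mod 4 makes the denominator odd (Lemma (B)); for any other modulus it raises. By property 4, for odd N the residue of 12 N s(m, N) mod 8 is fixed by the Jacobi symbol (m/N), so the parity of s(m, N) carries the same information as the Jacobi bit, which is why Lemma (C) mirrors the Jacobi-symbol case. Nothing in [C, b_0, b_1] authenticates the two bits: flipping b_1 makes `decrypt` return the other candidate root without any error, which is the active-attack point raised in the conclusions, so a deployment would have to bind the bits to C (for instance with a MAC under a separate key) before relying on them.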
Root identification for every pair of primes
List. One way to get $b_1$ is to publish a pre-computed binary list that has in position i the bit $b_1$ pertaining to the message $m = i$. The list makes the task theoretically feasible, although its size is of exponential complexity with respect to N and thus practically unrealizable.
Residuacity. For primes congruent to 1 modulo 4, Legendre symbols cannot distinguish numbers of opposite sign. Higher power residue symbols could in principle work, but their use unveils the factorization of N.
Polynomial. Choosing a prime $P > N$, the polynomial
$L(x) = \sum_{j=1}^{N-1} \left(1 - (x - j)^{P-1}\right)\left[(j \bmod p) + (j \bmod q) \bmod 2\right]$
distinguishes the roots, but its complexity is prohibitive.
Group isomorphism. Use a function $\chi$ from $\mathbb{Z}_N$ into a finite group G. The limitation of this scheme is that $\chi$ must be a one-way function.
Rabin signature
The Rabin scheme may also be used to sign a message m:
- Let S be any root of $x^2 = m \bmod N$. The signature is the pair [m, S].
- If the quadratic equation is not solvable, a random padding factor U is used until $x^2 = mU \bmod N$ can be solved. The signature is the triple [m, U, S].
We propose a Rabin signature that makes use of a deterministic padding factor.
Rabin signature
Public key: [N]
Signed message: [U, m, S], where
$U = R^2 (f_1\psi_1 + f_2\psi_2) \bmod N$ is the padding factor, with R a random number and
$f_1 = \left(\frac{m}{p}\right)$, $f_2 = \left(\frac{m}{q}\right)$;
S is any solution of the equation $x^2 = mU \bmod N$.
Verification: compute $mU \bmod N$ and $S^2 \bmod N$; the signature is valid if and only if these two numbers are equal.
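The signature with the deterministic padding factor of this slide, as an added Python example that is not the authors' code. It assumes Blum primes (p, q ≡ 3 mod 4, as on the encryption slides) with the constructed toy values P = 23, Q = 31, takes f_1, f_2 as Legendre symbols via Euler's criterion, draws R coprime to N (an assumption the slide does not spell out), and builds S directly from the square roots of mU modulo p and q through the CRT; the function names are its own.

```python
import secrets
from math import gcd

# Constructed toy key: Blum primes p, q = 3 mod 4, as on the encryption slides; real ones are far larger.
P, Q = 23, 31
N = P * Q

def legendre(a, p):
    """(a/p) for an odd prime p, by Euler's criterion (a is a unit here, so never 0)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def crt(a_p, a_q, p, q):
    """x = a_p psi_1 + a_q psi_2 mod pq, psi_1 = 1 mod p, 0 mod q and psi_2 = 0 mod p, 1 mod q."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % (p * q)

def padding_factor(m, p, q, r):
    """U = R^2 (f_1 psi_1 + f_2 psi_2) mod N with f_1 = (m/p), f_2 = (m/q), as on the slide."""
    f1, f2 = legendre(m, p), legendre(m, q)
    return r * r * crt(f1 % p, f2 % q, p, q) % (p * q)

def sign(m, p, q, r=None):
    """[U, m, S]: S is a square root of mU mod N, found in one shot (no retry loop over U)."""
    n = p * q
    if not (0 < m < n and gcd(m, n) == 1):
        raise ValueError("message must be a unit modulo N")
    while r is None or gcd(r, n) != 1:    # assumption: R is drawn coprime to N
        r = secrets.randbelow(n)
    u = padding_factor(m, p, q, r)
    t = m * u % n
    s_p, s_q = pow(t, (p + 1) // 4, p), pow(t, (q + 1) // 4, q)
    if s_p * s_p % p != t % p or s_q * s_q % q != t % q:
        raise ValueError("mU is not a square modulo N: p and q must be 3 mod 4")
    return [u, m, crt(s_p, s_q, p, q)]

def verify(signed, n):
    """Public check of the slide: mU mod N equals S^2 mod N."""
    u, m, s = signed
    return s * s % n == m * u % n

def all_units_sign_ok(p=P, q=Q, r=7):
    """True iff every unit m mod pq signs with the fixed padding R = 7 and verifies."""
    return all(verify(sign(m, p, q, r), p * q) for m in range(1, p * q) if gcd(m, p * q) == 1)

if __name__ == "__main__":
    signed = sign(521, P, Q)                  # 521 is a constructed sample message
    print(signed, verify(signed, N))
```

Why no retry is needed: modulo p the target is $mU \equiv m R^2 f_1$, and $(m f_1 / p) = f_1 \cdot (f_1 / p)$, which equals 1 both when $f_1 = 1$ and when $f_1 = -1$ (because $(-1/p) = -1$ for $p \equiv 3 \bmod 4$); the same holds modulo q, so mU is always a square and `sign` never loops. A verifier only needs N, m, U and S; changing m after signing breaks the equality `verify` checks, since U is a unit.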
Conclusions
1. The root identification requires the delivery of additional information, which may not be easily computed, especially when not both primes are Blum primes;
2. the delivery of two bits together with the encrypted message exposes the process to active attacks by maliciously modifying these bits;
3. the Rabin scheme may come with some hindrance when used to conceal a message;
4. the Rabin scheme seems effective when applied to generate electronic signatures.
Thank you for your attention