The RSA and Rabin cryptosystems - Mathematics of Public Key Cryptography

Cryptography Reference

In-Depth Information

Give a reduction from STRONG-RSA to RSA. This shows that the STRONG-RSA problem

is not harder than the RSA problem. 5

Exercise 24.1.17 Let N

pq be an RSA modulus. Let A be an oracle that takes as input

an integer a and returns a (mod ϕ ( N )). Show how to use A to factor N .

Exercise 24.1.18 Consider the following variant of RSA encryption. Alice has a public key

N and two public exponents e 1 ,e 2 such that e 1 =

e 2 and gcd( e i ,λ ( N ))

1for i

1 , 2. To

m e 1

m e 2

encrypt to Alice one is supposed to send c 1 =

(mod N ) and c 2 =

(mod N ). Show

that if gcd( e 1 ,e 2 )

1 then an attacker can determine the message given the public key and

a ciphertext ( c 1 , c 2 ).

Exercise 24.1.19 Consider the following signature scheme based on RSA. The public key is

an integer N

Theprivatekeyistheinverseof e modulo λ ( N ) as usual. Let H be a collision-resistant

hash function. The signature on a message m is an integer s such that

pq , an integer e coprime to λ ( N ) and an integer a such that gcd( a,N )

s e

a H ( m )

≡

(mod N )

where H ( m ) is interpreted as an integer. Explain how the signer can generate signatures

efficiently. Find a known message attack on this system that allows an adversary to make

selective forgery of signatures.

24.2 The textbook Rabin cryptosystem

The textbook Rabin cryptosystem [ 444 ]isgiveninBox 24.2 . Rabin is essentially RSA

with the optimal choice of e , namely e

2. 6 As we will see, the security of Rabin is more

closely related to factoring than RSA. We first have to deal with the problem that if N

where p and q are distinct primes then squaring is a four-to-one map (in general) so it is

necessary to have a rule to choose the correct solution in decryption.

Lemma 24.2.1 Suppose p and q are primes such that p

≡

3(mod4) . Let N

and 1 <x<Nbe such that ( N )

1 . Then either x or N

−

x is a square modulo N.

Exercise 24.2.2 Prove Lemma 24.2.1 .

Definition 24.2.3 Let p

≡

3 (mod 4) be primes. Then N

pq is called a Blum

integer .

Note that, as with RSA, the value m in encryption is actually a symmetric key (passed

through a padding scheme) while in signing it is a hash of the message. The choice

The word “strong” is supposed to indicate that the assumption that STRONG-RSA is hard is a stronger assumption than the

assumption that RSA is hard. Of course, the computational problem is weaker than RSA, in the sense that it might be easier to

solve STRONG-RSA than RSA.

The original paper [ 444 ] proposed encryption as E N,b ( x ) = x ( x + b )(mod N ) for some integer b . However, there is a gain in

efficiency with no loss of security by taking b = 0.

Mathematics of Public Key Cryptography

Search WWH ::

Custom Search

Home