Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!uwvax!uwmacc!uwmcsd1!leah!itsgw!spencert
From: spencert@itsgw.RPI.EDU (Thomas Spencer)
Newsgroups: sci.crypt
Subject: Re: non-RSA public-key encryption systems
Message-ID: <651@itsgw.RPI.EDU>
Date: Thu, 16-Jul-87 17:04:10 EDT
Article-I.D.: itsgw.651
Posted: Thu Jul 16 17:04:10 1987
Date-Received: Sat, 18-Jul-87 08:34:49 EDT
References: <8248@utzoo.UUCP> <8457@linus.UUCP> <498@cernvax.UUCP>
Reply-To: spencert@itsgw.rpi.edu (Thomas Spencer)
Distribution: world
Organization: RPI Info Tech Services - Troy, NY
Lines: 40

> In article <8457@linus.UUCP> bs@linus.UUCP (Robert D. Silverman) writes:
[Henry Spencer's request for a good public-key crypto-system deleted]
>What about Michael Rabin's scheme? It is possibly more secure than RSA
>since Rabin proves it to be as intractable as factorization. Like RSA,
>the scheme involves a number n=p*q, a product of two large primes, but
>encryption and decryption functions are different. Also, they are a lot
>faster to compute.
>The scheme is described in MIT note MIT/LCS/TR-212 of January 1979.
>
>In fact, Rabin's scheme seems to be a clear winner over RSA, and I haven't
>heard of anybody finding flaws in it or applying for a patent. Does anybody
>have more information?
>
>Michael Kharitonov
>misha@cernvax.bitnet

As you probably know, Rabin's scheme is just like RSA except that it uses
the exponent 2, instead of some exponent relatively prime to (p-1)(q-1).
Thus, it may be covered by the RSA patent. Get a lawyer to read the RSA
patent, if you plan to do anything serious with the system.

The proof that breaking this scheme is equivalent to factoring points out
a fatal weakness of the system if it is used as a signature system. If we
assume that the adversary can force you to sign arbitrary messages, he can
easily break the system as follows:

1. He picks a random number x.
2. He computes x^2.
3. He makes you sign x^2 to obtain y.
4. With probability 1/2, y is neither x nor -x (mod n).
5. If so, x+y is a multiple of p or q and factoring n is now easy.

I hope that this helps.

-Tom Spencer
spencert@cs.rpi.edu
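The five-step argument in the post, worked through on a toy key as an added illustration (this is not code from the post or from Rabin's report): a Rabin signer built from two constructed small primes p, q ≡ 3 (mod 4) acts as a square-root oracle, and a gcd on x+y recovers a prime factor once the returned root differs from ±x. The prime values, the CRT root extraction and the function names are my own choices.

```python
import math
import random

# Constructed toy parameters: both primes are 3 (mod 4), the usual Rabin key
# shape, so a square root mod each prime is a single modular exponentiation.
P, Q = 10007, 10039
N = P * Q

def sqrt_mod_prime(a, p):
    # For p ≡ 3 (mod 4), a^((p+1)/4) is a square root of a whenever a is a
    # quadratic residue mod p.
    return pow(a, (p + 1) // 4, p)

def rabin_sign(m, p, q):
    """Signer's side: return one of the four square roots of m modulo n=p*q,
    or None if m is not a square modulo both primes."""
    n = p * q
    rp, rq = sqrt_mod_prime(m % p, p), sqrt_mod_prime(m % q, q)
    if (rp * rp) % p != m % p or (rq * rq) % q != m % q:
        return None
    # The signer picks one of the four roots at random; it cannot tell which
    # root the requester already holds.
    rp = random.choice([rp, p - rp])
    rq = random.choice([rq, q - rq])
    # CRT combine: y ≡ rp (mod p), y ≡ rq (mod q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

def factor_from_roots(x, y, n):
    """Step 5: if x^2 ≡ y^2 (mod n) but y is neither x nor -x, then
    (x-y)(x+y) ≡ 0 (mod n) with neither factor ≡ 0, so gcd(x+y, n) is p or q."""
    if y in (x, (-x) % n):
        return None
    g = math.gcd(x + y, n)
    return g if 1 < g < n else None

def chosen_message_factor(n, sign_oracle, trials=64):
    """Steps 1-4: pick random x, have x^2 signed, and test the returned root.
    Each trial succeeds with probability 1/2, so a handful of tries suffices.
    Returns (factor, trials_used) or (None, trials) if all attempts fail."""
    for t in range(1, trials + 1):
        x = random.randrange(2, n)
        y = sign_oracle(pow(x, 2, n))
        f = factor_from_roots(x, y, n)
        if f is not None:
            return f, t
    return None, trials
```

The defensive reading is that a Rabin private key must never act as a raw square-root oracle: signing only a hashed and formatted digest, rather than a message value the requester chose, denies the requester a square whose root it already knows.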