Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!uwvax!uwmacc!uwmcsd1!leah!itsgw!spencert
From: spencert@itsgw.RPI.EDU (Thomas Spencer)
Newsgroups: sci.crypt
Subject: Re: non-RSA public-key encryption systems
Message-ID: <651@itsgw.RPI.EDU>
Date: Thu, 16-Jul-87 17:04:10 EDT
Article-I.D.: itsgw.651
Posted: Thu Jul 16 17:04:10 1987
Date-Received: Sat, 18-Jul-87 08:34:49 EDT
References: <8248@utzoo.UUCP> <8457@linus.UUCP> <498@cernvax.UUCP>
Reply-To: spencert@itsgw.rpi.edu (Thomas Spencer)
Distribution: world
Organization: RPI Info Tech Services - Troy, NY
Lines: 40


> In article <8457@linus.UUCP> bs@linus.UUCP (Robert D. Silverman) writes:

[Henry Spencer's request for a good public-key crypto-system deleted]

>What about Michael Rabin's scheme? It is possibly more secure than RSA
>since Rabin proves it to be as intractable as factorization. Like RSA,
>the scheme involves a number n=p*q, a product of two large primes, but
>encryption and decryption functions are different. Also, they are a lot 
>faster to compute. 
>The scheme is described in MIT note MIT/LCS/TR-212 of January 1979.
>
>In fact, Rabin's scheme seems to be a clear winner over RSA, and I haven't 
>heard of anybody finding flaws in it or applying for a patent. Anybody has
>more information?
>
>Michael Kharitonov
>misha@cernvax.bitnet

As you probably know, Rabin's scheme is just like RSA except that it
uses the exponent 2, instead of some exponent relatively prime to
(p-1)(q-1).  Thus, it may be covered by the RSA patent.  Get a lawyer
to read the RSA patent, if you plan to do anything serious with the
system. 

The proof that breaking this scheme is equivalent to factoring points
out a fatal weakness of the system if it is used as a signature system.
If we assume that the adversary can force you to sign arbitrary messages,
he can easily break the system as follows:
      1. He picks a random number x.
      2. He computes x^2.
      3. He makes you sign x^2 to obtain y.
      4. With probability 1/2 y is neither x nor -x (mod n).
      5. If so x+y is a multiple of p or q and factoring n is now easy.
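A worked example of both points above, added here and not part of Tom Spencer's post: Rabin encryption as squaring mod n with decryption by computing the four square roots via the Chinese remainder theorem, and the five-step chosen-message attack against a signer that hands back raw square roots. It assumes p ≡ q ≡ 3 (mod 4), the standard Rabin choice that the post does not state, and uses constructed toy primes; all function names are mine. The practical lesson for anyone building on such a scheme is that the signer must never take a square root of a value the other party controls; real signature systems sign a hashed and padded digest for exactly this reason.

```python
# Added worked example (not from the original post): Rabin squaring as
# encryption/decryption, and the chosen-message attack on a naive Rabin
# signing oracle described in the post. All parameters are constructed toys.
from math import gcd
import random


def rabin_sqrt(c, p, q):
    """Return the four square roots of c modulo n = p*q, sorted.

    Assumes p and q are distinct primes with p ≡ q ≡ 3 (mod 4), the usual
    Rabin choice, so a root modulo each prime is c^((prime+1)/4).
    """
    n = p * q
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    inv_q_mod_p = pow(q, -1, p)          # q^-1 mod p
    inv_p_mod_q = pow(p, -1, q)          # p^-1 mod q
    roots = set()
    for sp in (rp, (-rp) % p):           # +/- root mod p
        for sq in (rq, (-rq) % q):       # +/- root mod q
            # CRT: combine a residue mod p with a residue mod q
            roots.add((sp * q * inv_q_mod_p + sq * p * inv_p_mod_q) % n)
    return sorted(roots)


def rabin_encrypt(m, n):
    """Rabin encryption is RSA with exponent 2: c = m^2 mod n."""
    return m * m % n


def rabin_decrypt(c, p, q):
    """Decryption yields four candidates; a real system needs redundancy
    in m (padding) to tell which of the four was actually sent."""
    return rabin_sqrt(c, p, q)


def naive_sign(msg, p, q):
    """The dangerous signing oracle from the post: returns one square root
    of msg mod n, here deterministically the smallest of the four."""
    return rabin_sqrt(msg % (p * q), p, q)[0]


def factor_from_root(x, y, n):
    """Step 5 of the post: if y^2 ≡ x^2 but y ≠ ±x (mod n), then
    (x - y)(x + y) ≡ 0 (mod n) with neither factor ≡ 0, so gcd(x + y, n)
    is a nontrivial factor. Returns that factor, or None if y = ±x."""
    if y == x % n or y == (-x) % n:
        return None
    return gcd(x + y, n)


def recover_factors(n, sign_oracle, seed=1, max_queries=64):
    """Steps 1-4 of the post: have the oracle sign x^2 for random x until
    the returned root is not ±x (each try succeeds with probability 1/2).
    Returns (p, q) with p < q, or None if every query was unlucky."""
    rng = random.Random(seed)
    for _ in range(max_queries):
        x = rng.randrange(2, n - 1)      # step 1
        g = gcd(x, n)
        if g != 1:                       # x already shares a factor with n
            return tuple(sorted((g, n // g)))
        y = sign_oracle(x * x % n)       # steps 2-3: signature on x^2
        f = factor_from_root(x, y, n)    # steps 4-5
        if f is not None:
            return tuple(sorted((f, n // f)))
    return None


if __name__ == "__main__":
    # Constructed toy parameters; primes this small are for illustration only.
    p, q = 499, 503                      # both ≡ 3 (mod 4)
    n = p * q
    print("roots of 4 mod 209:", rabin_sqrt(4, 11, 19))
    print("recovered factors of", n, ":", recover_factors(n, lambda m: naive_sign(m, p, q)))
```

With n = 11 * 19 = 209, the square roots of 4 are 2, 97, 112 and 207; a signer that returns the smallest root gives y = 2 for x = 97, and gcd(97 + 2, 209) = 11 recovers a factor in a single query, exactly as step 5 describes.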

I hope that this helps.

                                -Tom Spencer
                                 spencert@cs.rpi.edu