# Rabin vs. RSA/ElGamal

Hello NG,

You know RSA and ElGamal and their shortcomings, e.g. their poor speed.
Now there is Rabin's pubkey encryption scheme, which is based on the
difficulty of finding square roots in a finite field with a composite
modulus. The public key is some blum integer n and the private key is
its factorization p*q. The ciphertext is the square of the plaintext.
The plaintext can be recovered by calculating the four square roots and
selecting the 'right' one.

The problem of deriving the plaintext from the ciphertext is provably
equivalent to the problem of determining n's factorization. There is a
chosen ciphertext attack, but you can easily overcome that risk.

Both the encryption and the decryption in Rabin's scheme are a lot
faster than in RSA and ElGamal. My question: How come that everyone
still uses ElGamal or RSA? You can turn Rabin's encryption method into
a signature scheme easily, so RSA/ElGamal don't actually provide any
more functionality.

Regards.
.

## Relevant Pages

• Naive encryption schemes
... One of the first encryption schemes most students and even ... software professionals think of is to apply a stream of psuedorandom ... to the plaintext. ... Why is this a naive scheme? ...
(sci.crypt)
• Re: Rabin vs. RSA/ElGamal
... You know RSA and ElGamal and their shortcomings, ... Now there is Rabin's pubkey encryption scheme, ... of elliptic curve is that the best algorithms known to break it are ...
(sci.crypt)
• Re: Order question
... SECRET exponent e: ... The difference with RSA is that the order of the multiplicative group is ... and it is therefore a symmetric encryption system. ... the plaintext is in the subgroup of order q or not, ...
(sci.crypt)
• Re: Rabin vs. RSA/ElGamal
... You know RSA and ElGamal and their shortcomings, ... Now there is Rabin's pubkey encryption scheme, ... Rabin is not deterministic and you can't easily sign with it. ...
(sci.crypt)
• [long] C code of PEARL1, a block encryption algorithm emphasising simplicity
... (cf. "A plead for simple encryption ... It uses a combined PRNG (cf. "A simple scheme ... // allocates 64 bits to unsigned long int. ...
(sci.crypt)