Re: Rabin vs. RSA/ElGamal
- From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
- Date: Sun, 5 Mar 2006 23:54:37 +0000 (UTC)
Mike Amling wrote:
> I'm quite hazy on this, but isn't Rabin susceptible to a kind of
> chosen ciphertext attack in that if I can get you to extract square
> roots for me modulo your modulus, I can factor your modulus?

Depends how you use it. If you use "raw Rabin" (e.g., without hashing or
proper padding), then yes, it is insecure. But then, so is "raw RSA".
So this is not an advantage or disadvantage of RSA; it is just a fact
that no matter which public-key encryption scheme you use, you have to
apply hashing, padding, or some other mechanism to turn a raw trapdoor
permutation into a full-blown public-key encryption scheme.

Many textbooks are thoroughly confused on this point, because they fail
to distinguish between a primitive (a trapdoor permutation, like squaring
or cubing modulo N -- a building block, not something it makes sense to
use on its own) vs a public-key encryption scheme (something that does
make sense to use on its own, and that provides the security goals that
you'd expect an application to need).
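
The square-root oracle asked about above, next to a decryption routine that checks redundancy before releasing anything, as an added example that is not part of the original post. The toy primes, the 8-bit message and the 30-bit hash tag are assumptions made here; the tag only stands in for a real padding scheme and is not one.

```python
import hashlib
from math import gcd

# Constructed toy key: both primes are 3 mod 4; far too small for real use.
P, Q = 999983, 1000003
N = P * Q
TAG_BITS = 30  # redundancy appended to an 8-bit message (assumption of this sketch)

def roots(c):
    """All four square roots of c mod N, computed with the private factors."""
    rp, rq = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)
    cp, cq = Q * pow(Q, -1, P), P * pow(P, -1, Q)  # CRT coefficients
    return [(sp * cp + sq * cq) % N for sp in (rp, P - rp) for sq in (rq, Q - rq)]

def raw_oracle(c):
    """'Raw Rabin' decryption: hands back a square root of anything."""
    return roots(c)[0]

def tag(m):
    digest = hashlib.sha256(m.to_bytes(1, "big")).digest()
    return int.from_bytes(digest, "big") % (1 << TAG_BITS)

def encrypt(m):
    """Square the encoded value m || tag(m); only N is needed."""
    return pow((m << TAG_BITS) | tag(m), 2, N)

def checked_oracle(c):
    """Decrypt, but release output only if a root carries valid redundancy."""
    for r in roots(c):
        m = r >> TAG_BITS
        if m < 256 and r == (m << TAG_BITS) | tag(m):
            return m
    return None

def factor_via(oracle, tries=64):
    """Caller's view: submit x^2, compare the answer with x, take a gcd."""
    for x in range(2, 2 + tries):
        y = oracle(x * x % N)
        if y is not None and 1 < gcd(x - y, N) < N:
            return gcd(x - y, N)
    return None

if __name__ == "__main__":
    print("raw oracle leaks factor:", factor_via(raw_oracle))
    print("checked oracle leaks factor:", factor_via(checked_oracle))
    print("round trip:", checked_oracle(encrypt(42)))
```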