Rabin cryptosystem

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.^[1]^[2]

The Rabin trapdoor function has the advantage that inverting it has been mathematically proven to be as hard as factoring integers, while there is no such proof known for the RSA trapdoor function. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext. Naive attempts to work around this often either enable a chosen-ciphertext attack to recover the secret key or, by encoding redundancy in the plaintext space, invalidate the proof of security relative to factoring.^[1]

Public-key encryption schemes based on the Rabin trapdoor function are used mainly for examples in textbooks. In contrast, RSA is the basis of standard public-key encryption schemes such as RSAES-PKCS1-v1_5 and RSAES-OAEP that are used widely in practice.

^ ^a ^b Galbraith, Steven D. (2012). "§24.2: The textbook Rabin cryptosystem". Mathematics of Public Key Cryptography. Cambridge University Press. pp. 491–494. ISBN 978-1-10701392-6.
^ Bellare, Mihir; Goldwasser, Shafi (July 2008). "§2.3.4 The Squaring Trapdoor Function Candidate by Rabin". Lecture Notes on Cryptography (PDF). pp. 29–32.

[galbraith2012mathpkc-1] Galbraith, Steven D. (2012). "§24.2: The textbook Rabin cryptosystem". Mathematics of Public Key Cryptography. Cambridge University Press. pp. 491–494. ISBN 978-1-10701392-6.

[bellare-goldwasser-rabin-trapdoor-2] Bellare, Mihir; Goldwasser, Shafi (July 2008). "§2.3.4 The Squaring Trapdoor Function Candidate by Rabin". Lecture Notes on Cryptography (PDF). pp. 29–32.

[1]

[2]