The Rabin cryptosystem revisited

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The Rabin public-key cryptosystem is revisited with a focus on the problem of identifying the encrypted message unambiguously for any pair of primes. In particular, a deterministic scheme using quartic reciprocity is described that works for primes congruent to 5 modulo 8, a case that was still open. Both theoretical and practical solutions are presented. The Rabin signature is also reconsidered and a deterministic padding mechanism is proposed.


💡 Research Summary

The paper revisits the Rabin public-key cryptosystem, focusing on the long-standing problem of uniquely identifying the original plaintext among the four square-root candidates that arise during decryption. While the original Rabin scheme (ciphertext C = m² mod N, N = p·q) is computationally attractive because the encryption exponent is 2, decryption requires solving x² ≡ C (mod N), which yields four solutions. To obtain a deterministic decryption, at least two extra bits must be transmitted together with the ciphertext.

For the classic case where both primes are Blum primes (p ≡ q ≡ 3 (mod 4)), the authors review several known solutions. Williams' method adds a public parameter S with Jacobi symbol (S|N) = −1 and transmits two bits: a parity bit and a Jacobi-symbol-derived bit. Two simplified variants are presented: one that uses only the parity bit and the Jacobi symbol of the candidate roots, and another that embeds all necessary information in the ciphertext by means of an auxiliary public value ξ whose Jacobi symbols differ on the two primes. The paper then introduces a novel identification technique based on Dedekind sums: the second bit is taken as s(m,N) mod 2, where s(·,·) is the classical Dedekind sum. Because 12N·s(m,N) ≡ N+1−2·(m|N) (mod 8), this bit carries exactly the same information as the Jacobi symbol but requires no extra public key material.
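The parity-plus-Jacobi identification for Blum primes can be sketched as follows. This is an added example, not code from the paper: the function names and the toy primes are assumptions made here, and it implements one reading of that variant (bit b0 = m mod 2, bit b1 = (1 + (m|N))/2) for messages coprime to N.

```python
# Added example (not from the paper): Rabin with two identification bits.
P, Q = 499, 547          # constructed toy Blum primes, both 3 mod 4

def jacobi(a, n):
    """Jacobi symbol (a|n) for odd n > 0, by the binary reciprocity algorithm."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of 2: (2|n) = -1 iff n = 3,5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity swap
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def encrypt(m, N):
    """Return (C, b0, b1): ciphertext, parity bit and Jacobi bit of m."""
    j = jacobi(m, N)
    if j == 0:
        raise ValueError("message must be coprime to N")
    return pow(m, 2, N), m % 2, (1 + j) // 2

def square_roots(C, p, q):
    """The four roots of x^2 = C (mod p*q) for Blum primes p and q."""
    rp = pow(C, (p + 1) // 4, p)     # root mod p, valid because p = 3 mod 4
    rq = pow(C, (q + 1) // 4, q)
    ep = q * pow(q, -1, p)           # CRT idempotents: ep = 1 mod p, 0 mod q
    eq = p * pow(p, -1, q)
    return sorted({(sp * rp * ep + sq * rq * eq) % (p * q)
                   for sp in (1, -1) for sq in (1, -1)})

def decrypt(C, b0, b1, p, q):
    """Select the unique root whose parity and Jacobi symbol match the two bits."""
    N = p * q
    # x and N - x share a Jacobi symbol (since (-1|N) = +1) but differ in parity;
    # the other pair of roots has the opposite Jacobi symbol.
    hits = [x for x in square_roots(C, p, q)
            if x % 2 == b0 and (1 + jacobi(x, N)) // 2 == b1]
    if len(hits) != 1:
        raise ValueError("identification bits do not select a unique root")
    return hits[0]
```

The bits b0 and b1 travel in the clear next to C, so this sketch shows only how the receiver picks the right root, with no padding or integrity protection.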

The core contribution is a deterministic identification scheme that works for any pair of odd primes, including the previously unresolved case where one prime is congruent to 5 (mod 8). The authors exploit quartic reciprocity in the Gaussian integer ring ℤ

