[Cryptography] "‘The intelligence coup of the century’"

Jon Callas jon at callas.org
Thu Feb 13 14:35:41 EST 2020



> On Feb 12, 2020, at 5:09 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> 
> The Rabin cryptosystem is listed on wikipedia. I don't understand the
> math behind it particularly well, but "the Rabin cryptosystem has the
> advantage that it has been mathematically proven to be computationally
> secure against a chosen-plaintext attack as long as the attacker
> cannot efficiently factor integers, while there is no such proof known
> for RSA."

Oversimplifying slightly, Rabin is like RSA but where p == q, meaning that it's p^2 rather than p*q.

All of our public-key cryptosystems have had growing pains that I'll call engineering considerations. The math hasn't changed at a math level, but at a security level, it's not quite as simple as the math. With RSA, for example, it took us years to figure out padding, and once we figured out padding, there were more years to get it right. (Look at the OAEP history.) There are DH issues with picking a generator (e.g. 2 is a great generator for encryption, but not signing). With ECC, we learned that the math done mod p is secure in a way that the math done mod p^n is not. In plainer language, it would be really nice to do a "binary" curve, where we use normal binary bignums as opposed to mod some prime that's really close to some 2^n. NTRU went through lots of iterations before we thought we had it right, and this grander issue pervades a lot of post-quantum work and is why cautious steps into hybrid schemes are a good idea.

By the time the fiddly bits in Rabin got sorted out, RSA was dominant. Zix email encryption used Rabin at one time and might even still.

	Jon
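The Rabin scheme discussed in the thread, as an added worked example (not code from the post or its author): textbook Rabin over n = p*q with p, q ≡ 3 (mod 4), showing the four square roots a decryptor recovers and the gcd step that ties root-finding to factoring, which is why deployed variants need padding or redundancy to pick out a single root safely. The primes and message are constructed small values for illustration.

```python
# Added example, not from the mailing-list post: textbook Rabin encryption
# over n = p*q with p, q ≡ 3 (mod 4). Requires Python 3.8+ for pow(x, -1, m).
from math import gcd


def rabin_keygen(p, q):
    # Both primes must be 3 mod 4 so each square root is one exponentiation.
    assert p % 4 == 3 and q % 4 == 3
    return p * q, (p, q)


def rabin_encrypt(n, m):
    # Public operation: c = m^2 mod n (no padding, as in the textbook scheme).
    return pow(m, 2, n)


def rabin_decrypt(priv, c):
    # Returns all four square roots of c modulo n; the real plaintext is one of
    # them, and without redundancy in m the decryptor cannot tell which.
    p, q = priv
    n = p * q
    mp = pow(c, (p + 1) // 4, p)   # root of c modulo p
    mq = pow(c, (q + 1) // 4, q)   # root of c modulo q
    yp = pow(p, -1, q)             # CRT coefficients
    yq = pow(q, -1, p)
    r1 = (yp * p * mq + yq * q * mp) % n   # (+mp, +mq)
    r3 = (yp * p * mq - yq * q * mp) % n   # (-mp, +mq)
    return sorted({r1, n - r1, r3, n - r3})


def factor_from_roots(n, x, y):
    # If x^2 ≡ y^2 (mod n) but x ≠ ±y (mod n), gcd(x - y, n) is a proper factor.
    # This is the factoring equivalence behind the security proof, and also why a
    # decryptor that returns an arbitrary root leaks the private key.
    f = gcd(x - y, n)
    if 1 < f < n:
        return tuple(sorted((f, n // f)))
    return None


if __name__ == "__main__":
    n, priv = rabin_keygen(7, 11)           # constructed toy key, n = 77
    c = rabin_encrypt(n, 20)
    roots = rabin_decrypt(priv, c)
    print("ciphertext", c, "roots", roots)  # 20 is among the four roots
    print("factors", factor_from_roots(n, roots[1], roots[3]))
```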



