RSA+: An RSA variant

Soeren Kleine; Andreas Nickel; Torben Ritter; Krishnan Shankar

RSA+: An RSA variant

Soeren Kleine, Andreas Nickel, Torben Ritter, Krishnan Shankar

TL;DR

RSA+ proposes a probabilistic public-key cryptosystem that blends RSA and Rabin by encrypting with $c = m^x mod n$ and embedding $y = x^2 mod n$, then decrypting via the four square roots of $y$ modulo $n$ and inverting modulo $φ(n)$ to recover the message. The approach aims to combine Rabin's hard security (factoring) with RSA's practicality, yielding at most two candidate plaintexts in decryption and enabling a security relationship where breaking RSA+ is at least as hard as breaking RSA (and potentially closer to factoring than RSA alone). The authors provide a practical, faster RSA+ variant by selecting $x$ as $x = l_0 l_1^k$ with a large random $l_0$ and a small public prime $l_1$, achieving speedups of an order of magnitude over naive RSA+ and bringing slowdown relative to RSA down to a factor of about 2–3. They also analyze the number of possible decryptions, showing that decryption often yields a single plaintext, with a heuristic probability and empirical validation; overall, RSA+ offers a compelling trade-off between security and efficiency compared to the classic RSA and Rabin schemes, with clear guidance on parameter choices and potential vulnerabilities to factorization if multiple decryptions are exploited.

Abstract

We introduce a new probabilistic public-key cryptosystem which combines the main ingredients of the well-known RSA and Rabin cryptosystems. We investigate the security and performance of our new scheme in comparison to the other two.

RSA+: An RSA variant

TL;DR

RSA+ proposes a probabilistic public-key cryptosystem that blends RSA and Rabin by encrypting with

and embedding

, then decrypting via the four square roots of

modulo

and inverting modulo

to recover the message. The approach aims to combine Rabin's hard security (factoring) with RSA's practicality, yielding at most two candidate plaintexts in decryption and enabling a security relationship where breaking RSA+ is at least as hard as breaking RSA (and potentially closer to factoring than RSA alone). The authors provide a practical, faster RSA+ variant by selecting

with a large random

and a small public prime

, achieving speedups of an order of magnitude over naive RSA+ and bringing slowdown relative to RSA down to a factor of about 2–3. They also analyze the number of possible decryptions, showing that decryption often yields a single plaintext, with a heuristic probability and empirical validation; overall, RSA+ offers a compelling trade-off between security and efficiency compared to the classic RSA and Rabin schemes, with clear guidance on parameter choices and potential vulnerabilities to factorization if multiple decryptions are exploited.

Abstract

Paper Structure (13 sections, 5 theorems, 22 equations, 1 algorithm)

This paper contains 13 sections, 5 theorems, 22 equations, 1 algorithm.

The cryptosystems
(Textbook) RSA
Rabin
RSA+
Runtime analysis
A practical implementation
Runtime comparison
On the security of the RSA+ cryptosystem
Security definitions
On the security of RSA, Rabin and RSA+
On the number of possible clear texts output by the decryption function
Conclusion
Acknowledgments

Key Result

Lemma 1.4

Let ${p \equiv 3 \pmod{4}}$ be a prime, and let ${y \in (\mathbb{Z}/p\mathbb{Z})^\times}$ be a quadratic residue. Then the two square roots of $y$ modulo $p$ are

Theorems & Definitions (19)

Remark 1.1
Remark 1.2
Remark 1.3
Lemma 1.4
proof
Lemma 1.5
proof
Remark 2.1
Remark 3.1
Definition 3.2
...and 9 more

RSA+: An RSA variant

TL;DR

Abstract

RSA+: An RSA variant

Authors

TL;DR

Abstract

Table of Contents

Key Result

Theorems & Definitions (19)