Stronger Security Proofs for RSA and Rabin Bits

The RSA and Rabin encryption functions are respectively defined as E_N(x) = x^e mod N and E_N(x) = x^2 mod N, where N is a product of two large random primes p, q and e is relatively prime to φ(N). We present a much simpler and stronger proof of the result of ALEXI, CHOR, GOLDREICH and SCHNORR [ACGS88] that the following problems are equivalent by probabilistic polynomial time reductions: (1) given E_N(x), find x; (2) given E_N(x), predict the least-significant bit of x with success probability 1/2 + 1/poly(n), where N has n bits. The new proof consists of a more efficient algorithm for inverting the RSA/Rabin function with the help of an oracle that predicts the least-significant bit of x. It yields provable security guarantees for RSA message bits and for the RSA random number generator for moduli N of practical size.

[1]  Adi Shamir, et al.  A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[2]  Leonid A. Levin, et al.  A hard-core predicate for all one-way functions, 1989, STOC '89.

[3]  Oded Goldreich, et al.  RSA and Rabin Functions: Certain Parts are as Hard as the Whole, 1988, SIAM J. Comput.

[4]  Manuel Blum, et al.  A Simple Unpredictable Pseudo-Random Number Generator, 1986, SIAM J. Comput.

[5]  Silvio Micali, et al.  Why and how to establish a private code on a public network, 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[6]  Vijay V. Vazirani, et al.  Efficient and Secure Pseudo-Random Number Generation (Extended Abstract), 1984, FOCS.

[7]  Adi Shamir, et al.  The Discrete Logarithm Modulo a Composite Hides O(n) Bits, 1993, J. Comput. Syst. Sci.

[8]  Manuel Blum, et al.  How to generate cryptographically strong sequences of pseudo random bits, 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[9]  Andrew Chi-Chih Yao, et al.  Theory and application of trapdoor functions, 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[10]  M. Rabin.  Digitalized signatures and public-key functions as intractable as factorization, 1979.

[11]  H. Lenstra, et al.  Factoring integers with the number field sieve, 1993.

[12]  Adi Shamir, et al.  On the cryptographic security of single RSA bits, 1983, STOC '83.

[13]  R. Peralta.  On the distribution of quadratic residues and nonresidues modulo a prime number, 1992.

[14]  Jacques Stern, et al.  An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding, 1996, EUROCRYPT.