62 citations found.
Alexi, W., B Chor, O Goldreich, and C.P Schnorr, "RSA and Rabin Functions: Certain Parts Are As Hard As The Whole", SIAM Jour on Computing, Extended Abstract in Proc 25th FOCS, 1984.


This paper is cited in the following contexts:


Survey of Computational Assumptions Used in Cryptography Broken or.. - Zhu (2001)

....from Bob. Bob creates a digital signature s by exponentiating: s = m where d is Bob's private key. He sends m and s to Alice. To verify the signature, Alice exponentiates and checks that the message m is recovered: m = s where (n, e) is Bob's public key. The RSA pseudorandom bit generator [ACGS88] is based on the assumption that the RSAP is intractable. The generator first selects a random seed, x 0 , then computes the sequence x 1 , x 2 , x l by successively applying the RSA function. The An attack on RSA with short d is known from Wiener [Wie90] This attack will discover d ....

Werner Alexi, Benny Chor, Oded Goldreich, and Claus-P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194--209, April 1988.


Pseudo-Random Functions and Factoring - Naor, Reingold, Rosen (2000)   (1 citation)

....(least significant bit) hard core predicate. This generator has been originally proven secure assuming intractability of Quadratic Residuosity Problem in [5] and subsequently under the assumption that factoring Blum integers is hard (Assumption 4. 1) in [26] by adapting the techniques in [1]) Note also that it is the basis for the Blum Goldwasser public key encryption scheme [6] For simplicity of exposition , we choose to replace the LSB( Delta) hard core predicate with the Goldreich Levin B r ( Delta) The easy access problem arises when one notices that it is easy to access ....

.... the reconstruction of u Delta w by only asking queries which refer to u Delta w (i.e. u Delta w is fixed throughout the process, and only r changes from one query to another) As discussed in Section 6, a similar property is satisfied by the LSB based reconstruction techniques by Alexi et al. [1, 10]. See Section 6 for an analogous construction that uses the LSB predicate. Claim 5.6 Let a; g; u and w be defined as above, then B r (g ) B r (u Delta w) Proof: Using the above notations (and Claim 5.2) we have: p(2 Sigma Gamma( i Gammak) Delta v ....

[Article contains additional citation context not shown here]

W. B. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput., vol. 17(2), 1988, pp. 194-209.


Cryptographic Randomness - From Air Turbulence

....has three parts: a mathematical argument tracing our RNG's randomness to a formal definition of turbulence's unpredictability, a novel use of the FFT as an unbiasing algorithm, and a sanity check data analysis. I Introduction Secure PRNG design commonly rests on computational complexity [2, 5, 6, 13, 24], but none of the underlying problems has been proven to be hard. Specialized hardware can provide naturally random physical noise, but has disadvantages: dedicated devices tend to be expensive; natural noise tends to be biased and correlated; hardware failure can silently suppress randomness; and ....

W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr, "RSA and Rabin functions: certain parts are as hard as the whole," Proc. 25th IEEE Symp. on Foundations of Computer Science,


Physically Observable Cryptography - Micali, Reyzin (2003)   (7 citations)

.... with the notions of one way function [10] and permutation; of hardcore bits [7] with the fact that all one way functions have a Goldreich Levin hardcore bit [13] and with the notion of a natural hardcore bit (one that is simply a bit of the input, such as the last bit of the RSA input [3]) All this traditional material is more thoroughly summarized in Appendix C. It suffices, in fact, to reveal only the current state and the characters observed by the reading heads the adversary can infer the rest by observing the leakage at every step. 7 4.2 Physically Observable ....

W. Alexi, B. Chor, O. Goldreich, and C. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194--209, April 1988.


On the Existence of Bit Commitment Schemes and Zero-Knowledge.. - Damgård (1989)

....is a permutation of the quadratic residues modulo n, and is hard to invert, if factoring n is hard. In this case, Yao's Xor Theorem is not necessary to obtain a bit commitment scheme it is known that guessing the least significant bit of x from f(z) is polynomially equivalent to factoring n [ACGS]. 26 ....

Alexi, Chor, Goldreich, Schnorr: "RSA and Rabin Functions: Certain Parts are as Hard as the Whole" Siam J. Compt., vol.17, no.2, 1988, pp.194-209.


An Efficient Pseudo-Random Generator Provably as Secure as.. - Fischer, Stern (1996)   (4 citations)

....to the hypothesis that a pseudorandom generator exists [15, 10, 14] However, the theoretical constructions proposed in these articles are often impractical. Several schemes have been proposed which have a proven security , i.e. based on the difficulty of well known problems like factorization [21, 3, 1, 18] or the discrete logarithm [4, 16, 12] But these propositions suffer from a relatively slow computing rate (i.e. they need much computation per generated bit) For example, outputting a single bit for the BBS generator takes quadratic time, and cubic time for the RSA based generators. This can be ....

Alexi, W., Chor, B., Goldreich, O., Schnorr, C. P.: Rsa and rabin functions: certain parts are as hard as the whole. SIAM J. Computing 17 (1988) 194--209.


An Improved Pseudorandom Generator Based on Hardness of.. - Dedic, Reyzin, Vadhan (2002)   (1 citation)

....first generator based on the factoring assumption was proposed by Blum, Blum and Shub [BBS86] It iterated modular squaring with an n bit modulus, extracted one bit of output per iteration, and was originally proven secure based on the quadratic residuosity assumption. This was later improved by [ACGS88], who showed that only the factoring assumption is needed and that O(log n) bits could be extracted per iteration. Hastad, Schrift and Shamir [HSS93] demonstrated that discrete logarithm modulo a product of two primes hides n 2 O(log n) bits, based only on the factoring assumption. They ....

W. Alexi, B. Chor, O. Goldreich, and C. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-- 209, April 1988.


Further Results and Considerations on Side Channel Attacks on RSA - Klima, Rosa (2002)   (4 citations)

....representation of the message bit length. The length is 888 = 0x 00 00 00 00 00 00 03 78 bits in this case (64 2 17 = 111 octets) The SHA 1 compression function fills this last block into 32 bit variables W 0 , W 15 , where W 8 = m[10] m[9] m[8] m[7] W 9 = m[6] m[5] m[4] m[3] W 10 = m[2] m[1] m[0] 00 W 11 = 00 00 00 80 W 12 = 00 00 00 00 W 13 = 00 00 00 00 And then expansion to words W 16 , W 79 is performed according to the following relations (W 15 xor W 10 xor W 4 xor W 2 ) etc. When calculating W 16 , the first operation performed is W 13 xor W 8 , where W 13 ....

....enables us to obtain the least significant bit of the plaintext m with a high probability and therefore, in accordance with [11] we can establish the remaining part of m. We presume that procedures in [11] will be used directly, in particular the methods based on computing gcd (for details see [2]) In this way we are able to handle errors during the reception of information from the side channel. In this paper we strive to show that such an attack is realistic and that it operates in a random polynomial time, following from the above analysis and the results of [2, 11] We would like to ....

[Article contains additional citation context not shown here]

Alexi, W., Chor, B., Goldreich, O. and Schnorr, C.: RSA and Rabin functions: Certain parts are as hard as the whole, SIAM Journal on Computing, 17(2), pp. 194-209, 1988.


Further Results and Considerations on Side Channel Attacks on RSA - Klima, Rosa (2002)   (4 citations)

....bit 1, 71 zero bits and a 64 bit representation of the message bit length. The length is 888 = 0x 00 00 00 00 00 00 03 78 bits in this case (64 2 17 111 octets) The SHA 1 compression function fills this last block into 32 bit variables W0, W15, where W8 = m[10] m[9] m[8] m[7] W10 = m[2] m[1] m[0] 00 W12 = 00 00 00 00 W14 = 00 00 00 00 W9 = m[6] m[5] m[4] m[3] W11 = 00 00 00 80 W13 = 00 00 00 00 W15 = 00 00 03 78 And then expansion to words W16, W79 is performed according to the following relations W16 = ql (W13 xor W8 xor W2 xor W0) W17 = ql (W14 xor W9 xor W3 ....

....enables us to obtain the least significant bit of the plaintext m with a high probability and therefore, in accordance with [11] we can establish the remaining part of m. We presume that procedures in [11 ] will be used directly, in particular the methods based on computing gcd (for details see [2]) In this way we are able to handle errors during the reception of information from the side channel. In this paper we strive to show that such an attack is realistic and that it operates in a random polynomial time, following from the above analysis and the results of [2, 11] We would like to ....

[Article contains additional citation context not shown here]

Alexi, W., Chor, B., Goldreich, O. and Schnorr, C.: RSA and Rabin functions: Certain parts are as hard as the whole, SIAM Journal on Computing, 17(2), pp. 194-209, 1988.


A Primitive for Proving the Security of Every Bit and about.. - Kiltz (2002)   (1 citation)

....for a given c and RSA(x) This is exactly the structure of the Hidden Number Problem. Due to space limitations we will only can briefly sketch the proof of the security of the least significant bit and for the special case when I is the set of all odd primes. This proof is due to Alexi et al. [1]. Now, what happens if N is not a prime First, when N is even then one can use the Chinese remainder Theorem to concentrate only on the odd part of the modulus. So lets assume N is odd. When going deeper into the proof technique of [13] it becomes clear that one has to invert a special function ....

....decision over many randomly chosen r to determine, with overwhelming probability of success, the parity of dx. The problem is that the lsb oracle now may err on both ends lsb(rx) and lsb( r q d)x) To get around with this a technique called pairwise independent sampling may be applied. See [1] for more details. 4 Hard Core Predicates and Universal Hash Functions 4.1 Definitions Definition 4 (hash family) An (N; n, m) hash family is a set 7 I of N functions h X Y where Ixl n and IYI m. There will be no loss in generality assuming n m. Definition 5 (e universal hash ....

W. Alexi, B. Z. Chor, O. Goldreich, and C.-P. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-209, April 1988. Special issue on cryptography.


Oblivious Verification of Common String - Crepeau, Salvail

....f # : for 0 i n and words w of length i as follows: f # (#) #, f 1 (f # (w) f n 1 (f # (w) The pseudo random function is f # . The difficulty of predicting outputs of this pseudo random function is provably equivalent to the difficulty of factoring N by results of [16, 1]. 3 Oblivious Transfer solutions to OVCS In sections 4 and 5 we describe two alternative solutions to section 2. These solutions use more elaborate concepts that we now explore in details. 3.1 Mathematical Notations For b 1 and scalars x, y we define the selection function (x, y) b] ....

Alexi, W., B. Chor, O. Goldreich, and C. P. Schnorr, "RSA and Rabin Functions: Certain Parts Are as Hard as the Whole". In Proceedings of the 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, pp. 449 -- 457.


Pseudo-Random Functions and Factoring - Naor, Reingold (2000)   (1 citation)

....is indeed one way. 2 bit) hard core predicate. This generator has been originally proven secure assuming intractability of Quadratic Residuosity Problem in [5] and subsequently under the assumption that factoring Blum integers is hard (Assumption 4. 1) in [24] by adapting the techniques in [1]) Note also that it is the basis for the Blum Goldwasser public key encryption scheme [6] For simplicity of exposition , we choose to replace the LSB( Delta) hard core predicate with the Goldreich Levin B r ( Delta) predicate [14] where B r (m) denotes the inner product, hm; ri mod 2) We ....

....pseudorandom function and a generator, here we get it for free. 4.4 Using Other Hard Core Bits In our construction (Construction 4.1) we use the Goldreich Levin hard core bit, B r . The other, more natural, hard core bit in this context is the LSB predicate (shown to be secure by Alexi et al. [1]) The key property which we require from the B r predicate is that its reconstruction algorithm fixes the unknown value and changes r throughout the process (see Footnote 14) As pointed out to us by Roger Fischlin [9] a similar property is satisfied by the LSB based reconstruction techniques ....

[Article contains additional citation context not shown here]

W. B. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput., vol. 17(2), 1988, pp. 194-209.


Another Method for Attaining Security Against Adaptively Chosen.. - Lim, Lee (1993)   (19 citations)

....[12] generalized the Blum Micali s generator [5] based on the discrete logarithm problem and showed that O(logk) bits can be securely produced per each exponentiation where k is the bit length of a modulus. The same result was obtained by Peralta [17] with different technique. Alexi et al. [1] showed that RSA Rabin function can hide O(logk) bits under the intractability assumption of RSA encryption and factoring. Vazirani and Vazirani [22] showed that O(logk) bits can be securely extracted from the x 2 mod N generator of Blum, Blum and Shub [2] as well as from the RSA Rabin ....

....A dA j 1 mod OE(N A ) where OE denotes the Euler phi function. Let h be a one way hash function hashing arbitrary input strings into output values less than e A . Let G(n; s) be the same as before. But it can be based on the modulus NA of the receiver, such as the RSA Rabin scheme based generators [1] [14] or the x 2 mod N generator [2] 22] Of course, a common, possibly standardized, pseudorandom number generator may be used independently of the individual modulus. Assume that user B wants to send user A an n bit message m. Then the enciphering and deciphering algorithms are as follows. ....

W.Alexi, B.Chor, O.Goldreich and C.P.Schnorr, "RSA and Rabin functions : certain parts are as hard as the whole," SIAM J. Computing vol.17 no.2 (1988), 194-208.


Pseudorandomness from Braid Groups - Lee, Lee, Hahn (2001)   (6 citations)

....f(x) Next, under the decision Ko Lee assumption, we construct two provably secure pseudorandom schemes: a pseudorandom generator and a pseudorandom synthesizer. 1 Introduction The notions of pseudorandomness and onewayness which are closely related are quite important in modern cryptography [8, 1, 17, 12]. These concepts are informally stated as: i) A distribution is pseudorandom if no efficient algorithm can distinguish it from the uniform distribution [26] ii) A function is one way if it is easy to evaluate but hard to invert [9] Recently, some mathematically hard problems in braid groups have ....

....such that b(x) is hard to predict from f(x) So far, two kinds of hard core predicates have been proposed. On the one hand, for a few one way function f s, there has been discovered a particular bit of x, the so called hardcore bit, which is the source of b(x) by the unique characteristic of f [8, 1]. For instance, Alexi et al. [1] showed that b(x) points to the least significant bit of x for the RSA and the Rabin functions. On the other hand, for any one way function, one can make a hard core predicate by Goldreich Levin's construction [14] More precisely, for any one way function f , the ....

[Article contains additional citation context not shown here]

W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput. 17 (1988) 194--209.


Multisymbol Majority Vote and Hard Core - Wakaha Ogata Keiichi

....A 1 ; A s g such that Pr[ A i (z) g(z) 1 0 jzj c , where c is a constant. We say that this is a weak sense technique because the guessing algorithm is not unique for all inputs. We apply our technique to obtain a hard core of k0symbol one way functions. Hard core predicates [2, 3, 4] are fundamental tools in modern cryptology such as pseudorandom generators [2, 4] secure probabilistic encryptions [5] and etc. A predicate b(x) which takes a value in f0; 1g, is called a hard core of a one way function f(x) if b(x) is easily evaluated on input x, but hard to be guessed ....

W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr. "RSA and Rabin functions: certain parts are as hard as the whole". In SIAM Journal on Computing, vol. 17, pages 194-209, 1988.


On the Unpredictability of Bits of the Elliptic Curve.. - Boneh, Shparlinski

....field, predicting the least significant bit (LSB) # Supported by NSF and the Packard Foundation. ## Supported in part by ARC of the Diffie-Hellman secret, for many curves in a family of curves, is as hard as computing the entire secret. Such results were previously known for the RSA function [1, 7] but not for Diffie-Hellman. Let p be prime and let #s# p denote the remainder of an integer s on division by p. We also use log z to denote the binary logarithm of z 0. In the classical settings G is selected as the multiplicative group F # p of a finite field of p elements (and thus g is a ....

....p, 1 # ) where T is some fixed polynomial independent of p and E 0 . We note that there are other ways of extending the Diffie-Hellman function to obtain a hard core bit [8, 12] 4 Review of the ACGS algorithm The proof of Theorem 1 uses an algorithm due to Alexi, Chor, Goldreich, and Schnorr [1]. We refer to this algorithm as the ACGS algorithm. For completeness, we briefly review the algorithm here. First, we define the following variant of the Hidden Number Problem (HNP) presented in [5] HNP CM: Fix an # 0. Let p be a prime. For an # # F p let L : F # p # 0, 1 be a function ....

[Article contains additional citation context not shown here]

W. Alexi, B. Chor, O. Goldreich, and C. Schnorr. `RSA and Rabin functions: Certain parts are as hard as the whole', SIAM J. Computing , 17(


List Decoding: Algorithms and Applications - Sudan (2000)   (7 citations)

....can predict P (x; Delta) with this high an accuracy. Now to see the effectiveness of Theorem 9, note that the extra input has length log n, which by the theorem is only O(log k log 1 ffi ) Aside: Recall that the early results of Blum and Micali [6] and Alexi, Chor, Goldreich, and Schnorr [1] that gave hardcore predicates for specific one way functions (namely, Discrete Log and RSA) actually use l = 0 extra randomness. It would be interesting to see if these specific results can also be explained in terms of list decoding. Predicting witnesses for NP search problems. Consider an ....

Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-209, April 1988.


Cryptography 2000 ± 10 - Maurer

....the future we will have to prove the security of practical schemes for much weaker assumptions. For several public key schemes it was proved that computing certain bits of the secret (the plaintext or the shared key in case of the Diffie Hellman protocol) is as hard as computing the entire value [3, 13, 39]. 8 Cryptographic Protocols Cryptographic protocols, often based on public key functionality, are among the most delicate and fascinating topics in cryptography. In the past decade there has been an extensive research activity on various types of protocols, in particular on interactive proofs ....

W. Alexi, B. Chor, O. Goldreich, and C. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM Journal on Computing, vol. 17, no. 2, pp. 194--209, 1988.


On the Unpredictability of Bits of the Elliptic Curve.. - Boneh, Shparlinski

....As a first step we show that in the group of points of an elliptic curve over a finite field, predicting the least significant bit (LSB) of the Diffie-Hellman secret, for many curves in a family of curves, is as hard as computing the entire secret. Such results were previously known for the RSA function [1, 7] but not for Diffie-Hellman. Let p be prime and let bsc p denote the remainder of an integer s on division by p. We also use log z to denote the binary logarithm of z 0. In the classical settings G is selected as the multiplicative group F p of a finite field of p elements (and thus g is a ....

....p; 1 ) where T is some fixed polynomial independent of p and E 0 . We note that there are other ways of extending the Diffie-Hellman function to obtain a hard core bit [8, 12] 4 Review of the ACGS algorithm The proof of Theorem 3. 1 uses an algorithm due to Alexi, Chor, Goldreich, and Schnorr [1]. We refer to this algorithm as the ACGS algorithm. For completeness, we briefly review the algorithm here. First, we define the following variant of the Hidden Number Problem (HNP) presented in [5] Recall that for a prime p we denote by bsc p the value of s mod p. HNP CM: Fix an 0. Let p be a ....

[Article contains additional citation context not shown here]

W. Alexi, B. Chor, O. Goldreich, and C. Schnorr. `RSA and Rabin functions: Certain parts are as hard as the whole', SIAM J. Computing , 17(1988), 194-209, Nov. 1988.


Cryptology - Rivest

....that E(X Y ) which is the same as E(X)E(Y ) can be decrypted (yielding XY ) and then dividing the result by Y to obtain X. One might interpret this as saying that either RSA is uniformly secure or it is uniformly insecure. Even stronger results have been proven. For example, it has been shown [81, 6, 18] that if a polynomial fraction of RSA ciphertexts can't be decrypted in polynomial time, then neither can just the least significant bit of the message be guessed from the ciphertext with better than an bias. Hastad [88] shows that it is unwise to use a low encryption exponent e, such as 3, if ....

....i = 1; k. Theorem 2 (Goldwasser Micali[78] If trapdoor predicates exist, then the above probabilistic public key encryption scheme is polynomial time secure. Implementation of trapdoor predicates based on the problem of factoring integers, and of inverting the RSA function can be found in [6]. We outline the RSA based implementation. Let n be the public modulus, e the public exponent, and d the secret exponent. Let B(x) be the least significant bit of x d mod n for x 2 Z n . Then, to select uniformly an x 2 Z n such that B(x) v simply select a y 2 Z n whose least signi ....

[Article contains additional citation context not shown here]

W. B. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM J. Computing, 17(2):194-209, April 1988.


An Improved Pseudo-Random Generator Based on the Discrete.. - Gennaro (2000)   (12 citations)

....construct a secure PRBG for which each iteration consists of a single A preliminary version of this paper appeared in the proceedings of CRYPTO 2000 [7] The main differences between the two versions are summarized in Section 1.2 1 squaring in Z N and outputs a pseudo random bit. Alexi et al. [2] showed that one can improve this to O(log log N) bits and rely only the intractability of factoring as the underlying assumption. Up to this date, this is the most efficient provably secure PRBG. In [17] Patel and Sundaram propose a very interesting variation on the Blum Micali generator. They ....

....The generator works by repeatedly squaring modN a random seed in Z N where N is a Blum integer (N = PQ with P; Q both primes of identical size and j 3 mod 4. At each iteration it outputs the least significant bit of the current value. The rate of this generator is thus of 1 bit squaring. In [2], Alexi et al. showed that one can output up to k = O(log log N) bits per iteration of the squaring generator (and this while also relaxing the underlying assumption to the hardness of factoring) The actual number k of bits that can be outputted depends on the concrete parameters adopted. The ....

[Article contains additional citation context not shown here]

W. Alexi, B. Chor, O. Goldreich and C. Schnorr. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. Computing, 17(2):194--209, April 1988.


The Security of all RSA and Discrete Log Bits - Håstad, Näslund (1998)   (4 citations)

....in x, this has so far only been proven to be true for the O(log log N) least significant bits. Starting from a relatively weak result, in a sequence of papers, 15, 3, 29, 11, 26, 8] this was improved, ending with the final proof of complete security by Alexi, Chor, Goldreich, and Schnorr in [1]. There are also other known security results for certain predicates that are related to the individual bits of x, e.g. half N (x) # 1 if x # (N 1) 2, 0 otherwise, see [15] for instance. For the other, internal bits, however, the best known result up until now states that they can cannot be ....

....can cannot be computed with probability greater than 3 4. By using relations between half N (x) and the individual bits of x, Ben Or, Chor, and Shamir proved in [3] that the internal bits cannot be computed with probability of success exceeding 15 16. By a reduction to this proof, the result in [1] for the least significant bit, then improved the result to 3 4, still leaving a large gap to the desired 1 2 result. In this paper we show the following: Theorem. For any constant c and all sufficiently large n, unless RSA can be broken 1 in random polynomial time, no single bit of E 1 N (x) ....

[Article contains additional citation context not shown here]

Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194--209, 1988.


Multisymbol Majority Vote and Hard Core - Wakaha Ogata Keiichi (1996)

....: A s g such that Pr[ A i (z) g(z) 1 Gamma jzj Gammac , where c is a constant. We say that this is a weak sense technique because the guessing algorithm is not unique for all inputs. We apply our technique to obtain a hard core of k Gammasymbol one way functions. Hard core predicates [2, 3, 4] are fundamental tools in modern cryptology such as pseudorandom generators [2, 4] secure probabilistic encryptions [5] and etc. A predicate b(x) which takes a value in f0; 1g, is called a hard core of a one way function f(x) if b(x) is easily evaluated on input x, but hard to be guessed ....

W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr. "RSA and Rabin functions: certain parts are as hard as the whole". In SIAM Journal on Computing, vol. 17, pages 194--209, 1988.


SIGACT News Complexity Theory Column 25 - Lane Hemaspaandra Dept

....can predict P (x; Delta) with this high an accuracy. Now to see the effectiveness of Theorem 5, note that the extra input has length log n, which by the theorem is only O(log k log 1 ffi ) Aside: Recall that the early results of Blum and Micali [6] and Alexi, Chor, Goldreich, and Schnorr [1] that gave hardcore predicates for specific one way functions (namely, Discrete Log and RSA) actually use l = 0 extra randomness. It would be interesting to see if these specific results can also be explained in terms of list decoding. Predicting witnesses for NP search problems. Consider an ....

Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-209, April 1988.


Recent Results on PKCS 1: RSA Encryption Standard - Laboratories Division Of

....bytes 00 02. The recipient thus becomes an oracle in the theoretical sense for determining particular bits of the decryption of an arbitrary ciphertext. The ability to predict certain bits of an RSA decryption has previously been shown to provide a means for computing all bits of a decryption [1]. Recently, the first author of this bulletin showed that one can also compute all bits of a decryption from the bits revealed by successful PKCS #1 decryptions of adaptively chosen ciphertexts [3] Thus the oracle just mentioned enables an opponent to compute the decryption of a selected ....

W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-209, April 1988.


On Superpolylogarithmic Subexponential Functions - Sherman (1991)

....Poopings, Mary Poppins, musical computer science, reversible computation, Supercalifragilisticexpialidocious, superpolylogarithmic subexponential functions, SuperPolyLog SubExp. A preliminary version of this paper appeared in two parts in SIGACT News, 22:1 (winter 1991) Whole Number 78, 65 73, and 22:2 (spring 1991) Whole Number 79, 51 56. 1 Alan T. Sherman, On Superpolylogarithmic Subexponential Functions April 1, 1991 2 1 Introduction In an abandoned wine cellar beneath the Ratskeller in Wein am Rhein, construction workers recently discovered an intriguing manuscript. This ....

....functions. 1 Although difficult to decipher through numerous beer stains, the manuscript appears to bear the inscription M.P. which I believe stands for Maria Poopings, who is believed to be the little known illegitimate daughter of the dubious German composer P. D. Q. Bach (1807 1742) 32] and the brilliant French mathematician Marie Sophie Germain (1776 1831) 13] Reprinted in Section 3, the text of this manuscript fits remarkably well especially after an evening at the Ratskeller the tune Supercalifragilisticexpialidocious from the 1964 Walt Disney musical Mary Poppins ....

[Article contains additional citation context not shown here]

Alexi, Werner; Benny Chor; Oded Goldreich; and Claus P. Schnoor, "RSA and Rabin functions: Certain parts are as hard as the whole," SIAM Journal on Computing, 17:2 (April 1988), 194--209.


Robust Efficient Distributed RSA-Key Generation - Frankel, MacKenzie, Yung   (18 citations)

....is used for direct RSA signing of messages; however, the same protocol could be used for decryption. Our results simply concern the application of the RSA function in its assumed intractable direction as a oneway function (as assumed in protocols with formal security proofs which employ RSA, e.g. [ACGS]) Define hist(d; N; L) to be a history of messages signature pairs with messages taken by L, and signatures generated using the RSA secret key (d; N) Definition 11 The RSA security assumption: Let h be the security parameter. Let key generator GE define a family of RSA functions (i.e. e; ....

W. Alexi, B. Chor, O. Goldreich and C. Schnorr. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. In SIAM Journal of Computing, volume 17, n. 2, pages 194--209, April 1988.


Oblivious Verification of Common String - Crépeau, Salvail (1995)

....i as follows: f 0 OE (ffl) OE; f i 1 OE (0w) G n 1 (f i OE (w) f i 1 OE (1w) G 2n n 1 (f i OE (w) The pseudo random function is f n OE . The difficulty of predicting outputs of this pseudo random function is provably equivalent to the difficulty of factoring N by results of [16, 1]. 3. Oblivious Transfer solutions to OVCS In Sections 4 and 5 we describe two alternative solutions to Section 2. These solutions use more elaborate concepts that we now explore in details. 3.1. Mathematical Notations For b 2 f0; 1g and scalars x; y we define the selection function (x; y) b] ....

W. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr (1984) RSA and Rabin Functions: Certain Parts Are as Hard as the Whole. In Proceedings of the 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, pp. 449 -- 457.


About Polynomial-Time "unpredictable" Generators - L'Ecuyer, Proulx   (Correct)

....that can be accelerated efficiently by parallel evaluation. 2.6. Some presumed PT perfect generators Various generators proposed recently have been proved to be PT perfect, under some yet unproven complexity assumption. See for instance Yao (1982), Blum and Micali (1984), Blum et al. (1986), Alexi et al. (1988), Reif and Tygar (1988), Micali and Schnorr (1988). All of these are in fact based on presumed one way functions. In the next sections, we examine in more detail two of these generators. 3. THE BBS GENERATOR 3.1. Definition Blum, Blum and Shub (1986) have proposed the following generator. ....

....prime to dg. Call this generator G1. CONJECTURE SPG1. Generator G1 is PT perfect. This conjecture is related to the security of the RSA encryption scheme. The next conjecture allows even d, which yields more efficient generators (e.g. if d is a power of two). It is justified by the work of Alexi et al. (1988). Call G2 the SPG generator obtained when D_n is replaced by its subset D'_n = {N ∈ D_n | N is a Blum integer}. CONJECTURE SPG2. Generator G2 is PT perfect. Micali and Schnorr suggest n = 512 and d = 15 or 16 for practical applications. We did empirical investigations with SPG generators, with ....

Alexi, W., Chor, B., Goldreich, O. and Schnorr, C. P. (1988). RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. on Computing , 17, 2, 194--209.


Some consequences of cryptographical conjectures for S 2 .. - Krajícek.. (1995)   (10 citations)  (Correct)

....1 mod (n) where (n) is the Euler function. To decode x from y compute x : y d mod n. RSA can be used to encode securely single bits by encoding a random even (resp. odd) x n if the bit is 0 (resp. 1) The security of this probabilistic encryption is known to be as good as that of RSA, see [1]. Our pair of disjoint NP sets is based on it. For i = 0; 1, let A i = df f(n; e; y) 9x; d; r n (x j i mod 2 x e j y mod n y d j x mod n y r j 1 mod n (e; r) 1g : One can check that exponentiation modulo a number n 2 is definable and satisfies the usual relations in S 1 2 , ....

W.B. Alexi, B.Chor, O. Goldreich, C.P. Schnorr (1988) RSA and Rabin functions: Certain parts are as hard as the whole, SIAM J. Comp., 17, pp.194-209.


Synthesizers and Their Application to the Parallel.. - Naor, Reingold (1995)   (16 citations)  (Correct)

....poly preserving. In fact, most of our reductions (as the reduction from the security of the pseudo random functions to the security of the pseudo random synthesizers) are linear-preserving. The only place where our reductions are not linear preserving is when they rely on the hard core bits of [2, 28]. Our constructions of pseudo random functions have additional attractive properties. First, it is possible to obtain from the constructions a sharp time space tradeoff. Loosely speaking, by keeping m strings as the key we can reduce the amount of work for computing the functions from n ....

....; d (x) for our proof. Based on the RSA Assumption with the restriction that N 2 G n , we define a collection of I 6n 7 I 1 pseudo random synthesizers, SRSA2 . In the definition of SRSA2 , we use the least significant bit (LSB) instead of the Goldreich Levin hard core bit. Alexi et al. [2] showed that LSB is a hardcore bit for RSA. Fischlin and Schnorr [22] have recently provided a stronger reduction for this bit. Definition 8.9 Let N be a 2n bit integer, let g = fg 1 ; g 3n g be a sequence of 3n elements in Z N and let d = fd 1 ; d 3n g be a sequence of 3n ....

[Article contains additional citation context not shown here]

W. B. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput., vol. 17(2), 1988, pp. 194-209.


Oblivious Verification of Common String - Crépeau, Salvail   (Correct)

....w of length i as follows: f 0 # (#) #, f i 1 # (0w) G n 1 (f i # (w) f i 1 # (1w) G 2n n 1 (f i # (w) The pseudo random function is f n # . The difficulty of predicting outputs of this pseudo random function is provably equivalent to the difficulty of factoring N by results of [16, 1]. 3 Oblivious Transfer solutions to OVCS In sections 4 and 5 we describe two alternative solutions to section 2. These solutions use more elaborate concepts that we now explore in details. 3.1 Mathematical Notations For b # 0, 1 and scalars x, y we define the selection function (x, y) b] ....

Alexi, W., B. Chor, O. Goldreich, and C. P. Schnorr, "RSA and Rabin Functions: Certain Parts Are as Hard as the Whole". In Proceedings of the 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, pp. 449 -- 457.


Software Protection - And Simulation On   Self-citation (Goldreich)   (Correct)

No context found.

Alexi, W., B Chor, O Goldreich, and C.P Schnorr, "RSA and Rabin Functions: Certain Parts Are As Hard As The Whole", SIAM Jour on Computing, Extended Abstract in Proc 25th FOCS, 1984.


Software Protection and Simulation on Oblivious RAMs - Goldreich, Ostrovsky (1996)   (46 citations)  Self-citation (Goldreich)   (Correct)

No context found.

Alexi, W., B Chor, O Goldreich, and C.P Schnorr, "RSA and Rabin Functions: Certain Parts Are As Hard As The Whole", SIAM Jour on Computing, Extended Abstract in Proc 25th FOCS, 1984.


Computer Science and Engineering, UCSD October 7, 1999.. - The Problem We   Self-citation (Goldreich)   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich and C. Schnorr, "RSA and Rabin Functions: Certain Parts Are as Hard as the Whole," SIAM J. on Computing, Vol. 17, No. 2, 1988, pp. 194--209.


Foundations of Cryptography (Fragments of a Book) - Goldreich (1995)   (26 citations)  Self-citation (Goldreich)   (Correct)

....to fit in a book of the current nature. The interested reader is thus referred to the original paper of Hastad et al. [HILL] which combines the results in [H90,ILL89] and to Luby's book [L94book]. Simple pseudorandom generators based on specific intractability assumptions are presented in [B82,BBS82,ACGS84,VV84,K88]. In particular, [ACGS84] presents pseudorandom generators based on the intractability of factoring, whereas [K88] presents pseudorandom generators based on the intractability of discrete logarithm problems. In both cases, the major step is the construction of hard core predicates for the ....

.... The interested reader is thus referred to the original paper of Hastad et al. [HILL] which combines the results in [H90,ILL89] and to Luby's book [L94book]. Simple pseudorandom generators based on specific intractability assumptions are presented in [B82,BBS82,ACGS84,VV84,K88]. In particular, [ACGS84] presents pseudorandom generators based on the intractability of factoring, whereas [K88] presents pseudorandom generators based on the intractability of discrete logarithm problems. In both cases, the major step is the construction of hard core predicates for the corresponding collections of ....

W. Alexi, B. Chor, O. Goldreich and C.P. Schnorr, "RSA and Rabin Functions: Certain Parts Are As Hard As the Whole", SIAM Jour. on Computing, Vol. 17, 1988, pp. 194-209. A preliminary version appeared in Proc. 25th FOCS, 1984, pp.


On the Security of Modular Exponentiation with Application.. - Goldreich, Rosen (2000)   (8 citations)  Self-citation (Goldreich)   (Correct)

....group mod N, the function f is a one way function assuming the intractability of factoring Blum integers. Additionally, Blum, Blum and Shub showed that f induces a permutation over the set of quadratic residues in the multiplicative group mod N, and using the results of Alexi et al. [ACGS] and Vazirani and Vazirani [VV] this implies that the least significant bit constitutes a hard core predicate for f. The BBS generator is by far more efficient than the Blum Micali generator. 3 In particular, for every polynomial P(·) the BBS generator stretches an n bit seed into a P ....

W. B. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput., vol. 17(2), 1988, pp. 194-209.


Local Randomness in Candidate One-Way Functions - Niederreiter, Schnorr (1992)   Self-citation (Schnorr)   (Correct)

No context found.

Alexi, W., Chor, B., Goldreich, O. and Schnorr, C.P.: RSA and Rabin Functions: certain parts are as hard as the whole. SIAM J. Comput., 17, 2 (1988), pp. 194 -- 208.


On the Provable Security of an Efficient RSA-Based.. - Steinfeld, Pieprzyk.. (2006)   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich, and C.P. Schnorr. RSA and Rabin Functions: Certain Parts Are as Hard as the Whole. SIAM Journal on Computing, 17(2):194--209, 1988.


Pseudo-Random Functions and Factoring - Moni Naor Weizmann (2001)   (1 citation)  (Correct)

No context found.

W. B. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, RSA and Rabin functions: certain parts are as hard as the whole, SIAM J. Comput., vol. 17(2), 1988, pp. 194-209.


Complete Classification of Bilinear Hard-Core - Functions Thomas Holenstein   (Correct)

No context found.

Werner Alexi, Benny Chor, Oded Goldreich, and Claus P. Schnorr. RSA and Rabin functions: Certain parts are as hard as the whole. Siam Journal on Computation, 17(2):194--209, 1988.


Cryptographic Limitations on Learning - Boolean Formulae And   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich, C.P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. S.I.A.M. Journal on Computing, 17(2), 1988, pp. 194-209.


Paillier's Trapdoor Function Hides up to O(n) bits - Catalano, Gennaro.. (2002)   (1 citation)  (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich and C. Schnorr. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. Computing, 17(2):194--209, April 1988.


Survey of Computational Assumptions Used in Cryptography Broken or.. - Zhu (2001)   (Correct)

No context found.

Werner Alexi, Benny Chor, Oded Goldreich, and Claus-P. Schnorr. RSA and Rabin functions: certain parts are as hard as the whole. SIAM Journal on Computing, 17(2):194-209, April 1988.


On the Bit Security of NTRUEncrypt - Näslund, Shparlinski, Whyte   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich and C. P. Schnorr, `RSA and Rabin functions: Certain parts are as hard as the whole', SIAM Journal on Computing , 17 (1988), 194--209.


Cryptanalysis: A survey of recent results - Brickel, Odlyzko   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr, "RSA and Rabin functions: certain parts are as hard as the whole," SIAM J. Comp., vol. 17, 1988, 194-209.


Effective Interpolation - Krajicek (1997)   (Correct)

No context found.

Alexi, W. B., Chor, B., Goldreich, O., Schnorr, C. P. (1988) RSA and Rabin functions: Certain parts are as hard as the whole, SIAM J. Comp., 17, pp.194-209.


Hardness Computing Bits of Secret Keys in Diffie-Hellman and .. - Boneh, Venkatesan (1996)   (Correct)

No context found.

W. Alexi, B. Chor, O. Goldreich, C. Schnorr, "RSA and Rabin functions: Certain parts are as hard as the whole", SIAM Journal on Computing, Nov 1988, Vol 7 No 2.


CiteSeer.IST - Copyright Penn State and NEC