The Security of all RSA and Discrete Log Bits

The Security of all RSA and Discrete Log Bits (2003)

Cached

Download Links

by Johan Håstad , Mats Näslund

Citations:

BibTeX

@MISC{Håstad03thesecurity,
    author = {Johan Håstad and Mats Näslund},
    title = {The Security of all RSA and Discrete Log Bits},
    year = {2003}
}

Bookmark

OpenURL

Abstract

We study the security of individual bits in an RSA encrypted message EN (x). We show that given EN (x), predicting any single bit in x with only a non-negligible advantage over the trivial guessing strategy, is (through a polynomial time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bitsofxare computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme. Considering the discrete exponentiation function gx modulo p, with probability 1 − o(1) over random choices of the prime p, the analog results are demonstrated. The results do not rely on group representation, and therefore applies to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f. All our results follow from a general result on the chosen multiplier hidden number problem: givenanintegerN, and access to an algorithm Px that on input a random a ∈ ZN, returns a guess of the ith bit of ax mod N, recover x. We show that for any i, ifPx has at least a nonnegligible advantage in predicting the ith bit, we either recover x, or, obtain a non-trivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O(log log N) bits.

Citations

2507	A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al.
1001	Probabilistic encryption - Goldwasser, Micali - 1984
256	An improved algorithm for computing logarithms over GF (p) and its cryptographic significance - Pohlig, Hellman - 1978
200	Optimal Asymmetric Encryption - Bellare, Rogaway - 1994
120	C.: RSA and Rabin Functions: Certain Parts are as Hard as the Whole - Alexi, Chor, et al. - 1988
84	R.: Hardness of Computing the Most Significant Bits of Secret Keys in Diffie–Hellman and Related Schemes - Boneh, Venkatesan - 1996
82	Theory and Applications of Trapdoor Functions (Extended Abstract - Yao - 1982
50	Efficient and secure pseudo-random number generation - Vazirani, Vazirani
35	Chinese remaindering with errors - Goldreich, Ron, et al.
30	The distribution of quadratic residues and non-residues - Burgess - 1957
27	Finding smooth integers in short intervals using CRT decoding - Boneh
27	Stronger Security Proofs for RSA and Rabin Bits - Fischlin, Schnorr - 2000
26	A.: The Discrete Logarithm Modulo a Composite Hides O(n) Bits - Håstad, Schrift, et al. - 1993
25	Why and how to establish a private code on a public network - Goldwasser, Micali, et al. - 1982
22	Soft-decision decoding of Chinese remainder codes - Guruswami, Sahai, et al. - 2000
15	An efficient discrete log pseudo random generator - Patel, Sundaram - 1998
15	Simultaneous security of bits in the discrete log - Peralta - 1986
12	On the cryptographic security of single RSA bits - Ben-Or, Chor, et al. - 1983
10	Universal hash functions & hard core bits - Näslund - 1995
9	Boneh and Ramarathnam Venkatesan. Breaking rsa may not be equivalent to factoring - Dan - 1998
8	I.: Hidden Number Problem with the Trace and Bit Security of XTR - Li, Näslund, et al. - 2002
7	The discrete log hides O(log n) bits - Long, Wigderson - 1988
4	The Security of bits in the discrete logarithm - Long
3	Two Issues in Public Key Cryptography. ACM doctoral dissertation award - Chor - 1986
3	On the number of close-and-equal pairs of bits in a string (with applications on the security of RSA’s L.S.B.). See Beth et al - Goldreich - 1985
3	35th Annual Symposium on Foundations of Computer Science, Sant,a Fe - IEEE - 1994
3	A useful primitive to prove security of every bit and about hard core predicates and universal hash functions - Kiltz
3	Security of almost all discrete log bits. Electronic Colloquium on Computational Complexity, report TR98-033. Available on-line from http://www.eccc.uni-trier.de/eccc - Schnorr - 1998
3	On the universality of the next bit test - Schrift, Shamir - 1991
2	and Oded Goldreich. RSA/Rabin least significant bits are + poly(log n) secure - Chor
2	All bits in ax + b mod p are hard. See Koblitz [1996 - Näslund - 1996
2	RSA-bits are 0.5+ɛ secure. See Beth et al - Schnorr, Alexi - 1985
2	RSA bits are .732 + ɛ secure - Vazirani, Vazirani - 1984
1	RSA/Rabin least significant bits are 1 2 + poly(logn) secure - Chor, Goldreich - 1985
1	Bit Extraction, Hard-Core Predicates, and the Bit Security of RSA - Näslund - 1998