Title
The security of all RSA and discrete log bits
Abstract
We study the security of individual bits in an RSA encrypted message E_N(x). We show that given E_N(x), predicting any single bit in x with only a nonnegligible advantage over the trivial guessing strategy is (through a polynomial-time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bits of x are computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme. Considering the discrete exponentiation function g^x modulo p, with probability 1 − o(1) over random choices of the prime p, the analog results are demonstrated. The results do not rely on group representation, and therefore apply to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f. All our results follow from a general result on the chosen multiplier hidden number problem: given an integer N, and access to an algorithm P_x that on input a random a ∈ Z_N, returns a guess of the ith bit of ax mod N, recover x. We show that for any i, if P_x has at least a nonnegligible advantage in predicting the ith bit, we either recover x or obtain a nontrivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O(log log N) bits.
Year
1999
DOI
10.1145/972639.972642
Venue
Journal of the ACM (JACM)
Keywords
log log n, individual bit, random choice, complexity, bit-security, nonnegligible advantage, random bit, cryptography, discrete logarithms, rsa-encryption, ith bit, prime p, integer n, discrete log bit, ax mod n, modulo p
DocType
Journal
Volume
51
Issue
2
ISSN
0004-5411
Citations
15
PageRank
1.19
References
20
Authors
2
Name
Order
Citations
PageRank
Johan Håstad13586557.23
Mats Näslund214121.58