The security of all RSA and discrete log bits
2004 (English)In: Journal of the ACM, ISSN 0004-5411, E-ISSN 1557-735X, Vol. 51, no 2, 187-230 p.Article in journal (Refereed) Published
We study the security of individual bits in an RSA encrypted message E-N(x). We show that given E-N(x), predicting any single bit in x with only a nonnegligible advantage over the trivial guessing strategy, is (through a polynomial-time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O (log log N) bits of x are computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme. Considering the discrete exponentiation function g(x) modulo p, with probability 1 - o(1) over random choices of the prime p, the analog results are demonstrated. The results do not rely on group representation, and therefore applies to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f. All our results follow from a general result on the chosen multiplier hidden numberproblem: given an integer N, and access to an algorithm P-x, that on input a random a epsilon Z(N), returns a guess of the ith bit of ax mod N, recover x. We show that for any i, if P-x has at least a nonnegligible advantage in predicting the ith bit, we either recover x, or, obtain a nontrivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O (log log N) bits.
Place, publisher, year, edition, pages
2004. Vol. 51, no 2, 187-230 p.
cryptography, complexity, RSA-encryption, bit-security, discrete logarithms
Computer and Information Science
IdentifiersURN: urn:nbn:se:kth:diva-23252DOI: 10.1145/972639.972642ISI: 000220153200003ScopusID: 2-s2.0-4243189287OAI: oai:DiVA.org:kth-23252DiVA: diva2:341950
QC 20100525 QC 201110282010-08-102010-08-102012-01-21Bibliographically approved