RSA/Rabin least significant bits are 1-2- + 1/poly(log N) secure

Authors:
Benny Chor;Oded Goldreich
Affiliations:
-;-
Venue:
Proceedings of CRYPTO 84 on Advances in cryptology
Year:
1985

Citing 9
Cited 4

How to generate cryptographically strong sequences of pseudo-random bits

SIAM Journal on Computing
RSA-bits are 0.5 + &egr; secure

Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theory and application of cryptographic techniques
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
How discreet is the discrete log?

STOC '83 Proceedings of the fifteenth annual ACM symposium on Theory of computing
On the cryptographic security of single RSA bits

STOC '83 Proceedings of the fifteenth annual ACM symposium on Theory of computing
DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION

DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION
Probabilistic encryption: theory and applications (partial information, factoring, pseudo random bit generation)

Probabilistic encryption: theory and applications (partial information, factoring, pseudo random bit generation)
Why and how to establish a private code on a public network

SFCS '82 Proceedings of the 23rd Annual Symposium on Foundations of Computer Science
Theory and application of trapdoor functions

SFCS '82 Proceedings of the 23rd Annual Symposium on Foundations of Computer Science

Algorithmic derandomization via complexity theory

STOC '02 Proceedings of the thiry-fourth annual ACM symposium on Theory of computing
A Secure Poker Protocol that Minimizes the Effect of Player Coalitions

CRYPTO '85 Advances in Cryptology
The security of all RSA and discrete log bits

Journal of the ACM (JACM)
Trading one-wayness against chosen-ciphertext security in factoring-based encryption

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We prove that RSA least significant bit is 1/2 + 1/logc N secure, for any constant c (where N is the RSA modulus). This means that an adversary, given the ciphertext, cannot guess the least significant bit of the plaintext with probability better than 1/2 + 1/logc N unless he can break RSA.Our proof technique is strong enough to give, with slight modifications, the following related results: (1) The log log N least significant bits are simultaneously 1/2 + 1/logc N secure. (2) The above also holds for Rabin's encryption function.Our results imply that Rabin/RSA encryption can be directly used for pseudo random bits generation, provided that factoring/inverting RSA is hard.