RSA/Rabin least significant bits are 1/2 + 1/poly(log N) secure
Proceedings of CRYPTO 84 on Advances in cryptology
Simultaneous security of bits in the discrete log
Proc. of a workshop on the theory and application of cryptographic techniques on Advances in cryptology---EUROCRYPT '85
RSA-bits are 0.5 + ε secure
Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theory and application of cryptographic techniques
On the number of close-and-equal pairs of bits in a string
Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theory and application of cryptographic techniques
RSA and Rabin functions: certain parts are as hard as the whole
SIAM Journal on Computing - Special issue on cryptography
The discrete logarithm hides O(log n) bits
SIAM Journal on Computing - Special issue on cryptography
Computerized patient information system in a psychiatric unit: five-year experience
Journal of Medical Systems
Chinese remaindering with errors
STOC '99 Proceedings of the thirty-first annual ACM symposium on Theory of computing
Finding smooth integers in short intervals using CRT decoding
STOC '00 Proceedings of the thirty-second annual ACM symposium on Theory of computing
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Hidden Number Problem with the Trace and Bit Security of XTR and LUC
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Adi Shamir: On the Universality of the Next Bit Test
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
An Efficient Discrete Log Pseudo Random Generator
CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
The Security of Individual RSA Bits
FOCS '98 Proceedings of the 39th Annual Symposium on Foundations of Computer Science
"Soft-decision" decoding of Chinese remainder codes
FOCS '00 Proceedings of the 41st Annual Symposium on Foundations of Computer Science
On the cryptographic security of single RSA bits
STOC '83 Proceedings of the fifteenth annual ACM symposium on Theory of computing
The security of bits in the discrete logarithm
Stronger security proofs for RSA and Rabin bits
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
On the Bit Security of NTRUEncrypt
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
Breaking and Provably Fixing Minx
PETS '08 Proceedings of the 8th international symposium on Privacy Enhancing Technologies
The Security of All Bits Using List Decoding
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
On the power generator and its multivariate analogue
Journal of Complexity
We study the security of individual bits in an RSA encrypted message E_N(x). We show that given E_N(x), predicting any single bit in x with only a nonnegligible advantage over the trivial guessing strategy is (through a polynomial-time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bits of x are computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme.

Considering the discrete exponentiation function g^x modulo p, with probability 1 − o(1) over random choices of the prime p, the analogous results are demonstrated. The results do not rely on group representation, and therefore apply to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f.

All our results follow from a general result on the chosen multiplier hidden number problem: given an integer N, and access to an algorithm P_x that on input a random a ∈ Z_N returns a guess of the i-th bit of ax mod N, recover x. We show that for any i, if P_x has at least a nonnegligible advantage in predicting the i-th bit, we either recover x or obtain a nontrivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O(log log N) bits.
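The chosen multiplier hidden number problem from the abstract, as an added example that is not code from the paper: it covers only the easy special case of an odd N and a predictor for the least significant bit that is always correct, whereas the paper's result handles any bit i and a predictor with only a nonnegligible advantage. The names make_lsb_oracle and recover_hidden_number and the sample values are constructed for illustration.

```python
from fractions import Fraction
import math


def make_lsb_oracle(x, N):
    """Constructed stand-in for P_x: returns the true least significant bit
    of a*x mod N on every query, and counts how often it is called."""
    calls = {"n": 0}

    def P(a):
        calls["n"] += 1
        return (a * x % N) & 1

    return P, calls


def recover_hidden_number(P, N):
    """Recover x in [0, N) from LSB answers on the multipliers 2, 4, 8, ...

    For odd N and y in [0, N): 2y mod N is odd exactly when 2y >= N
    (a reduction by N happened). Each answer therefore says in which half
    of the current interval x lies, so the interval halves per query.
    """
    if N % 2 == 0:
        raise ValueError("the parity argument needs an odd modulus")
    lo, hi = Fraction(0), Fraction(N)      # invariant: lo <= x < hi
    a = 1
    for _ in range(N.bit_length()):        # 2^bit_length > N, final width < 1
        a = (a * 2) % N
        mid = (lo + hi) / 2
        if P(a):
            lo = mid                       # wrapped around N: x >= mid
        else:
            hi = mid                       # no wrap: x < mid
    return math.ceil(lo)                   # the only integer left in [lo, hi)


if __name__ == "__main__":
    N = 61 * 53                            # constructed toy modulus
    secret = 1234                          # constructed hidden number
    P, calls = make_lsb_oracle(secret, N)
    print(recover_hidden_number(P, N), "recovered in", calls["n"], "queries")
```

One correct bit per chosen multiplier is enough to pin x down in about log2(N) queries, which is why the abstract can treat a reliable single-bit predictor as equivalent to recovering the whole message.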