Cryptology ePrint Archive: Report 1999/019

Security of all RSA and Discrete Log Bits

Johan Hastad and Mats Naslund

Abstract: We study the security of individual bits in an RSA encrypted message E_N(x). We show that given E_N(x), predicting any single bit in x with only a non-negligible advantage over the trivial guessing strategy, is (through a polynomial time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bits of x are computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme.

Considering the discrete exponentiation function, g^x modulo p, with probability 1-o(1) over random choices of the prime p, the analog results are demonstrated. Finally, we prove that the bits of ax+b modulo p give hard core predicates for any one-way function f.

Category / Keywords: public key encryption, RSA, discrete log, bit security, hard core.

Publication Info: Appeared in the THEORY OF CRYPTOGRAPHY LIBRARY and has been included in the ePrint Archive.

Date: received August 27, 1999. Work performed 1998/early 1999. (Preliminary versions in FOCS '98 and in Naslund's PhD thesis from Aug. 1998).

Contact author: mats naslund at era-t ericsson se

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation

Short URL: ia.cr/1999/019

Discussion forum: Show discussion | Start new discussion