**On the Provable Security of an Efficient RSA-Based Pseudorandom Generator**

*Ron Steinfeld and Josef Pieprzyk and Huaxiong Wang*

**Abstract: **Pseudorandom Generators (PRGs) based on the RSA inversion
(one-wayness) problem have been extensively studied in the
literature over the last 25 years. These generators have the
attractive feature of provable pseudorandomness security assuming
the hardness of the RSA inversion problem. However, despite
extensive study, the most efficient provably secure RSA-based
generators output asymptotically only at most $O(\log n)$ bits per
multiply modulo an RSA modulus of bitlength $n$, and hence are too
slow to be used in many practical applications.

To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSA-based PRG, which shows that one can obtain an RSA-based PRG which outputs $\Omega(n)$ bits per multiply and has provable pseudorandomness security assuming the hardness of a well-studied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate $O(\log n)$ bits per multiply at the cost of a reasonable assumption on RSA inversion.

**Category / Keywords: **Pseudorandom generator, RSA, provable security, lattice attack

**Publication Info: **To appear at Asiacrypt 2006.

**Date: **received 20 Jun 2006, last revised 21 Sep 2006

**Contact author: **rons at ics mq edu au

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Note: **Several small corrections and additions have been made.

**Version: **20060921:085532 (All versions of this report)

**Short URL: **ia.cr/2006/206

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]