
KI194-Tilborg May 24, 2005 14:37


result and chaining variable of 256 bits (eight 32-bit words) is used and that there are only 64 steps. Eight 32-bit chaining variables h0, h1, h2, h3, h4, h5, h6, h7 are either initialized to the fixed values IV0 through IV3 and IV5 through IV8 for the first 512-bit message block or to the intermediate hash value for the following message blocks. Then the compression function works as follows:

    A ← h0, A′ ← h4
    B ← h1, B′ ← h5
    C ← h2, C′ ← h6
    D ← h3, D′ ← h7
    for i = 0 to 63 do
        T  ← (A  + f_i(B, C, D) + W_r(i) + K_i) ≪ s_i(r(i))
        T′ ← (A′ + f_{63−i}(B′, C′, D′) + W_r′(i) + K′_i) ≪ s_i(r′(i))
        A ← D, A′ ← D′
        D ← C, D′ ← C′
        C ← B, C′ ← B′
        B ← T, B′ ← T′
        if i = 15 then T ← A, A ← A′, A′ ← T
        else if i = 31 then T ← B, B ← B′, B′ ← T
        else if i = 47 then T ← C, C ← C′, C′ ← T
        else if i = 63 then T ← D, D ← D′, D′ ← T
    h0 ← h0 + A, h4 ← h4 + A′
    h1 ← h1 + B, h5 ← h5 + B′
    h2 ← h2 + C, h6 ← h6 + C′
    h3 ← h3 + D, h7 ← h7 + D′

where the ordering of message words r(i) and r′(i), the non-linear functions f_i, the shifts s_i, and the constants K_i and K′_i are defined as in RIPEMD-160, except that K′_i = 00000000x for 48 ≤ i ≤ 63.

RIPEMD: The original RIPEMD consists of essentially two parallel versions of MD4, with some improvements to the shifts and the order of the message words; the two parallel instances differ only in the round constants. At the end of the compression function, the words of left and right halves are added to each other and to the initial values of the chaining variable.

SECURITY CONSIDERATIONS: The RIPEMD Family has been designed to provide collision resistance. RIPEMD was developed in 1992 in the framework of the EC-RACE project RIPE [1]. In 1995, Dobbertin found collisions for reduced versions of RIPEMD [3]. Due to these partial attacks, RIPEMD was upgraded in 1996 by Dobbertin et al. to RIPEMD-128 (as plug-in substitute for RIPEMD) and RIPEMD-160 [2]. At the same time, the variants RIPEMD-256 and RIPEMD-320 were introduced as well. An additional reason for the introduction of RIPEMD-160 are brute force collision search attacks. In [4], van Oorschot and Wiener estimate that with a 10 million US$ machine collisions of MD5 can be found in 21 days in 1994, which corresponds to 4 hours in 2004. To counter such collision search attacks, hash values of at least 160 bits are required. RIPEMD-128 and RIPEMD-160 are included in ISO/IEC 10118-3 [5].

Antoon Bosselaers

References

[1] RIPE (1995). “Integrity primitives for secure information systems.” Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040), Lecture Notes in Computer Science, vol. 1007, eds. A. Bosselaers and B. Preneel. Springer-Verlag, Berlin.
[2] Dobbertin, H., A. Bosselaers, and B. Preneel (1996). “RIPEMD-160: A strengthened version of RIPEMD.” Fast Software Encryption, Lecture Notes in Computer Science, vol. 1039, ed. D. Gollmann. Springer-Verlag, Berlin, 71–82. Final version available at http://www.esat.kuleuven.ac.be/∼cosicart//AB-9601/. More information on all aspects of RIPEMD-xxx can be found at http://www.esat.kuleuven.ac.be/∼bosselae/ripemd160/
[3] Dobbertin, H. (1992). “RIPEMD with two-round compress function is not collisionfree.” Journal of Cryptology, 10 (1), 51–69.
[4] van Oorschot, P.C. and M. Wiener (1999). “Parallel collision search with cryptanalytic applications.” Journal of Cryptology, 12 (1), 1–28.
[5] ISO/IEC 10118-3 (2003). “Information technology—security techniques—hash-functions—Part 3: Dedicated hash-functions.”

RSA DIGITAL SIGNATURE SCHEME

In the basic formula for the RSA cryptosystem [30] (see also RSA Problem, RSA public-key encryption), a digital signature s is computed on a message m according to the equation (see )

    s = m^d mod n,    (1)

where (n, d) is the signer’s RSA private key. The signature is verified by recovering the message m with the signer’s RSA public key (n, e):

    m = s^e mod n.    (2)
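The basic formula of equations (1) and (2) on a toy key, as an added example that is not part of the encyclopedia entry. It also exhibits the properties of that formula which the entry discusses next (the fixed signatures of 0, 1 and n − 1, and the multiplicative property), and contrasts them with a message representative of the form TAG || Hash(M); the key, TAG and HASH_BITS are constructed for this illustration and do not follow any standard's format.

```python
import hashlib

# Constructed toy key (far too small for real use): p = 61, q = 53.
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17
D = pow(E, -1, PHI)        # 2753, since 17 * 2753 = 1 (mod 3120)


def sign_basic(m, d=D, n=N):
    """Equation (1): s = m^d mod n, with the message m signed directly."""
    return pow(m, d, n)


def verify_basic(m, s, e=E, n=N):
    """Equation (2): recover m as s^e mod n and compare with the claimed message."""
    return pow(s, e, n) == m % n


def trivial_signatures(n=N):
    """0, 1 and n-1 sign to themselves whatever the private key is (d is odd)."""
    return {m: sign_basic(m) for m in (0, 1, n - 1)}


def product_signature(m1, m2, n=N):
    """Multiplicative property: (m1^d)(m2^d) = (m1 m2)^d mod n, so two signatures
    combine into a valid signature on m1*m2 mod n without the private key."""
    return (sign_basic(m1) * sign_basic(m2)) % n


# A message representative instead of the raw message: TAG || Hash(M).
# TAG and HASH_BITS are constructed for this 12-bit modulus; every
# representative is then strictly below N (0xB00 + 0xFF = 3071 < 3233).
TAG = 0xB
HASH_BITS = 8


def representative(message):
    """The hash gives a large message space; the fixed tag gives checkable
    structure, keeps the representative space sparse and rules out 0 and 1."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % (1 << HASH_BITS)
    return (TAG << HASH_BITS) | h


def has_structure(m):
    return (m >> HASH_BITS) == TAG


def sign_hashed(message):
    return sign_basic(representative(message))


def verify_hashed(message, s):
    """Reject any s whose recovered representative lacks the tag, then compare.
    A product of two tagged representatives mod n is in general not tagged,
    which is how the structure blunts the multiplicative property."""
    m = pow(s, E, N)
    return has_structure(m) and m == representative(message)


def count_valid_representatives(n=N):
    """Sparse representative space, quantified: s -> s^e mod n permutes Z_n, so
    exactly as many signature values pass the structure check as there are
    tagged representatives (2^HASH_BITS = 256 of the 3233 values of s)."""
    return sum(1 for s in range(n) if has_structure(pow(s, E, n)))
```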

Though the meaning of the value m that is signed with this formula has changed over the years, the basic formula has remained the same since it was introduced in 1977. The purpose of this entry is to survey the main approaches based on that formula, each of which can be referred to as an RSA digital signature scheme (see also digital signature schemes for general definitions).

In the definition just given, the value m is itself the message. This is helpful for illustration, but introduces a few challenges:

1. The set of messages that can be signed with the basic formula is limited to the set of integers in the range [0, n − 1]. A larger value of m could be signed, but the value m mod n is all that would be protected.
2. Some messages are quite easy to sign: for instance, m = 0 always has the signature 0 regardless of the signer’s private key, and similarly for m = 1 and m = n − 1.
3. Every signature value s corresponds to some message m by Equation (2). It is easy therefore to construct valid message-signature pairs given only the signer’s public key by starting with the signature value s (though the messages so obtained might not be anything meaningful).
4. Finally, the signer’s willingness to provide signatures on some messages can be exploited by an opponent to obtain signatures on additional messages. As one example, if the opponent wants a signature on a message m but does not want the signer to see m, the opponent can instead ask to have the message m′ = m r^e mod n signed, where r is a random value. Let s′ be the signature on m′, and let s = s′ r^−1 mod n. Then s is the signature on m. Though this property has the benefit of enabling blind signatures, it also presents an avenue for attack. More generally, RSA signatures have a multiplicative property that can be an advantage or a disadvantage depending on the situation: given signatures on messages m1 and m2, it is straightforward to determine the signatures on any combination of products of the form m1^i m2^j.

Due to the various concerns just described, RSA digital signature schemes in practice are typically constructed so that the value m is not the message itself, but rather a message representative derived from the message. This approach employs four design principles that address the concerns just noted:

• Large message space: The set of messages that can be signed should be as large as possible. For this reason, the value m is typically derived in some way from the result of applying a hash function to the actual message to be signed.
• Nontrivial message representative: Message representatives such as 0 and 1 should be avoided, or should be very unlikely. In some schemes, this is accomplished by giving m a “random” appearance; in others, just by some padding.
• Sparse message representative space: Only a small fraction of values of m should be valid message representatives; this makes it unlikely that a random signature s will correspond to a valid m. For this reason, the value m generally has some structure that can be verified, and which is unlikely to occur at random. Alternatively, if many values of m are valid, then it should be difficult to find a message with a given message representative.
• Non-multiplicativity: Multiplicative relationships between signatures should be avoided. Randomness or padding, and structure, both help in this regard.

One of the earliest and simplest improvements over the basic formula is to define the message representative m as the hash of the message M being signed, m = Hash(M). This meets the first three design goals: messages of any length can be signed; hash values such as 0 and 1 are very unlikely; and, assuming the hash values are sufficiently shorter than the modulus n, only a small fraction of values of m will be valid hash values. However, multiplicative relationships are still a potential problem. In particular, if the hash output is significantly shorter than the modulus (e.g., 160 bits vs. 1024 bits with today’s parameter sizes), then it is possible to attack the signature scheme by methods from index calculus. Although the opponent cannot factor the modulus, the attacker can readily factor the much shorter hash values. From a sufficiently large set of signatures, the attacker can thereby solve for the signatures on all values m in a factor base by index calculus, and from those construct the signature on any message M for which Hash(M) is smooth with respect to that factor base (see smoothness). (This approach, observed in the design of the PKCS #1 specification [14] discussed below, is an extension of an early attack on the RSA cryptosystem by Desmedt and Odlyzko [7].)

On the other hand, if the hash value is as long as the modulus n, then factoring the hash value is as hard as factoring the modulus, so the attack just described is not a concern. This is the basis for the Full Domain Hash (FDH) scheme of Bellare and Rogaway [2]. In fact, FDH turns out to have an additional security benefit, which is that it is possible

in the random oracle model to obtain a proof that the signature scheme is as difficult to break as the RSA Problem is to solve. (Recall that the RSA Problem is to solve for x such that y = x^e mod n, given y, n and e, where the target value y is random.) It is instructive to explore that proof briefly, as it is a good example of the modern design of cryptographic schemes that has resulted from the insights of Bellare and Rogaway and other contemporary researchers.

In the proof, the attacker is assumed to have the ability to do the following:

• Obtain signatures from the actual signer on some number of chosen messages M.
• Evaluate the hash function on some number of chosen messages M.

The underlying hash function is modeled as a random oracle, meaning that the attacker’s probability of success is taken over a random choice of hash function. Accordingly, it is not enough that the attack works well for some hash function; rather, it must work well, on average, for any (theoretical) hash function. This is a strong assumption on the attack, but a reasonable starting point for analysis.

The attacker’s goal is to produce a new signature s′ on a new message M′, and to be able to do so in a reasonable amount of time with high probability. Suppose now that there is such an attacker, represented by an algorithm A. In the proof, this algorithm A is transformed to a second algorithm B that breaks the RSA Problem in a similar amount of time and probability. The “reduction” (see computational complexity) from B to A takes advantage of the fact that the hash function is a black box, so the attacker cannot look inside. Accordingly, it is possible to “simulate” both the signer and the hash function so that they appear to be actual ones to the algorithm A, but such that when algorithm A forges the signature, it will in fact be solving an instance of the RSA Problem.

The reduction employs a table that has a signature-hash entry for each message, and goes something like this:

1. When the attacker asks to obtain a signature on a message M, the simulated signer first looks in the table to see if there’s an entry for the message. If so, the signature part of that entry is returned. If not, see Step 3 below.
2. When the attacker asks to evaluate the hash function on a message M, the “simulated” hash function likewise first looks and returns the hash part of an entry, if there is one. If not, see Step 3 next.
3. In either case, if there isn’t an entry for the message, then a new one is created. First, a random signature s is generated. Second, a message representative m = s^e mod n is computed. Third, the pair (m, s) is entered in the table as the hash-signature pair for the message M. Finally, the hash or signature is returned according to the attacker’s request.

This simulation looks just like an actual signer and random hash function, because the hash value for a given message is random (since s is random), and the hash-signature pair for each message is internally consistent. Thus, an attacker will be just as successful when interacting with this simulation as in the actual environment. But notice that the simulation doesn’t need the actual signer’s private key. So the simulator, combined with the algorithm A, produces another algorithm B, also independent of the actual signer’s private key, which can then be applied to solve the RSA Problem.

In order to produce a forged signature on some message other than by accident, the attacker has to ask for the hash of the message. Otherwise, since the hash value is random, the probability that the signature will match is 1/n, i.e., essentially 0. Since this signature is a forgery and FDH is deterministic, though, the attacker can’t also ask for a signature on the same message. This means that there will be at least one message that the attacker asks to be hashed, but doesn’t ask to be signed.

The one extra message gives the simulator an opportunity to embed an instance of the RSA Problem into the hash value. This is done with a small change to Step 2 above. In particular, at one, randomly selected time during the interaction with the attacker, instead of constructing a new entry, the step returns, as the hash value on that message, the target value y for the RSA Problem to be solved. Now, if the attacker also asks for a signature on the same message, the simulation will fail. But if the attacker produces a new signature on that message (a forgery), then the signature will be the solution to the RSA Problem on y!

Algorithm B is thus able to solve the RSA Problem whenever algorithm A produces a forgery, provided that the hash value involved in the forgery is the one selected by the simulator (and Algorithm A uses the hash value, rather than guessing the signature). Suppose algorithm A succeeds with probability ε_A in time T_A, and asks for at most Q messages to be hashed. Then algorithm B succeeds with probability at least (ε_A − 1/n)/Q in time just slightly more than T_A. Conversely, this means that if there is no algorithm for solving the RSA Problem that succeeds with probability greater than ε_B in time T_B, then there is no

algorithm for forging signatures with probability greater than ε_B Q + 1/n in time T_B.

Since in practice an attacker can run a hash function a very large number of times, the ratio between the probabilities ε_A and ε_B may be quite large. Thus, the security proof itself may not imply as great a minimum difficulty as one might desire for forging FDH signatures, at least for typical parameter sizes. For instance, if one believes that the probability of breaking the RSA problem in a certain amount of time is at most 2^−80, and that an attacker can run the hash function 2^64 times, then the proof only shows that the probability of forgery is at most about 2^−16. This doesn’t mean that there’s an algorithm that is this successful; it just means that such an algorithm can’t be ruled out by the proof itself. Still, the line of reasoning is better than for “ad hoc” designs, where there is no clear connection between the difficulty of forgery and the RSA Problem.

The reason that the reduction for FDH is so “loose” (i.e., the ratio is so high) is that the simulator is able to embed the RSA Problem into only one hash value. Another scheme by the same authors, the Probabilistic Signature Scheme (PSS) [3], overcomes this limitation by introducing a random value (called a salt, which plays a role similar to ) into each signature operation. As a result, each signature is independent of previous hash operations, so each hash value can embed a separate instance of the RSA Problem.

In PSS, the probability of success for breaking the RSA Problem is about the same as the probability for forging signatures, which is the best security reduction one can achieve.

(Some improvement in the security reduction for FDH can be obtained by a better proof technique, as Coron has shown [4]. Coron also gives a very careful analysis of the effect of the size of the salt on the reduction in PSS.)

In addition to the tight security proof, PSS has a second advantage: It has a simple variant, called PSS-R, that provides message recovery. In PSS-R, part or all of the message can be carried in the message representative in addition to the hash value. This is a return to the goal of the original formula, but with stronger security properties.

For the long term, PSS and PSS-R may well prevail as the most common RSA signature schemes, and they are found in newer standards such as PKCS #1 v2.1 [15], ISO/IEC 9796-2 [12] and the forthcoming IEEE P1363a [10]. However, in the short term, other signature schemes are better established. The most common today in practice is the PKCS #1 v1.5 scheme, introduced in 1991 in the first set of Public-Key Cryptography Standards from RSA Laboratories [14]. The scheme has an ad hoc design where the message representative is constructed from a hash value with simple padding. On the one hand, no practical attack has been developed on this scheme, though some specially constructed cases have been shown to have weaknesses (see [6]). On the other hand, no security proof is available either, and it seems unlikely that one would be developed. Thus, like primitives from symmetric cryptography, the security of the scheme depends on resistance against specific attacks rather than a security reduction from a hard problem.

Another scheme today, found more in standards documents than in practice, is the scheme in ANSI X9.31 [1], which is also in ISO/IEC 14888-3 [13]. (A variant with message recovery is in ISO/IEC 9796-2 [12].) This scheme also has an ad hoc design with similar security properties to PKCS #1 v1.5.

An early scheme with message recovery can be found in ISO/IEC 9796-1 [11]. The scheme is particularly attractive for implementation since no hash function is involved. However, the scheme has turned out to be vulnerable to attack in some cases, as shown by Grieu [9] and in drafts circulated by Coppersmith, Halevi and Jutla. The standard has since been withdrawn. (Not all implementations of the standard are affected by the attacks; in particular, implementations where the message being signed and “recovered” is itself a hash value are not affected.)

Some of the RSA signature schemes mentioned also have variants based on the Rabin cryptosystem; this is true of the schemes in ANSI X9.31 and the various ISO/IEC documents, as well as PSS and PSS-R, though not the PKCS #1 v1.5 scheme. The variants based on the Rabin cryptosystem have the advantage that they allow the public exponent e = 2, so that signature verification is very efficient; but on the other hand some extra steps are required due to the fact that not every message representative m may have a square root modulo n. (See Rabin digital signature scheme for further discussion.)

A complementary approach to the schemes just described, which is primarily of research interest so far, is to derive the public exponent e itself from the message, where the value m is fixed within the public key. The advantage of this approach, described by Gennaro et al. [8], is that it is possible to obtain a tight security proof in the standard model, where the hash function is only assumed to have a certain “division-intractability” property; it does not need to be modeled as a random oracle. The difficulty of forging a signature can be shown to be closely related to the Strong RSA Assumption

(see again RSA Problem). (Note though that the initial analysis needed some improvements [5].) A related approach is presented by Vanstone and Qu [17]; in their approach, both e and m may be derived from the message.

Burt Kaliski

References

[1] American National Standard X9.31-1998. Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA).
[2] Bellare, Mihir and Phillip Rogaway (1993). “Random oracles are practical. A paradigm for designing efficient protocols.” Proceedings of 1st ACM Conference on Computer and Communications Security. ACM Press, 62–73.
[3] Bellare, Mihir and Phillip Rogaway (1996). “The exact security of digital signatures—how to sign with RSA and Rabin.” Advances in Cryptology—EUROCRYPT’96, Lecture Notes in Computer Science, vol. 1070, ed. U. Maurer. Springer, Berlin, 399–416.
[4] Coron, Jean-Sébastien (2002). “Optimal security proofs for PSS and other signature schemes.” Advances in Cryptology—EUROCRYPT 2002, Lecture Notes in Computer Science, vol. 2332, ed. L.R. Knudsen. Springer, Berlin, 272–287.
[5] Coron, Jean-Sébastien and David Naccache (2000). “Security analysis of the Gennaro–Halevi–Rabin signature scheme.” Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer, Berlin, 91–101.
[6] Coron, Jean-Sébastien, David Naccache, and Julien P. Stern (1999). “On the security of RSA padding.” Advances in Cryptology—CRYPTO’99, Lecture Notes in Computer Science, vol. 1666, ed. M. Wiener. Springer, Berlin, 1–18.
[7] Desmedt, Yvo and Andrew M. Odlyzko (1986). “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes.” Advances in Cryptology—CRYPTO’85, Lecture Notes in Computer Science, vol. 218, ed. H.C. Williams. Springer, Berlin, 516–522.
[8] Gennaro, Rosario, Shai Halevi and Tal Rabin (1999). “Secure hash-and-sign signatures without the random oracle.” Advances in Cryptology—EUROCRYPT’99, Lecture Notes in Computer Science, vol. 1592, ed. J. Stern. Springer, Berlin, 123–139.
[9] Grieu, François (2000). “A chosen messages attack on the ISO/IEC 9796-1 signature scheme.” Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer, Berlin, 70–80.
[10] IEEE P1363a Draft D12 (2003). Standard Specifications for Public Key Cryptography: Amendment 1—Additional Techniques. IEEE P1363 Working Group.
[11] ISO/IEC 9796-1:1999 (withdrawn). Information Technology—Security Techniques—Digital Signatures Giving Message Recovery—Part 1: Mechanisms Using Redundancy.
[12] ISO/IEC 9796-2:2002. Information Technology—Security Techniques—Digital Signatures Giving Message Recovery—Part 2: Integer Based Mechanisms.
[13] ISO/IEC 14888-3:1998. Information Technology—Security Techniques—Digital Signatures with Appendix—Part 3: Certificate-Based Mechanisms.
[14] PKCS #1 v1.5 (1993). RSA Encryption Standard. RSA Laboratories.
[15] PKCS #1 v2.1 (2002). RSA Cryptography Standard. RSA Laboratories.
[16] Rivest, Ronald L., Adi Shamir, and Leonard M. Adleman (1978). “A method for obtaining digital signatures and public-key cryptosystems.” Communications of the ACM, 21 (2), 120–126.
[17] Vanstone, Scott A. and Minghua Qu. Digital Signature Protocol with Reduced Bandwidth. U.S. Patent No. 6,097,813, August 1, 2000 (Filed May 15, 1997).

RSA FACTORING CHALLENGE

Starting in 1991, RSA Data Security offered a set of “challenges” intended to measure the difficulty of integer factoring. The challenges consisted of a list of 41 RSA Numbers, each the product of two primes of approximately equal length, and another, larger list of Partition Numbers generated according to a recurrence.

The first five of the RSA Numbers, ranging from 100 to 140 decimal digits (330–463 bits), were factored successfully by 1999 (see [2] for details on the largest of these). An additional 512-bit (155-digit) challenge number was later added in view of the popularity of that size in practice; it was also factored in 1999 [3].

In addition to the formal challenge numbers, an old challenge number first published in August 1977, renamed ‘RSA-129’, was factored in 1994 [1]. The Quadratic Sieve was employed for the numbers up to RSA-129, and the Number Field Sieve for the rest. The work factor in MIPS-years, summarized in Table 1, was roughly in line with expectations for these methods as techniques steadily improved. It is noteworthy that the effort for RSA-130, taking advantage of the Number Field Sieve, was less than that for RSA-129.

Cash prizes of more than US $50,000 have been awarded to the winners over the duration of the contest.

Table 1. Results of the RSA factoring challenge (QS = quadratic sieve; NFS = number field sieve); adapted from [4]

    Number    Bits   Year   Method   MIPS-Years
    RSA-100   330    1991   QS       7
    RSA-110   364    1992   QS       75
    RSA-120   397    1993   QS       830
    RSA-129   426    1994   QS       5000
    RSA-130   430    1996   NFS      1000
    RSA-140   463    1999   NFS      2000
    RSA-155   512    1999   NFS      8000
    RSA-160   530    2003   NFS      Not given
    RSA-576   576    2003   NFS      Not given

The current RSA Factoring Challenge has numbers from 576 to 2048 bits. As of this writing only the first challenge number, RSA-576, has been factored. (The numbers in the current challenge are designated by their length in bits rather than decimal digits.) See http://www.rsasecurity.com/rsalabs/challenges/ for more information.

Burt Kaliski

References

[1] Atkins, D., M. Graff, A.K. Lenstra, and P.C. Leyland (1995). “The magic words are SQUEAMISH OSSIFRAGE.” Advances in Cryptology—ASIACRYPT’94, Lecture Notes in Computer Science, vol. 917, eds. J. Pieprzyk and R. Safavi-Naini. Springer, Berlin, 263–277.
[2] Cavallar, Stefania, Bruce Dodson, Arjen Lenstra, Paul Leyland, Walter Lioen, Peter L. Montgomery, Brian Murphy, Herman te Riele, and Paul Zimmermann (1999). “Factorization of RSA-140 using the number field sieve.” Advances in Cryptology—ASIACRYPT’99, Lecture Notes in Computer Science, vol. 1716, eds. K.Y. Lam, E. Okamoto, and C. Xing. Springer, Berlin, 195–207.
[3] Cavallar, Stefania, Bruce Dodson, Arjen Lenstra, Paul Leyland, Walter Lioen, Peter L. Montgomery, Brian Murphy, Herman te Riele, et al. (2000). “Factorization of a 512-bit RSA modulus.” Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer, Berlin, 1–18.
[4] Contini, Scott (1999). “The Factorization of RSA-140.” RSA Laboratories’ Bulletin 10. March 8, 1999. Available from http://www.rsasecurity.com/rsalabs/bulletins/

RSA PROBLEM

INTRODUCTION: In RSA public-key encryption [30], Alice encrypts a plaintext M for Bob using Bob’s public key (n, e) by computing the ciphertext

    C = M^e (mod n),    (1)

where n, the modulus, is the product of two or more large primes, and e, the public exponent, is an (odd) integer e ≥ 3 that is relatively prime to φ(n), the order of the multiplicative group Z*_n. (See also Euler’s totient function, modular arithmetic for background on these concepts.)

Bob, who knows the corresponding RSA private key (n, d), can easily decrypt, since de = 1 (mod φ(n)) implies that

    M = C^d (mod n).    (2)

An adversary may learn C by eavesdropping, and may very well also know Bob’s public key; nonetheless such an adversary should not be able to compute the corresponding M.

One may formalize the task faced by this adversary as the RSA Problem:

The RSA Problem: Given an RSA public key (n, e) and a ciphertext C = M^e (mod n), to compute M.

To solve the RSA Problem an adversary, who doesn’t know the private key, must nonetheless invert the RSA function. The RSA Assumption is that the RSA Problem is hard to solve when the modulus n is sufficiently large and randomly generated, and the plaintext M (and hence the ciphertext C) is a random integer between 0 and n − 1. The assumption is the same as saying that the RSA function is a trapdoor one-way function (the private key is the trapdoor).

The randomness of the plaintext M over the range [0, n − 1] is important in the assumption. If M is known to be from a small space, for instance, then an adversary can solve for M by trying all possible values for M.

The RSA Problem is the basis for the security of RSA public-key encryption as well as RSA digital signature schemes. See also surveys by Boneh [10] and Katzenbeisser [24].

RELATIONSHIP TO INTEGER FACTORING: The RSA Problem is clearly no harder than integer factoring, since an adversary who can factor the modulus n can compute the private key (n, d) from the public key (n, e). However, it is not clear whether the converse is true, that is, whether an algorithm for integer factoring can be efficiently constructed from an algorithm for solving the RSA Problem. Boneh and Venkatesan [9] have given evidence that such a construction is unlikely when the
Springer, Berlin, 263–277. is the same as saying that the RSA function is a [2] Cavallar, Stefania, Bruce Dodson, , trapdoor one-way function (the private key is the Paul Leyland, Walter Lioen, Peter L. Montgomery, trapdoor). Brian Murphy, Herman te Riele, and Paul Zim- The randomness of the plaintext M over the mermann (1999). “Factorization of RSA-140 using range [0, n − 1] is important in the assumption. If the number field sieve.” Advances in Cryptology— M is known to be from a small space, for instance, ASIACRYPT’99, Lecture Notes in Computer Sci- then an adversary can solve for M by trying all ence, vol. 1716, eds. K.Y. Lam, E. Okamoto, and C. possible values for M. Xing. Springer, Berlin, 195–207. [3] Cavallar, Stefania, Bruce Dodson, Arjen Lenstra, The RSA Problem is the basis for the secu- Paul Leyland, Walter Lioen, Peter L. Montgomery, rity of RSA public-key encryption as well as Brian Murphy, Herman te Riele, et al. (2000). “Fac- RSA digital signature schemes. torization of a 512-bit RSA modulus.” Advances See also surveys by Boneh [10] and Katzen- in Cryptology—EUROCRYPT 2000, Lecture Notes beisser [24]. in Computer Science, vol. 1807, ed. B. Preneel. Springer, Berlin, 1–18. RELATIONSHIP TO INTEGER FACTORING: [4] Contini, Scott (1999). “The Factorization of RSA- The RSA Problem is clearly no harder than 140.” RSA Laboratories’ Bulletin 10. March 8, integer factoring, since an adversary who can fac- 1999. Available from http://www.rsasecurity.com/ tor the modulus n can compute the private key rsalabs/bulletins/ (n, d) from the public key (n, e). However, it is not clear whether the converse is true, that is, whether an algorithm for integer RSA PROBLEM factoring can be efficiently constructed from an al- gorithm for solving the RSA Problem. INTRODUCTION: In RSA public-key encryption Boneh and Venkatesan [9] have given evidence [30], Alice encrypts a plaintext M for Bob using that such a construction is unlikely when the