Journal of Cryptology

, Volume 29, Issue 1, pp 220–241 | Cite as

Breaking RSA May Be As Difficult As Factoring

  • Daniel R. L. Brown


If factoring is hard, this paper shows that straight line programs cannot efficiently solve the low public exponent RSA problem. More precisely, no efficient algorithm can take an RSA public key as input and then output a straight line program that efficiently solves the low public exponent RSA problem for the given public key—unless factoring is easy.


RSA Factoring Straight line programs 



Steven Galbraith pointed out a major mistake in a previous paper of the author. The author’s efforts to correct this mistake ultimately led to this paper. Alfred Menezes provided extensive comments on the presentation of this paper.(One of which led to the correction: the condition that \(g(X)\) should be square-free, which can be used to factor if it fails.) Adrian Antipa, Rob Lambert, Scott Vanstone, Rene Struik and John Goyo also provided comments. Andy Rupp provided several comments. Anonymous reviewers provided valuable comments.


  1. 1.
    D. Aggarwal, U. Maurer, Breaking RSA generically is equivalent to factoring, in A. Joux, editor, Advances in Cryptology—EUROCRYPT 2009, Number 5479 in LNCS (IACR, Springer, Berlin, 2009), pp. 36–53.Google Scholar
  2. 2.
    D. Boneh, Twenty years of attacks on the RSA cryptosystem. Not. Am. Math. Soc. 46(2), 203–213 (1999).
  3. 3.
    D. Boneh, R. Venkatesan, Breaking RSA may be easier than factoring, in Nyberg [10], pp. 59–71.
  4. 4.
    J.-S. Coron, A. May, Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. J. Cryptol. 20(1), 39–50 (2007)Google Scholar
  5. 5.
    I. Damgård, M. Koprowski, Generic lower bounds for root extraction and signature schemes in general groups, in L. Knudsen, editor, Advances in Cryptology—EUROCRYPT 2002, Number 2332 in LNCS (IACR, Springer, Berlin), pp. 256–271Google Scholar
  6. 6.
    J. M. de Laurentis, A further weakness in the common modulus protocol for the RSA cryptoalgorithm. Cryptologia 8, 253–259 (1984)Google Scholar
  7. 7.
    G. Leander, A. Rupp, On the equivalence of RSA and factoring regarding generic ring algorithms, in X. Lai, K. Chen, editors, Advances in Cryptology—ASIACRYPT 2006, Number 4284 in LNCS (IACR, Springer, Berlin, 2006), pp. 241–251Google Scholar
  8. 8.
    A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography. (CRC Press, Boca Raton, FL, 1997)Google Scholar
  9. 9.
    G.L. Miller, Riemann’s hypothesis and test for primality. J. Comput. Syst. Sci. 13(3), 300–317 (1976)Google Scholar
  10. 10.
    K. Nyberg, editor, Advances in Cryptology—EUROCRYPT ’98, Number 1403 in LNCS. (IACR, Springer, Berlin, 1998)Google Scholar
  11. 11.
    T. Okamoto, S. Uchiyama, Security of an identity-based cryptosystem and the related reductions, in Nyberg [10], pp. 546–560Google Scholar
  12. 12.
    M.O. Rabin, Digitalized Signatures and Public-Key Functions as Intractable as Factorization. LCS/TR 212 (MIT, 1979).Google Scholar
  13. 13.
    R.L. Rivest, B. Kaliski, Encyclopedia of Cryptography and Security, Chapter RSA Problem. (Kluwer, Dordrecht, 2002). To appear.
  14. 14.
    R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. 1.Certicom ResearchMississaugaCanada

Personalised recommendations