On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

  • Ron Steinfeld
  • Josef Pieprzyk
  • Huaxiong Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)


Pseudorandom Generators (PRGs) based on the RSA inversion (one-wayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSA-based generators output asymptotically only at most O(logn) bits per multiply modulo an RSA modulus of bitlength n, and hence are too slow to be used in many practical applications.

To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSA-based PRG, which shows that one can obtain an RSA-based PRG which outputs Ω(n) bits per multiply and has provable pseudorandomness security assuming the hardness of a well-studied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate O(logn) bits per multiply at the cost of a reasonable assumption on RSA inversion.


Pseudorandom generator RSA provable security lattice attack 


  1. 1.
    Alexi, W., Chor, B., Goldreich, O., Schnorr, C.P.: RSA and Rabin Functions: Certain Parts Are as Hard as the Whole. SIAM Journal on Computing 17(2), 194–209 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Ben-Or, M., Chor, B., Shamir, A.: On the Cryptographic Security of Single RSA Bits. In: Proc. 15-th STOC, pp. 421–430. ACM Press, New York (1983)Google Scholar
  3. 3.
    Berbain, C., Gilbert, H., Patarin, J.: QUAD: a Practical Stream Cipher with Provable Security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Reconstructing Noisy Polynomial Evaluation in Residue Rings. Journal of Algorithms (to appear)Google Scholar
  5. 5.
    Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting Nonlinear Pseudorandom Number Generators. Mathematics of Computation 74, 1471–1494 (2004)CrossRefMathSciNetGoogle Scholar
  6. 6.
    Blum, L., Blum, M., Shub, M.: A Simple Unpredictable Pseudo-Random Number Generator. SIAM Journal on Computing 15, 364–383 (1986)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Blum, M., Micali, S.: How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM Journal on Computing 13, 850–864 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Trans. on Info. Theory 46(4), 1339–1349 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Boneh, D., Halevi, S., Howgrave-Graham, N.A.: The Modular Inversion Hidden Number Problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.: Paillier’s Cryptosystem Revisited. In: Proc. CCS 2001, November 2001, ACM, New York (2001)Google Scholar
  11. 11.
    Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. of Cryptology 10, 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Coppersmith, D.: Finding Small Solutions to Low Degree Polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 20–31. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Dai, W.: Crypto++ 5.2.1 Benchmarks (2006),
  14. 14.
    Fischlin, R., Schnorr, C.P.: Stronger Security Proofs for RSA and Rabin Bits. Journal of Cryptology 13, 221–244 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Gennaro, R.: An Improved Pseudo-Random Generator Based on the Discrete-Logarithm Problem. Journal of Cryptology 18, 91–110 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Goldreich, O.: Foundations of Cryptography, vol. I. Cambridge University Press, Cambridge (2003)Google Scholar
  17. 17.
    Goldreich, O., Rosen, V.: On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators. J. of Cryptology 16, 71–93 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Goldwasser, S., Micali, S.: Probabilistic Encryption. J. of Computer and System Sciences 28(2), 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Goldwasser, S., Micali, S., Tong, P.: Why and How to Establish a Private Code on a Public Network. In: Proc. FOCS 1982, pp. 134–144. IEEE Computer Society Press, Los Alamitos (1982)Google Scholar
  20. 20.
    Howgrave-Graham, N.: Finding Small Roots of Univariate Polynomials Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  21. 21.
    Impagliazzo, R., Naor, M.: Efficient Cryptographic Schemes Provably as Secure as Subset Sum. Journal of Cryptology 9, 199–216 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  22. 22.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261, 515–534 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Lenstra, A.K., Verheul, E.R.: Selecting Cryptographic Key Sizes. J. of Cryptology 14, 255–293 (2001)zbMATHMathSciNetGoogle Scholar
  24. 24.
    Micali, S., Schnorr, C.P.: Efficient, Perfect Polynomial Random Number Generators. J. of Cryptology 3, 157–172 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptology 15, 151–176 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Nguyen, P.Q., Stern, J.: The Two Faces of Lattices in Cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  27. 27.
    Patel, S., Sundaram, G.: An Efficient Discrete Log Pseudo Random Generator. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 304–317. Springer, Heidelberg (1998)Google Scholar
  28. 28.
    Sidorenko, A., Schoenmakers, B.: Concrete Security of the Blum-Blum-Shub Pseudorandom Generator. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 355–375. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. 29.
    Steinfeld, R., Pieprzyk, J., Wang, H.: On the Provable Security of an Efficient RSA-Based Pseudorandom Generator. Cryptology ePrint Archive, Report 2006/206 (2006),
  30. 30.
    Vazirani, U.V., Vazirani, V.V.: Efficient and Secure Pseudo-Random Number Generation. In: Proc. FOCS 1984, pp. 458–463. IEEE Computer Society Press, Los Alamitos (1982)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ron Steinfeld
    • 1
  • Josef Pieprzyk
    • 1
  • Huaxiong Wang
    • 1
  1. 1.Centre for Advanced Computing – Algorithms and Cryptography (ACAC), Dept. of ComputingMacquarie UniversityNorth RydeAustralia

Personalised recommendations