Encyclopedia of Cryptography and Security

2005 Edition | Editors: Henk C. A. van Tilborg

RSA Problem

  • Ronald L. Rivest
  • Burt Kaliski
Reference work entry
DOI: https://doi.org/10.1007/0-387-23483-7_363


In RSA public-key encryption [30], Alice encrypts a plaintext M for Bob using Bob's public key (n, e) by computing the ciphertext
$$ C = M^{e} \pmod{n}, $$


  1. [1] Alexi, W.B., B. Chor, O. Goldreich, and C.P. Schnorr (1984). “RSA/Rabin bits are 1/2 + 1/poly(log(N)) secure.” Proceedings of FOCS'84, Singer Island, IEEE, 449–457.
  2. [2] Alexi, W.B., B. Chor, O. Goldreich, and C.P. Schnorr (1988). “RSA and Rabin functions: Certain parts are as hard as the whole.” SIAM Journal of Computing, 17 (2), 194–209.
  3. [3] Barić, Niko and Birgit Pfitzmann (1997). “Collision-free accumulators and fail-stop signature schemes without trees.” Advances in Cryptology—EUROCRYPT'97, Lecture Notes in Computer Science, vol. 1233, ed. W. Fumy. Springer-Verlag, Berlin, 480–494.
  4. [4] Bellare, M., A. Desai, D. Pointcheval, and P. Rogaway (1998). “Relations among notions of security for public-key encryption.” Advances in Cryptology—CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, ed. H. Krawczyk. Springer-Verlag, Berlin, 26–45.
  5. [5] Bellare, Mihir and Phillip Rogaway (1996). “Optimal asymmetric encryption—how to encrypt with RSA.” Advances in Cryptology—EUROCRYPT'94, Lecture Notes in Computer Science, vol. 950, ed. A. DeSantis. Springer-Verlag, Berlin, 92–111.
  6. [6] Bellare, Mihir and Phillip Rogaway (1996). “The exact security of digital signatures—how to sign with RSA and Rabin.” Advances in Cryptology—EUROCRYPT'96, Lecture Notes in Computer Science, vol. 1070, ed. U. Maurer. Springer-Verlag, Berlin, 399–416.
  7. [7] Bleichenbacher, D. (1988). “Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1.” Advances in Cryptology—CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, ed. H. Krawczyk. Springer, Berlin, 1–12.
  8. [8] Boneh, D. and G. Durfee (2000). “Cryptanalysis of RSA with private key d less than N^{0.292}.” IEEE Transactions on Information Theory, 46 (4), 1339–1349.
  9. [9] Boneh, D. and R. Venkatesan (1988). “Breaking RSA may not be equivalent to factoring.” Advances in Cryptology—EUROCRYPT'98, Lecture Notes in Computer Science, vol. 1403, ed. K. Nyberg. Springer, Berlin, 59–71.
  10. [10] Boneh, Dan (1999). “Twenty years of attacks on the RSA cryptosystem.” Notices of the AMS, 46 (2), 203–213.
  11. [11] Chor, Benny and Oded Goldreich (1985). “RSA/Rabin least significant bits are 1/2 + 1/poly(log n) secure.” Advances in Cryptology—CRYPTO'84, Lecture Notes in Computer Science, vol. 196, eds. G.R. Blakley and D.C. Chaum. Springer, Berlin, 303–313.
  12. [12] Coppersmith, D., M. Franklin, J. Patarin, and M. Reiter (1996). “Low-exponent RSA with related messages.” Advances in Cryptography—EUROCRYPT'96, Lecture Notes in Computer Science, vol. 1070, ed. V. Maurer. Springer-Verlag, Berlin, 1–9.
  13. [13] Cramer, Ronald and Victor Shoup (2000). “Signature schemes based on the strong RSA assumption.” ACM Transactions on Information and System Security, 3 (3), 161–185.
  14. [14] Davida, G. (1982). “Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem.” Technical Report TR-CS-82-2, Department of EECS, University of Wisconsin, Milwaukee.
  15. [15] DeLaurentis, J.M. (1984). “A further weakness in the common modulus protocol for the RSA cryptoalgorithm.” Cryptologia, 8, 253–259.
  16. [16] Desmedt, Y. and A. M. Odlyzko (1986). “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes.” Advances in Cryptology—CRYPTO'85, Lecture Notes in Computer Science, vol. 218, ed. H.C. Williams. Springer, Berlin, 516–522.
  17. [17] Fischlin, Roger and Claus-Peter Schnorr (2000). “Stronger security proofs for RSA and Rabin bits.” Journal of Cryptology, 13 (2), 221–244.
  18. [18] Fujisaki, Eiichiro and Tatsuaki Okamoto (1997). “Statistical zero knowledge protocols to prove modular polynomial relations.” Advances in Cryptology—CRYPTO'97, Lecture Notes in Computer Science, vol. 1294, ed. Burton S. Kaliski Jr. Springer-Verlag, Berlin, 16–30.
  19. [19] Fujisaki, Eiichiro, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern (2004). “RSA-OAEP is secure under the RSA assumption.” Journal of Cryptology, 17 (2), 81–104.
  20. [20] Gennaro, Rosario, Shai Halevi, and Tal Rabin (1999). “Secure hash-and-sign signatures without the random oracle.” Advances in Cryptography—EUROCRYPT'99, Lecture Notes in Computer Science, vol. 1592, ed. J. Stern. Springer-Verlag, Berlin, 123–139.
  21. [21] Goldwasser, S., S. Micali, and P. Tong (1982). “Why and how to establish a private code on a public network.” Proc. FOCS'82, IEEE, Chicago, 134–144.
  22. [22] Håstad, J. (1988). “Solving simultaneous modular equations of low degree.” SIAM Journal of Computing, 17, 336–341.
  23. [23] Håstad, Johan and Mats Näslund (1998). “The security of individual RSA bits.” IEEE Symposium on Foundations of Computer Science, 510–521.
  24. [24] Katzenbeisser, Stefan (2001). Recent Advances in RSA Cryptography. Kluwer Academic Publishers.
  25. [25] Lenstra, A.K., H.W. Lenstra, Jr., and L. Lovász (1982). “Factoring polynomials with rational coefficients.” Mathematische Ann., 261, 513–534.
  26. [26] Manger, J. (2001). “A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1 v2.0.” Advances in Cryptology—CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, ed. J. Kilian. Springer, Berlin, 260–274.
  27. [27] Miller, Gary L. (1976). “Riemann's hypothesis and tests for primality.” Journal of Computer and Systems Sciences, 13 (3), 300–317.
  28. [28] Motwani, Rajeev and Prabhakar Raghavan (1995). Randomized Algorithms. Cambridge University Press, Cambridge.
  29. [29] Okamoto, T. and D. Pointcheval (2001). “REACT: Rapid enhanced-security asymmetric cryptosystem transform.” Proceedings Cryptographers' Track RSA Conference (CT-RSA) 2001, Lecture Notes in Computer Science, vol. 2020, ed. D. Naccache. Springer, Berlin, 159–175.
  30. [30] Rivest, Ronald L., Adi Shamir, and Leonard M. Adleman (1978). “A method for obtaining digital signatures and public-key cryptosystems.” Communications of the ACM, 21 (2), 120–126.
  31. [31] Shoup, V. (2001). A Proposal for an ISO Standard for Public Key Encryption (Version 2.1). Manuscript, December 20. Available from http://shoup.net/papers/
  32. [32] Vazirani, Umesh and Vijay Vazirani (1984). “RSA bits are .732 + ɛ secure.” Proceedings CRYPTO'83, ed. D. Chaum. Plenum Press, New York, 369–375.
  33. [33] Wiener, M. (1990). “Cryptanalysis of short RSA secret exponents.” IEEE Transactions on Information Theory, 36 (3), 553–558.

Copyright information

© International Federation for Information Processing 2005
