Introduction
In RSA public-key encryption [30], Alice encrypts a plaintext M for Bob using Bob's public key (n, e) by computing the ciphertext
where n, the modulus, is the product of two or more large primes, and e, the public exponent, is an (odd) integer \(e \ge 3\) that is relatively prime to \(\phi(n)\), the order of the multiplicative group \({\bf Z} _n^\ast\). (See also Euler's totient function, modular arithmetic for background on these concepts.) Bob, who knows the corresponding RSA private key \((n,d)\), can easily decrypt, since \(de=1\pmod{\phi(n)}\) implies that
An adversary may learn C by eavesdropping, and may very well also know Bob's public key; nonetheless such an adversary should not be able to compute the corresponding plaintext M.
One may formalize the task faced by this adversary as the RSA Problem: The RSA Problem: Given an RSA public key (n, e) and a ciphertext \(C = M^e\!\!\pmod{n}\),...
This is a preview of subscription content, log in via an institution.
References
Alexi, W.B., B. Chor, O. Goldreich, and C.P. Schnorr (1984). “RSA/Rabin bits are 1/2 + 1/poly(log(N)) secure.” Proceedings of FOCS'84, Singer Island, IEEE, 449–457.
Alexi, W.B., B. Chor, O. Goldreich, and C.P. Schnorr (1988). “RSA and Rabin functions: Certain parts are as hard as the whole.” SIAM Journal of Computing, 17 (2), 194–209.
Barić, Niko and Birgit Pfitzmann (1997). “Collision-free accumulators and fail-stop signature schemes without trees.” Advances in Cryptology—EUROCRYPT'97, Lecture Notes in Computer Science, vol. 1233, ed. W. Fumy. Springer-Verlag, Berlin, 480–494.
Bellare, M., A. Desai, D. Pointcheval, and P. Rogaway (1998). “Relations among notions of security for public-key encryption.” Advances in Cryptology—CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, ed. H. Krawczyk. Springer-Verlag, Berlin, 26–45.
Bellare, Mihir and Phillip Rogaway (1996). “Optimal asymmetric encryption—how to encrypt with RSA.” Advances in Cryptology—EUROCRYPT'94, Lecture Notes in Computer Science, vol. 950, ed. A. DeSantis. Springer-Verlag, Berlin, 92–111.
Bellare, Mihir and Phillip Rogaway (1996). “The exact security of digital signatures—how to sign with RSA and Rabin.” Advances in Cryptology—EUROCRYPT'96, Lecture Notes in Computer Science, vol. 1070, ed. U. Maurer. Springer-Verlag, Berlin, 399–416.
Bleichenbacher. D. (1988). “Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1.” Advances in Cryptology—CRYPTO'98, Lecture Notes in Computer Science, vol. 1462, ed. H. Krawczyk. Springer, Berlin, 1–12.
Boneh, D. and G. Durfee (2000). “Cryptanalysis of RSA with private key d less than N 0.292.” IEEE Transactions on Information Theory, 46 (4), 1339–1349.
Boneh, D. and R. Venkatesan (1988). “Breaking RSA may not be equivalent to factoring.” Advances in Cryptology—EUROCRYPT'98, Lecture Notes in Computer Science, vol. 1403, ed. K. Nyberg. Springer, Berlin, 59–71.
Boneh, Dan (1999). “Twenty years of attacks on the RSA cryptosystem.” Notices of the AMS, 46 (2), 203–213.
Benny, Chor and Oded Goldreich (1985). “RSA/Rabin least significant bits are 1/2 + 1/poly(log n) secure.” Advances in Cryptology—CRYPTO'84, Lecture Notes in Computer Science, vol. 196. eds. G.R. Blakley and D.C. Chaum. Springer, Berlin, 303–313.
Coppersmith, D., M. Franklin, J. Patarin, and M. Reiter (1996). “Low-exponent RSA with related messages.” Advances in Cryptography—EUROCRYPT'96, Lecture Notes in Computer Science, vol. 1070, ed. V. Maurer. Springer-Verlag. Berlin, 1–9.
Cramer, Ronald and Victor Shoup (2000). “Signature schemes based on the strong RSA assumption.” ACM Transactions on Information and System Security, 3 (3), 161–185.
Davida, G. (1982). “Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem.” Technical Report Tech Report TR-CS-82-2, Deptartment of EECS, University of Wisconsin, Milwaukee.
DeLaurentis, J.M. (1984). “A further weakness in the common modulus protocol for the RSA cryptoalgorithm.” Cryptologia, 8, 253–259.
Desmedt, Y. and A. M. Odlyzko (1986). “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes.” Advances in Cryptology—CRYPTO'85, Lecture Notes in Computer Science, vol. 218, ed. H.C. Williams. Springer, Berlin, 516–522.
Fischlin, Roger and Claus-Peter Schnorr (2000). “Stronger security proofs for RSA and Rabin bits.” Journal of Cryptology, 13 (2), 221–244.
Fujisaki, Eiichiro and Tatsuaki Okamoto (1997). “Statistical zero knowledge protocols to prove modular polynomial relations.” Advances in Cryptology—CRYPTO'97, Lecture Notes in Computer Science, vol. 1294, ed. Burton S. Kaliski Jr. Springer-Verlag, Berlin, 16–30.
Fujisaki, Eiichiro, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern (2004). “RSA-OAEP is secure under the RSA assumption.” Journal of Cryptology, 17 (2), 81–104.
Gennaro, Rosario, Shai Halevi, and Tal Rabin. (1999). “Secure hash-and-sign signatures without the random oracle.” Advances in Cryptography—EUROCRYPT'99, Lecture Notes in Computer Science, vol. 1592, ed. J. Stern. Springer-Verlag, Berlin, 123–139.
Goldwasser, S., S. Micali, and P. Tong (1982). “Why and how to establish a private code on a public network.” Proc. FOCS'82, IEEE. Chicago, 134–144.
Håstad, J. (1988). “Solving simultaneous modular equations of low degree.” SIAM Journal of Computing, 17, 336–341.
Johan Håstad and Mats Näslund (1998). “The security of individual RSA bits.” IEEE Symposium on Foundations of Computer Science, 510–521.
Stefan Katzenbeisser (2001). Recent Advances in RSA Cryptography. Kluwer Academic Publishers.
Lenstra, A.K., H.W. Lenstra, Jr., and L. Lovász (1982). “Factoring polynomials with rational coefficients.” Mathematische Ann., 261, 513–534.
Manger, J. (2001). “A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized in PKCS #1 v2.0.” Advances in Cryptology—CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, ed. J. Kilian. Springer, Berlin, 260–274.
Gary, L. Miller (1976). “Riemann's hypothesis and tests for primality.” Journal of Computer and Systems Sciences, 13 (3), 300–317.
Motwani Rajeev and Prabhakar Raghavan (1995). Randomized Algorithms. Cambridge University Press, Cambridge.
Okamoto, T. and D. Pointcheval (2001). “REACT: Rapid enhanced-security asymmetric cryptosystem transform.” Proceedings Cryptographers' Track RSA Conference (CT-RSA) 2001, Lecture Notes in Computer Science, vol. 2020, ed. D. Naccache. Springer, Berlin, 159–175.
Ronald, L. Rivest, Adi Shamir, and Leonard M. Adleman (1978). “A method for obtaining digital signatures and public-key cryptosystems.” Communications of the ACM, 21 (2), 120–126.
Shoup. V. (2001). A Proposal for an ISO Standard for Public Key Encryption (Version 2.1). Manuscript, December 20. Available from http://shoup.net/papers/
Vazirani Umesh and Vijay Vazirani (1984). “RSA bits are .732 + ɛ secure.” Proceedings CRYPTO'83, ed. D. Chaum. Plenum Press, New York, 369–375.
Wiener, M. (1990). “Cryptanalysis of short RSA secret exponents.” IEEE Transactions on Information Theory, 36 (3), 553–558.
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 International Federation for Information Processing
About this entry
Cite this entry
Rivest, R.L., Kaliski, B. (2005). RSA Problem. In: van Tilborg, H.C.A. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA . https://doi.org/10.1007/0-387-23483-7_363
Download citation
DOI: https://doi.org/10.1007/0-387-23483-7_363
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-23473-1
Online ISBN: 978-0-387-23483-0
eBook Packages: Computer ScienceReference Module Computer Science and Engineering