RSA AND RABIN FUNCTIONS: CERTAIN PARTSA RE AS HARD AS THE WHOLE*. Werner Alexi, Benny Chor, Oded Goldreich and Claus P. Schnorr. Abstract The RSA and Rabin encryption functions EN (·) are respectively defined by raising x Z N to the power e ( where e is relatively prime to φ(N)) and squaring modulo N (i.e., EN(x)=xe (mod N), EN(x)=x2 (mod N), respectively). We prove that for both functions, the following problems are computationally equivalent (each is probabilistic polynomial-time reducible to the other): (1) Given EN(x), find x. (2) Given EN(x) , guess the least significant bit of x with success probability ½ +1/poly (n )(where n is the length of the modulus N). This equivalence implies that an adversary, given the RSA/Rabin ciphertext, cannot have a non-negligible advantage (over a random coin flip) in guessing the leastsignificant bit of the plaintext, unless he can invert RSA/factor N. The proof techniques also yield the simultaneous security of the log n least-significant bits. Our results improve the efficiency of pseudorandom number generation and probabilistic encryption schemes based on the intractability of factoring.