RSA AND RABIN FUNCTIONS:
CERTAIN PARTSA RE AS HARD AS THE WHOLE*.
Werner Alexi, Benny Chor, Oded Goldreich and Claus P. Schnorr.
Abstract
The RSA and Rabin encryption functions EN (·) are respectively defined by raising
x  Z N to the power e ( where e is relatively prime to φ(N)) and squaring modulo N
(i.e., EN(x)=xe (mod N), EN(x)=x2 (mod N), respectively). We prove that for both
functions, the following problems are computationally equivalent (each is
probabilistic polynomial-time reducible to the other):
(1) Given EN(x), find x.
(2) Given EN(x) , guess the least significant bit of x with success probability
½ +1/poly (n )(where n is the length of the modulus N).
This equivalence implies that an adversary, given the RSA/Rabin ciphertext, cannot
have a non-negligible advantage (over a random coin flip) in guessing the leastsignificant bit of the plaintext, unless he can invert RSA/factor N. The proof
techniques also yield the simultaneous security of the log n least-significant bits.
Our results improve the efficiency of pseudorandom number generation and
probabilistic encryption schemes based on the intractability of factoring.