Breaking RSA Generically Is Equivalent to Factoring, with Preprocessing

Authors: Dana Dachman-Soled, Julian Loss, Adam O'Neill


File

LIPIcs.ITC.2024.8.pdf
  • Filesize: 0.86 MB
  • 24 pages

Author Details

Dana Dachman-Soled
  • University of Maryland, College Park, MD, USA
Julian Loss
  • CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Adam O'Neill
  • Manning College of Information & Computer Sciences, UMass Amherst, MA, USA

Acknowledgements

We thank Nikki Sigurdson for collaboration in the early stages of this work.

Cite As

Dana Dachman-Soled, Julian Loss, and Adam O'Neill. Breaking RSA Generically Is Equivalent to Factoring, with Preprocessing. In 5th Conference on Information-Theoretic Cryptography (ITC 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 304, pp. 8:1-8:24, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)
https://doi.org/10.4230/LIPIcs.ITC.2024.8

Abstract

We investigate the relationship between the classical RSA and factoring problems when preprocessing is considered. In such a model, adversaries can use an unbounded amount of precomputation to produce an "advice" string to then use during the online phase, when a problem instance becomes known. Previous work (e.g., [Bernstein, Lange ASIACRYPT '13]) has shown that preprocessing attacks significantly improve the runtime of the best-known factoring algorithms. Due to these improvements, we ask whether the relationship between factoring and RSA fundamentally changes when preprocessing is allowed. Specifically, we investigate whether there is a superpolynomial gap between the runtime of the best attack on RSA with preprocessing and on factoring with preprocessing. Our main result rules this out with respect to algorithms that perform generic computation on the RSA instance x^e mod N yet arbitrary computation on the modulus N, namely a careful adaptation of the well-known generic ring model of Aggarwal and Maurer (Eurocrypt 2009) to the preprocessing setting. In particular, in this setting we show the existence of a factoring algorithm with polynomially related parameters, for any setting of RSA parameters. Our main technical contribution is a set of new information-theoretic techniques that allow us to handle or eliminate cases in which the Aggarwal and Maurer result does not yield a factoring algorithm in the standard model with parameters that are polynomially related to those of the RSA algorithm. These techniques include two novel compression arguments, and a variant of the Fiat-Naor/Hellman tables construction that is tailored to the factoring setting.

Subject Classification

ACM Subject Classification
  • Security and privacy → Public key (asymmetric) techniques
  • Security and privacy → Information-theoretic techniques
Keywords
  • RSA
  • factoring
  • generic ring model
  • preprocessing

References

  1. Divesh Aggarwal and Ueli Maurer. Breaking RSA generically is equivalent to factoring. In Antoine Joux, editor, EUROCRYPT 2009, volume 5479 of LNCS, pages 36-53. Springer, Heidelberg, April 2009. URL: https://doi.org/10.1007/978-3-642-01001-9_2.
  2. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby, editors, ACM CCS 93, pages 62-73. ACM Press, November 1993. URL: https://doi.org/10.1145/168588.168596.
  3. Daniel J. Bernstein and Tanja Lange. Non-uniform cracks in the concrete: The power of free precomputation. In Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, pages 321-340. Springer, Heidelberg, December 2013. URL: https://doi.org/10.1007/978-3-642-42045-0_17.
  4. Dan Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the American Mathematical Society (AMS), 46(2):203-213, 1999.
  5. Dan Boneh and Ramarathnam Venkatesan. Breaking RSA may not be equivalent to factoring. In Kaisa Nyberg, editor, EUROCRYPT'98, volume 1403 of LNCS, pages 59-71. Springer, Heidelberg, May / June 1998. URL: https://doi.org/10.1007/BFb0054117.
  6. D. R. L. Brown. Breaking RSA may be as difficult as factoring. Cryptology ePrint Archive, 2006.
  7. Don Coppersmith. Modifications to the number field sieve. J. Cryptol., 6(3):169-180, 1993.
  8. Sandro Coretti, Yevgeniy Dodis, and Siyao Guo. Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS, pages 693-721. Springer, Heidelberg, August 2018. URL: https://doi.org/10.1007/978-3-319-96884-1_23.
  9. Sandro Coretti, Yevgeniy Dodis, Siyao Guo, and John P. Steinberger. Random oracles and non-uniformity. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I, volume 10820 of LNCS, pages 227-258. Springer, Heidelberg, April / May 2018. URL: https://doi.org/10.1007/978-3-319-78381-9_9.
  10. Henry Corrigan-Gibbs and Dmitry Kogan. The discrete-logarithm problem with preprocessing. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 415-447. Springer, Heidelberg, April / May 2018. URL: https://doi.org/10.1007/978-3-319-78375-8_14.
  11. Dana Dachman-Soled, Julian Loss, and Adam O'Neill. Breaking RSA generically is equivalent to factoring, with preprocessing. Cryptology ePrint Archive, Paper 2022/1261, 2022. URL: https://eprint.iacr.org/2022/1261.
  12. Ivan Damgård and Maciej Koprowski. Generic lower bounds for root extraction and signature schemes in general groups. In Lars R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages 256-271. Springer, Heidelberg, April / May 2002. URL: https://doi.org/10.1007/3-540-46035-7_17.
  13. Anindya De, Luca Trevisan, and Madhur Tulsiani. Time space tradeoffs for attacks against one-way functions and PRGs. In Tal Rabin, editor, Advances in Cryptology - CRYPTO 2010, pages 649-665, Berlin, Heidelberg, 2010. Springer Berlin Heidelberg.
  14. Yevgeniy Dodis, Siyao Guo, and Jonathan Katz. Fixing cracks in the concrete: Random oracles with auxiliary input, revisited. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part II, volume 10211 of LNCS, pages 473-495. Springer, Heidelberg, April / May 2017. URL: https://doi.org/10.1007/978-3-319-56614-6_16.
  15. Yevgeniy Dodis, Iftach Haitner, and Aris Tentes. On the instantiability of hash-and-sign RSA signatures. In Ronald Cramer, editor, TCC 2012, volume 7194 of LNCS, pages 112-132. Springer, Heidelberg, March 2012. URL: https://doi.org/10.1007/978-3-642-28914-9_7.
  16. Andrew Drucker. New limits to classical and quantum instance compression. In 53rd FOCS, pages 609-618. IEEE Computer Society Press, October 2012. URL: https://doi.org/10.1109/FOCS.2012.71.
  17. Amos Fiat and Moni Naor. Rigorous time/space tradeoffs for inverting functions. In Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, May 5-8, 1991, New Orleans, Louisiana, USA, pages 534-541, January 1991. URL: https://doi.org/10.1145/103418.103473.
  18. Georg Fuchsbauer, Eike Kiltz, and Julian Loss. The algebraic group model and its applications. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part II, volume 10992 of LNCS, pages 33-62. Springer, Heidelberg, August 2018. URL: https://doi.org/10.1007/978-3-319-96881-0_2.
  19. Martin E. Hellman. A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory, 26(4):401-406, 1980.
  20. Antoine Joux, David Naccache, and Emmanuel Thomé. When e-th roots become easier than factoring. In Kaoru Kurosawa, editor, ASIACRYPT 2007, volume 4833 of LNCS, pages 13-28. Springer, Heidelberg, December 2007. URL: https://doi.org/10.1007/978-3-540-76900-2_2.
  21. Jonathan Katz, Julian Loss, and Jiayu Xu. On the security of time-lock puzzles and timed commitments. In Rafael Pass and Krzysztof Pietrzak, editors, TCC 2020, Part III, volume 12552 of LNCS, pages 390-413. Springer, Heidelberg, November 2020. URL: https://doi.org/10.1007/978-3-030-64381-2_14.
  22. Gregor Leander and Andy Rupp. On the equivalence of RSA and factoring regarding generic ring algorithms. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT 2006, volume 4284 of LNCS, pages 241-251. Springer, Heidelberg, December 2006. URL: https://doi.org/10.1007/11935230_16.
  23. Michael Luby and Charles Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing, 17(2), 1988.
  24. Ueli M. Maurer. Abstract models of computation in cryptography (invited paper). In Nigel P. Smart, editor, 10th IMA International Conference on Cryptography and Coding, volume 3796 of LNCS, pages 1-12. Springer, Heidelberg, December 2005.
  25. V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994.
  26. Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the Association for Computing Machinery, 21(2):120-126, 1978.
  27. Ronald L. Rivest, Adi Shamir, and David A. Wagner. Time-lock puzzles and timed-release crypto. Technical report, MIT, 1996.
  28. Lior Rotem. Revisiting the uber assumption in the algebraic group model: Fine-grained bounds in hidden-order groups and improved reductions in bilinear groups. In Dana Dachman-Soled, editor, 3rd Conference on Information-Theoretic Cryptography, ITC 2022, July 5-7, 2022, Cambridge, MA, USA, volume 230 of LIPIcs, pages 13:1-13:13. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2022.
  29. Lior Rotem and Gil Segev. Generically speeding-up repeated squaring is equivalent to factoring: Sharp thresholds for all generic-ring delay functions. In Daniele Micciancio and Thomas Ristenpart, editors, CRYPTO 2020, Part III, volume 12172 of LNCS, pages 481-509. Springer, Heidelberg, August 2020. URL: https://doi.org/10.1007/978-3-030-56877-1_17.
  30. Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor, EUROCRYPT'97, volume 1233 of LNCS, pages 256-266. Springer, Heidelberg, May 1997. URL: https://doi.org/10.1007/3-540-69053-0_18.
  31. Aron van Baarsen and Marc Stevens. On time-lock cryptographic assumptions in abelian hidden-order groups. In ASIACRYPT, pages 367-397, 2021.
  32. Mark Zhandry. To label, or not to label (in generic groups). In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology - CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, August 15-18, 2022, Proceedings, Part III, volume 13509 of Lecture Notes in Computer Science, pages 66-96. Springer, 2022.