TY - GEN
T1 - On the regularity of lossy RSA
T2 - 12th Theory of Cryptography Conference, TCC 2015
AU - Smith, Adam
AU - Zhang, Ye
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2015.
PY - 2015
Y1 - 2015
N2 - We provide new bounds on how close to regular the map x ↦ x^e is on arithmetic progressions in ℤ_N, assuming e|Φ(N) and N is composite. We use these bounds to analyze the security of natural cryptographic problems related to RSA, based on the well-studied Φ-Hiding assumption. For example, under this assumption, we show that RSA PKCS #1 v1.5 is secure against chosen-plaintext attacks for messages of length roughly bits, whereas the previous analysis, due to [19], applies only to messages of length less than. In addition to providing new bounds, we also show that a key lemma of [19] is incorrect. We prove a weaker version of the claim which is nonetheless sufficient for most, though not all, of their applications. Our technical results can be viewed as showing that exponentiation in ℤ_N is a deterministic extractor for every source that is uniform on an arithmetic progression. Previous work showed this type of statement only on average over a large class of sources, or for much longer progressions (that is, sources with much more entropy).
AB - We provide new bounds on how close to regular the map x ↦ x^e is on arithmetic progressions in ℤ_N, assuming e|Φ(N) and N is composite. We use these bounds to analyze the security of natural cryptographic problems related to RSA, based on the well-studied Φ-Hiding assumption. For example, under this assumption, we show that RSA PKCS #1 v1.5 is secure against chosen-plaintext attacks for messages of length roughly bits, whereas the previous analysis, due to [19], applies only to messages of length less than. In addition to providing new bounds, we also show that a key lemma of [19] is incorrect. We prove a weaker version of the claim which is nonetheless sufficient for most, though not all, of their applications. Our technical results can be viewed as showing that exponentiation in ℤ_N is a deterministic extractor for every source that is uniform on an arithmetic progression. Previous work showed this type of statement only on average over a large class of sources, or for much longer progressions (that is, sources with much more entropy).
UR - http://www.scopus.com/inward/record.url?scp=84924675025&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84924675025&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-46494-6_25
DO - 10.1007/978-3-662-46494-6_25
M3 - Conference contribution
AN - SCOPUS:84924675025
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 609
EP - 628
BT - Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Proceedings
A2 - Dodis, Yevgeniy
A2 - Nielsen, Jesper Buus
PB - Springer Verlag
Y2 - 23 March 2015 through 25 March 2015
ER -