A.4 Some Basic Cryptographic Settings
A.4.3 The RSA and Rabin Functions
In contrast to some common presentations, we view the RSA and Rabin functions as tools (e.g., candidate one-way functions) rather than as full-fledged utilities (e.g., candidate encryption schemes). Loosely speaking, one-way functions are functions which are easy to compute but hard to invert. Both the RSA and Rabin functions have “trapdoor information”, which, when given, allows one to efficiently invert them. (This does not contradict the hardness of inverting postulated above, as that refers to inversion when not given this trapdoor information.)
The conjectured hardness properties of the RSA and Rabin functions are based on the assumption that the Integer Factorization Problem is intractable. In particular, both functions utilize composite numbers which are the product of two large primes and are based on the assumption that it is infeasible to factor such composites. Both the RSA and Rabin functions are actually collections of functions: Each such function is associated with a composite, denoted N, which is the product of two primes, denoted P and Q. Typically, one assumes that |log2 P − log2 Q| ≤ 1.
The RSA function
A generic function in the RSA collection is determined by a pair, (N, e), where N = P·Q and e is an integer smaller than N and relatively prime to φ(N) def= (P−1)·(Q−1). Such a function, denoted RSA_{N,e}, is defined over the domain {1, ..., N} so that RSA_{N,e}(x) def= x^e mod N. Using the fact that e is relatively prime to φ(N), it can be shown that the function is in fact a permutation over its domain. Furthermore, knowledge of the inverse of e modulo φ(N) allows one to efficiently invert RSA_{N,e}. That is, on input (N, d) and y, where ed ≡ 1 (mod φ(N)) and y = x^e mod N, one can efficiently retrieve x by computing y^d mod N (since (x^e)^d ≡ x^{ed} ≡ x (mod N), for all
It is widely believed that given (N, e) (but neither d nor the factorization of N), it is infeasible to invert RSA_{N,e}. Hence, it is conjectured that the RSA collection is a collection of trapdoor (one-way) permutations. However, it is not known whether factoring N can be reduced to inverting RSA_{N,e} (in fact this is a well-known open problem).
The Rabin function
The Rabin collection of functions is defined analogously to the RSA collection, except that the function is squaring modulo N (instead of raising to the power e mod N). Namely, Rabin_N(x) def= x^2 mod N. This function, however, does not induce a permutation on the multiplicative group modulo N, but is rather a 4-to-1 mapping on this group.
It can be shown that extracting square roots modulo N is computationally equivalent to factoring N (i.e., the two tasks are reducible to one another via probabilistic polynomial-time reductions) [310]. Thus, assuming that factoring is intractable, it is infeasible given N and y = Rabin_N(x) to find a preimage of y. On the other hand, given the factorization of N, it is feasible to find all 4 preimages of y under Rabin_N. Hence, assuming that factoring is intractable, the above yields a collection of trapdoor one-way functions.
For a special subclass of the integers, known as Blum Integers, the function Rabin_N(·) defined above induces a permutation on the quadratic residues modulo N. We say that r is a quadratic residue mod N if there exists an integer x such that r ≡ x^2 mod N. We denote by Q_N the set of quadratic residues in the multiplicative group mod N, and say that N is a Blum Integer if it is the product of two primes each congruent to 3 mod 4. It can be shown that when N is a Blum integer, each element in Q_N has a unique square root which is also in Q_N, and it follows that in this case the function Rabin_N(·) induces a permutation over Q_N. Hence, assuming that factoring Blum Integers is intractable, the above is a collection of trapdoor (one-way) permutations.
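The following is an added worked example (not code from the book) covering both the RSA and the Rabin paragraphs above: it evaluates RSA_{N,e} and inverts it with the trapdoor d, enumerates the four square roots of a Rabin image given the factorization, checks by brute force that squaring permutes Q_N for a Blum integer, and shows how two essentially different square roots expose a factor of N (the equivalence with factoring). The primes P = 11 and Q = 23 are constructed toy values chosen so that everything can be enumerated; all function names are my own.

```python
# Added example (not the book's code): RSA_{N,e} and Rabin_N over a toy Blum
# integer N = P*Q, with tiny constructed primes so that the 4-to-1 structure of
# squaring and the permutation on Q_N can be checked by brute force.
from math import gcd

P, Q = 11, 23                 # constructed toy primes, both congruent to 3 mod 4
N = P * Q                     # N = 253 is therefore a Blum integer
PHI = (P - 1) * (Q - 1)       # phi(N)

def rsa(n, e, x):
    """RSA_{N,e}(x) = x^e mod N; e must be relatively prime to phi(N)."""
    return pow(x, e, n)

def rsa_invert(n, e, phi, y):
    """Trapdoor inversion: d = e^{-1} mod phi(N), then x = y^d mod N."""
    d = pow(e, -1, phi)       # modular inverse (Python 3.8+)
    return pow(y, d, n)

def rabin(n, x):
    """Rabin_N(x) = x^2 mod N."""
    return pow(x, 2, n)

def crt(a_p, a_q, p, q):
    """Combine residues a_p (mod p) and a_q (mod q) into one residue mod p*q."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % (p * q)

def rabin_preimages(p, q, y):
    """Trapdoor: all four square roots of y mod p*q, for y in the multiplicative
    group.  For a prime p = 3 mod 4, y^((p+1)/4) is a square root of y mod p."""
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    return sorted({crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})

def quadratic_residues(n):
    """Q_N: squares of the elements of the multiplicative group mod N (brute force)."""
    return {pow(x, 2, n) for x in range(1, n) if gcd(x, n) == 1}

def qn_root(p, q, y):
    """For a Blum integer, the single square root of y in Q_N that lies in Q_N."""
    qn = quadratic_residues(p * q)
    return [r for r in rabin_preimages(p, q, y) if r in qn]

def squaring_permutes_qn(n):
    """x -> x^2 mod N maps Q_N onto Q_N; on a finite set, onto means one-to-one."""
    qn = quadratic_residues(n)
    return {pow(x, 2, n) for x in qn} == qn

def factor_from_roots(n, x1, x2):
    """Two square roots of the same y with x1 != +/-x2 reveal a factor of N."""
    return gcd(x1 - x2, n)
```

With e = 3 and x = 17 the RSA image is 106 and the trapdoor recovers 17; the Rabin image 36 has the four preimages 6, 17, 236, 247, of which only 236 lies in Q_N, and gcd(17 − 6, 253) = 11 recovers P.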
Appendix B
Randomized Computations
The purpose of this appendix is to demonstrate the usage of randomization in a variety of computational settings. Our choice is governed by the desire to focus on the randomization aspect of the solution and avoid any complicated details which are due to other aspects of the computational problem. Thus, we avoid any example which requires substantial problem-specific background. We stress that our presentation is merely aimed at demonstrating the usage of randomization, and that no attempt was made to present a coherent theory of randomized computation.
Our examples are grouped in three (subjective) categories:
1. Traditional algorithmic problems. Here we consider randomized algorithms for graph theoretic problems such as finding a perfect matching, algebraic problems such as testing polynomial identity, and approximation problems such as approximating the number of satisfying assignments to a DNF formula.
2. Traditional complexity questions. Here we present results such as the randomized reductions of Approximate Counting to NP, and of SAT to unique-SAT.
3. Distributed and Parallel Computing. Here we consider randomized procedures for distributed tasks such as Testing String Equality, Byzantine Agreement, and routing in networks.
For a more systematic and much wider exposition, the reader is referred to the textbook Randomized Algorithms by Motwani and Raghavan [276].
B.1 Randomized Algorithms
Conspicuous omissions in this category include some of the most well-known randomized algorithms (e.g., many in the domain of computational number theory), as well as the Markov Chain approach to approximate counting. As stated above, the reason for these omissions is that these algorithms either require specialized (and unrelated to randomness) background or are quite involved to present and/or analyze.