CISPA
Browse

Breaking RSA Generically Is Equivalent to Factoring, with Preprocessing.

Download (886.04 kB)
conference contribution
posted on 2024-09-04, 06:57 authored by Dana Dachman-Soled, Julian LossJulian Loss, Adam O'Neill
We investigate the relationship between the classical RSA and factoring problems when preprocessing is considered. In such a model, adversaries can use an unbounded amount of precomputation to produce an "advice" string to then use during the online phase, when a problem instance becomes known. Previous work (e.g., [Bernstein, Lange ASIACRYPT '13]) has shown that preprocessing attacks significantly improve the runtime of the best-known factoring algorithms. Due to these improvements, we ask whether the relationship between factoring and RSA fundamentally changes when preprocessing is allowed. Specifically, we investigate whether there is a superpolynomial gap between the runtime of the best attack on RSA with preprocessing and on factoring with preprocessing. Our main result rules this out with respect to algorithms that perform generic computation on the RSA instance x^e od N yet arbitrary computation on the modulus N, namely a careful adaptation of the well-known generic ring model of Aggarwal and Maurer (Eurocrypt 2009) to the preprocessing setting. In particular, in this setting we show the existence of a factoring algorithm with polynomially related parameters, for any setting of RSA parameters. Our main technical contribution is a set of new information-theoretic techniques that allow us to handle or eliminate cases in which the Aggarwal and Maurer result does not yield a factoring algorithm in the standard model with parameters that are polynomially related to those of the RSA algorithm. These techniques include two novel compression arguments, and a variant of the Fiat-Naor/Hellman tables construction that is tailored to the factoring setting.

History

Editor

Aggarwal D

Primary Research Area

  • Algorithmic Foundations and Cryptography

Name of Conference

Conference on Information-Theoretic Cryptography (ITC)

Journal

ITC

Volume

304

Page Range

8:1-8:1

Publisher

Schloss Dagstuhl - Leibniz-Zentrum für Informatik

BibTeX

@conference{Dachman-Soled:Loss:O'Neill:2024, title = "Breaking RSA Generically Is Equivalent to Factoring, with Preprocessing.", author = "Dachman-Soled, Dana" AND "Loss, Julian" AND "O'Neill, Adam", editor = "Aggarwal, Divesh", year = 2024, month = 8, journal = "ITC", pages = "8:1--8:1", publisher = "Schloss Dagstuhl - Leibniz-Zentrum für Informatik" }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC