2

Recently I read some papers related to RSA [Brown16, AM09, BNPS01] and I learned that there is a variant of the RSA problem: the oracle RSA problem (or one-more RSA problem), which is $m+1$ copies of the classic RSA problem except that the solver gets $m$ accesses to an oracle for solving the classic RSA problem. The input is $\left(n, e, y_1, \ldots, y_{m+1}\right)$, and the output is $\left(x_1, \ldots, x_{m+1}\right)$, such that $x_i^e \equiv y_i \bmod n$. Before generating its output, the solver may select any $\left(w_1, \ldots, w_m\right)$ and receive $\left(z_1, \ldots, z_m\right)$ such that $z_i^e \equiv w_i \bmod n$.

Note that if factoring reduces to RSA, then there exists a polynomially bounded function $m: \mathbb{N} \rightarrow \mathbb{N}$ such that the oracle RSA problem is easy. But [AM09] tells us that such a reduction is likely to exist, so should we not use the oracle RSA problem?

On the other hand, in the generic model of computation (GRA: generic ring algorithm) used in [AM09], the relation queries they consider are equality queries. Why don't we consider more relations? Is it because there are no more relations? I don't quite understand one sentence in the abstract: "Our results imply that any attempt at breaking RSA without factoring $N$ will be non-generic and hence will have to manipulate the particular bit-representation of the input in $Z_N$." Could you give me an example that is non-generic but efficient? How much impact does this reduction have on the oracle RSA problem?

constantine

1 Answer

3

About the Generic Model of Computation, in "On the Analysis of Cryptographic Assumptions in the Generic Ring Model" by Jager and Schwenk they state that,

"We prove in the generic ring model that computing the Jacobi symbol of an integer modulo $n$ is equivalent to factoring."

However, it is also stated that,

"Since there are simple and efficient non-generic algorithms which compute the Jacobi symbol, this provides an example of a natural computational problem which is hard in the generic ring model, but easy to solve if elements of $\mathbb{Z}_p$ are given in their standard representation as integer."

Therefore, you can see that in the computation of the Jacobi symbol, while "normally" there is an efficient computation, the generic ring model can be considered a big restriction (since now it becomes "difficult").

Thus, I suppose it could be subjective if the reduction in [AM09] actually tells us a lot about the equivalence of the RSA and factoring problems. (Jager and Schwenk also state that "Thus, a proof in the generic ring model is unfortunately not a very strong indicator for the hardness of a computational problem in the standard model.")

Alex Them
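The Jacobi-symbol example from the answer above, as an added illustration that is not part of the original post or of the cited papers: the standard binary algorithm computes $(a/n)$ for a composite $n$ without its factors, and the comments mark the steps that read the integer representation and so fall outside ring operations plus equality tests. The function names and the toy primes are constructed for this example.

```python
def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, binary algorithm; never factors n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        # Non-generic: parity of a and the residue n mod 8 are properties of
        # the integer representative, not of the ring element.
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):       # (2/n) = -1 iff n = 3 or 5 mod 8
                result = -result
        # Quadratic reciprocity: swapping flips the sign iff both are 3 mod 4.
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n                         # Non-generic: integer remainder
    return result if n == 1 else 0     # n > 1 here means gcd(a, n) > 1


def legendre(a: int, p: int) -> int:
    """Legendre symbol via Euler's criterion (p an odd prime); reference only."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def check_against_factors(p: int, q: int) -> bool:
    """Compare jacobi(a, p*q), computed without p and q, to the product of
    Legendre symbols, which does use the factorisation, for every a mod p*q."""
    n = p * q
    return all(jacobi(a, n) == legendre(a, p) * legendre(a, q)
               for a in range(n))


if __name__ == "__main__":
    # Constructed toy modulus; real RSA moduli are far too large to enumerate.
    print(check_against_factors(7, 11), jacobi(1001, 9907))
```
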