3

I need some help with the following statement from the book A Graduate Course in Applied Cryptography* - Dan Boneh and Victor Shoup, in 8.10.1 The key derivation problem, page 320 of v0.5:

Later, we will see examples of number-theoretic transformations that are widely used in public-key cryptography. Looking ahead a bit, we will see that for a large, composite modulus $N$, if $x$ is chosen at random modulo $N$, and an adversary is given $y := x^3 \bmod N$, it is hard to compute $x$.

To be specific, my doubt is related to how do we really prove that RSA problem can keep hard, despite small and known exponents $x^3 \bmod N$, for an adversary who doesn't know $x$. The authors said that "we will see examples" in the book. But I couldn't find them. Can you please give me some direction for such proof?

muru
  • 113
  • 4
Paollo
  • 65
  • 6

1 Answers1

12

Can you please give me some direction for such proof?

You're looking for a proof that the RSA problem is hard? No such proof is known (even in the specific case of $e=3$). Furthermore, there is no known reduction to a 'more fundamental' problem, such as factorization or discrete log.

The closest we can get is a proof that if you can find the 'decryption exponent', that is, the value $d$ such that $y^d \equiv x \pmod N$, you can factor $N$ (and using the value $d$ is how the holder of the RSA private key recovers $x$ in practice). However, this does not show that there isn't another way (that's easier than factoring) to recover $x$.

The only 'proof' we have that the RSA problem is hard is 'lots of smart people have looked for a way to solve it, and they haven't found one'

poncho
  • 154,064
  • 12
  • 239
  • 382