32

I was reading CLRS and it said:

If factoring large integers is easy, then breaking the RSA cryptosystem is easy.

Which makes sense to me because with the knowledge of $p$ and $q$, it is easy to create the secret key with the knowledge of the public key. It then explains the converse statement, which I don't quite understand:

The converse statement, that if factoring large integers is hard, then breaking RSA is hard, is unproven.

What does the statement above formally mean? If we assume factoring is hard (in some formal way), why does that not imply that breaking the RSA crypto system is hard?

Now consider that if we assumed that factoring is hard...and that we discovered that it meant that the RSA cryptosystem is hard to break. What would that formally mean?

Aaron Hall
Charlie Parker

5 Answers

51

The easiest way to think about it is to think of the contrapositive.

The statement:

if factoring large integers is hard, then breaking RSA is hard

is equivalent to the following:

if breaking RSA is easy, then factoring large integers is easy

This statement has not been proven.

What they're saying is, assume we have an algorithm that solves factoring in polynomial time. Then we can use it to construct an algorithm that solves RSA in polynomial time.

But, there could be some other way to crack RSA that doesn't involve factoring integers. It's possible that we will find we can crack RSA in a way that doesn't let us factor integers in polynomial time.

In short, we know that RSA is at least as easy as factoring. There are two possible outcomes: RSA and factoring are of equivalent difficulty, or RSA is a strictly easier problem than factoring. We don't know which is the case.

Joey Eremondi
32

The existence of a hard way does not imply there is no easy way.

There may be a number of ways to break RSA and we only need to find one of them.

One of these ways is factoring a large integer, so if that is easy we can do it this way and RSA is broken. This is also the only way we know yet. If it is unfeasible to do that, we can still find another, computationally less demanding way to perform our task without the need to explicitly calculate p and q from n.


To prove RSA is broken, we need to prove that one way to do it is easy.

To prove RSA is safe, we need to prove that all ways to do it are hard.

Finally, your statement is unproven because it is unproven that no other, easier method exists that extracts information from a cyphertext.

Luke Mathieson
Rainer P.
10

One additional way to look at it, is that breaking RSA requires only a special case of factoring, which may or may not be easy regardless of the general question of factoring.

As a simple example, consider the case that factoring is indeed difficult, but only for numbers with $3$ different factors. Factoring composite numbers with only two different factors (as used in RSA) may still be easy.

Ran G.
7

It means that the RSA problem seems (at this time) to be more specific than factoring.

So the RSA problem is this: knowing a semiprime $pq$ and some exponent $e,$ and a value $v,$ find the $m$ such that $v \equiv m^e \mod pq$. (I actually got this wrong in my original answer, so that my phrasing of the RSA problem was equivalent to factoring up to some PP algorithm. Whoops! So you're not alone in being confused at the details here.)

The factoring problem is this: knowing a semiprime $pq,$ find both $p$ and $q$.

If you can efficiently solve the factoring problem, then you can efficiently solve the RSA problem: take the semiprime, factor it, use some theorems about prime moduli to calculate an inverse exponent $d$ which reveals all ciphertexts as $m \equiv v^d$. (In fact these theorems are how the setup for RSA works: we know the two primes during the setup phase.)

However, it is not known that solving this above problem for arbitrary messages $m$ will tell you anything about the factors of the modulus or the exponents involved. It might or it might not; we don't know. Many smart people have presumably looked at the problem but nothing obvious has jumped out at any of them. So it's not known that the factoring problem is solved by solutions to the RSA problem (plus polynomial effort), only that the RSA problem is solved by solutions to the factoring problem (plus polynomial effort).

In fact in 1998 Boneh and Venkatesan published a proof that a certain simple class of algorithms (plus, times, exponents, no XOR/NAND type stuff) cannot be used to turn an RSA-problem solution into a factoring algorithm. The argument had a simple ingenuity to it: by manipulating those arithmetic operations mathematically, we can find out that the "reduction algorithm" (for precision: this is the algorithm which uses an RSA "oracle" for a semiprime to factor that semiprime) turns out to be a factoring algorithm in its own right, so that we can modify it to a variant which makes no calls to its oracle. So we have a trichotomy: either (a) there is no such reduction algorithm, or (b) the reduction algorithm does not have a nice arithmetic interpretation or (c) factoring is polynomial-time just like the reduction algorithm was.

CR Drost
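A worked instance of the one reduction this answer describes (factoring oracle => RSA-problem solution), added here as an example and not code from the original post. It assumes constructed toy parameters $p=61$, $q=53$, $e=17$ and uses trial division as a stand-in for a hypothetical efficient factoring algorithm; the unproven converse direction (RSA-problem solution => factoring) is deliberately not implemented, because no such reduction is known.

```python
# Added example: "if factoring is easy, the RSA problem is easy", on toy numbers.
# factor_oracle stands in for an efficient factoring algorithm; it only
# terminates quickly because the constructed modulus is tiny.
from math import gcd


def factor_oracle(n):
    """Hypothetical factoring oracle, realised here by trial division.
    Returns (p, q) with p <= q and p * q == n."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n is not a semiprime")


def rsa_encrypt(n, e, m):
    """Public operation: v = m^e mod n."""
    return pow(m, e, n)


def rsa_problem_via_factoring(n, e, v):
    """RSA problem: given n = p*q, public exponent e and v = m^e mod n, find m.
    Solved exactly as the answer says: factor n, derive the inverse exponent d
    modulo (p-1)(q-1) (Euler's theorem for a product of two primes), then
    compute v^d mod n."""
    p, q = factor_oracle(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1); not a valid RSA key")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return pow(v, d, n)


if __name__ == "__main__":
    p, q, e = 61, 53, 17  # constructed toy key: n = 3233, phi = 3120, d = 2753
    n = p * q
    m = 65
    v = rsa_encrypt(n, e, m)
    print("ciphertext:", v)
    print("recovered m:", rsa_problem_via_factoring(n, e, v))
```

With these constructed values the ciphertext is 2790 and the recovered message is 65; the oracle never sees $d$, only $n$.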
4

RSA depends on two abstract mathematical tasks that are believed to be hard: integer factoring, as you know, but also the discrete logarithm problem. You can break RSA if you can quickly factor a number that's the product of two large unknown primes; but you can also break RSA if you can quickly find $\log_e C$ in the finite group $\mathbb{Z}_{m}$, where $e$ and $m$ are the public RSA exponent and modulus, and $C$ is the ciphertext.

These two mathematical tasks are related, but (if I remember correctly) it's believed that a solution to one would not imply a solution to the other. I don't know if they are the only two ways to break RSA mathematically.

zwol