## On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators (2000)

Venue: Journal of Cryptology

Citations: 17 (0 self)

### BibTeX

```bibtex
@ARTICLE{Goldreich00onthe,
  author  = {Oded Goldreich and Vered Rosen},
  title   = {On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators},
  journal = {Journal of Cryptology},
  year    = {2000},
  volume  = {16},
  pages   = {2003}
}
```


### Abstract

Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P·Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Hastad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring-based pseudorandom generators.

Keywords: modular exponentiation, discrete logarithm, hard-core predicates, simultaneous security, pseudorandom generator, factoring assumption.

This write-up is based on the Master Thesis of the second author (supervised by the first author).

1 Introduction. One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...

### Citations

621 | How to generate cryptographically strong sequences of pseudorandom bits - Blum, Micali - 1984
> Citation context: ...though many of them can be adapted to work in other algebraic structures as well. A concept tightly connected to one-way functions is the notion of hard-core predicates, introduced by Blum and Micali [BM]. A polynomial-time predicate b is called a hard-core of a function f, if all efficient algorithms, given f(x), can guess b(x) with success probability only negligibly better than half. Blum and Mical...

303 | Digitalized Signatures and Public-key Functions as Intractable as Factorization - Rabin - 1979
> Citation context: ...r [BBS], hereafter referred to as the "BBS generator", is based on the above paradigm, taking f to be the modular squaring function, where the modulus N is a Blum integer. Since, as shown by Rabin [R1], the problem of factoring N can be reduced to the problem of extracting square roots in the multiplicative group mod N, the function f is a one-way function assuming the intractability of factoring...

196 | Probabilistic algorithm for testing primality - Rabin - 1980

143 | Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html - Goldreich
> Citation context: ...refix of G(s_{i−1}), for every 1 ≤ i ≤ p(n) (i.e., σ_i s_i = G(s_{i−1})). Theorem 4.7 If G is a pseudorandom generator then so is G'. Theorem 4.7 is a generalization of Theorem 3.3.3 proven in [G] (regarding a generator producing n+1 bits from an n-bit seed). Observe that for every l(n) output bits of G', one evaluation of G is required. Using our generator G_{N,g} as the building block, we ob...

138 | RSA and Rabin Functions: Certain Parts are as Hard as the Whole - Alexi, Chor, et al. - 1988
> Citation context: ...oring Blum integers. Additionally, Blum, Blum and Shub showed that f induces a permutation over the set of quadratic residues in the multiplicative group mod N, and using the results of Alexi et al. [ACGS] and Vazirani and Vazirani [VV], this implies that the least significant bit constitutes a hard-core predicate for f. The BBS generator is by far more efficient than the Blum-Micali generator. In p...

98 | Explicit constructions of linear size superconcentrators - Gabber, Galil - 1979

86 | Universal Hash Functions - Carter, Wegman - 1979
> Citation context: ...function in the family F we are using. Additionally, we lose a small quantity of pseudorandom bits when applying the extracting function. Hastad et al. [HSS] used a universal family of hash functions [CW] in their construction of a pseudorandom generator. The quality parameter achieved by this family of functions is exponentially small in n (and therefore has the best possible quality). However, a uni...

69 | A sample of samplers: a computational perspective on sampling (survey) - Goldreich - 1997
> Citation context: ...icular, we present a method of choosing a random n-bit prime using only a linear number of random bits. This translates to a hitting problem which can be solved efficiently using methods described in [G2]. 4.1 Our construction vs. the HSS construction. Looking at Theorem 3.2, the first construction that comes to mind is a "pseudorandom generator" that takes a seed r of length ⌈n/2⌉ and outputs g^r mod ...

58 | Efficient and Secure PseudoRandom Number Generation - Vazirani, Vazirani, et al. - 1984
> Citation context: ..., Blum, Blum and Shub showed that f induces a permutation over the set of quadratic residues in the multiplicative group mod N, and using the results of Alexi et al. [ACGS] and Vazirani and Vazirani [VV], this implies that the least significant bit constitutes a hard-core predicate for f. The BBS generator is by far more efficient than the Blum-Micali generator. In particular, for every polynomial...

54 | Security Preserving Amplification of Hardness - Goldreich, Impagliazzo, et al. - 1990

53 | Tiny families of functions with random properties: A quality-size trade-off for hashing. RSA: Random Structures and Algorithms - Goldreich, Wigderson - 1997
> Citation context: ...pseudorandom generator which nearly doubles the length of its input. The key tool used is a construction by Goldreich and Wigderson of a tiny family of functions which has good extraction properties [GW]. We also discuss how the parameters of the generator (a composite N ∈ N_n and an element g ∈ Z_N) can be chosen in a randomness-efficient way (which is polynomial-time). In particular, we present a...

35 | Deterministic simulation - Ajtai, Komlos, et al. - 1987

33 | How to generate factored random numbers - Bach - 1988
> Citation context: ...dependent iterations of the loop using only O(n) random bits (rather than doing O(n) independent iterations using O(n²) random bits). We will use, however, a probabilistic primality tester of Bach [Bach], which is a randomness-efficient version of the Miller-Rabin [M, R2] primality tester. Theorem 4.8 (randomness-efficient primality tester [Bach]): There exists a probabilistic polynomial-time algorit...

30 | The Discrete Logarithm Modulo a Composite Hides O(n) Bits - Hastad, Schrift, et al. - 1993
> Citation context: ...hrift and Shamir showed that under the factoring intractability assumption, all the bits in f_{N,g} are individually hard, and that the upper ⌈n/2⌉ bits and lower ⌈n/2⌉ bits are simultaneously hard [HSS]. In the same setting (and under the same assumption that factoring is hard), we show that no efficient algorithm can tell apart f_{N,g}(r) from f_{N,g}(R), where r is a random ⌈n/2⌉-bit string and R ...

18 | Simultaneous security of bits in the discrete log - Peralta - 1986
> Citation context: ...om generators as well as improving other applications. However, the best known result regarding the simultaneous security of bits in f_{P,g} is due to Long and Wigderson [LW], Kaliski [Kal] and Peralta [P], who showed that O(log n) bits are simultaneously secure, where n is the size of the modulus P. Stronger results were demonstrated when the modulus was taken to be a composite, thus allowing to rela...

13 | The discrete logarithm hides O(log n) bits - Long, Wigderson - 1988
> Citation context: ...ion of more efficient pseudorandom generators as well as improving other applications. However, the best known result regarding the simultaneous security of bits in f_{P,g} is due to Long and Wigderson [LW], Kaliski [Kal] and Peralta [P], who showed that O(log n) bits are simultaneously secure, where n is the size of the modulus P. Stronger results were demonstrated when the modulus was taken to be a c...

11 | A simple secure unpredictable pseudo-random number generator - Blum, Blum, et al. - 1986
> Citation context: ...general paradigm that constructs an iterative pseudorandom generator, given any length-preserving one-way permutation f, and a hard-core predicate b for f. The Blum-Blum-Shub pseudorandom generator [BBS], hereafter referred to as the "BBS generator", is based on the above paradigm, taking f to be the modular squaring function, where the modulus N is a Blum integer. Since, as shown by Rabin [R1], t...

11 | Two issues in public key cryptography. RSA bit security and a new knapsack type system - Chor - 1985
> Citation context: ...probability, ord_N(g) cannot be too small. Specifically, Proposition 3.4 implies that with overwhelming probability ord_N(g) is greater than P + Q − 1. Therefore, as was first observed by Chor [Chor], we can solve the two equations P + Q − 1 = S (according to Fact 1) and P·Q = N for the unknowns P and Q and thus factor N. 3.2 Proof of Main Lemma. The proof of Lemma 3.3 is basically a r...

1 | The security of individual RSA bits - Hastad, Naslund - 1998

1 | Eigenvalues and expansions of regular graphs - Kahale - 1995

1 | A pseudo-random bit generator based on elliptic logarithms - Kaliski - 1987
> Citation context: ...ficient pseudorandom generators as well as improving other applications. However, the best known result regarding the simultaneous security of bits in f_{P,g} is due to Long and Wigderson [LW], Kaliski [Kal] and Peralta [P], who showed that O(log n) bits are simultaneously secure, where n is the size of the modulus P. Stronger results were demonstrated when the modulus was taken to be a composite, thus ...

1 | Riemann's hypothesis and tests for primality - Miller - 1976

1 | On the security of modular exponentiation, technical report MCS00-20 - Rosen - 2000