[Crypto] Is it proven that breaking RSA is equivalent to factoring as of 2021?

Solution 1:

There is no proof that the integer factorization is computationally difficult and similarly, there is no proof that the RSA problem is similarly difficult.

The RSA problem

RSA problem is finding the $P$ given the public key $(n,e)$ and a ciphertext $C$ computed with $C \equiv P^e \pmod n$.

Factoring $\implies $ the RSA problem

This is the easiest part. If we can solve the factoring problem then we can solve the RSA problem by factoring the modulus $n$. This implies that the RSA problem is at least as easy as factoring. This doesn't eliminate the case that it might well be easier.

The RSA problem $\stackrel{?}{\implies} $ Factoring

The most well-known work on the reverse of the problem goes back to 1998

  • D. Boneh and R. Venkatesan Breaking RSA may not be equivalent to factoring

    We provide evidence that breaking low-exponent RSA cannot be equivalent to factoring integers. We show that an algebraic reduction from factoring to breaking low-exponent RSA can be converted into an efficient factoring algorithm. Thus, in effect an oracle for breaking RSA does not help in factoring integers. Our result suggests an explanation for the lack of progress in proving that breaking RSA is equivalent to factoring. We emphasize that our results do not expose any weakness in the RSA system.

Here, we should note that the RSA problem is the decryption of a specific ciphertext, whereas the factoring reveals the private key $d$ thus all ciphertext under encrypted the same public key.

If we consider the problem of finding the private exponent $d$ then it is proven by Miller to be computationally equivalent to factoring $n$;

  • 1976 Riemann's Hypothesis and Tests for Primality

The below work went on the generic ring model ( in short: a ring has no special property than being a ring) and show the equivalence;

  • 2009 - Divesh Aggarwal and Ueli Maurer - Breaking RSA Generically is Equivalent to Factoring

We show that a generic ring algorithm for breaking RSA in $\mathbb Z_N$ can be converted into an algorithm for factoring the corresponding RSA-modulus $N$. Our results imply that any attempt at breaking RSA without factoring $N$ will be non-generic and hence will have to manipulate the particular bit-representation of the input in $\mathbb Z_N$. This provides new evidence that breaking RSA may be equivalent to factoring the modulus.

This work creates a strong belief in the reverse problem; factoring is equivalent to the RSA problem, however, no proof yet!

Also a notable work on comparing $e$-th root algorithm with the factoring algorithms to see the trend;

  • 2007: Antoine Joux and David Naccache and Emmanuel Thomé When $e$-th Roots Become Easier Than Factoring

    We show that computing $e$-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form $x_i+c$.

As a result, we still have;

$$\text{the RSA problem} \stackrel{?}{\implies} \text{Factoring }$$

If factoring can be solved in polynomial time ( a common belief noted by Meir Moar) then by using the reduction from Hamiltonian Path to Factoring as Haldeman did in their DNA factoring then with the Karp's 21 reductions we can solve the $NP$-complete problems in polynomial time with factoring.

Dan Boneh's article with 977 citations is a good starting point to see the RSA's 20 years;

  • 1999: Dan Boneh - Twenty Years of Attacks on the RSA Cryptosystem

Solution 2:

No, it's not proved that solving the RSA problem [that is, finding $x$ from the value of $x^e\bmod n$ for unknown random integer $x$ in interval $[0,n)$, and $(n,e)$ a proper RSA key ] is equivalent to factoring.

It's even widely believed that does not hold, for $e$ of fixed magnitude (as used in practice) in particular. Trivially, ability to factor implies ability to solve the RSA problem. But there is no evidence whatsoever that the converse holds.

Finding a working private key $(n,d)$ from a proper RSA public key $(n,e)$ is proven equivalent to factoring, and is not the RSA problem.

Breaking RSA in the sense that has in cryptographic practice (deciphering a ciphertext or forging a signature with knowledge of the public key $(n,e)$ but not a private key) is no more difficult than breaking the RSA problem (thus no more difficult than factoring). More often that not, side channel attacks, implementations errors, or poor padding make it easier.

Tags:

Rsa

Factoring

Related

[Crypto] secp256k1: is it theoretically possible to generate same signature with different key, message hash and k? [Crypto] How to get exact number of slots in HElib? Such as 256, 4096 [Crypto] Is a LFSR sufficient for post-processing a biased TRNG? [Crypto] Is it possible that a SHA256 hash has the same hex character over and over again? [Crypto] Prime factorization (102 digits) [Crypto] Hash of a ciphertext [Crypto] Period finding for Quantum Computers [Crypto] Use slow hashing to reduce digest size? [Crypto] Why is the market for cryptographic primitives non-commercialized? [Crypto] Why are $\lceil 1/\operatorname{entropy-per-bit} \rceil$ number of bits not sufficient to generate an unbiased bit? [Crypto] Is there an encryption scheme that is url-safe AND compact? [Crypto] AES GCM : is it acceptable to return the wrong plaintext if the tag is incorrect?

Recent Posts