Strong RSA assumption

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In cryptography, the strong RSA assumption states that the RSA problem is intractable even when the solver is allowed to choose the public exponent e (for e ≥ 3). More specifically, given a modulus N of unknown factorization, and a ciphertext C, it is infeasible to find any pair (Me) such that C ≡ M e mod N.

The strong RSA assumption was first used for constructing signature schemes provably secure against existential forgery without resorting to the random oracle model.


  • Barić N., Pfitzmann B. (1997) Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees. In: Fumy W. (eds) Advances in Cryptology — EUROCRYPT ’97. EUROCRYPT 1997. Lecture Notes in Computer Science, vol 1233. Springer, Berlin, Heidelberg. doi:10.1007/3-540-69053-0_33
  • Fujisaki E., Okamoto T. (1997) Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski B.S. (eds) Advances in Cryptology — CRYPTO '97. CRYPTO 1997. Lecture Notes in Computer Science, vol 1294. Springer, Berlin, Heidelberg. doi:10.1007/BFb0052225
  • Ronald Cramer and Victor Shoup. 1999. Signature schemes based on the strong RSA assumption. In Proceedings of the 6th ACM conference on Computer and communications security (CCS ’99). Association for Computing Machinery, New York, NY, USA, 46–51. doi:10.1145/319709.319716
  • Ronald L. Rivest and Burt Kaliski. 2003. RSA Problem. pdf file