In cryptography, the **RSA problem** summarizes the task of performing an RSA private-key operation given only the public key. The RSA algorithm raises a *message* to an *exponent*, modulo a composite number *N* whose factors are not known. As such, the task can be neatly described as finding the *e*th roots of an arbitrary number, modulo N. For large RSA key sizes (in excess of 1024 bits), no efficient method for solving this problem is known; if an efficient method is ever developed, it would threaten the current or eventual security of RSA-based cryptosystems—both for public-key encryption and digital signatures.

More specifically, the RSA problem is to efficiently compute *P* given an RSA public key (*N*, *e*) and a ciphertext *C* ≡ *P**e* (**mod** *N*). The structure of the RSA public key requires that *N* be a large semiprime (i.e., a product of two large prime numbers), that 2 < *e* < *N*, that *e* be coprime to φ(*N*), and that 0 ≤ *C* < *N*. *C* is chosen randomly within that range; to specify the problem with complete precision, one must also specify how *N* and *e* are generated, which will depend on the precise means of RSA random keypair generation in use.

As of 2010, the most efficient means known to solve the RSA problem is to first factor the modulus *N*, which is believed to be impractical if *N* is sufficiently large (see integer factorization). The RSA key setup routine already turns the public exponent *e*, with this prime factorization, into the private exponent *d*, and so exactly the same algorithm allows anyone who factors *N* to obtain the *private key*. Any *C* can then be decrypted with the private key.

Just as there are no proofs that integer factorization is computationally difficult, there are also no proofs that the RSA problem is similarly difficult. By the above method, the RSA problem is at least as easy as factoring, but it might well be easier. Indeed, there is strong evidence pointing to this conclusion: that a method to break the RSA method cannot be converted necessarily into a method for factoring large semiprimes. This is perhaps easiest to see by the sheer overkill of the factoring approach: the RSA problem asks us to decrypt *one* arbitrary ciphertext, whereas the factoring method reveals the private key: thus decrypting *all* arbitrary ciphertexts, and it also allows one to perform arbitrary RSA private-key encryptions. Along these same lines, finding the decryption exponent *d* indeed *is* computationally equivalent to factoring *N*, even though the RSA problem does not ask for *d*. An algorithm for this is, for example, given here.

In addition to the RSA problem, RSA also has a particular mathematical structure that can potentially be exploited *without* solving the RSA problem directly. To achieve the full strength of the RSA problem, an RSA-based cryptosystem must also use a padding scheme like OAEP, to protect against such structural problems in RSA.

### Other articles related to "rsa problem, rsa, problems, problem":

**RSA Problem**

... See also

**RSA**Factoring Challenge, Integer factorization records, and Shor's algorithm The security of the

**RSA**cryptosystem is based on two mathematical

**problems**the

**problem**of factoring ... Full decryption of an

**RSA**ciphertext is thought to be infeasible on the assumption that both of these

**problems**are hard, i.e ... The

**RSA problem**is defined as the task of taking th roots modulo a composite recovering a value such that, where is an

**RSA**public key and is an

**RSA**ciphertext ...

### Famous quotes containing the word problem:

“What had really caused the women’s movement was the additional years of human life. At the turn of the century women’s life expectancy was forty-six; now it was nearly eighty. Our groping sense that we couldn’t live all those years in terms of motherhood alone was “the *problem* that had no name.” Realizing that it was not some freakish personal fault but our common *problem* as women had enabled us to take the first steps to change our lives.”

—Betty Friedan (20th century)