Ý nghĩa của: '' Nếu bao thanh toán số nguyên lớn là khó, thì phá RSA là khó, 'là không được chứng minh

Tôi đã đọc CLRS và được cho biết:

Nếu bao thanh toán số nguyên lớn là dễ dàng, thì việc phá vỡ hệ thống mật mã RSA là dễ dàng.

Điều này có ý nghĩa với tôi bởi vì với kiến ​​thức về và q , thật dễ dàng để tạo ra khóa bí mật mà kiến ​​thức về khóa công khai. Mặc dù, nó giải thích câu nói ngược lại, điều mà tôi không hiểu lắm:$p$$q$

Tuyên bố ngược lại, rằng nếu bao thanh toán các số nguyên lớn là khó, thì phá vỡ RSA là khó, không được chứng minh.

Tuyên bố trên chính thức có nghĩa là gì? Nếu chúng ta cho rằng bao thanh toán là khó (theo một cách chính thức nào đó), tại sao điều đó không ngụ ý rằng việc phá vỡ hệ thống tiền điện tử RSA là khó?

Bây giờ hãy xem xét rằng nếu chúng tôi giả định rằng bao thanh toán là khó khăn ... và chúng tôi đã phát hiện ra rằng điều đó có nghĩa là hệ thống mật mã RSA khó bị phá vỡ. Điều đó chính thức có nghĩa là gì?

The easiest way to think about it is to think of the contrapositive.

The statement:

if factoring large integers is hard, then breaking RSA is hard

is equivalent to the following:

if breaking RSA is easy, then factoring large integers is easy

This statement has not been proven.

What they're saying is, assume we have an algorithm that solves factoring in polynomial time. Then we can use it to construct an algorithm that solves RSA in polynomial time.

But, there could be some other way to crack RSA that doesn't involve factoring integers. It's possible that we will find we can crack RSA in a way that doesn't let us factor integers in polynomial time.

In short, we know that RSA is at least as easy as factoring. There are two possible outcomes: RSA and factoring are of equivalent difficulty, or RSA is a strictly easier problem than factoring. We don't know which is the case.

The existence of a hard way does not imply there is no easy way.

There may be a number of ways to break RSA and we only need to find one of them.

One of these ways is factoring a large integer, so if that is easy we can do it this way and RSA is broken. This is also the only way we know yet. If it is unfeasible to do that, we can still find another, computationally less demanding way to perform our task without the need to explicitly calculate p and q from n.

To prove RSA is broken, we need to prove that one way to do it is easy.

To prove RSA is safe, we need to prove that all ways to do it are hard.

Finally, your statement is unproven because it is unproven that no other, easier method exists that extracts information from a cyphertext.

One additional way to look at it, is that breaking RSA requires only a special case of factoring, which may or may not be easy regardless of the general question of factoring.

As a simple example, consider the case that factoring is indeed difficult, but only for numbers with $3$ different factors. Factoring composite numbers with only two different factors (as used in RSA) may still be easy.

It means that the RSA problem seems (at this time) to be more specific than factoring.

So the RSA problem is this: knowing a semiprime $pq$ and some exponent $e,$ and a value $v,$ find the $m$ such that $v \equiv m^e \mod pq$. (I actually got this wrong in my original answer, so that my phrasing of the RSA problem was equivalent to factoring up to some PP algorithm. Whoops! So you're not alone in being confused at the details here.)

The factoring problem is this: knowing a semiprime $pq,$ find both $p$ and $q$.

If you can efficiently solve the factoring problem, then you can efficiently solve the RSA problem: take the semiprime, factor it, use some theorems about prime moduluses to calculate an inverse exponent $d$ which reveals all ciphertexts as $m \equiv v^d$. (In fact these theorems are how the setup for RSA works: we know the two primes during the setup phase.)

However, it is not known that solving this above problem for arbitrary messages $m$ will tell you anything about the factors of the modulus or the exponents involved. It might or it might not; we don't know. Many smart people have presumably looked at the problem but nothing obvious has jumped out at any of them. So it's not known that the factoring problem is solved by solutions to the RSA problem (plus polynomial effort), only that the RSA problem is solved by solutions to the factoring problem (plus polynomial effort).

In fact in 1998 Boneh and Venkatesan published a proof that a certain simple class of algorithms (plus, times, exponents, no XOR/NAND type stuff) cannot be used to turn an RSA-problem solution into a factoring algorithm. The argument had a simple ingenuity to it: by manipulating those arithmetic operations mathematically, we can find out that the "reduction algorithm" (for precision: this is the algorithm which uses an RSA "oracle" for a semiprime to factor that semiprime) turns out to be a factoring algorithm in its own right, so that we can modify it to a variant which makes no calls to its oracle. So we have a trichotomy: either (a) there is no such reduction algorithm, or (b) the reduction algorithm does not have a nice arithmetic interpretation or (c) factoring is polynomial-time just like the reduction algorithm was.

RSA depends on two abstract mathematical tasks that are believed to be hard: integer factoring, as you know, but also the discrete logarithm problem. You can break RSA if you can quickly factor a number that's the product of two large unknown primes; but you can also break RSA if you can quickly find $\log_e C$ in the finite group $\mathbb{Z}_{m}$, where $e$ and $m$ are the public RSA exponent and modulus, and $C$ is the ciphertext.

These two mathematical tasks are related, but (if I remember correctly) it's believed that a solution to one would not imply a solution to the other. I don't know if they are the only two ways to break RSA mathematically.