Despite the fundamental importance of delay functions, repeated squaring in RSA groups (Rivest, Shamir and Wagner ’96) is the only candidate offering both a useful structure and a realistic level of practicality. Somewhat unsatisfyingly, its sequentiality is provided directly by assumption (i.e., the function is assumed to be a delay function). We prove sharp thresholds on the sequentiality of all generic-ring delay functions relative to an RSA modulus based on the hardness of factoring in the standard model. In particular, we show that generically speeding-up repeated squaring (even with a preprocessing stage and any polynomial number parallel processors) is equivalent to factoring. More generally, based on the (essential) hardness of factoring, we prove that any generic-ring function is in fact a delay function, admitting a sharp sequentiality threshold that is determined by our notion of sequentiality depth. Moreover, we show that generic-ring functions admit not only sharp sequentiality thresholds, but also sharp pseudorandomness thresholds.
|Original language||American English|
|Title of host publication||Advances in Cryptology - CRYPTO 2020 - 40th Annual International Cryptology Conference, Proceedings|
|Editors||Daniele Micciancio, Thomas Ristenpart|
|Number of pages||29|
|State||Published - 2020|
|Event||40th Annual International Cryptology Conference, CRYPTO 2020 - Santa Barbara, United States|
Duration: 17 Aug 2020 → 21 Aug 2020
|Name||Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)|
|Conference||40th Annual International Cryptology Conference, CRYPTO 2020|
|Period||17/08/20 → 21/08/20|
Bibliographical noteFunding Information:
L. Rotem and G. Segev—Supported by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253). L. Rotem—Supported by the Adams Fellowship Program of the Israel Academy of Sciences and Humanities.
© International Association for Cryptologic Research 2020.