Stronger security proofs for RSA and Rabin bits

The RSA and Rabin encryption functions are respectively defined as E-N(x) = x(e) mod N and E-N(x) = x(2) mod N, where N is a product of two large random primes p, q and e is relatively prime to phi(N). We present a simpler and tighter proof of the result of Alexi et al. [ACGS] that the following problems are equivalent by probabilistic polynomial time reductions: (1) given E-N(x) find x; (2) given E-N(x) predict the least-significant bit of x with success probability 1/2 + 1/ poly(n), where N has n bits. The new proof consists of a more efficient algorithm for inverting the RSA/Rabin function with the help of an oracle that predicts the least-significant bit of x. It yields provable security guarantees for RSA message bits and for the RSA random number generator for modules N of practical size.