On the Validity of the Φ-Hiding Assumption in Cryptographic Protocols

Most cryptographic protocols, in particular asymmetric protocols, are based on assumptions about the computational complexity of mathematical problems. The Φ-Hiding assumption is such an assumption. It states that if p1 and p2 are small primes exactly one of which divides φ(N), where N is a number whose factorization is unknown and φ is Euler’s totient function, then there is no polynomialtime algorithm to distinguish which of the primes p1 and p2 divides φ(N) with a probability significantly greater than 1/2. In this paper, it will be shown that the Φ-Hiding assumption is not valid when applied to a modulus N = PQ, where P,Q > 2 are primes, e > 0 is an integer and P hides the prime in question. This indicates that cryptographic protocols using such moduli and relying on the Φ-Hiding assumption must be handled with care.