Is RSA provably secure in the sense of Douglas Stinson's ``provable security''?












4














Here's a quote from Douglas Stinson:




“[i]f a cryptosystem can be ‘broken’ in some specific way, then it
would be possible to efficiently solve some well-studied problem that
is thought to be difficult. For example, it may be possible to prove a
statement of the type “a given cryptosystem is secure if a given
integer n cannot be factored.” [...] [B]ut it must be understood that
this approach only provides a proof of security relative to some other
problem, not an absolute proof of security. This is a similar
situation to proving that a problem is NP-complete [...].”




Source: Stinson, D. R. (2006). Cryptography, Theory and Practice. Chapman
and Hall, CRC, 3rd edition. Chapter 2, section 2.1, page 45.



Does this apply to RSA? Suppose I find the private exponent by some other way other than factoring $n$. Then I would have broken RSA without factoring.



So although Stinson's example mentions factoring, we can't immediately think of RSA here because there's no proof that factoring is the only way to recover a private key. What do you say?






rsa provable-security







share|improve this question


















  • 1




    Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
    – Ilmari Karonen
    Dec 8 at 18:40






  • 1




    @IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
    – Maeher
    Dec 8 at 18:42










  • @IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
    – user45491
    Dec 8 at 18:48






  • 4




    Yes, there is.
    – Ilmari Karonen
    Dec 8 at 18:53






  • 2




    @user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
    – Mihas Koypish
    Dec 8 at 20:02


















4














Here's a quote from Douglas Stinson:




“[i]f a cryptosystem can be ‘broken’ in some specific way, then it
would be possible to efficiently solve some well-studied problem that
is thought to be difficult. For example, it may be possible to prove a
statement of the type “a given cryptosystem is secure if a given
integer n cannot be factored.” [...] [B]ut it must be understood that
this approach only provides a proof of security relative to some other
problem, not an absolute proof of security. This is a similar
situation to proving that a problem is NP-complete [...].”




Source: Stinson, D. R. (2006). Cryptography, Theory and Practice. Chapman
and Hall, CRC, 3rd edition. Chapter 2, section 2.1, page 45.



Does this apply to RSA? Suppose I find the private exponent by some other way other than factoring $n$. Then I would have broken RSA without factoring.



So although Stinson's example mentions factoring, we can't immediately think of RSA here because there's no proof that factoring is the only way to recover a private key. What do you say?






rsa provable-security







share|improve this question


















  • 1




    Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
    – Ilmari Karonen
    Dec 8 at 18:40






  • 1




    @IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
    – Maeher
    Dec 8 at 18:42










  • @IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
    – user45491
    Dec 8 at 18:48






  • 4




    Yes, there is.
    – Ilmari Karonen
    Dec 8 at 18:53






  • 2




    @user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
    – Mihas Koypish
    Dec 8 at 20:02
















4












4








4


2





Here's a quote from Douglas Stinson:




“[i]f a cryptosystem can be ‘broken’ in some specific way, then it
would be possible to efficiently solve some well-studied problem that
is thought to be difficult. For example, it may be possible to prove a
statement of the type “a given cryptosystem is secure if a given
integer n cannot be factored.” [...] [B]ut it must be understood that
this approach only provides a proof of security relative to some other
problem, not an absolute proof of security. This is a similar
situation to proving that a problem is NP-complete [...].”




Source: Stinson, D. R. (2006). Cryptography, Theory and Practice. Chapman
and Hall, CRC, 3rd edition. Chapter 2, section 2.1, page 45.



Does this apply to RSA? Suppose I find the private exponent by some other way other than factoring $n$. Then I would have broken RSA without factoring.



So although Stinson's example mentions factoring, we can't immediately think of RSA here because there's no proof that factoring is the only way to recover a private key. What do you say?






rsa provable-security







share|improve this question













Here's a quote from Douglas Stinson:




“[i]f a cryptosystem can be ‘broken’ in some specific way, then it
would be possible to efficiently solve some well-studied problem that
is thought to be difficult. For example, it may be possible to prove a
statement of the type “a given cryptosystem is secure if a given
integer n cannot be factored.” [...] [B]ut it must be understood that
this approach only provides a proof of security relative to some other
problem, not an absolute proof of security. This is a similar
situation to proving that a problem is NP-complete [...].”




Source: Stinson, D. R. (2006). Cryptography, Theory and Practice. Chapman
and Hall, CRC, 3rd edition. Chapter 2, section 2.1, page 45.



Does this apply to RSA? Suppose I find the private exponent by some other way other than factoring $n$. Then I would have broken RSA without factoring.



So although Stinson's example mentions factoring, we can't immediately think of RSA here because there's no proof that factoring is the only way to recover a private key. What do you say?






rsa provable-security




rsa provable-security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 8 at 18:31









user45491

665




665








  • 1




    Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
    – Ilmari Karonen
    Dec 8 at 18:40






  • 1




    @IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
    – Maeher
    Dec 8 at 18:42










  • @IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
    – user45491
    Dec 8 at 18:48






  • 4




    Yes, there is.
    – Ilmari Karonen
    Dec 8 at 18:53






  • 2




    @user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
    – Mihas Koypish
    Dec 8 at 20:02
















  • 1




    Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
    – Ilmari Karonen
    Dec 8 at 18:40






  • 1




    @IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
    – Maeher
    Dec 8 at 18:42










  • @IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
    – user45491
    Dec 8 at 18:48






  • 4




    Yes, there is.
    – Ilmari Karonen
    Dec 8 at 18:53






  • 2




    @user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
    – Mihas Koypish
    Dec 8 at 20:02










1




1




Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
– Ilmari Karonen
Dec 8 at 18:40




Well, the security of RSA (with a secure padding scheme) is provably reducible to the RSA problem. But I'm not sure if that's really the kind of answer you're looking for.
– Ilmari Karonen
Dec 8 at 18:40




1




1




@IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
– Maeher
Dec 8 at 18:42




@IlmariKaronen Technically the RSA problem is a "well-studied problem that is thought to be difficult".
– Maeher
Dec 8 at 18:42












@IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
– user45491
Dec 8 at 18:48




@IlmariKaronen Perhaps I could put my question this way: if I have $n$, the composite, $e$ the public exponent and $d$, the private exponent, is there a known method to find $phi(n)$ (or to factor $n$)?
– user45491
Dec 8 at 18:48




4




4




Yes, there is.
– Ilmari Karonen
Dec 8 at 18:53




Yes, there is.
– Ilmari Karonen
Dec 8 at 18:53




2




2




@user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
– Mihas Koypish
Dec 8 at 20:02






@user45491 no, finding a private key ($d$) is not the necessary condition for broking PKE scheme. E.g., if an attacker is able to find just a forgery - a signature of some message, the scheme is already broken, although the attacker can't find the private key.
– Mihas Koypish
Dec 8 at 20:02












1 Answer
1






active

oldest

votes


















13














Every cryptosystem is "provably secure" under at least one hardness assumption: the assumption that it cannot be broken. Hence, the only question which matters is whether a cryptosystem is provably secure under a well-known and well-studied assumption.



This is kind of the case for RSA, but in a somewhat unsatisfying way: the IND-CPA security of RSA with appropriate padding can be reduced to the RSA problem (extracting $e$-th roots mod $n$), which is a well-studied assumption... But only because this is the one underlying the RSA cryptosystem, and we have been using the cryptosystem a lot in the past decades.



Something much more satisfying would be to reduce it to a problem which had long been studied before, in different context; the most natural such candidate is indeed factoring. Unfortunately, we do not know of a reduction from RSA to the hardness of factoring integers - in fact, we even have proofs that it will be hard to find such a reduction (in a well defined sense).



We have, however, many other cryptosystems which can be reduced to factoring; the earliest example of this kind is the cryptosystem of Rabin.






share|improve this answer





















  • The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
    – user45491
    Dec 10 at 23:46










  • Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
    – user45491
    Dec 10 at 23:47











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64684%2fis-rsa-provably-secure-in-the-sense-of-douglas-stinsons-provable-security%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









13














Every cryptosystem is "provably secure" under at least one hardness assumption: the assumption that it cannot be broken. Hence, the only question which matters is whether a cryptosystem is provably secure under a well-known and well-studied assumption.



This is kind of the case for RSA, but in a somewhat unsatisfying way: the IND-CPA security of RSA with appropriate padding can be reduced to the RSA problem (extracting $e$-th roots mod $n$), which is a well-studied assumption... But only because this is the one underlying the RSA cryptosystem, and we have been using the cryptosystem a lot in the past decades.



Something much more satisfying would be to reduce it to a problem which had long been studied before, in different context; the most natural such candidate is indeed factoring. Unfortunately, we do not know of a reduction from RSA to the hardness of factoring integers - in fact, we even have proofs that it will be hard to find such a reduction (in a well defined sense).



We have, however, many other cryptosystems which can be reduced to factoring; the earliest example of this kind is the cryptosystem of Rabin.






share|improve this answer





















  • The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
    – user45491
    Dec 10 at 23:46










  • Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
    – user45491
    Dec 10 at 23:47
















13














Every cryptosystem is "provably secure" under at least one hardness assumption: the assumption that it cannot be broken. Hence, the only question which matters is whether a cryptosystem is provably secure under a well-known and well-studied assumption.



This is kind of the case for RSA, but in a somewhat unsatisfying way: the IND-CPA security of RSA with appropriate padding can be reduced to the RSA problem (extracting $e$-th roots mod $n$), which is a well-studied assumption... But only because this is the one underlying the RSA cryptosystem, and we have been using the cryptosystem a lot in the past decades.



Something much more satisfying would be to reduce it to a problem which had long been studied before, in different context; the most natural such candidate is indeed factoring. Unfortunately, we do not know of a reduction from RSA to the hardness of factoring integers - in fact, we even have proofs that it will be hard to find such a reduction (in a well defined sense).



We have, however, many other cryptosystems which can be reduced to factoring; the earliest example of this kind is the cryptosystem of Rabin.






share|improve this answer





















  • The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
    – user45491
    Dec 10 at 23:46










  • Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
    – user45491
    Dec 10 at 23:47














13












13








13






Every cryptosystem is "provably secure" under at least one hardness assumption: the assumption that it cannot be broken. Hence, the only question which matters is whether a cryptosystem is provably secure under a well-known and well-studied assumption.



This is kind of the case for RSA, but in a somewhat unsatisfying way: the IND-CPA security of RSA with appropriate padding can be reduced to the RSA problem (extracting $e$-th roots mod $n$), which is a well-studied assumption... But only because this is the one underlying the RSA cryptosystem, and we have been using the cryptosystem a lot in the past decades.



Something much more satisfying would be to reduce it to a problem which had long been studied before, in different context; the most natural such candidate is indeed factoring. Unfortunately, we do not know of a reduction from RSA to the hardness of factoring integers - in fact, we even have proofs that it will be hard to find such a reduction (in a well defined sense).



We have, however, many other cryptosystems which can be reduced to factoring; the earliest example of this kind is the cryptosystem of Rabin.






share|improve this answer












Every cryptosystem is "provably secure" under at least one hardness assumption: the assumption that it cannot be broken. Hence, the only question which matters is whether a cryptosystem is provably secure under a well-known and well-studied assumption.



This is kind of the case for RSA, but in a somewhat unsatisfying way: the IND-CPA security of RSA with appropriate padding can be reduced to the RSA problem (extracting $e$-th roots mod $n$), which is a well-studied assumption... But only because this is the one underlying the RSA cryptosystem, and we have been using the cryptosystem a lot in the past decades.



Something much more satisfying would be to reduce it to a problem which had long been studied before, in different context; the most natural such candidate is indeed factoring. Unfortunately, we do not know of a reduction from RSA to the hardness of factoring integers - in fact, we even have proofs that it will be hard to find such a reduction (in a well defined sense).



We have, however, many other cryptosystems which can be reduced to factoring; the earliest example of this kind is the cryptosystem of Rabin.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 8 at 18:48









Geoffroy Couteau

8,06511532




8,06511532












  • The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
    – user45491
    Dec 10 at 23:46










  • Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
    – user45491
    Dec 10 at 23:47


















  • The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
    – user45491
    Dec 10 at 23:46










  • Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
    – user45491
    Dec 10 at 23:47
















The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
– user45491
Dec 10 at 23:46




The RSA problem asks us to recover the plain text m from (N, e). If I find a way to get d without factoring, I'll be able to recover any m. If I get d, I also factor N. This is not a reduction of RSA to factoring because there may some way to get m without getting d (and so without factoring N).
– user45491
Dec 10 at 23:46












Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
– user45491
Dec 10 at 23:47




Your first paragraph is very well put. Thank you. Your second paragraph is equally good. Your third paragraph I'm still grasping --- but I think I understood it, as expressed in my previous comment. Your last paragraph makes your answer the best thing I could get --- although I had to think about the whole thing for a couple of days. Thank you so much for sharing your very insightful knowledge. Very grateful.
– user45491
Dec 10 at 23:47


















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64684%2fis-rsa-provably-secure-in-the-sense-of-douglas-stinsons-provable-security%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Plaza Victoria

Image
Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
Read more

Puebla de Zaragoza

Image
Para otros usos de este término, véase Puebla (desambiguación). Heroica Puebla de Zaragoza Localidad De arriba a abajo de izquierda a derecha: Estrella de Puebla, Volcán Popocatépetl, Catedral de Puebla, Monumento a Ignacio Zaragoza, Estadio Cuauhtémoc, Angelópolis y Vista panorámica de la ciudad. Escudo Otros nombres: El relicario de América/ La ciudad de los Ángeles/ La Angelópolis Lema: Muy noble y muy leal ciudad de Puebla de los Ángeles Heroica Puebla de Zaragoza Localización de Heroica Puebla de Zaragoza en México Heroica Puebla de Zaragoza Localización de Heroica Puebla de Zaragoza en Puebla Mapa interactivo Coordenadas 19°03′05″N 98°13′04″O  /  19.051388888889, -98.217777777778 Coordenadas: 19°03′05″N 98°13′04″O  /  19.051388888889, -98.217777777778 Idioma oficial Español Entidad Localidad  • País   México  • Estado Puebla  • Municipio Puebla Presidente municipal Claudia Rivera Vivanc
Read more

Musa

Image
Para el género de plantas, véase Musa (planta). Apolo y la Nueve Musas En la mitología griega, las musas (en griego antiguo μοῦσαι « mousai» ) son, según los escritores más antiguos, las divinidades inspiradoras de las Artes: cada una de ellas está relacionada con ramas artísticas y del conocimiento. Son hijas de Zeus y de Mnemósine, compañeras del séquito de Apolo, dios olímpico de la música y patrón de las bellas artes, quien tuvo romances con cada una de ellas, dejando descendientes. Bajaban a la tierra a susurrar ideas e inspirar a aquellos mortales que las invocaran. En la época más arcaica eran las ninfas inspiradoras de las fuentes, en las cuales eran adoradas. Finalmente, alrededor de los siglos VIII-VII a. C. [ 1 ] ​ prevaleció en todo el territorio de la Hélade la adoración de las nueve Musas, que son Calíope, Clío, Erato, Euterpe, Melpómene, Polimnia, Talía, Terpsícore y Urania. El culto a las musas era originalmente de Tracia y Beocia, y fueron de vital impo
Read more