It is proved that RSA least significant bit is 1/2 plus 1/log**c N secure, for any constant c (where N is the RSA modulus). This means that an adversary, given the ciphertext, cannot guess the least significant bit of the plaintext with probability better than 1/2 plus 1/log**c N, unless he can break RSA. The following related results are also obtained: (1) the log log N least significant bits are simultaneously 1/2 plus 1/log**c N; and (2) the above also holds for Rabin's encryption function. The results imply that Rabin/RSA encryption can be directly used for pseudorandom bits generation, provided that factoring/inverting RSA is hard.