Abstract
We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form \(x_i + c\). Here c is fixed and \(x_i\) denotes small integers of the attacker's choosing.
The attack comes in two flavors:
- A first version is illustrated here by producing selective roots of the form \(x_i + c\) in \(L_n(\frac{1}{3}, \sqrt[3]{\frac{32}{9}})\). This matches the special number field sieve's (snfs) complexity.
- A second variant computes arbitrary e-th roots in \(L_n(\frac{1}{3}, \gamma)\) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used.
This addresses in particular the One More rsa Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then \(\sqrt[3]{\frac{32}{9}}\).
Constraining the oracle to roots of the form \(\sqrt[e]{x_i + c} \bmod n\) increases γ.
Both methods are faster than factoring n using the gnfs \((L_n(\frac{1}{3}, \sqrt[3]{\frac{64}{9}}))\).
This sheds additional light on rsa’s malleability in general and on rsa’s resistance to affine forgeries in particular – a problem known to be polynomial for \(x_i > \sqrt[3]{n}\), but for which no algorithm faster than factoring was known before this work.
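The abstract's setting, as an added illustration that is not code from the paper: a toy RSA instance with constructed primes plays the role of n, the oracle is modelled by simply applying the private exponent (held only on the oracle side) to numbers of the form x_i + c with a constructed bound on x_i, and the multiplicative property of e-th roots turns oracle answers for special-form numbers into a valid root of a number that is not of that form. This is the textbook malleability the abstract refers to, not the paper's number-field-sieve construction, which is not implemented here. The second half evaluates the L_n(α, c) complexity function with the two constants quoted above; the bound X_BOUND, the constant c and the 1024-bit size are assumptions for the example.

```python
from math import gcd, log

# ---- Toy RSA instance (constructed for this example; not from the paper) ----

def is_prime(n):
    """Trial-division primality test, adequate for the small toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def next_prime(n):
    """Smallest prime >= n."""
    while not is_prime(n):
        n += 1
    return n

E = 65537
P = next_prime(10**6)        # constructed toy primes; real keys use ~1024-bit primes
Q = next_prime(P + 1)
N = P * Q
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent, known only to the oracle side

X_BOUND = 2**16              # assumed: the oracle answers only for "small" x_i (the special form)

def affine_root_oracle(x, c):
    """Models the abstract's oracle: the e-th root of x + c mod n, for small x only."""
    if not (0 <= x < X_BOUND):
        raise ValueError("oracle only answers queries of the form x_i + c with small x_i")
    return pow((x + c) % N, D, N)

def root_of_product(xs, c):
    """Combine oracle answers multiplicatively: the product of the e-th roots of the
    (x_i + c) is an e-th root of their product, which is no longer of the form x + c."""
    target, root = 1, 1
    for x in xs:
        target = target * (x + c) % N
        root = root * affine_root_oracle(x, c) % N
    return target, root

def is_eth_root(root, target):
    """Public-key check: root^e == target mod n."""
    return pow(root, E, N) == target % N

# ---- Complexity constants quoted in the abstract ----

def ln_L(ln_n, alpha, c):
    """Natural log of L_n(alpha, c) = exp(c * (ln n)^alpha * (ln ln n)^(1 - alpha))."""
    return c * ln_n**alpha * log(ln_n)**(1 - alpha)

ATTACK_CONST = (32 / 9) ** (1 / 3)   # the abstract's constant, equal to the snfs constant
GNFS_CONST = (64 / 9) ** (1 / 3)     # general number field sieve

def log2_costs(bits):
    """Heuristic log2 cost of both methods for a modulus of the given bit size."""
    ln_n = bits * log(2)
    return {
        "attack": ln_L(ln_n, 1 / 3, ATTACK_CONST) / log(2),
        "gnfs": ln_L(ln_n, 1 / 3, GNFS_CONST) / log(2),
    }

if __name__ == "__main__":
    c = 0xC0FFEE                                    # constructed fixed constant
    target, root = root_of_product([3, 17, 1000], c)
    print(is_eth_root(root, target))                # True: a valid e-th root of a non-special number
    print(log2_costs(1024))                         # attack cost is below the gnfs cost
```

The check `is_eth_root` uses only the public key, which is exactly how a verifier would accept the forged root; the defender's takeaway is that an e-th-root (or signature) oracle on attacker-chosen affine inputs leaks more than the roots it answers, and the L_n comparison shows the gap the abstract claims between the oracle-assisted attack and factoring with the gnfs.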
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Joux, A., Naccache, D., Thomé, E. (2007). When e-th Roots Become Easier Than Factoring. In: Kurosawa, K. (ed.) Advances in Cryptology – ASIACRYPT 2007. Lecture Notes in Computer Science, vol 4833. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76900-2_2
DOI: https://doi.org/10.1007/978-3-540-76900-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76899-9
Online ISBN: 978-3-540-76900-2