When e-th Roots Become Easier Than Factoring

  • Antoine Joux
  • David Naccache
  • Emmanuel Thomé
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4833)

Abstract

We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form \(x_i + c\).

Here c is fixed and \(x_i\) denotes small integers of the attacker's choosing.

The attack comes in two flavors:
  • A first version is illustrated here by producing selective roots of the form \(x_i + c\) in \(L_n(\frac{1}{3}, \sqrt[3]{\frac{32}{9}})\). This matches the special number field sieve's (SNFS) complexity.

  • A second variant computes arbitrary e-th roots in \(L_n(\frac{1}{3}, \gamma)\) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used.

    This addresses in particular the One More RSA Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then \(\sqrt[3]{\frac{32}{9}}\).

    Constraining the oracle to roots of the form \(\sqrt[e]{x_i + c} \bmod n\) increases γ.

Both methods are faster than factoring n using the GNFS \((L_n(\frac{1}{3}, \sqrt[3]{\frac{64}{9}}))\).

This sheds additional light on RSA's malleability in general and on RSA's resistance to affine forgeries in particular – a problem known to be polynomial for \(x_i > \sqrt[3]{n}\), but for which no algorithm faster than factoring was known before this work.
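The property the attack builds on is that RSA roots are multiplicative: roots of oracle-signed values \(x_i + c\) can be multiplied and divided to obtain the root of a value the oracle never saw. The toy below is an added illustration of that oracle model (it is not the paper's code and does not implement its number field sieve machinery); the primes, e and c are constructed here and deliberately tiny.

```python
# Added example: multiplicative malleability of RSA e-th roots in the oracle
# model of the abstract (oracle returns e-th roots of x_i + c for small x_i).
# Toy parameters constructed for illustration only; not the paper's own code.

P, Q = 10007, 10009                 # constructed toy primes (far too small to be secure)
N = P * Q
E = 65537                           # public exponent, coprime to (P-1)(Q-1)
_D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: known only to the oracle
C = 123456                          # the fixed constant c in x_i + c

def root_oracle(x: int) -> int:
    """Signer/oracle side: returns an e-th root of (x + C) mod N for a small x."""
    if not 0 <= x < 2**16:
        raise ValueError("oracle only answers for small x_i")
    return pow((x + C) % N, _D, N)

def forge_root(xs_num, xs_den):
    """Attacker side: using only N, E and oracle answers, build an e-th root of
    target = prod(x + C, x in xs_num) * prod((x + C)^-1, x in xs_den) mod N.
    The target itself is never submitted to the oracle."""
    target, root = 1, 1
    for x in xs_num:
        target = target * (x + C) % N
        root = root * root_oracle(x) % N
    for x in xs_den:
        target = target * pow(x + C, -1, N) % N      # needs gcd(x + C, N) = 1
        root = root * pow(root_oracle(x), -1, N) % N
    return target, root

def is_eth_root(root: int, target: int) -> bool:
    """Public check: does root^E equal target mod N?"""
    return pow(root, E, N) == target % N

def queried_values(xs):
    """The set of padded values the oracle actually signed, for comparison."""
    return {(x + C) % N for x in xs}
```

The defender's lesson is the one the affine-forgery literature draws: any signing oracle whose inputs are small affine shifts of a fixed constant leaks this algebraic structure, so the message must go through a hash before exponentiation.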

Keywords

RSA, factoring, NFS, roots


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Antoine Joux (1)
  • David Naccache (2)
  • Emmanuel Thomé (3)

  1. DGA and Université de Versailles, UVSQ PRISM, 45 avenue des États-Unis, F-78035 Versailles CEDEX, France
  2. École normale supérieure, Équipe de cryptographie, 45 rue d'Ulm, F-75230 Paris CEDEX 05, France
  3. INRIA Lorraine, LORIA, CACAO – bâtiment A, 615 rue du Jardin botanique, F-54602 Villiers-lès-Nancy CEDEX, France