When e-th Roots Become Easier Than Factoring

  • Antoine Joux
  • David Naccache
  • Emmanuel Thomé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4833)


We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form \(x_i + c\).

Here c is fixed and \(x_i\) denotes small integers of the attacker’s choosing.

The attack comes in two flavors:
  • A first version is illustrated here by producing selective roots of the form \(x_i + c\) in \(L_n(\frac{1}{3}, \sqrt[3]{\frac{32}{9}})\). This matches the special number field sieve’s (SNFS) complexity.

  • A second variant computes arbitrary e-th roots in \(L_n(\frac{1}{3}, \gamma)\) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used.

    This addresses in particular the One More RSA Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then \(\sqrt[3]{\frac{32}{9}}\).

    Constraining the oracle to roots of the form \(\sqrt[e]{x_i + c} \bmod n\) increases γ.

Both methods are faster than factoring n using the GNFS \((L_n(\frac{1}{3}, \sqrt[3]{\frac{64}{9}}))\).

This sheds additional light on RSA’s malleability in general and on RSA’s resistance to affine forgeries in particular – a problem known to be polynomial for \(x_i > \sqrt[3]{n}\), but for which no algorithm faster than factoring was known before this work.


Keywords: RSA, factoring, NFS, roots



Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Antoine Joux (1)
  • David Naccache (2)
  • Emmanuel Thomé (3)

  1. DGA and Université de Versailles, UVSQ PRISM, 45 avenue des États-Unis, F-78035 Versailles CEDEX, France
  2. École normale supérieure, Équipe de cryptographie, 45 rue d’Ulm, F-75230 Paris CEDEX 05, France
  3. INRIA Lorraine, LORIA, CACAO – bâtiment A, 615 rue du Jardin botanique, F-54602 Villiers-lès-Nancy CEDEX, France
