Abstract
We show that computing e-th roots modulo $n$ is easier than factoring $n$ with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form $x_i + c$. Here $c$ is fixed and $x_i$ denotes small integers of the attacker's choosing. The attack comes in two flavors:
- A first version is illustrated here by producing selective roots of the form $x_i + c$ in $L_n(1/3, \sqrt[3]{32/9})$. This matches the special number field sieve's (SNFS) complexity.
- A second variant computes arbitrary e-th roots in $L_n(1/3, \gamma)$ after a subexponential number of oracle queries. The constant $\gamma$ depends on the type of oracle used. This addresses in particular the One More RSA Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant $\gamma$ is then $\sqrt[3]{32/9}$. Constraining the oracle to roots of the form $\sqrt[e]{x_i + c} \bmod n$ increases $\gamma$.
Both methods are faster than factoring $n$ using the GNFS ($L_n(1/3, \sqrt[3]{64/9})$). This sheds additional light on RSA's malleability in general and on RSA's resistance to affine forgeries in particular - a problem known to be polynomial for $x_i > \sqrt[3]{n}$, but for which no algorithm faster than factoring was known before this work. © International Association for Cryptology Research 2007.
Joux, A., Naccache, D., & Thomé, E. (2007). When e-th roots become easier than factoring. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4833 LNCS, pp. 13–28). Springer Verlag. https://doi.org/10.1007/978-3-540-76900-2_2