Attacks on some RSA signatures
Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Redundancy
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
How (not) to Design RSA Signature Schemes
PKC '98 Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Solving sparse rational linear systems
Proceedings of the 2006 international symposium on Symbolic and algebraic computation
Faster inversion and other black box matrix computations using efficient block projections
Proceedings of the 2007 international symposium on Symbolic and algebraic computation
Selective forgery of RSA signatures using redundancy
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
An algorithm to solve the discrete logarithm problem with the number field sieve
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Breaking RSA Generically Is Equivalent to Factoring
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Oracle-Assisted Static Diffie-Hellman Is Easier Than Discrete Logarithms
Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
Square root algorithms for the number field sieve
WAIFI'12 Proceedings of the 4th international conference on Arithmetic of Finite Fields
Another look at affine-padding RSA signatures
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
| Hi-index | 0.00 |
We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form xi + c. Here c is fixed and xi denotes small integers of the attacker's choosing. The attack comes in two flavors: - A first version is illustrated here by producing selective roots of the form xi + c in Ln(1/3, 3√32/9). This matches the special number field sieve's (SNFS) complexity. - A second variant computes arbitrary e-th roots in Ln (1/3, γ) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used. This addresses in particular the One More rsa Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then 3√32/9. Constraining the oracle to roots of the form e√xi + c mod n increases γ. Both methods are faster than factoring n using the GNFS (Ln(1/3, 3√64/9)). This sheds additional light on rsa's malleability in general and on rsa's resistance to affine forgeries in particular - a problem known to be polynomial for xi 3√n, but for which no algorithm faster than factoring was known before this work.