Sciweavers

ASIACRYPT
2007
Springer

When e-th Roots Become Easier Than Factoring

14 years 6 months ago
When e-th Roots Become Easier Than Factoring
We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form xi + c. Here c is fixed and xi denotes small integers of the attacker’s choosing. The attack comes in two flavors: – A first version is illustrated here by producing selective roots of the form xi + c in Ln(1 3 , 3 q 32 9 ). This matches the special number field sieve’s (snfs) complexity. – A second variant computes arbitrary e-th roots in Ln(1 3 , γ) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used. This addresses in particular the One More rsa Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then 3 q 32 9 . If the oracle is constrained to roots of the form e √ xi + c mod n then γ = 3 √ 6. Both methods are faster than factoring n using the gnfs (Ln(1 3 , 3 q...
Antoine Joux, David Naccache, Emmanuel Thomé
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Where ASIACRYPT
Authors Antoine Joux, David Naccache, Emmanuel Thomé
Comments (0)