When e-th Roots Become Easier Than Factoring

We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form xi + c. Here c is fixed and xi denotes small integers of the attacker’s choosing. The attack comes in two flavors: – A first version is illustrated here by producing selective roots of the form xi + c in Ln( 1 3 , 3 q 32 9 ). This matches the special number field sieve’s (snfs) complexity. – A second variant computes arbitrary e-th roots in Ln( 1 3 , γ) after a subexponential number of oracle queries. The constant γ depends on the type of oracle used. This addresses in particular the One More rsa Inversion problem, where the e-th root oracle is not restricted to numbers of a special form. The aforementioned constant γ is then 3 q 32 9 . If the oracle is constrained to roots of the form e √ xi + c mod n then γ = 3 √ 6. Both methods are faster than factoring n using the gnfs (Ln( 1 3 , 3 q 64 9 )). This sheds additional light on rsa’s malleability in general and on rsa’s resistance to affine forgeries in particular – a problem known to be polynomial for xi > 3 √ n, but for which no algorithm faster than factoring was known before this work.