Here $c$ is fixed and $x_i$ denotes small integers of the attacker's choosing.
Several variants of the attack are presented, with varying assumptions on the oracle, and goals ranging from selective to universal forgeries. The computational complexity of the attack is $L_n(\frac{1}{3}, \sqrt[3]{\frac{32}{9}})$ in most significant situations, which matches the {\sl special} number field sieve's ({\sc snfs}) complexity.
This sheds additional light on {\sc rsa}'s malleability in general and on {\sc rsa}'s resistance to affine forgeries in particular -- a problem known to be polynomial for $x_i > \sqrt[3]{n}$, but for which no algorithm faster than factoring was known before this work.
Category / Keywords: public-key cryptography / Publication Info: RSA, NFS, factoring, digital signatures Date: received 12 Nov 2007 Contact author: Emmanuel Thome at normalesup org Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Version: 20071118:222051 (All versions of this report) Short URL: ia.cr/2007/424 Discussion forum: Show discussion | Start new discussion