1

Given access to a 2048-bit public key, a large corpus of 2048-bit plain text messages and their signatures (RSA-PSS with SHA256 as the hash and MGF), are any of the following statements correct?

  1. Increasing the number of messages available significantly increases the likelihood an attacker can reverse the private key
  2. Decreasing the plain text message size significantly increases the likelihood an attacker can reverse the private key

Note: by significantly I mean "before the heat death of the universe" becomes a few hundred years. If instead it becomes half the heat death of the universe, I'm less interested.

Joshka

1 Answer

2

We don't know any forgery algorithm which can do a better job if there are more signed messages available, or smaller signed messages available.

The best way we know to forge messages is to factor $n$. The best algorithm we know to factor $n = pq$ when $2^{1023} < p < q < 2^{1024}$ are (near) uniform random primes, the general number field sieve, costs more than $e^{(\log n)^{1/3} (\log \log n)^{2/3}}$, and uses only the modulus $n$, without reference to any signed messages.

The standard PSS security theorem is that if you had an algorithm to forge signatures, then someone could use your signature forger as a subroutine in a program to invert $x \mapsto x^e \bmod n$ with essentially the same probability of success as the forger, and as many additional modular exponentiations as the forger makes hash or signing queries. Consequently, PSS forgery can't be much cheaper than computing $e^{\mathit{th}}$ roots, but we don't know any way to actually do it besides factoring $n$ in order to compute $e^{\mathit{th}}$ roots in the first place.

Squeamish Ossifrage
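The cost estimate quoted in the answer, evaluated for several modulus sizes as an added example (not part of the answer or the question). The constant $(64/9)^{1/3}$, the dropped $o(1)$ term and the rate of $10^{18}$ operations per second are assumptions that do not appear on the page; note that the only input is the modulus, never the signed messages.

```python
import math

# Standard heuristic GNFS constant (64/9)^(1/3). Assumption: the page gives
# the formula without a constant; the o(1) term is dropped as well.
GNFS_C = (64 / 9) ** (1 / 3)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def gnfs_log2_cost(n: int) -> float:
    """Return log2 of exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)).

    The estimate depends on the modulus n alone: there is no parameter
    for the number or the size of the signed messages an attacker holds.
    """
    ln_n = math.log(n)  # math.log accepts arbitrarily large Python ints
    nats = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return nats / math.log(2)


def years_to_factor(n: int, ops_per_second: float = 1e18) -> float:
    """Convert the estimate to years at an assumed (hypothetical) rate."""
    return 2.0 ** gnfs_log2_cost(n) / ops_per_second / SECONDS_PER_YEAR


def report(bit_sizes=(512, 1024, 2048, 3072)):
    """Return (bits, log2 cost, years) rows for constructed moduli."""
    rows = []
    for bits in bit_sizes:
        # Constructed stand-in of the right size, not a real RSA modulus:
        # the formula only looks at the magnitude of n.
        n = (1 << bits) - 1
        rows.append((bits, round(gnfs_log2_cost(n), 1), years_to_factor(n)))
    return rows


if __name__ == "__main__":
    for bits, log2_cost, years in report():
        print(f"{bits:>5}-bit n: ~2^{log2_cost} operations, ~{years:.2e} years")
```
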