
It is known that elements of $[1..N-1]$, where $N$ is the RSA modulus, can have different orders. So some of the elements can have very small order, generating a subgroup of only a few elements.

Now, if the adversary chooses a message $m$ that has small order, the adversary does not have to know the private exponent $d$ to forge the signature for this $m$, since the same signature can be produced using a smaller exponent $x$ $(d \equiv x \pmod{\mathrm{ord}(m)})$, which can be found more easily than the private exponent $d$.

Why is this not a concern in the RSA signature scheme?

Update: The cyclic attack does not depend on the order of $m$. The answer should be related to the distribution of orders for elements in $[1..N-1]$. Since the order of an element divides $\phi(N)$, the choice of $p$ and $q$ should have some effect on the feasibility of this attack.


1 Answer


The order $o$ of an element $m\in(\mathbb Z/pq\mathbb Z)^\times = (\mathbb Z/p\mathbb Z)^\times\times(\mathbb Z/q\mathbb Z)^\times$ is the least common multiple of its (multiplicative) orders modulo $p$ and modulo $q$.

If this order $o$ is known to the attacker (or at least small enough that one can find it, e.g., by baby-step giant-step), then the attacker can factor $N=pq$ if the multiplicative order of $m$ modulo $p$ differs from its order modulo $q$: the attacker raises $m$ to the power of $\frac{o}{r}$ for all prime factors $r$ of $o$, until modulo one prime factor of $N$, but not the other, the order of $m$ divides $\frac{o}{r}$, which can be detected by $0<\gcd(m^\frac{o}{r}-1\bmod N, N)<N$, breaking RSA.

So what you are asking for allows the attacker either to break RSA or to find an element $m\ne 1$ that has simultaneously the same small multiplicative order $o$ for unknown primes $p$ and $q$ given just their product $N$, which I'd expect to be a hard problem ($m$ is modulo $p$ a $(\frac{p-1}{o})$-th, modulo $q$ a $(\frac{q-1}{o})$-th power).
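A worked version of the factoring step in this answer, added here as an example (it is not the answerer's code). It uses constructed toy primes $p=1019$, $q=1031$ and brute-force order computations, which are fine at this size but not for real moduli; it shows both the case where the orders modulo $p$ and $q$ differ (the gcd trick factors $N$) and the case where they coincide (the trick yields nothing).

```python
from math import gcd

def prime_factors(n):
    """Distinct prime factors of n (trial division; toy sizes only)."""
    return {d for d in range(2, n + 1) if n % d == 0 and all(d % s for s in range(2, d))}

def multiplicative_order(m, n):
    """Order of m in (Z/nZ)^*, by repeated multiplication (toy sizes only)."""
    k, x = 1, m % n
    while x != 1:
        x, k = x * m % n, k + 1
    return k

def element_of_order(o, prime):
    """Some element of exact order o modulo a prime, where o divides prime - 1."""
    for g in range(2, prime):
        h = pow(g, (prime - 1) // o, prime)
        if h != 1 and multiplicative_order(h, prime) == o:
            return h

def crt(a, p, b, q):
    """The unique m mod p*q with m == a (mod p) and m == b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)

def factor_from_order(m, o, N):
    """The answer's test: for each prime r | o, m^(o/r) is 1 modulo exactly one prime
    of N iff 1 < gcd(m^(o/r) - 1, N) < N.  Returns that factor, else None."""
    for r in prime_factors(o):
        g = gcd(pow(m, o // r, N) - 1, N)
        if 1 < g < N:
            return g
    return None

# Constructed toy key: p - 1 = 2*509, q - 1 = 2*5*103, so the available
# small orders differ between the two primes.
P, Q = 1019, 1031
N = P * Q

def different_orders():
    """m of order 2 mod P and order 5 mod Q: o = 10 and the gcd trick factors N."""
    m = crt(element_of_order(2, P), P, element_of_order(5, Q), Q)
    o = multiplicative_order(m, N)
    return o, factor_from_order(m, o, N)

def same_orders():
    """m = -1 mod both primes (m = N - 1): o = 2 on each side, nothing is learned."""
    m = crt(P - 1, P, Q - 1, Q)
    o = multiplicative_order(m, N)
    return o, factor_from_order(m, o, N)
```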