, Volume 10, Issue 4, pp 233-260
Date: 01 Nov 1997

Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access

Abstract.

We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order \(\frac{1}{4} \log_2 N\) bits of P.

Received 21 December 1995 and revised 11 August 1996