Journal of Cryptology

, Volume 10, Issue 4, pp 233–260

Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

  • Don Coppersmith

DOI: 10.1007/s001459900030

Cite this article as:
Coppersmith, D. J. Cryptology (1997) 10: 233. doi:10.1007/s001459900030


We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order \(\frac{1}{4} \log_2 N\) bits of P.

Key words. Polynomial, RSA, Factoring.

Copyright information

© 1997 International Association for Criptologic Rese 1997

Authors and Affiliations

  • Don Coppersmith
    • 1
  1. 1.IBM Research, T. J. Watson Research Center US