Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

Abstract.

We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order \(\frac{1}{4} \log_2 N\) bits of P.

Author information

Affiliations

Authors

Additional information

Received 21 December 1995 and revised 11 August 1996

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Coppersmith, D. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. Cryptology 10, 233–260 (1997). https://doi.org/10.1007/s001459900030

Download citation

  • Key words. Polynomial, RSA, Factoring.