On Using RSA with Low Exponent in a Public Key Network

  • Johan Hastad
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 218)


We consider the problem of solving systems of equations $P_i(x) \equiv 0 \pmod{n_i}$, $i = 1, \dots, k$, where the $P_i$ are polynomials of degree $d$, the $n_i$ are distinct relatively prime numbers, and $x < \min n_i$. We prove that if $k > d(d+1)/2$ we can recover $x$ in polynomial time provided $n_i \gg 2^k$. This shows that RSA with low exponent is not a good alternative to use as a public key cryptosystem in a large network. It also shows that a protocol by Broder and Dolev [4] is insecure if RSA with low exponent is used.
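The simplest instance of the system above is $P_i(x) = x^e - c_i$: one unpadded message $x$ encrypted with the same low exponent $e$ for $k \ge e$ recipients. In that special case the Chinese Remainder Theorem and an integer root are enough, without the paper's general method. The Python sketch below is an added illustration, not code from the paper; the toy moduli, the message and all function names are constructed for the example.

```python
from math import gcd, prod

E = 3  # low public exponent shared by all recipients

# Constructed toy moduli (products of known Mersenne primes). Only pairwise
# coprimality matters for the recovery; no private key is ever computed.
MODULI = [(2**61 - 1) * (2**89 - 1),
          (2**107 - 1) * (2**127 - 1),
          (2**521 - 1) * (2**607 - 1)]

def crt(residues, moduli):
    """Return the unique c in [0, prod(moduli)) with c = r_i (mod n_i)."""
    big_n = prod(moduli)
    c = 0
    for r, n in zip(residues, moduli):
        m = big_n // n
        c += r * m * pow(m, -1, n)
    return c % big_n

def iroot(a, k):
    """Floor of the k-th root of a non-negative integer, by bisection."""
    lo, hi = 0, 1 << (a.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= a:
            lo = mid
        else:
            hi = mid - 1
    return lo

def recover(ciphertexts, moduli, e=E):
    """Recover x from c_i = x^e mod n_i, or None if no common x exists."""
    if len(ciphertexts) < e:
        return None  # x^e may exceed prod(n_i); CRT value is then not x^e
    if any(gcd(a, b) != 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise coprime")
    c = crt(ciphertexts, moduli)  # equals x^e exactly, since x^e < prod(n_i)
    r = iroot(c, e)
    return r if r ** e == c else None

def demo():
    x = int.from_bytes(b"constructed msg", "big")  # x < min(MODULI)
    same = recover([pow(x, E, n) for n in MODULI], MODULI)
    # Distinct per-recipient values defeat this shortcut only; the abstract's
    # result still covers differences that are known polynomials of x.
    varied = recover([pow(x + i + 1, E, n) for i, n in enumerate(MODULI)], MODULI)
    return x, same, varied
```

`demo()` returns the original message, the value recovered from three textbook ciphertexts, and `None` for the case where each recipient received a different value.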


  [1] Alexi W., Chor B., Goldreich O. and Schnorr C.P. “RSA/Rabin Bits are 1/2 + 1/poly(logN) Secure” FOCS 1984 pp 449–457
  [2] Awerbuch B., Chor B., Goldwasser S. and Micali S. “Provably Secure Coin Flip in a Byzantine Environment”, manuscript in preparation.
  [3] Blum M. and Goldwasser S. “An efficient Probabilistic Public Key Encryption Scheme which Hides all Partial Information” Presented in Crypto 1984
  [4] Broder A.Z. and Dolev D. “Flipping Coins in Many Pockets” FOCS 1984 pp 157–170
  [5] Cassels J.W.S. “Geometry of Numbers” Springer 1959
  [6] Goldwasser S. and Micali S. “Probabilistic Encryption” JSCC 28 270–299
  [7] Lenstra A.K., Lenstra H.W. and Lovasz L. “Factoring Polynomials with Integer Coefficients” Mathematische Annalen 261 (1982) 513–534
  [8] Rivest R.L., Shamir A. and Adleman L. “A Method for Obtaining Digital Signatures and Public Key Cryptosystems” CACM 21–2 February 1978.
  [9] Schnorr C.P. “A Hierarchy of Polynomial Basis Reduction Algorithms”, manuscript

Copyright information

© Springer-Verlag Berlin Heidelberg 1986

Authors and Affiliations

  • Johan Hastad (MIT, USA)
