Finding a Small Root of a Univariate Modular Equation

  • Don Coppersmith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1070)


We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than N1/k. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.


  1. 1.
    D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, “Low Exponent RSA with Related Messages,” Proceedings of Eurocrypt 96.Google Scholar
  2. 2.
    M. Franklin and M. Reiter, “A Linear Protocol Failure for RSA with Exponent Three,” presented at the rump session, Crypto 95, but not in the proceedings.Google Scholar
  3. 3.
    A. K. Lenstra, H. W. Lenstra and L. Lovasz, “Factoring Polynomials with Integer Coefficients,” Matematische Annalen 261 (1982), 513–534.MathSciNetGoogle Scholar
  4. 4.
    B. Vallée, M. Girault and P. Toffin, “How to Guess -th Roots Modulo n by Reducing Lattice Bases,” Proceedings of AAECC-6, Springer LNCS 357 (1988) 427–442.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Don Coppersmith
    • 1
  1. 1.T.J. Watson Research CenterIBM ResearchYorktown HeightsUSA

Personalised recommendations