Finding a Small Root of a Univariate Modular Equation
We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than N1/k. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.
- 1.D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, “Low Exponent RSA with Related Messages,” Proceedings of Eurocrypt 96.Google Scholar
- 2.M. Franklin and M. Reiter, “A Linear Protocol Failure for RSA with Exponent Three,” presented at the rump session, Crypto 95, but not in the proceedings.Google Scholar
- 4.B. Vallée, M. Girault and P. Toffin, “How to Guess ℓ-th Roots Modulo n by Reducing Lattice Bases,” Proceedings of AAECC-6, Springer LNCS 357 (1988) 427–442.Google Scholar