Abstract
We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.
Copyright information
© 1996 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Coppersmith, D. (1996). Finding a Small Root of a Univariate Modular Equation. In: Maurer, U. (eds) Advances in Cryptology — EUROCRYPT ’96. EUROCRYPT 1996. Lecture Notes in Computer Science, vol 1070. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-68339-9_14
DOI: https://doi.org/10.1007/3-540-68339-9_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-61186-8
Online ISBN: 978-3-540-68339-1
eBook Packages: Springer Book Archive