Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities
Abstract.
We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order \(\frac{1}{4} \log_2 N\) bits of P.
Author information
Authors and Affiliations
- IBM Research, T. J. Watson Research Center, Yorktown Heights, NY 10598, U.S.A., US
Don Coppersmith
Additional information
Received 21 December 1995 and revised 11 August 1996
About this article
Cite this article
Coppersmith, D. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. Cryptology 10, 233–260 (1997). https://doi.org/10.1007/s001459900030
- Published: 01 November 1997
- Issue date: September 1997
- DOI: https://doi.org/10.1007/s001459900030