# Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

@article{Coppersmith1997SmallST, title={Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities}, author={Don Coppersmith}, journal={Journal of Cryptology}, year={1997}, volume={10}, pages={233-260} }

Abstract. We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order $\frac{1}{4} \log_2 N$ bits of P.

## 718 Citations

Application of ECM to a class of RSA keys

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2006

This method combines continued fractions, Coppersmith's lattice-based technique for finding small roots of bivariate polynomials and H. W. Lenstra's elliptic curve method (ECM) for factoring to show that these exponents are of improper use in RSA cryptosystems.

Factoring multi-power RSA moduli with primes sharing least or most significant bits

- Computer Science, Mathematics
- Groups Complex. Cryptol.
- 2016

It is shown that if t ≥ 1/(1+r)log p, then it is possible to compute the prime decomposition of N in polynomial time in log N, which can be used to mount attacks against several cryptographic protocols that are based on the moduli N.

Factoring RSA moduli with primes sharing bits in the middle

- Mathematics, Computer Science
- Applicable Algebra in Engineering, Communication and Computing
- 2017

This work addresses the problem of factoring a large RSA modulus $N=pq$ with p and q sharing a portion of bits in the middle and suggests that such integers are not appropriate for cryptographic purposes.

A new RSA vulnerability using continued fractions

- Computer Science
- 2008 IEEE/ACS International Conference on Computer Systems and Applications
- 2008

This work shows that the RSA public key system is insecure if delta < 1-alpha/2, and its result is deterministic polynomial time and an extension of Coppersmith's result on a factorization.

Factoring Multi-power RSA Modulus N = p^r q with Partial Known Bits

- Mathematics, Computer Science
- ACISP
- 2013

A polynomial-time algorithm to solve the fundamental problem of factoring large integers with classical computers, and it is shown that even if a small proportion of bits in the secret primes is leaked, one may efficiently factor.

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

- Mathematics, Computer Science
- CRYPTO
- 2002

Two approaches that both use a modular bivariate polynomial equation with a small root of f(x, y) over Z are introduced that prove that one can extract the desired root of this equation in polynomial time.

A new attack on RSA with two or three decryption exponents

- Mathematics
- 2013

Let N=pq be an RSA modulus, i.e. the product of two large unknown primes of equal bit-size. In this paper, we describe an attack on RSA in the presence of two or three exponents $e_i$ with the same…

Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach

- Computer Science, Mathematics
- CRYPTO
- 2007

An analogous simplification but with the same asymptotic complexity as Coppersmith's algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction is described.

New Results on Solving Linear Equations Modulo Unknown Divisors and its Applications

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2014

This paper considers two variants of Herrmann-May’s equations, and proposes some new techniques to solve them, obtaining a few by far the best analytical/experimental results for RSA and its variants.

Factoring multi power RSA moduli with a class of secret exponents

- Mathematics
- 2015

Abstract. In this paper, we consider the RSA variant based on the key equation ed ≡ 1 (mod φ(N)) where N = p^r q, r ≥ 2. We show that if the secret exponent d is close to any multiple of the prime…

## References

Finding a Small Root of a Univariate Modular Equation

- Mathematics, Computer Science
- EUROCRYPT
- 1996

We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3.…

Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known

- Mathematics, Computer Science
- EUROCRYPT
- 1996

A method to solve integer polynomial equations in two variables, provided that the solution is suitably bounded, and how to find the factors of N = PQ if the authors are given the high order $\frac{1}{4} \log_2 N$ bits of P is presented.

Solving Simultaneous Modular Equations of Low Degree

- Mathematics, Computer Science
- SIAM J. Comput.
- 1988

It is shown that a protocol by Broder and Dolev is insecure if RSA with a small exponent is used and the RSA cryptosystem used with a small exponent is not a good choice to use as a public-key cryptosystem in a large network.

Protocol Failures for RSA-Like Functions Using Lucas Sequences and Elliptic Curves

- Computer Science
- Security Protocols Workshop
- 1996

We show that the cryptosystems based on Lucas sequences and on elliptic curves over a ring are insecure when a linear relation is known between two plaintexts that are encrypted with a “small” public…

Low-Exponent RSA with Related Messages

- Computer Science
- EUROCRYPT
- 1996

A new class of attacks against RSA with low encrypting exponent is presented, enabling the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encryption exponent.

Optimal Asymmetric Encryption

- Computer Science
- EUROCRYPT
- 1994

A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.

Factoring polynomials with rational coefficients

- Mathematics, Computer Science
- 1982

In this paper we present a polynomial-time algorithm to solve the following problem: given a non-zero polynomial f ∈ Q(X) in one variable with rational coefficients, find the decomposition of f into…

NP-Complete Decision Problems for Binary Quadratics

- Computer Science, Mathematics
- J. Comput. Syst. Sci.
- 1978

Efficient Factoring Based on Partial Information

- Computer Science
- EUROCRYPT
- 1985

This paper examines the assumption that factoring large composite integers is computationally difficult when the cryptanalyst has “side information” available.

A method for obtaining digital signatures and public-key cryptosystems

- Computer Science
- CACM
- 1978

An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key, so couriers or other secure means are not needed to transmit keys.