Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

@article{Coppersmith1997SmallST,
title={Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities},
author={Don Coppersmith},
journal={Journal of Cryptology},
year={1997},
volume={10},
pages={233-260}
}
• D. Coppersmith
• Published 1 September 1997
• Mathematics, Computer Science
• Journal of Cryptology
Abstract. We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order $\frac{1}{4} \log_2 N$ bits of P.
718 Citations

Application of ECM to a class of RSA keys
This method combines continued fractions, Coppersmith's lattice-based technique for finding small roots of bivariate polynomials and H. W. Lenstra's elliptic curve method (ECM) for factoring to show that these exponents are of improper use in RSA cryptosystems.
Factoring multi-power RSA moduli with primes sharing least or most significant bits
• Computer Science, Mathematics
Groups Complex. Cryptol.
• 2016
It is shown that if t ≥ 1/(1+r)log p, then it is possible to compute the prime decomposition of N in polynomial time in log N, which can be used to mount attacks against several cryptographic protocols that are based on the moduli N.
Factoring RSA moduli with primes sharing bits in the middle
• Mathematics, Computer Science
Applicable Algebra in Engineering, Communication and Computing
• 2017
This work addresses the problem of factoring a large RSA modulus $N=pq$ with p and q sharing a portion of bits in the middle and suggests that such integers are not appropriate for cryptographic purposes.
A new RSA vulnerability using continued fractions
• Computer Science
2008 IEEE/ACS International Conference on Computer Systems and Applications
• 2008
This work shows that the RSA public key system is insecure if delta < 1-alpha/2, and its result is deterministic polynomial time and an extension of Coppersmith's result on a factorization.
Factoring Multi-power RSA Modulus $N = p^r q$ with Partial Known Bits
• Mathematics, Computer Science
ACISP
• 2013
A polynomial-time algorithm to solve the fundamental problem of factoring large integers with classical computers, and it is shown that even if a small proportion of bits in the secret primes is leaked, one may efficiently factor.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
Two approaches are introduced that both use a modular bivariate polynomial equation with a small root of f(x, y) over Z, and that prove that one can extract the desired root of this equation in polynomial time.
A new attack on RSA with two or three decryption exponents
Let N=pq be an RSA modulus, i.e. the product of two large unknown primes of equal bit-size. In this paper, we describe an attack on RSA in the presence of two or three exponents ei with the same
Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach
• J. Coron
• Computer Science, Mathematics
CRYPTO
• 2007
An analogous simplification but with the same asymptotic complexity as Coppersmith's algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction is described.
New Results on Solving Linear Equations Modulo Unknown Divisors and its Applications
• Mathematics, Computer Science
IACR Cryptol. ePrint Arch.
• 2014
This paper considers two variants of Herrmann-May’s equations, and proposes some new techniques to solve them, obtaining a few by far the best analytical/experimental results for RSA and its variants.
Factoring multi power RSA moduli with a class of secret exponents
• Mathematics
• 2015
Abstract. In this paper, we consider the RSA variant based on the key equation $ed \equiv 1 \pmod{\varphi(N)}$ where $N = p^r q$, $r \ge 2$. We show that if the secret exponent d is close to any multiple of the prime