# Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

@article{Coppersmith1997SmallST,
title={Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities},
author={Don Coppersmith},
journal={Journal of Cryptology},
year={1997},
volume={10},
pages={233-260}
}
• D. Coppersmith
• Published 1 September 1997
• Mathematics, Computer Science
• Journal of Cryptology
Abstract. We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order $\frac{1}{4} \log_2 N$ bits of P.
718 Citations

## Topics from this paper

Application of ECM to a class of RSA keys
This method combines continued fractions, Coppersmith's lattice-based technique for finding small roots of bivariate polynomials and H. W. Lenstra's elliptic curve method (ECM) for factoring to show that these exponents are of improper use in RSA cryptosystems.
Factoring multi-power RSA moduli with primes sharing least or most significant bits
• Computer Science, Mathematics
Groups Complex. Cryptol.
• 2016
It is shown that if t ≥ 1/(1+r)log p, then it is possible to compute the prime decomposition of N in polynomial time in log N, which can be used to mount attacks against several cryptographic protocols that are based on the moduli N.
Factoring RSA moduli with primes sharing bits in the middle
• Mathematics, Computer Science
Applicable Algebra in Engineering, Communication and Computing
• 2017
This work addresses the problem of factoring a large RSA modulus $$N=pq$$N= pq with p and q sharing a portion of bits in the middle and suggests that such integers are not appropriate for cryptographic purposes.
A new RSA vulnerability using continued fractions
• Computer Science
2008 IEEE/ACS International Conference on Computer Systems and Applications
• 2008
This work shows that the RSA public key system is insecure if delta < 1-alpha/2, and its result is deterministic polynomial time and an extension of Coppersmith's result on a factorization.
Factoring Multi-power RSA Modulus N = p r q with Partial Known Bits
• Mathematics, Computer Science
ACISP
• 2013
A polynomial-time algorithm to solve the fundamental problem of factors large integers with classical computers, and it is shown that even if a small proportion of bits in the secret primes is leaked, one may efficiently factor.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
Two approaches that both use a modular bivariate polynomial equation with a small root of f(x, y) over Z are introduced that prove that one can extract the desired root of this equation inPolynomial time.
A new attack on RSA with two or three decryption exponents
Let N=pq be an RSA modulus, i.e. the product of two large unknown primes of equal bit-size. In this paper, we describe an attack on RSA in the presence of two or three exponents ei with the same
Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach
• J. Coron
• Computer Science, Mathematics
CRYPTO
• 2007
An analogous simplification but with the same asymptotic complexity as Coppersmith's algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction is described.
New Results on Solving Linear Equations Modulo Unknown Divisors and its Applications
• Mathematics, Computer Science
IACR Cryptol. ePrint Arch.
• 2014
This paper considers two variants of Herrmann-May’s equations, and proposes some new techniques to solve them, obtaining a few by far the best analytical/experimental results for RSA and its variants.
Factoring multi power RSA moduli with a class of secret exponents
• Mathematics
• 2015
Abstract In this paper, we consider the RSA variant based on the key equation ed ≡ 1 (mod φ(N)) where N = prq, r ≥ 2. We show that if the secret exponent d is close to any multiple of the prime

## References

SHOWING 1-10 OF 14 REFERENCES
Finding a Small Root of a Univariate Modular Equation
We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than N1/k. We give two applications to RSA encryption with exponent 3.
Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known
A method to solve integer polynomial equations in two variables, provided that the solution is suitably bounded, and how to find the factors of N = PQ if the authors are given the high order ((1/4) log2 N) bits of P is presented.
Solving Simultaneous Modular Equations of Low Degree
• J. Håstad
• Mathematics, Computer Science
SIAM J. Comput.
• 1988
It is shown that a protocol by Broder and Dolev is insecure if RSA with a small exponent is used and the RSA cryptosystem used with asmall exponent is not a good choice to use as a public-key cryptos system in a large network.
Protocol Failures for RSA-Like Functions Using Lucas Sequences and Elliptic Curves
• Computer Science
Security Protocols Workshop
• 1996
We show that the cryptosystems based on Lucas sequences and on elliptic curves over a ring are insecure when a linear relation is known between two plaintexts that are encrypted with a “small” public
Low-Exponent RSA with Related Messages
• Computer Science
EUROCRYPT
• 1996
A new class of attacks against RSA with low encrypting exponent is presented, enabling the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the cipher Texts were created using the same RSA public key with low encryption exponent.
Optimal Asymmetric Encryption
• Computer Science
EUROCRYPT
• 1994
A slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
Factoring polynomials with rational coefficients
• Mathematics, Computer Science
• 1982
In this paper we present a polynomial-time algorithm to solve the following problem: given a non-zero polynomial fe Q(X) in one variable with rational coefficients, find the decomposition of f into
NP-Complete Decision Problems for Binary Quadratics
• Computer Science, Mathematics
J. Comput. Syst. Sci.
• 1978
Efficient Factoring Based on Partial Information
• Computer Science
EUROCRYPT
• 1985
This paper examines the assumption that factoring large composite integers is computationally difficult when the cryptanalyst has “side information” available.
A method for obtaining digital signatures and public-key cryptosystems
• Computer Science
CACM
• 1978
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key, soriers or other secure means are not needed to transmit keys.