Small solutions to polynomial equations, and low exponent RSA vulnerabilities

被引：454

作者：

Coppersmith, D

机构：

[1] IBM Research, T. J. Watson Research Center, Yorktown Heights

来源：

JOURNAL OF CRYPTOLOGY | 1997年 / 10卷 / 04期

关键词：

polynomial; RSA; factoring;

D O I：

10.1007/s001459900030

中图分类号：

TP301 [理论、方法];

学科分类号：

081202 ;

摘要：

We show how to find sufficiently small integer solutions to a polynomial in a single variable module N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N = P Q if we are given the high order 1/4 log(2) N bits of P.

引用

页码：233 / 260

页数：28

共 15 条

[1] Bellare M., 1995, Lecture Notes Comp. Sci, V950, P92, DOI [DOI 10.1007/BFB0053428, 10.1007/BFb0053428]
[2] Coppersmith D, 1996, LECT NOTES COMPUT SC, V1070, P178
[3] COPPERSMITH D, 1996, LECT NOTES COMPUT SC, V1070, P1
[4] COPPERSMITH D, 1995, 19905 IBM RC
[5] COPPERSMITH D, LNCS, V1070, P96
[6] FRANKLIN M, RUMP SESS CRYPT 95
[7] SOLVING SIMULTANEOUS MODULAR EQUATIONS OF LOW DEGREE
HASTAD, J
[J]. SIAM JOURNAL ON COMPUTING, 1988, 17 (02) : 336 - 341
[8] JOYE M, 1996, CAMBR WORKSH CRYPT P
[9] Knuth Donald, 1981, ART COMPUTER PROGRAM, V2
[10] FACTORING POLYNOMIALS WITH RATIONAL COEFFICIENTS
LENSTRA, AK
LENSTRA, HW
LOVASZ, L
[J]. MATHEMATISCHE ANNALEN, 1982, 261 (04) : 515 - 534

← 1 2 →