Abstract
Let P(x) ≡ 0 (mod N) be a modular multivariate polynomial equation in m variables and of total degree k, with a small root x₀. We show that there is an algorithm which determines c (≥ 1) integer polynomial equations (in m variables) of total degree polynomial in cmk log N, in time polynomial in cmk log N, such that each of the equations has x₀ as a root. This algorithm is an extension of Coppersmith's algorithm [2], which guarantees only one polynomial equation. It remains an open problem to determine x₀ from these linearly independent equations (which may not be algebraically independent) in polynomial time. The algorithm can be used to attack an RSA scheme with small exponent in which a message is padded with random bits in multiple locations. Given two encryptions of the same underlying message with multiple random paddings of total size about 1/9 of the length of N (for exponent 3 RSA), the algorithm can be used to obtain the message.
References
1. D. Bleichenbacher, On the Security of the KMOV Public Key Cryptosystem, in Proc. Crypto 97, LNCS 1294, pp 235–248.
2. D. Coppersmith, Finding a Small Root of a Univariate Modular Equation, in Eurocrypt 96, LNCS 1070, pp 155–165.
3. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, Low exponent RSA with related messages, Proc. Eurocrypt 96.
4. M. Franklin and M. Reiter, A linear protocol failure for RSA with exponent three, presented at CRYPTO 95 rump session.
5. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and Coding, LNCS 1355, M. Darnell, Ed., Springer-Verlag, 1997, pp 131–142.
6. K. Koyama, U. Maurer, T. Okamoto, and S. Vanstone, New public-key schemes based on elliptic curves over the ring Z_n, in Advances in Cryptology — CRYPTO 91, LNCS 576, pp 252–266.
7. D.E. Knuth, The Art of Computer Programming, Vol 1, Fundamental Algorithms, Addison Wesley, 1973.
8. D.E. Knuth, The Art of Computer Programming, Vol 2, Seminumerical Algorithms, Addison Wesley, 1981.
9. N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48(177):203–209, 1987.
10. LiDIA, A C++ Library For Computational Number Theory, http://www.informatik.thdarmstadt.de/TI/LiDIA/
11. A.K. Lenstra, H.W. Lenstra, and L. Lovász, Factoring Polynomials with Rational Coefficients, Mathematische Annalen, Vol. 261, pp 515–534, 1982.
12. R.L. Rivest, A. Shamir and L. Adleman, A method of obtaining digital signatures and public-key cryptosystems, CACM, Vol 21, no. 2, Feb 1978.
Copyright information
© 1998 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jutla, C.S. (1998). On finding small solutions of modular multivariate polynomial equations. In: Nyberg, K. (eds) Advances in Cryptology — EUROCRYPT'98. EUROCRYPT 1998. Lecture Notes in Computer Science, vol 1403. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0054124
DOI: https://doi.org/10.1007/BFb0054124
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64518-4
Online ISBN: 978-3-540-69795-4
eBook Packages: Springer Book Archive