Finding a Small Root of a Univariate Modular Equation
Abstract
We show how to solve a polynomial equation (mod N) of degree k in a single variable z, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.
Similar resources
Finding Small Solutions to Small Degree Polynomials
This talk is a brief survey of recent results and ideas concerning the problem of finding a small root of a univariate polynomial mod N, and the companion problem of finding a small solution to a bivariate equation over Z. We start with the lattice-based approach from [2,3], and speculate on directions for improvement.
Finding Small Solutions of a Class of Simultaneous Modular Equations and Applications to Modular Inversion Hidden Number Problem and Inversive Congruential Generator
In this paper we revisit the modular inversion hidden number problem and the inversive congruential pseudo random number generator and consider how to more efficiently attack them in terms of fewer samples or outputs. We reduce the attacking problem to finding small solutions of systems of modular polynomial equations of the form $a_i + b_i x_0 + c_i x_i + x_0 x_i = 0 \pmod{p}$, and present two strategies to cons...
Root Isolation of Zero-dimensional Polynomial Systems with Linear Univariate Representation
In this paper, a linear univariate representation for the roots of a zero-dimensional polynomial equation system is presented, where the roots of the equation system are represented as linear combinations of roots of several univariate polynomial equations. The main advantage of this representation is that the precision of the roots can be easily controlled. In fact, based on the linear univari...
TR-2011004: Acceleration of Newton's Polynomial Factorization: Army of Constraints, Convolution, Sylvester Matrices, and Partial Fraction Decomposition
We try to arm Newton’s iteration for univariate polynomial factorization with greater convergence power by shifting to a larger basic system of multivariate constraints. The convolution equation is a natural means for a desired expansion of the basis for this iteration versus the classical univariate method, which is more vulnerable to foreign distractions from its convergence course. Compared ...
Acceleration of Newton’s Polynomial Factorization: Army of Constraints, Convolution, Sylvester Matrices, and Partial Fraction Decomposition
We try to arm Newton’s iteration for univariate polynomial factorization with greater convergence power by shifting to a larger basic system of multivariate constraints. The convolution equation is a natural means for a desired expansion of the basis for this iteration versus the classical univariate method, which is more vulnerable to foreign distractions from its convergence course. Compared ...
Publication date: 1996