On Finding Small Solutions of Modular Multivariate Polynomial Equations

Abst rac t . Let P(x) -0 (rood N) be a modular multivariate polynomial equation, in m variables, and total degree k with a small root x0. We show that there is an algorithm which determines c(~ 1) integer polynomial equations (in m variables) of total degree polynomial in cmklog N, in time polynomial in craklog N, such that each of the equations has xo as a root. This algorithm is an extension of Coppersmith's algorithm [2], which guarantees only one polynomial equation. It remains an open problem to determine xo from these linearly independent equations (which may not be algebraically independent) in polynomial time. The algorithm can be used to attack an RSA scheme with small exponent in which a message is padded with random bits in multiple locations. Given two encryptions of the same underlying message with multiple random paddings of total size about 1/9 of the length N (for exponent 3 RSA), the algorithm can be used to obtain the message.