On finding small solutions of modular multivariate polynomial equations

Abstract

Let P(x) ≡ 0(mod N) be a modular multivariate polynomial equation, in m variables, and total degree k with a small root x0. We show that there is an algorithm which determines c (≥ 1) integer polynomial equations (in m variables) of total degree polynomial in cmklog N, in time polynomial in cmklog N, such that each of the equations has x0 as a root. This algorithm is an extension of Coppersmith's algorithm [2], which guarantees only one polynomial equation. It remains an open problem to determine x0 from these linearly independent equations (which may not be algebraically independent) in polynomial time. The algorithm can be used to attack an RSA scheme with small exponent in which a message is padded with random bits in multiple locations. Given two encryptions of the same underlying message with multiple random paddings of total size about 1/9 of the length N (for exponent 3 RSA), the algorithm can be used to obtain the message.