Small solutions to polynomial equations, and low exponent RSA vulnerabilities

We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N = P Q if we are given the high order 5 log2 N bits of P. © 1997 International Association for Cryplologic Research.