Quiz Entry - updated: 2026.07.14
Why are small public exponents (like e=3) dangerous for RSA encryption but safe for RSA signatures?
With e=3 and schoolbook RSA encryption, an attacker who intercepts the same message encrypted to 3 different recipients can recover the plaintext using the Chinese Remainder Theorem. This attack doesn't apply to signatures.
* CRT stitches the three low-exponent ciphertexts into m³ over a big-enough modulus, so it becomes a plain integer whose ordinary cube root is m. *
The small-exponent attack on encryption ($e = 3$):
- Alice sends the same message $m$ to three recipients with public keys $(3, N_1)$, $(3, N_2)$, $(3, N_3)$
- Eve intercepts: $c_1 = m^3 \mod N_1$, $c_2 = m^3 \mod N_2$, $c_3 = m^3 \mod N_3$
- Using CRT, Eve combines these three equations to find $m^3 \mod (N_1 \cdot N_2 \cdot N_3)$
- Since $m < N_i$ for each $i$, we have $m^3 < N_1 \cdot N_2 \cdot N_3$
- So $m^3$ is just a regular integer → Eve computes the regular cube root → plaintext recovered!
Why signatures are safe with small e:
- When signing, the signer uses their private key $d$ (which is large)
- The verifier uses $e = 3$ only to check the signature
- The attack above requires multiple encryptions of the same plaintext — this doesn't apply to verification
- Small $e$ actually makes verification faster, which is desirable
The solution for encryption: OAEP padding adds random data before encryption, so the same message never produces the same padded plaintext → CRT attack is impossible.
Go deeper:
Coppersmith's attack — Håstad's broadcast attack (Wikipedia) — the formal name for this low-exponent broadcast break.
Chinese remainder theorem (Wikipedia) — the tool that combines the intercepted ciphertexts.