LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Why are small public exponents (like e=3) dangerous for RSA encryption but safe for RSA signatures?

With e=3 and schoolbook RSA encryption, an attacker who intercepts the same message encrypted to 3 different recipients can recover the plaintext using the Chinese Remainder Theorem. This attack doesn't apply to signatures.

The same m sent to three e=3 recipients is recovered by CRT plus an ordinary cube root

* CRT stitches the three low-exponent ciphertexts into m³ over a big-enough modulus, so it becomes a plain integer whose ordinary cube root is m. *

The small-exponent attack on encryption ($e = 3$):

  1. Alice sends the same message $m$ to three recipients with public keys $(3, N_1)$, $(3, N_2)$, $(3, N_3)$
  2. Eve intercepts: $c_1 = m^3 \mod N_1$, $c_2 = m^3 \mod N_2$, $c_3 = m^3 \mod N_3$
  3. Using CRT, Eve combines these three equations to find $m^3 \mod (N_1 \cdot N_2 \cdot N_3)$
  4. Since $m < N_i$ for each $i$, we have $m^3 < N_1 \cdot N_2 \cdot N_3$
  5. So $m^3$ is just a regular integer → Eve computes the regular cube root → plaintext recovered!

Why signatures are safe with small e:

  • When signing, the signer uses their private key $d$ (which is large)
  • The verifier uses $e = 3$ only to check the signature
  • The attack above requires multiple encryptions of the same plaintext — this doesn't apply to verification
  • Small $e$ actually makes verification faster, which is desirable

The solution for encryption: OAEP padding adds random data before encryption, so the same message never produces the same padded plaintext → CRT attack is impossible.

Go deeper:

From Quiz: KRYPTOG / RSA | Updated: Jul 14, 2026