Skip to main content

HΓ₯stad’s Broadcast Attack: Low Exponent Meets Multiple Recipients

Hamdaan AliApril 3, 2025About 5 minDevOpsSecuriryMathematicsArticle(s)blogfreecodecamp.orgdevopssecuritymathmathematics

HΓ₯stad’s Broadcast Attack: Low Exponent Meets Multiple Recipients κ΄€λ ¨

The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS
The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...
The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS
The RSA algorithm was introduced in 1978 in the seminal paper, ”A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...

In 1985, Johan HΓ₯stad’s highlighted the broadcast attack that illustrates the danger of a low exponent, ee, when the same message is sent to multiple parties as a broadcast.

Imagine Alice wants to send the same plaintext message M to three different recipients. Each recipient has their own RSA public key with modulus N1N_1, N2N_{2}, N3N_{3}, but for speed all use e=3e=3 (a common practice historically). Alice encrypts M with each public key, yielding ciphertexts:

C1=M3β€…modβ€…N1C2=M3β€…modβ€…N2C3=M3β€…modβ€…N3 \begin{align*} C_{1}=M^{3}\:\text{mod}\:N_{1}\\ C_{2}=M^{3}\:\text{mod}\:N_{2}\\ C_{3}=M^{3}\:\text{mod}\:N_{3} \end{align*}

Eve, who intercepts all three C1C_{1}, C2C_{2}, C3C_{3} can recover MM without breaking any single RSA key.

Since each NiN_{i} is different (and we assume they are pairwise coprime, as RSA keys should be), the attacker can use the Chinese Remainder Theorem (CRT) to combine the three congruences x≑Ci(modβ€…Ni)x\equiv{C}_{i}\left(\text{mod}\:N_{i}\right). Note that at this point Eve only has C1C_1, C2C_{2} and C3C_{3}. They do not have the plaintext MM or M3M^{3} and yet they can reconstruct M3M^{3} with the intercepted data. To understand the Chinese Remainder Theorem and this reconstruction, you may follow this: CRT, RSA, and Low Exponent Attacks.

There is a unique solution modulo N1N2N3N_{1}N_{2}N_{3} for xx, and that solution turns out to be an integer, x=M3x=M^{3} (because the true integer M3 is smaller than the product N1N2N3N_{1}N_{2}N_{3} of each M<NiM\lt{N}_{i}). In essence, CRT lets Eve reconstruct M3M^{3} exactly. Once they have M3M^{3} as an ordinary integer, they simply take the cube root to find MM. There’s no need to factor any modulus or invert the RSA function – the math falls out due to the low exponent.

The sequence diagram below aims to provide a high-level understanding of the attack:

Sequence Diagram: HΓ₯stad’s Broadcast Attack
Sequence Diagram: HΓ₯stad’s Broadcast Attack

Now let’s see this attack in action with a sample:

Suppose three different RSA public keys all use exponent e=3e=3, with moduli nb=187n_{b}=187 (for Bob),
nc=115n_{c}=115 (for Carol), and nd=87n_{d}=87 (for Dave).

These nin_{i} are pairwise coprime (gcd\text{gcd} of each pair is 11). Now assume the same plaintext message MM is encrypted with each public key. Let’s take a concrete MM. For example with M=42M=42, we will have:

cb=M3β€…modβ€…nbcc=M3β€…modβ€…nccd=M3β€…modβ€…nd \begin{align*} c_{b}&=M^{3}\:\text{mod}\:n_{b}\\ c_{c}&=M^{3}\:\text{mod}\:n_{c}\\ c_{d}&=M^{3}\:\text{mod}\:n_{d} \end{align*}

On calculating these, we have:

cb=423β€…modβ€…187=36cc=423β€…modβ€…115=28cd=423β€…modβ€…87=51 \begin{align*} c_{b}&=42^{3}\:\text{mod}\:187&=36\\ c_{c}&=42^{3}\:\text{mod}\:115&=28\\ c_{d}&=42^{3}\:\text{mod}\:87&=51 \end{align*}

So the three ciphertexts observed are 3636, 2828, and 5151, respectively. Eve who knows nbn_{b}, ncn_{c}, ndn_{d} and these ciphertexts can now recover MM as follows:

  • Eve will compute the total modulus N=nbβ‹…ncβ‹…nd=187Γ—115Γ—87=1,870,935N=n_{b}\cdot{n}_{c}\cdot{n}_{d}=187\times{115}\times{87}=1,870,935. (This is the modulus for the combined system of congruences).
  • Now Eve will compute the partial products for each congruence:

Nb=Nnb=1,870,935187=10,005Nc=Nnc=1,870,935115=16,269Nd=Nnd=1,870,93587=21,505 \begin{align*} N_{b}&=\frac{N}{n_{b}}&=\frac{1,870,935}{187}&=10,005\\ N_{c}&=\frac{N}{n_{c}}&=\frac{1,870,935}{115}&=16,269\\ N_{d}&=\frac{N}{n_{d}}&=\frac{1,870,935}{87}&=21,505 \end{align*}

  • At this point, Eve needs the inverses of each NiN_i modulo its corresponding nin_{i}:
    • First Eve computes Mb=(Nb)βˆ’1β€…modβ€…nbM_{b}=\left(N_{b}\right)^{βˆ’1}\:\text{mod}\:n_{b}, i.e. the number MbM_{b} such that Nbβ‹…Mb≑1β€…(modβ€…187)N_{b}\cdot{M}_{b}\equiv{1}\:\left(\text{mod}\:187\right). In this case, Nb=10005N_{b}=10005. Using the extended Euclidean algorithm, Eve can find Mb=2M_{b}=2 (since 10005Γ—2=20010≑1(modβ€…187)10005\times{2}=20010\equiv{1}\left(\text{mod}\:187\right)).
    • Then Eve computes Mc=(Nc)βˆ’1β€…modβ€…ncM_{c}=\left(N_{c}\right)^{βˆ’1}\:\text{mod}\:n_{c}. Here Nc=16269N_{c}=16269. The inverse mod 115115 turns out to be Mc=49M_{c}=49 (For verification: 16269Γ—49≑1(modβ€…115)16269\times{49}\equiv{1}\left(\text{mod}\:115\right)).
    • Next up, Eve computes Md=(Nd)βˆ’1β€…modβ€…ndM_{d}=\left(N_{d}\right)^{βˆ’1}\:\text{mod}\:n_{d}. For Nd=21505N_{d}=21505, the inverse mod 8787 is Md=49M_{d}=49 as well (coincidentally the same value in this case, since 21505Γ—49≑1(modβ€…87)21505\times{49}\equiv{1}\left(\text{mod}\:87\right)).

Now Eve reconstructs the combined value using the Chinese Remainder Theorem for three congruencies. The construction of this formula is beyond the scope of this handbook, but to completely understand how this springs into action, you may go through this video: CRT, RSA and Low Exponent Attacks.

C=cbβ‹…Nbβ‹…Mb+ccβ‹…Ncβ‹…Mc+cdβ‹…Ndβ‹…Mdβ€…(modβ€…N) \begin{align*} C&=c_{b}\cdot{N}_{b}\cdot{M}_{b}+c_{c}\cdot{N}_{c}\cdot{M}_{c}+c_{d}\cdot{N}_{d}\cdot{M}_{d}\:\left(\text{mod}\:N\right) \end{align*}

On substituting the numbers:

C=36β‹…10005β‹…2+28β‹…16269β‹…49+51β‹…21505β‹…49β€…(modβ€…1,870,935) \begin{align*} C=36\cdot{10005}\cdot{2}+28\cdot{16269}\cdot{49}+51\cdot{21505}\cdot{49}\:\left(\text{mod}\:1,870,935\right) \end{align*}

Let’s carefully evaluate each term:

36β‹…10005β‹…2=720,36028β‹…16269β‹…49=22,341,34851β‹…21505β‹…49=5,37,40,995 \begin{align*} 36\cdot{10005}\cdot{2}&=720,360\\ 28\cdot{16269}\cdot{49}&=22,341,348\\ 51\cdot{21505}\cdot{49}&=5,37,40,995 \end{align*}

Summing these gives a raw total of 7,20,360+2,23,21,068+5,37,40,995=7,67,82,4237,20,360+2,23,21,068+5,37,40,995=7,67,82,423. Now reduce this modulo N=1,870,935N=1,870,935:

C≑7,67,82,423(modβ€…1,870,935)C=74,088 \begin{align*} C\equiv{7,67,82,423}&\left(\text{mod}\:1,870,935\right)\\ &C=74,088 \end{align*}

Now Eve will simply take the cube root of C:β€…740883=42C:\:\sqrt[3]{74088}=42, which is the original plaintext.
Eve has successfully recovered MM.

The key takeaway from these attacks is that without proper defenses. RSA alone does not satisfy modern definitions of security. It is not resistant to chosen-plaintext or chosen-cipher text attacks. This gap between the theoretical one-way function (RSA’s trapdoor permutation) and a secure encryption scheme became evident as implementers found that naive RSA could be β€œbroken” by various clever tricks.

To counter these weaknesses, standards bodies introduced padding schemes to strengthen RSA encryption. In the following sections, you will learn about each of these paddings schemes and how they’ve been exploited over the years.

MIT Licensed | Copyright Β© 2022-present Chan Hee Lee
Copyright Β© 2025 Hamdaan Ali