The Cryptography Handbook: Exploring RSA PKCSv1.5, OAEP, and PSS
The RSA algorithm was introduced in 1978 in the seminal paper, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". Over the decades, as RSA became integral to secure communications, various vulnerabilities and attacks have emerg...
Beyond determinism and malleability exploits, textbook RSA is also vulnerable to low-exponent attacks. A small public exponent like e=3 (or sometimes 17) was popular because it speeds up encryption and signature verification. But this soon turned out to be a security concern.
When RSA uses a small public exponent (say, $e = 3$) and the plaintext is very short (so that $M^3$ is smaller than the modulus $n$), the encryption does not "wrap around" modulo $n$. Mathematically:
$$c = M^3 \bmod n = M^3 \quad (\text{if } M^3 < n)$$
Let's understand this with an easy example:
Consider our plaintext to be $M = 5$. We compute $M^3 = 5^3 = 125$. Now assume $n$ is a 4096-bit number, which is large compared to 125. In this case, the ciphertext is simply $c = 125$. Eve, intercepting $c = 125$, can compute the cube root of 125 to get the plaintext: $\sqrt[3]{125} = 5$, thus recovering $M$ directly.
This shows that if M is small enough, the ciphertext leaks the plaintext when e is low.
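The same arithmetic at realistic sizes, as an added example that is not code from the original article. It shows that an exact integer cube root recovers a short unpadded message, while a message filling the modulus width wraps and is not recovered this way. Assumptions: `N` is a constructed 4096-bit stand-in rather than a real RSA modulus (only its size matters for this property), and all function names are hypothetical.

```python
# Added illustration. N is a constructed 4096-bit stand-in, not a real RSA
# modulus: textbook encryption c = M^e mod n depends only on the value of n.
N = 2**4096 - 17
E = 3


def iroot(x: int, k: int) -> int:
    """Floor of the k-th root of a non-negative integer (exact, no floats)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def encrypt_textbook(m: int, e: int = E, n: int = N) -> int:
    """Unpadded ("textbook") RSA encryption."""
    return pow(m, e, n)


def recover_if_unwrapped(c: int, e: int = E):
    """Return M when c is an exact e-th power (M^e < n, no reduction), else None."""
    r = iroot(c, e)
    return r if r**e == c else None


def demo() -> dict:
    # Constructed sample plaintexts: an 8-byte secret and a 511-byte block.
    short = int.from_bytes(b"PIN 4921", "big")
    wide = int.from_bytes(b"\x01" + b"\xa5" * 510, "big")
    return {
        "short_wraps": short**E >= N,   # False: the cube stays below n
        "short_recovered": recover_if_unwrapped(encrypt_textbook(short)) == short,
        "wide_wraps": wide**E >= N,     # True: the cube is reduced mod n
        "wide_recovered": recover_if_unwrapped(encrypt_textbook(wide)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```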