There's an interesting real-world RSA bug related to yours: in the absence of proper padding, it's possible that e=3 RSA of a small plaintext might not wrap the modulus. A similar cube root operation produces a signature that naive implementations (the ones that check the digest embedded in a signature block, but not the padding) will validate, despite the attacker lacking the signing key. That bug bit Firefox's NSS library; for a little while, it was possible to use a short Python script to forge any certificate.
(That bug is due to Bleichenbacher, who called it a "pencil-and-paper" attack in the rump session he presented it in.)
e=3 RSA isn't insecure per se, but it does magnify the impact of other vulnerabilities, and so it's best avoided.
As my literal not-making-this-up favorite HN commenter and someone who has previously expressed an interest in crypto, I'd love it if sometime you could take some time to demolish our crypto challenges. I'd be happy to send them all at once to you.
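The padding check described in the comment above, as an added example that is not part of the original thread or any library's own code: a verifier that only locates the digest is shown beside an encode-then-compare verifier, run on constructed PKCS#1 v1.5 blocks. It operates on the already-recovered block (after the public-key operation); the function names, sample message and 256-byte block length are assumptions.

```python
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 notes)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build the one valid encoded block for msg at block length k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("block too short for at least 8 padding bytes")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def naive_check(em: bytes, msg: bytes) -> bool:
    """Flawed: finds the digest after the padding but never checks that the
    padding fills the block, so bytes after the digest are ignored."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1 : i + 1 + len(t)] == t

def strict_check(em: bytes, msg: bytes) -> bool:
    """Encode-then-compare: rebuild the expected block, compare every byte."""
    try:
        expected = emsa_pkcs1_v15(msg, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

# Constructed sample blocks for a 256-byte (2048-bit) modulus.
MSG = b"constructed sample message"
K = 256
GOOD = emsa_pkcs1_v15(MSG, K)
T = SHA256_PREFIX + hashlib.sha256(MSG).digest()
# Malformed: one 0xFF padding byte, the digest, then filler out to K bytes.
SHORT_PAD = b"\x00\x01\xff\x00" + T
MALFORMED = SHORT_PAD + b"\xa5" * (K - len(SHORT_PAD))

if __name__ == "__main__":
    for name, em in (("well-formed", GOOD), ("malformed", MALFORMED)):
        print(name, "naive:", naive_check(em, MSG), "strict:", strict_check(em, MSG))
```

The strict form leaves no unchecked bytes in the block, which is the property the digest-only check lacks.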
I have signed up for the first set of challenges, although I doubt I'll do well on them. I'm not very good at that kind of challenge--with crypto I tend to do better on the theory side [1] than on the practical side when it comes to dealing with breaking things.
[1] by "theory" I mean vigorous and convincing hand waving and whiteboard diagramming...
https://github.com/saltstack/salt/commit/5dd304276ba5745ec21...