The lower your public exponent in RSA, the faster you can verify signatures. So e=3 is still used quite often in embedded applications. It can be secure if used properly, but for most cases, it is safer to use 65537 as that can protect you from actual exploitation even if you have a variety of implementation bugs.
Hell, even if you do send just one message and do pad it, but the padding sucks (i.e. is known to the adversary) and e is small, you can use Coppersmith's theorem to break the encryption.
This is really just reason number 242151205 why you shouldn't attempt to build your own crypto system.
> This is really just reason number 242151205 why you shouldn't attempt to build your own crypto system.
No, it's reason 242151205 why you should read the established standards. RFC 3447 says "use RSA-OAEP for encryption and RSA-PSS for signing".
If you have security flaws due to doing something non-standard in any field other than cryptography, people will say you're an idiot. Why does cryptography get a free pass with "oh well, we all know that stuff's hard"?
I don't think that's correct. Coppersmith's attack requires at least 2 messages. You're talking about the paper "Low-Exponent RSA with Related Messages (1996)", right?
No... what I'm referring to is given in http://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf -- basically using LLL to bring the numbers down to below the RSA modulo. (I know it works, because I wrote Mathematica code to implement it. :) )
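An added example, not code from any poster in this thread: the EME-OAEP encoding that RFC 3447 specifies, next to the small-root condition (unknown part below N^(1/e)) behind the known-padding comment above. SHA-256, the 2048-bit modulus size, the sample message and all function names are assumptions made here; the decoder is not constant-time, so a deployment would call a vetted library's OAEP instead.

```python
import hashlib
import os

HASH = hashlib.sha256            # assumption: SHA-256 as the OAEP hash
HLEN = HASH().digest_size

def mgf1(seed, length):
    """MGF1 mask generation function (RFC 3447, appendix B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """EME-OAEP encoding for a k-byte modulus (RFC 3447, section 7.1.1)."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    seed = os.urandom(HLEN) if seed is None else seed
    db = HASH(label).digest() + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode; one generic error for every failure.
    Not constant-time, so for illustration only."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    sep = rest.find(b"\x01")
    if em[0] != 0 or db[:HLEN] != HASH(label).digest() or sep < 0 or any(rest[:sep]):
        raise ValueError("decryption error")
    return rest[sep + 1:]

def below_small_root_bound(unknown_bytes, k, e):
    """True if the attacker-unknown part of the plaintext is under N^(1/e)."""
    return unknown_bytes * 8 < (k * 8) / e

K = 256                          # assumption: 2048-bit modulus
SECRET = b"constructed 16B!"     # constructed sample message
```

With padding the adversary knows, only the 16 secret bytes are unknown and `below_small_root_bound(16, K, 3)` is true; after OAEP every byte past the leading zero depends on the random seed, so the unknown part is `K - 1` bytes and the condition no longer holds.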