Small Encryption Exponent

Question

I am trying to crack an unpadded RSA set up for a homework.

I have public key (R,e) and encrypted message E.

R:=1189873858375600120035497781492406260116261348762168101523668479976252918878873543993974091515716923413521166189;
e:=7;
E:=935688997292570230577548538417371291686892187342525833188430568797480485753147343888751799688783739259397891334;

Obviously, the attack that I'm supposed to use has something to do with the size of the public encryption exponent but I'm struggling to see exactly how to use it.

I understand the relationship between e, d and φ(n) and understand that there is an integer k < min{e, d} such that φ(n) = (e ∗ d − 1)/k but I don't understand how I can use that fact to brute force discover φ(n).

It appears that the solution comes from doing some kind of search from 1..k but since d is still unknown, I don't really see how to take advantage of that.

Can someone enlighten me, please?

Answer 1

The question is from Problem 2 in Assignment 6 given here. It looks much like a straight instance of the RSA problem: we want to find $x\in\mathbb N$ such that $x^e=E\bmod R$ and $x<R$, given $R$, $E$, $e=7$, with $E$ expected to be the product of two unknown primes $p,q$ such that $e$ is coprime with $(p-1)\cdot(q-1)$.

It is correct that knowing none of $d$, $\varphi(R)$ or $\lambda(R)$, nor the factorization of $R$, we can't solve the problem by massaging $e\cdot d\equiv1\pmod{\varphi(R)}$ or $e\cdot d\equiv1\pmod{\lambda(R)}$ with $e$ small.

The fact that $e$ is small would help if it turned out that $E$ (or $i\cdot R+E$ for some small $i$) was an exact power of $e$; for this would allow to find $x$ by extracting an $e$-th root. For random parameters, this happens with odds about ${R^{1/e-1}}$, thus decreasing with $e$. But $R$ is so big that theses odds are vanishingly low for $e\ge2$. In fact, any small odd $e>2$ is believed a safe choice in RSA when $x$ is random or properly padded.

The most classic avenue to solve an RSA problem is to factor the public modulus $R$. This is how Part 1 of Assignment 2 was done, for $R$ of 276 bits. In the present problem, $R$ is 367-bit, therefore brute force factorization is feasible (it was feasible in 1995 by means available to academics; see this answer). However it would require a significant effort, and I do not know that Maple's built-in factorization primitive would factor a properly chosen 367-bit RSA modulus in reasonable time.

We should not rule out factorization though: in this course, Alice (which, we are told, has $R,e$ as public key) has in Assignment 4 made unconventional and rather poor choice of key; so there is a chance that $R$ was not properly chosen and can be factored with little effort, using some of the factorization methods likely alluded to in the course.

Hint 1: The problem can be solved with practically any big-number calculator offering modular exponentiation, without even writing an iterative program.

Hint 2: (Hover mouse to see it)

Alice may have put too much emphasis on being ultra-resistant to trial division for a given magnitude of $R$.