# Implement an E=3 RSA Broadcast attack

Assume you're a Javascript programmer. That is, you're using a naive
handrolled RSA to encrypt without padding.

Assume you can be coerced into encrypting the same plaintext three
times, under three different public keys. You can; it's happened.

Then an attacker can trivially decrypt your message, by:

- Capturing any 3 of the ciphertexts and their corresponding pubkeys
- Using the CRT to solve for the number represented by the three
  ciphertexts (which are residues mod their respective pubkeys)
- Taking the cube root of the resulting number

The CRT says you can take any number and represent it as the
combination of a series of residues mod a series of moduli. In the
three-residue case, you have:

    result =
      (c_0 * m_s_0 * invmod(m_s_0, n_0)) +
      (c_1 * m_s_1 * invmod(m_s_1, n_1)) +
      (c_2 * m_s_2 * invmod(m_s_2, n_2)) mod N_012

where:

    c_0, c_1, c_2 are the three respective residues mod
    n_0, n_1, n_2

    m_s_n (for n in 0, 1, 2) are the product of the moduli
    EXCEPT n_n --- ie, m_s_1 is n_0 * n_2

    N_012 is the product of all three moduli

To decrypt RSA using a simple cube root, leave off the final modulus
operation; just take the raw accumulated result and cube-root it.