So, what happens if we try to apply RSA to a multi-party communication? Ben Franklin knew exactly what would happen, because he once said three may keep a secret, provided two of them are dead. And the problem is that we run into some difficulties if we're communicating the same message to different people. So the setup we have here is we're going to suppose we have a group of people using an RSA system with public moduli n1, n2, and so on. We'll assume these moduli are relatively prime, because as we saw, if they're not relatively prime, then we can use the greatest common divisor of some of them to recover the factorizations of the moduli. So we assume that everybody chooses their moduli carefully enough that there are no common factors among the public moduli. We'll assume that all of the public exponents being used are the same. This isn't an absolute requirement, and the attack can be modified to accommodate different exponents. We'll leave that as an exercise for the viewer, but for right now we'll assume that the public exponent is the same. And suppose I have some person, Zachary, who is going to send a message, P, to at least e of these people. Eve, who's listening in on this conversation, can recover the plaintext by using the Chinese remainder theorem algorithm. So why does that work? Well, let's consider why single-party RSA works. In single-party RSA we have some message P, our public exponent e, and our public modulus n, and our ciphertext is going to be P to the power e mod n. And the reason this could potentially fail is that if P to the e is strictly less than our modulus, then P to the e is just whatever the value is; it's not going to be reduced at all. P to the e is going to be our ciphertext, and this is an equality, and I can solve the equality very easily by taking the e-th root of the ciphertext.
So for example, if my exponent is 3, my modulus is 187, and my message is 2, then 2 to the third mod 187 is just 8, and if I want to recover the plaintext I'll take the cube root of 8, and that's going to recover my value. So the difficulty of breaking RSA is when P to the power e is greater than n, greater than our modulus; then our modular arithmetic removes our ability to solve this equation easily. Well, suppose I have my plaintext message P sent to several people. So I have P to the e, and I compute it mod n1, mod n2, and so on. These are all of our numbers taken mod our respective moduli. The Chinese remainder theorem allows me to find a single value that satisfies all of these moduli at the same time, and I can find a single number that's going to solve all of these congruences. And remember, the thing about the Chinese remainder algorithm is that it gives me a range of values. So my solution is actually going to be a value determined mod n1 times n2 times and so on, the product of the different moduli. Now, I do know that whatever my value of P is, whatever the plaintext message actually is, it has to be less than the minimum of all of these moduli. So I know that P to the power e is going to be less than the product of all of these. And so what that means is that when I solve the Chinese remainder problem here, that solution is going to be an e-th power, and I can solve the congruence very easily and recover the original plaintext message P. Well, let's see how this might work. So I'll have Alice, Bob, and Charlie, and we'll have an RSA system using e equals 3 and respective public moduli 629, 2173, and 1159. Now, my exponent is 3, so I need at least three different moduli. So Zachary sends a message to the three of them, and he sends 529 to Alice, 414 to Bob, and 558 to Charlie. Now, in order for Eve to determine what the message is, she has to solve this system of congruences.
Now, if Zachary were only communicating with Alice, Eve would just have this one congruence to solve, and that's very difficult. Because Zachary is also communicating with Bob and Charlie, Eve has two other congruences she can make use of, and this allows her to use the Chinese remainder problem algorithm. And so she finds that this number is congruent to 529 mod 629, this number is congruent to 414 mod 2173, and this number is congruent to 558 mod 1159. And so this number is congruent to 0 mod 2173, this number is congruent to 0 mod 629 and 1159, and this number is congruent to 0 mod 2173 and 629. So that means when I add these numbers together, I preserve the individual congruences. So it turns out that the smallest solution will be the sum of these numbers reduced modulo the product of the three moduli, and the smallest solution is going to be 15625. Well, this is a perfect cube, and so what I can do is recover the original message, P equals 25, and there's my original plaintext. Now we might think about how we can defend against this particular type of attack, and so the first thought might be, well, suppose I don't encrypt P, but I encrypt some linear function of P. That way I'm not sending the same value to everyone, and it seems like this is a good idea, because this will keep us from applying the algorithm for solving the Chinese remainder problem, but it doesn't work. Håstad himself showed that this can't actually work. The proof goes far beyond what I want to talk about, but it turns out that a better defense against this, or a defense that will actually work, is to use a sufficiently large value of e, and typically the recommendations that we see come down to choosing an e that's larger than 2 to the power 16, that is, 65,536. And intuitively you can see why this is going to work out.
Remember that I need to solve a Chinese remainder problem using e different congruences, and the more congruences I have, the more difficult that problem becomes. And if I use a very large value of e, the difficulty here is that I'm going to need on the order of about 2 to the 32nd power congruences to solve.
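The attack walked through above, as an added Python example that is not part of the lecture: a Chinese remainder solver, an exact integer e-th root, and a `hastad_broadcast` function that recovers P from the three ciphertexts 529, 414 and 558 under the moduli 629, 2173 and 1159 with e = 3. The function names are my own, as is the larger second instance in the usage note (moduli built from primes just above 10^6, chosen only for this example). The function returns None when the CRT solution is not a perfect e-th power, which is what happens with too few recipients, and it raises if two moduli share a factor, since then the gcd attack mentioned at the start of the lecture applies instead of this one.

```python
from math import gcd


def crt(residues, moduli):
    """Chinese remainder theorem, incremental (Garner-style) form.

    Returns (x, N) with 0 <= x < N = product(moduli) and x ≡ r_i (mod n_i)
    for every pair.  Moduli must be pairwise coprime.
    """
    x, N = 0, 1
    for r, n in zip(residues, moduli):
        # x already satisfies every earlier congruence.  Choose t so that
        # x + N*t ≡ r (mod n); the earlier ones survive because N ≡ 0 (mod n_j).
        t = ((r - x) * pow(N, -1, n)) % n
        x += N * t
        N *= n
    return x % N, N


def iroot(x, k):
    """Largest integer r with r**k <= x; exact on arbitrarily large ints (binary search)."""
    if x < 0 or k < 1:
        raise ValueError("need x >= 0 and k >= 1")
    if x < 2:
        return x
    lo, hi = 1, 1 << (x.bit_length() // k + 1)   # hi**k > x by construction
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def hastad_broadcast(ciphertexts, moduli, e):
    """Recover P from c_i = P**e mod n_i (same e) when P**e < product(n_i).

    Returns P, or None when the CRT solution is not a perfect e-th power
    (typically: fewer than e recipients, so P**e really was reduced).
    Raises ValueError if two moduli share a factor: CRT needs coprime moduli,
    and a shared factor already breaks those two keys outright.
    """
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g != 1:
                raise ValueError(
                    f"moduli {moduli[i]} and {moduli[j]} share the factor {g}")
    x, _ = crt(ciphertexts, moduli)
    p = iroot(x, e)
    return p if p ** e == x else None


# Lecture instance: Zachary sends P to Alice, Bob and Charlie with e = 3.
LECTURE_MODULI = [629, 2173, 1159]
LECTURE_CIPHERTEXTS = [529, 414, 558]

if __name__ == "__main__":
    x, N = crt(LECTURE_CIPHERTEXTS, LECTURE_MODULI)
    print(x)                                                       # 15625
    print(hastad_broadcast(LECTURE_CIPHERTEXTS, LECTURE_MODULI, 3))  # 25
    # Only Alice's ciphertext: 529 is not a cube, so nothing is recovered.
    print(hastad_broadcast([529], [629], 3))                       # None
```

Usage note: the real condition for success is P^e < n1 n2 ... , not the number of recipients as such; "at least e recipients" is simply what guarantees it when P is smaller than every modulus. A larger constructed instance behaves the same way: with moduli 1000003*1000033, 1000037*1000039 and 1000081*1000099 (pairwise coprime by construction) and P = 123456789, feeding `pow(P, 3, n)` for each n into `hastad_broadcast(..., 3)` returns P exactly, because P^3 is about 1.9e24 while the product of the moduli is about 1e36.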