Cracking the "Small" Exponent — A Full Write-Up of “Exponope” (THCON 2026)

In RSA cryptography, efficiency often comes at a price. While developers might be tempted to use small public exponents to speed up encryption and lower latency, they risk falling into one of the oldest traps in the book.
In the Exponope challenge, the author takes that risk literally:
- “Our cryptography expert just announced he's implemented a Secure way of encryption... he lowered the exponent used to a tiny value and claims the security impact is negligible.”
- Flag Format: THC{...}
For beginners: When a developer mentions "lowering the exponent" to a "tiny value," they are likely referring to the RSA public exponent e.
- If e is small and the message m is not sufficiently padded, the encrypted message $c = m^e \pmod{N}$ might not actually wrap around the modulus N.
- If $m^e < N$, the encryption is just a simple power, and the "ciphertext" can be cracked by taking the e-th root.
- Even if $m^e$ is slightly larger than N, we can still test small multiples of N to find the original message.
Therefore: The vulnerability is a Low Exponent Attack.
In RSA:
$c \equiv m^e \pmod{N}$
Which can be written as:
$m^e = c + k \cdot N$
Where k is some integer ≥ 0. If e and m are both small enough such that $m^e < N$, then k = 0. In this case, the modulus N is irrelevant, and the message is simply the integer e-th root of the ciphertext:
$m = \sqrt[e]{c}$
Let's walk through the process of identifying the weak exponent and extracting the flag.
Stage 1: Analyzing the Evidence
The challenge files provided a .txt file which contains two massive hex values:
- N: The RSA modulus (a very large number).
- ciphertext (c): The encrypted message.

The hint specifically points to a "tiny" exponent. In RSA, e = 65537 is the usual standard. Small values typically refer to e = 3 or e = 5.
Stage 2: The First Attempt (The e=3 Assumption)
Initially, I assumed the "tiny value" was the most common weak exponent: e = 3. I wrote a script to check if c + kN was a perfect cube for small values of k.

Output: None
The script finished with no output. This meant e = 3 was not the exponent used, or the message was much larger than I anticipated.
Stage 3: Broadening the Search
Since e = 3 failed, I needed to automate the search for other "tiny" exponents.
I modified the script to iterate through a list of small prime numbers (3, 5, 7, 11, 17) and check for perfect roots.
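
The search described in Stages 2 and 3, as an added example (it is not the author's original script, which is not reproduced on this page). It tests c + kN for an exact integer e-th root over each candidate exponent; the modulus, message and ciphertext are constructed sample values, and the names iroot, small_e_search, to_bytes and max_k are assumptions.

```python
# Added example: low-exponent search against unpadded ("raw") RSA.
# N, MSG and C are constructed sample values, not the challenge data.

def iroot(n, e):
    """Return floor(n ** (1/e)) for an integer n >= 0 (exact, no floats)."""
    lo, hi = 0, 1 << (n.bit_length() // e + 1)   # the root is always <= hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def small_e_search(c, n, exponents=(3, 5, 7, 11, 17), max_k=256):
    """Solve m^e = c + k*n for each candidate e and small k >= 0.

    Returns (e, k, m) for the first exact e-th root found, else None.
    """
    for e in exponents:
        for k in range(max_k):
            candidate = c + k * n
            m = iroot(candidate, e)
            if m ** e == candidate:      # exact root: m^e never "wrapped" far
                return e, k, m
    return None

def to_bytes(m):
    """Decode the recovered integer back into the plaintext bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed modulus: product of two Mersenne primes (about 1128 bits).
N = (2**521 - 1) * (2**607 - 1)
MSG = b"THC{constructed_sample}"            # placeholder, not the real flag
C = pow(int.from_bytes(MSG, "big"), 5, N)   # raw RSA with e = 5, no padding

if __name__ == "__main__":
    print(small_e_search(C, N, exponents=(3,)))  # e = 3 only: no root found
    e, k, m = small_e_search(C, N)               # widened search
    print(e, k, to_bytes(m))
```

Floating-point roots lose precision on numbers this large, which is why the root is computed with integer arithmetic and confirmed by raising it back to the e-th power.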

Stage 4: The Breakthrough
Upon executing the expanded search, the script skipped e = 3 and immediately hit a match on e = 5.

Because k = 0, it means that $m^5$ was actually smaller than the modulus N.
The encryption never even performed a "modulo" operation. The ciphertext was simply the message raised to the 5th power.
FINAL FLAG: THC{u_n3eD_@_bett3r_eXp0neNT}
Conclusion
This challenge serves as a textbook example of why the public exponent e matters. Using a small e like 3 or 5 is not inherently "broken" if strong, randomized padding (like OAEP) is used.
However, when a message is encrypted directly (Raw RSA) and the exponent is small enough that $m^e < N$, the security of the RSA algorithm completely collapses. In this case, "efficiency" was the enemy of security.
