Small exponent attack on RSA

Is RSA secure if the private exponent is ``small''? Not if you send the same message to many people, even if you use different public bases $n$ for each message. This is called ``Hastad's broadcast attack''.

Suppose that the exponent $d$ is small, for example, $d=3$. Let the private keys be $(n_1,3)$, $(n_2,3)$, $(n_3,3)$, where each $n_i$ is a product of two large secret primes, and where the message $m$ satisfies $m<n_i$. Assume that $n_1,n_2,n_3$ are pairwise relatively prime. Suppose that you send the same RSA encrypted message $m$ to $d=3$ people. The idea is very simple. Assume $m^3$ (mod $n_1$) is intercepted, as is $m^3$ (mod $n_2$) and also $m^3$ (mod $n_3$). (This assumption is a standard hypothesis when constructing an attack, since the encrypted messages are presumably traveling in the open). The Chinese remainder theorem allows one to determine $m^3$ (mod $n_1n_2n_3$). But since $m<n_1$, $1\leq i\leq 3$, we must have $m^3<n_1n_2n_3$. Thus, $m^3<n_1n_2n_3$ really is just $m^3$. So take the cube root, and you have the message.