Another way to break RSA is to find a technique to compute *e*^{th} roots
*mod n*. Since *c*=*m*^{e}, the *e*^{th} root of *c* is the message *m*. This
attack would allow someone to recover encrypted messages and forge
signatures even without knowing the private key. This attack is not known
to be equivalent to factoring. No methods are currently known that attempt
to break RSA in this way.

The attacks just mentioned are the only ways to break RSA in such a way
as to be able to recover all messages encrypted under a given key.
There are other methods, however, which aim to recover single messages;
success would not enable the attacker to recover other messages
encrypted with the same key.

The simplest single-message attack is the guessed plaintext attack. An
attacker sees a ciphertext, guesses that the message might be ``Attack
at dawn'', and encrypts this guess with the public key of the
recipient; by comparison with the actual ciphertext, the attacker knows
whether or not the guess was correct. This attack can be thwarted by
appending some random bits to the message. Another single-message
attack can occur if someone sends the same message m to three others,
who each have public exponent *e*=3. An attacker who knows this and sees
the three messages will be able to recover the message m. There are
also some ``chosen ciphertext'' attacks, in which the attacker creates
some ciphertext and gets to see the corresponding plaintext, perhaps by
tricking a legitimate user into decrypting a fake message.

Of course, there are also attacks that aim not at RSA itself but at a given insecure implementation of RSA; these do not count as ``breaking RSA'' because it is not any weakness in the RSA algorithm that is exploited, but rather a weakness in a specific implementation. For example, if someone stores his private key insecurely, an attacker may discover it. One cannot emphasize strongly enough that to be truly secure RSA requires a secure implementation; mathematical security measures, such as choosing a long key size, are not enough. In practice, most successful attacks will likely be aimed at insecure implementations and at the key management stages of an RSA system. See Section 3.3 for discussion of secure key management in an RSA system.