Fast Variants of RSA

Transcription

1 Fast Varants of RSA Dan Boneh Hovav Shacham Abstract We survey four varants of RSA desgned to speed up RSA decrypton and sgnng. We only consder varants that are backwards compatble n the sense that a system usng one of these varants can nteroperate wth systems usng standard RSA. 1 Introducton RSA [12] s the most wdely deployed publc key cryptosystem. It s used for securng web traffc, e-mal, and some wreless devces. Snce RSA s based on arthmetc modulo large numbers t can be slow n constraned envronments. For example, 1024-bt RSA decrypton on a small handheld devce such as the PalmPlot III can take as long as 30 seconds. Smlarly, on a heavly loaded web server, RSA decrypton sgnfcantly reduces the number of SSL requests per second that the server can handle. Typcally, one mproves RSA s performance usng specal-purpose hardware. Current RSA coprocessors can perform as many as 10,000 RSA decryptons per second (usng a 1024-bt modulus) and even faster processors are comng out. In ths paper we survey four smple varants of RSA that are desgned to speed up RSA decrypton n software. We emphasze backwards compatblty: A system usng one of these varants for fast RSA decrypton should be able to nteroperate wth systems that are bult for standard RSA. Moreover, exstng Certfcate Authortes must be able to respond to a certfcate request for a varant-rsa publc key. We begn the paper wth a bref revew of RSA. We then descrbe the followng varants for speedng up RSA decrypton: Batch RSA [8]: do a number of RSA decryptons for approxmately the cost of one. Mult-factor RSA [7, 14]: use a a modulus of the form N = pqr or N = p 2 q. Rebalanced RSA [16]: speed up RSA decrypton by shftng most of the work to the encrypter. The securty of these varants s an open research problem. We cannot show that an attack on these varants would mply an attack on the standardzed verson of RSA (as descrbed, e.g., n ANSI X9.31). Therefore, when usng these varants, one can only rely on the fact that so far none of them has been shown to be weak. The RSA trapdoor permutaton s used for both publc key encrypton and dgtal sgnatures. Snce the exact applcaton of RSA s orthogonal to the dscusson n ths paper we use termnology consstent wth the applcaton to publc key encrypton. All the RSA varants we dscuss apply equally well to dgtal sgnatures, where they speed up RSA sgnng. 1

2 1.1 Revew of the basc RSA system We revew the basc RSA publc key system and refer to [10] for more nformaton. We descrbe three consttuent algorthms: key generaton, encrypton, and decrypton. Key generaton: The key generaton algorthm takes a securty parameter n as nput. Throughout the paper we use n = 1024 as the standard securty parameter. The algorthm generates two (n/2)-bt prmes, p and q, and sets N pq. Next, t pcks some small value e that s relatvely prme to ϕ(n) = (p 1)(q 1). The value e s called the encrypton exponent, and s usually chosen as e = The RSA publc key conssts of the two ntegers N, e. The RSA prvate key s an nteger d satsfyng e d = 1 mod ϕ(n). Typcally, one sends the publc key N, e to a Certfcate Authorty (CA) to obtan a certfcate for t. Encrypton: To encrypt a message X usng an RSA publc key N, e, one frst formats the btstrng X to obtan an nteger M n Z N = {0,...,N 1}. Ths formattng s often done usng the PKCS #1 standard [1, 9]. The cphertext s then computed as C M e mod N. (Other methods for formattng X pror to encrypton are descrbed elsewhere n ths ssue.) Decrypton: To decrypt a cphertext C the decrypter uses ts prvate key d to compute the e th root of C by computng M C d mod N. Snce both d and N are large numbers (each approxmately n bts long) ths s a lengthy computaton for the decrypter. The formattng operaton from the encrypton algorthm s then reversed to obtan the orgnal bt-strng X from M. Note that d must be a large number (on the order of N) snce otherwse the RSA system s nsecure [3, 16]. It s standard practce to employ the Chnese Remander Theorem (CRT) for RSA decrypton. Rather than compute M C d (mod N), one evaluates: M p C dp p (mod p) M q C dq q (mod q) Here d p = d mod p 1 and d q = d mod q 1. Then one uses the CRT to calculate M from M p and M q. Ths s approxmately four tmes as fast as evaluatng C d mod N drectly [10, p. 613]. 2 Batch RSA Fat [8] observed that, when usng small publc exponents e 1 and e 2 for the same modulus N, t s possble to decrypt two cphertexts for approxmately the prce of one. Suppose C 1 s a cphertext obtaned by encryptng some M 1 usng the publc key N, 3, and C 2 s a cphertext for some M 2 usng N, 5. To decrypt, we must compute C 1/3 1 and C 1/5 2 mod N. Fat observed that by settng A = (C1 5 C3 2 )1/15 we obtan: C 1/3 1 = A10 C 3 1 C2 2 and C 1/5 2 = A6 C 2 1 C 2 (1) Hence, at the cost of computng a sngle 15th root and some addtonal arthmetc, we are able to decrypt both C 1 and C 2. Computng a 15th root takes the same tme as a sngle RSA decrypton. Ths batchng technque s only worthwhle when the publc exponents e 1 and e 2 are small (e.g., 3 and 5). Otherwse, the extra arthmetc requred s too expensve. Also, one can only batch-decrypt cphertexts encrypted usng the same modulus and dstnct publc exponents. Ths s essental t s known [13, Appendx A] that one cannot apply such algebrac technques to 2

3 batch the decrypton of two cphertexts encrypted wth the same publc key (e.g., we cannot batch compute C 1/3 1 and C 1/3 2 ). Fat generalzed the above observaton to the decrypton of a batch of b RSA cphertexts. We have b parwse relatvely prme publc keys e 1,...,e b, all sharng a common modulus N. Furthermore, we have b encrypted messages C 1,...,C b, where C s encrypted usng the exponent e. We wsh to compute M = C 1/e for = 1,...,b. Fat descrbes ths b-batch process usng a bnary tree. For small values of b (b 8), one can use a drect generalzaton of (1). One sets e e, and A 0 Ce/e (where the ndces range over 1,...,b). Then one calculates A A 1/e 0 = b. For each one computes M as: =1 C1/e M = C 1/e = C (α 1)/e A α j Cα /e j j where α = { 1 mod e 0 mod e j (for j ) (2) Ths b-batch requres b modular nversons where as Fat s tree based method requres 2b modular nversons, but fewer auxlary multplcatons. Note that snce b and the e s are small the exponents n Equaton (2) are also small. 2.1 Improvng the performance of batch RSA In [13] the authors show how to use batch RSA wthn the Apache web server to mprove the performance of the SSL handshake. Ths requres changng the web server archtecture. They also descrbe several natural mprovements to batch RSA. We menton a few of these mprovements here. Batch dvson: Modular nverson s much slower than modular multplcaton. Usng a trck due to Montgomery we compute all b nversons n the batch algorthm for the cost of a sngle nverson and a few more multplcatons. The dea s to nvert x and y by computng α (xy) 1 and settng x 1 y α and y 1 x α. Thus we obtan the nverses of both x and y at the cost of a sngle modular nverson and three multplcatons. More generally, we use the followng fact [6, p. 481]: Fact. Let x 1,...,x n be elements of Z N. All n nverses x 1 1,...,x 1 n can be obtaned at the cost of one nverson and 3n multplcatons. Consequently, only a sngle modular nverson s requred for the entre batchng procedure. Global Chnese Remander: In Secton 1.1 we mentoned that RSA decrypton uses the CRT to speed up the computaton of C d mod N. Ths dea extends naturally to batch decrypton. We run the entre batchng algorthm modulo p, and agan modulo q, then use the CRT on each of the b pars C 1/e mod p, C 1/e mod q to obtan the b decryptons M = C 1/e mod N. Smultaneous Multple Exponentaton: Smultaneous multple exponentaton [10, 14.6] s a method for calculatng a u b v mod m wthout frst evaluatng a u and b v. It requres approxmately as many multplcatons as does a sngle exponentaton wth the larger of u or v as exponent. Such products of exponents are a large part of the batchng algorthm. Smultaneous multple exponentaton cuts the tme requred to perform them by close to 30%. 2.2 Performance of batch RSA Table 1 lsts the runnng tme for stand-alone batch-rsa decrypton, usng OpenSSL on a machne wth a 750 MHz Pentum III and 256 MB RAM, runnng Deban Lnux. In all experments, the smallest possble values for the encrypton exponents e were used. 3

4 batch key sze sze (unbatched) Table 1: RSA decrypton tme, n mllseconds, as a functon of batch and key sze Wth standard 1024-bt keys, batchng mproves performance sgnfcantly. Wth b = 4, RSA decrypton s accelerated by a factor of 2.6; wth b = 8, by a factor of almost 3.5. Note that a batch sze of more than eght s probably not useful for common applcatons, snce watng for many decrypton requests to be queued can sgnfcantly ncrease latency. batch Server load sze (unbatched) Table 2: SSL handshakes per second as a functon of batch sze bt keys. We also menton batch-rsa performance as a component of a larger system a web server handlng SSL traffc. An archtecture for such a system s descrbed n [13]. Table 2 gves the number of full SSL handshakes per second that the batch-rsa web server can handle, when bombarded wth concurrent HTTP HEAD requests by a test clent. Here server load s the number of smultaneous connecton threads the clent makes to the server. Under heavy load, batch RSA can mprove the number of full SSL handshakes per second by a factor of approxmately The Downsde of Batch RSA Batch RSA can lead to a sgnfcant mprovement n RSA decrypton tme. Nevertheless, there are a few dffcultes wth usng the batchng technque: When usng batch RSA, the decrypton server must mantan at least as many RSA certfcates as there are dstnct keys n a batch. Unfortunately, current Certfcate Authortes charge per certfcate ssued regardless of the publc key n the certfcate. Hence, the cost of certfcates mght outwegh the benefts n performance. For optmal performance, batchng requres RSA publc keys wth very small publc exponents (e = 3, 5, 7, 11,...). Although all known attacks on the resultng system are prevented by approprate paddng, RSA as usually deployed uses a larger publc exponent (e = 65537). 3 Mult-factor RSA The second RSA varant s based on modfyng the structure of the RSA modulus. Here there are two proposals. The frst [7] uses a modulus of the form N = pqr. When N s 1024 bts, each prme s approxmately 341 bts. We refer to ths as mult-prme RSA. The second proposal [14] 4

5 uses an RSA modulus of the form N = p 2 q and leads to an even greater speedup. Both methods are fully backwards compatble snce the resultng publc-keys are ndstngushable from standard RSA publc keys (where N = pq). 3.1 Mult-prme RSA: N = pqr We begn wth mult-prme RSA [7]. We descrbe key generaton, encrypton, and decrypton. We then dscuss the performance of the scheme and analyze ts securty. Key generaton: The key generaton algorthm takes as nput a securty parameter n and an addtonal parameter b. It generates an RSA publc/prvate key par as follows: Step 1: Generate b dstnct prmes p 1,...,p b each n/b -bts long. Set N b =1 p. For a 1024-bt modulus we can use at most b = 3 (.e., N = pqr), for securty reasons dscussed below. Step 2: Pck the same e used n standard RSA publc keys, namely e = Then compute d = e 1 mod ϕ(n). As usual, we must ensure that e s relatvely prme to ϕ(n) = b =1 (p 1). The publc key s N, e ; the prvate key s d. Encrypton: Gven a publc key N, e, the encrypter encrypts exactly as n standard RSA. Decrypton: Decrypton s done usng the Chnese Remander Theorem (CRT). Let r = d mod p 1. To decrypt a cphertext C, one frst computes M = C r mod p for each, 1 b. One then combnes the M s usng the CRT to obtan M = C d mod N. The CRT step takes neglgble tme compared to the b exponentatons. Performance. We compare the decrypton work usng the above scheme to the work done when decryptng a normal RSA cphertext. Recall that standard RSA decrypton usng CRT requres two full exponentatons modulo n/2-bt numbers. In mult-prme RSA decrypton requres b full exponentatons modulo n/b bt numbers. Usng basc algorthms computng x d mod p takes tme O(log d log 2 p). When d s on the order of p the runnng tme s O(log 3 p). Therefore, the asymptotc speedup of mult-prme RSA over standard RSA s smply: 2 (n/2) 3 b (n/b) 3 = b2 /4 For 1024-bt RSA, we can use at most b = 3 (.e., N = pqr), whch gves a theoretcal speedup of approxmately 2.25 over standard RSA decrypton. Our experments (mplemented usng the GMP bgnum lbrary) show that n practce we get a speed-up by a factor of 1.73 over standard RSA. Securty. The securty of mult-factor RSA depends on the dffculty of factorng ntegers of the form N = p 1 p b for b > 2. The fastest known factorng algorthm (the number feld seve) cannot take advantage of ths specal structure of N. However, one has to make sure that the prme factors of N do not fall wthn the range of the Ellptc Curve Method (ECM), whch s analyzed n [15]. Currently, 256-bt prme factors are consdered wthn the bounds of ECM, snce the work to fnd such factors s wthn range of the work needed for the RSA-512 factorng project [5]. Consequently, for 1024-bt modul one should not use more than three factors. 5

6 3.2 Mult-power RSA: N = p 2 q One can further speed up RSA decrypton usng a modulus of the form N = p b 1 q where p and q are n/b bts each [14]. When N s 1024-bts long we can use at most b = 3,.e., N = p 2 q. The two prmes p, q are then each 341 bts long. Key generaton: The key generaton algorthm takes as nput a securty parameter n and an addtonal parameter b. It generates an RSA publc/prvate key par as follows: Step 1: Generate two dstnct n/b -bt prmes, p and q, and compute N p b 1 q. Step 2: Use the same publc exponent e used n standard RSA publc keys, namely e = Compute d e 1 mod (p 1)(q 1). Step 3: Compute r 1 d mod p 1 and r 2 d mod q 1. The publc key s N, e ; the prvate key s p, q, r 1, r 2. Encrypton: Same as n standard RSA. Decrypton: To decrypt a cphertext C usng the prvate key p, q, r 1, r 2 one does: Step 1: Compute M 1 C r 1 mod p and M 2 C r 2 mod q. Thus M1 e = C mod p and Me 2 = C mod q. Step 2: Usng Hensel lftng [6, p. 137] construct an M 1 such that (M 1 )e = C mod p b 1. Hensel lftng s much faster than a full exponentaton modulo p b 1. Step 3: Usng CRT, compute an M Z N such that M = M 1 mod pb 1 and M = M 2 mod q. Then M = C d mod N s a proper decrypton of C. Performance. We compare the work requred to decrypt usng mult-power RSA to that requred for standard RSA. For mult-power RSA, decrypton takes two full exponentatons modulo (n/b)- bt numbers, and b 2 Hensel lftngs. Snce the Hensel-lftng s much faster than exponentaton, we focus on the tme for the two exponentatons. As noted before, a full exponentaton usng basc modular arthmetc algorthms takes cubc tme n the sze of the modulus. So, the speedup of mult-power RSA over standard RSA s approxmately: 2 (n/2) 3 2 (n/b) 3 = b3 /8 For 1024-bt RSA, b should agan be at most three (.e., N = p 2 q), gvng a theoretcal speedup of about 3.38 over standard RSA decrypton. Our experments (mplemented usng GMP and takng e = 65537) show that n practce we get a speed-up by a factor of 2.30 over standard RSA. Securty. The securty of mult-power RSA depends on the dffculty of factorng ntegers of the form N = p b 1 q. As for mult-prme RSA, one has to make sure that the prme factors of N do not fall wthn the capabltes of ECM (and the ECM mprovement for N = p 2 q [11]). Consequently, for 1024-bt modul one can use at most b = 3,.e., N = p 2 q. In addton, we note that the Lattce Factorng Method (LFM) [4], desgned to factor ntegers of the form N = p u q for large u, cannot effcently factor ntegers of the form N = p 2 q when N s 1024 bts long. 6

7 4 Rebalanced RSA In standard RSA, encrypton and sgnature verfcaton are much faster than decrypton and sgnature generaton. In some applcatons, one would lke to have the reverse behavor. For example, when a cell phone needs to generate an RSA sgnature that wll be later verfed on a fast server one would lke sgnng to be easer than verfyng. Smlarly, SSL web browsers (dong RSA encrypton) typcally have dle cycles to burn whereas SSL web servers (dong RSA decrypton) are overloaded. In ths secton we descrbe a varant of RSA that enables us to rebalance the dffculty of encrypton and decrypton: we speed up RSA decrypton by shftng the work to the encrypter. Ths varant s based on a proposal by Wener [16] (see also [2]). Note that we cannot smply speedup RSA decrypton by usng a small value of d snce as soon as d s less than N RSA s nsecure [16, 3]. The trck s to choose d such that d s large (on the order of N), but d mod p 1 and d mod q 1 are small numbers. As before, we descrbe key generaton, encrypton, and decrypton. Key generaton: The key generaton algorthm takes two securty parameters n and k where k n/2. Typcally n = 1024 and k = 160. It generates an RSA key as follows: Step 1: Generate two dstnct (n/2)-bt prmes p and q wth gcd(p 1, q 1) = 2. Compute N pq. Step 2: Pck two random k-bt values r 1 and r 2 such that gcd(r 1, p 1) = 1, and gcd(r 2, q 1) = 1, and r 1 = r 2 mod 2 Step 3: Fnd a d such that d = r 1 mod p 1 and d = r 2 mod q 1. Step 4: Compute e d 1 mod ϕ(n). The publc key s N, e ; the prvate key s p, q, r 1, r 2. We need to explan how to fnd d n Step 3. One usually uses the Chnese Remander Theorem (CRT). Unfortunately, p 1 and q 1 are not relatvely prme (they are both even) and consequently the theorem does not apply. However, (p 1)/2 s relatvely prme to (q 1)/2. Furthermore, r 1 = r 2 mod 2. Let a = r 1 mod 2. Then usng CRT we can fnd an element d such that d = r 1 a 2 (mod p 1 2 ) and d = r 2 a 2 (mod q 1 2 ) Now, observe that the requred d n Step 3 s smply d = 2d + a. Indeed, d = r 1 mod p 1 and d = r 2 mod q 1. In Step 4, we must justfy why d s nvertble modulo ϕ(n). Recall that gcd(r 1, p 1) = 1 and gcd(r 2, q 1) = 1. It follows that gcd(d, p 1) = 1 and gcd(d, q 1) = 1. Consequently gcd(d, (p 1)(q 1)) = 1. Hence, d s nvertble modulo ϕ(n) = (p 1)(q 1). For securty reasons descrbed below we take k = 160, although other larger values are acceptable. Note that e s very large on the order of N. Ths s unlke standard RSA, where e typcally equals All Certfcate Authortes we tested were wllng to generate certfcates for such RSA publc keys. Encrypton: Encrypton usng the publc key N, e s dentcal to encrypton n standard RSA. The only ssue s that snce e s much larger than n standard RSA, the encrypter must be wllng to accept such publc keys. At the tme of ths wrtng all browsers we tested were wllng to accept such keys. The only excepton s Mcrosoft s Internet Explorer (IE) IE allows a maxmum of 32 bts for e. 7

8 Decrypton: To decrypt a cphertext C usng the prvate key p, q, r 1, r 2 one does: Step 1: Compute M 1 C r 1 mod p and M 2 C r 2 mod q. Step 2: Usng the CRT compute an M Z N such that M = M 1 mod p and M = M 2 mod q. Note that M = C d mod N. Hence, the resultng M s a proper decrypton of C. Performance. We compare the work requred to decrypt usng the above scheme to that requred usng standard RSA. Recall that decrypton tme for standard RSA wth CRT s domnated by two full exponentatons modulo (n/2)-bt numbers. In the scheme presented above, the bulk of the decrypton work s n the two exponentatons n Step 1, but n each of these the exponent s only k bts long. Snce modular exponentaton takes tme lnear n the exponent s bt-length, we get a speedup of (n/2)/k over standard RSA. For a 1024-bt modulus and 160-bt exponent (k = 160), ths gves a theoretcal speedup of about 3.20 over standard RSA decrypton. Our experments (mplemented usng GMP) show that n practce we get a speed-up by a factor of 3.06 over standard RSA. Securty. It s an open research problem whether RSA usng values of d as above s secure. Snce d s large, the usual small-d attacks [16, 3] do not apply. The best known attack on ths scheme s descrbed n the followng lemma [2]. Lemma. Let N, e be an RSA publc key wth N = pq. Let d Z be the correspondng RSA prvate exponent satsfyng d = r 1 mod p 1 and d = r 2 mod q 1 wth r 1 < r 2. Then gven N, e an adversary can expose the prvate key d n tme O( r 1 log r 1 ). The above attack shows that, to obtan securty of 2 80, both r 1 and r 2 must be at least 160 bts long. Consequently, for securty reasons k should not be less than Conclusons We surveyed four varants of RSA desgned to speed up RSA decrypton and be backwardscompatble wth standard RSA. Table 3 gves the decrypton speedup factors for each of these varants usng a 1024-bt RSA modulus. Batch RSA s fully backwards-compatble, but requres the decrypter to obtan and manage multple publc keys and certfcates. The two mult-factor RSA technques are promsng n that they are fully backwards compatble. The rebalanced RSA method gves a large speedup, but only works wth peer applcatons that properly mplement standard RSA, and so are wllng to accept RSA certfcates wth a large encrypton-exponent e. Currently, Internet Explorer rejects all RSA certfcates where e s more than 32 bts long. Multfactor RSA and rebalanced RSA can be combned to gve an addtonal speedup. All these varants can take advantage of advances n algorthms for modular arthmetc (e.g., modular multplcaton and exponentaton) on whch RSA s bult. Method Speedup Comment Batch RSA, b = Requres multple certfcates Mult-prme, N = pqr 1.73 Mult-power, N = p 2 q 2.30 e = Rebalanced, k = Incompatble wth Internet Explorer Table 3: Comparson of RSA varants. Expermental speedup factors for 1024-bt keys. 8

9 Acknowledgments The authors thank Ar Juels for hs comments on prelmnary versons of ths paper. References [1] M. Bellare and P. Rogaway. Optmal Asymmetrc Encrypton. In A. De Sants, ed, Proceedngs of Eurocrypt 94, vol. 950 of Lecture Notes n Computer Scence (LNCS), pp Sprnger-Verlag, [2] D. Boneh. Twenty Years of Attacks on the RSA Cryptosystem. Notces of the Amercan Mathematcal Socety, 46(2): , Feb [3] D. Boneh and G. Durfee. Cryptanalyss of RSA wth Prvate Key d Less than n IEEE Transactons on Informaton Theory, 46(4): , Jul Early verson n Proceedngs of Eurocrypt 99. [4] D. Boneh, G. Durfee, and N. Howgrave-Graham. Factorng N = p r q for Large r. Proceedngs of Crypto 99, vol of LNCS, pp Sprnger-Verlag, [5] S. Cavallar, B. Dodson, A. K. Lenstra, W. Loen, P. Montgomery, B. Murphy, H. Rele, K. Aardal, J. Glchrst, G. Gullerm, P. Leyland, J. Marchand, F. Moran, A. Muffett, C. Putnam, P. Zmmermann, Factorzaton of a 512-Bt RSA Modulus, Proceedngs of Eurocrypt 2000, vol of Lecture Notes n Computer Scence (LNCS), pp. 1 11, Sprnger-Verlag, [6] H. Cohen. A Course n Computatonal Algebrac Number Theory, vol 138 of Graduate Texts n Mathematcs. Sprnger-Verlag, 1996 [7] T. Collns, D. Hopkns, S. Langford, and M. Sabn. Publc Key Cryptographc Apparatus and Method. US Patent #5,848,159. Jan [8] A. Fat. Batch RSA. In G. Brassard, ed., Proceedngs of Crypto 89, vol. 435 of LNCS, pp Sprnger-Verlag, [9] RSA Labs. Publc Key Cryptography Standards (PKCS), Number 1 Verson 2.0. Verson 2.1 draft s avalable at [10] A. Menezes, P. Van Oorschot, and S. Vanstone. Handbook of Appled Cryptography. CRC Press, [11] E.Okamoto, R.Peralta. Faster Factorng of Integers of a Specal Form, IEICE Transactons on Fundamentals of Electroncs, Communcatons, and Computer Scences, E79-A, n.4 (1996). [12] R. Rvest, A. Shamr, and L. Adleman. A Method for Obtanng Dgtal Sgnatures and Publc Key Cryptosystems. Commun. of the ACM, 21(2): Feb [13] H. Shacham and D. Boneh. Improvng SSL Handshake Performance va Batchng. In D. Naccache, ed., Proceedngs of RSA 2001, vol of LNCS, pp Sprnger-Verlag, [14] T. Takag. Fast RSA-type Cryptosystem Modulo p k q. In H. Krawczyk, ed., Proceedngs of Crypto 98, vol of LNCS, pp Sprnger-Verlag,

10 [15] R. Slverman and S. Wagstaff Jr. A Practcal Analyss of the Ellptc Curve Factorng Algorthm. Math. Comp. 61(203): Jul [16] M. Wener. Cryptanalyss of Short RSA Secret Exponents. IEEE Trans. on Info. Th. 36(3): May