LOGBOOK

HELP

Quiz Entry - updated: 2026.07.10

Why is a short public exponent (e.g. $e = 2^{16}+1$) acceptable for RSA signatures, even though short exponents are risky for RSA encryption?

Signature security rests on the secret exponent $d$, not on $e$ being large, so a small $e$ is fine — and it makes verification very fast. For encryption the roles flip: a small public exponent can leak the plaintext, which is why encryption needs padding like OAEP.

The public exponent $e$ drives the public operation — verifying a signature ($m = s^e \bmod N$) or encrypting ($c = m^e \bmod N$). For signatures, anything an attacker would forge is built with the secret exponent $d$; the size of $e$ gives them no help, so a small value such as $2^{16}+1 = 65537$ costs nothing in security. What it buys is speed: a short $e$ has very few 1-bits, so square-and-multiply verification is extremely fast — cheap enough to run on low-power smart cards.

For encryption the same shortcut is dangerous. A small $e$ applied to a small or unpadded message can let an attacker recover the plaintext directly — for instance, if $m^e < N$ then no modular wrap-around happens and taking an ordinary integer $e$-th root undoes the encryption. That is why encryption must randomise and pad the message (OAEP), whereas signing can safely keep $e$ small.

Go deeper:

From Quiz: KRYPTOG / Digital Signatures and Advanced Public Key Techniques | Updated: Jul 10, 2026