3

Implementations of the RSA cryptosystem often use the number $65537$ as a public exponent. It is a requirement that such numbers have an inverse modulo $\varphi(N)$, where $N$ is usually a product of two large primes $p, q$ of similar size. So 65537 must be coprime to $\varphi(N)$ for all $N = pq$. Why is 65537 always coprime to $\varphi(N)$ for all such $N$?

I found many questions and answers about 65537, but usually, people are interested in the efficiency and security of such exponents. I'm interested in its number-theoretic properties, which past questions don't seem to answer.

kelalaka
user1145880

3 Answers

8

$65537$ is not always coprime to $\varphi(N)$ in RSA [1]. But it often is, because:

  • Often [2], $e=F_4=2^{(2^4)}+1=65537$ is chosen in RSA, and then the requirement [3] that $e$ is coprime to $\varphi(N)$ translates to $65537$ being coprime to $\varphi(N)$. Because $e=65537$ is prime, this can be checked as $p\bmod e\ne1$ and $q\bmod e\ne1$, or the primes $p$ and $q$ can be generated to match these conditions.
  • Even when another $e$ is chosen: because $65537$ is a not-too-small prime, when we choose a large prime $p$, it's unlikely that $p\bmod65537=1$ (probability $1/65536$). Same for $q$. Thus the probability that $65537$ is not coprime to $\varphi(N)=(p-1)(q-1)$ is next to $1/32768$ (or $0$ if the chosen $e$ is a multiple of $65537$).

[1] Small counterexample: $p=917519=14\times65537+1$, $q=820681$, $N=p\,q=752990410439$, $\varphi(N)=(p-1)(q-1)=752988672240$, $\gcd(\varphi(N),65537)=65537$, $e=17$, $d=177173805233$ or $d=15819089753$.

[2] The reasons for this common choice are many (and debated), including that

  • The form $e=2^k+1$ gives the fastest ratio of (time to raise to the odd power $e$ modulo $N$) over ($\log e$): we square $k$ times, then multiply by the original number.
  • Prime $e$ slightly simplifies the choice of factors of $N$ such that $e$ is coprime with $\varphi(N)$, and the above form of $e$ is prime for $e=F_i=2^{(2^i)}+1$ with $i\in\{0,1,2,3,4\}$. Notice that to validate that a prime $p$ is suitable w.r.t. a prime $e$, it's enough to check that $p\bmod e\ne1$, when in the general case of a composite $e$ we need to check that $\gcd(p-1,e)=1$.
  • Larger $e$ protects to some degree against some attacks on obsolete, generally insecure RSA encryption practices including RSAES-PKCS1-v1_5.
  • $e=F_4=2^{(2^4)}+1=65537$ has (thus) been recommended as the minimum value by several security authorities and standards.

[3] Without this requirement, textbook RSA would often encipher two plaintexts into the same ciphertext, making decryption impossible.

fgrieu
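
Added example (not part of the answer above): a Python check of the footnote's counterexample, showing the $p \bmod e \ne 1$ test, the two private exponents for $e=17$, and two plaintexts that collide under $e=65537$ as the last footnote describes. The function names are hypothetical; the numbers are the ones quoted in the answer, and Python 3.8+ is assumed for `pow(x, -1, m)`.

```python
from math import gcd

E = 65537                 # F_4, prime
P, Q = 917519, 820681     # counterexample primes quoted in the answer
N = P * Q

def prime_suits_exponent(p: int, e: int) -> bool:
    """True if prime p may be used with public exponent e: gcd(p-1, e) == 1.
    For prime e this is equivalent to p % e != 1."""
    return gcd(p - 1, e) == 1

def private_exponents(p: int, q: int, e: int):
    """Return (d mod phi(N), d mod lambda(N)), or None if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return None
    lam = phi // gcd(p - 1, q - 1)          # lcm(p-1, q-1)
    return pow(e, -1, phi), pow(e, -1, lam)

def colliding_plaintext(p: int, q: int, e: int) -> int:
    """For prime e dividing p-1, return m != 1 with m**e == 1**e (mod p*q)."""
    if (p - 1) % e != 0:
        raise ValueError("e must divide p-1 for this construction")
    g = pow(2, (p - 1) // e, p)             # g**e == 2**(p-1) == 1 (mod p)
    if g == 1:
        raise ValueError("base 2 gave the trivial root; try another base")
    # CRT: m == g (mod p) and m == 1 (mod q)
    return 1 + q * (((g - 1) * pow(q, -1, p)) % p)

if __name__ == "__main__":
    print("p usable with 65537:", prime_suits_exponent(P, E))
    print("q usable with 65537:", prime_suits_exponent(Q, E))
    print("d for e=65537:", private_exponents(P, Q, E))
    print("d for e=17:", private_exponents(P, Q, 17))
    m = colliding_plaintext(P, Q, E)
    # Both plaintexts 1 and m encrypt to the same ciphertext under e=65537.
    print("collision:", m, pow(m, E, N), pow(1, E, N))
```
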
3

There is no known weakness for any public exponent for RSA, as long as the public exponent $e$ is relatively prime to $\varphi(n)$ and the proper padding scheme is used. Fermat's primes are preferable due to the efficiency and 65537 is a common choice.

While generating an RSA key, we select $e$ first and then we find the primes $p$, $q$, such that $(p-1)$, $(q-1)$ are relatively prime to $e$. This check ensures the coprimality of $e$ and $\varphi(n)$.

In addition, if we pick $p$ and $q$ as safe primes, which are in the form of $2r+1$ where $r$ is a prime, we don't need this step.

NB_1907
1

The choice of 65537 is popular because it is a prime number $2^{16}+1$. There might be more reasons, but ones that come to mind are:

  • It's prime, but not a large number so it's easy on the division units of hardware. It only takes me 17 multiplies to use it.
  • It only has two prime factors: 2 and 32769. For 65537 to not be co-prime to $\phi(N)$, it would need to share a prime factor with 65537.

So, given that 65537 is a prime number, the only way it could share a factor with $\phi(N)$ is if 65537 divides $(p-1)$ or $(q-1)$, because $\phi(N)=(p-1)(q-1)$.

kodlu
b degnan