Are there any other commonly used exponents? Why are they selected?
Asked
Active
Viewed 3,487 times
2 Answers
4
Here is the beginning of that answer from info security stackexchange for the reader’s convenience:
There is no known weakness for any short or long public exponent for RSA, as long as the public exponent is "correct" (i.e. relatively prime to p-1 for all primes p which divide the modulus).
If you use a small exponent and you do not use any padding for encryption and you encrypt the exact same message with several distinct public keys, then your message is at risk: if $e = 3,$ and you encrypt message $m$ with public keys $n_1,n_2,n_3$ then you have $c_i= m^3 \pmod{n_i}$ and use the chinese remainder theorem to recover the message by a non modular cube root extraction.
The weakness, here, is not the small exponent; rather, it is the use of an improper padding (namely, no padding at all) for encryption.
kodlu
- 25,146
- 2
- 30
- 63
2
We want a number co-prime with p-1 and q-1. We also want modular exponentiation tp be efficient. For this purpose we want it to be a small number with few set bits. To meet the co-prime requirement we can pick a prime number and verify and we are reasonably likely to succeed.
For all these together we are looking at small primes of the form: $2^n+1$ known as Fermat primes. These numbers leads to efficient public key operations.
Using 3 is an obvious choice but some don't like it, partly due to real attacks when not padding and partly irrational fear. slightly larger such primes became popular.
Meir Maor
- 12,053
- 1
- 24
- 55