2

I am new in cryptography domain and try to build some understanding on RSA key pair generation.

My doubt is on RSA public key exponent value . Can exponent be any value (prime or non prime numbers)? i am not getting proper answer for this.

if someone has useful link for this please help to share.

Regards Nikhil

nikhil
  • 21
  • 1
  • 2
  • Related: http://crypto.stackexchange.com/questions/8454/what-security-authorities-and-standards-reject-e-3-in-rsa-when-and-with-what – otus Sep 29 '15 at 07:18

2 Answers2

2

The exponent and the totient of the modulus should be coprime. (i.e. $\gcd(\varphi(p\cdot q),e)=1$) The easiest way to reduce the chances of them sharing factors is to make the exponent prime. There is a tiny chance that the totient of the modulus will have the exponent as a factor, making them not coprime, but it's a simple check for $\varphi(p\cdot q)\equiv 0\pmod e$ (should be false). I'm not fully keen on the details as to why exactly, but I believe it's due to biases that are present if the exponent and the totient share factors.

Though this is easy to get around, as the exponent doesn't need to be unique to each key. It's common practice to simply use a fixed value of 65537 and perform the check mentioned above.

Daffy
  • 2,389
  • 17
  • 29
  • @fgrieu I meant that making it prime greatly reduces the chance of them sharing factors. I see how my wording could have been interpreted that way though. I'll edit it. And yes, I meant 1, whoops. Cryptography and 5am do not mix. Also, thanks for the formatting tips! – Daffy Sep 29 '15 at 09:05
1

Yes, the exponent can be any odd value greater than 1.

We usually insist on prime values of $e$; why is this? Well, it does make generating key pairs a bit easier.

When we generate an RSA key pair, standard practice is to pick a public exponent $e$, and then select primes $p$ and $q$ that work with that $e$. And, by work, I mean that $gcd(e, p-1) = 1$ and $gcd(e, q-1) = 1$. Now, if $e$ is prime, these requirements are equivalent to $p \ne 1 \pmod e$ and $q \ne 1 \pmod e$; these are easier to test than explicitly computing the gcd (and if you are using sieving to find your primes, it's easy to stir in this additional relation into the sieve). If $e$ wasn't prime, we'd either need to explicitly compute the gcd, or use the relations $p \ne 1 \bmod f$ for all prime factors $f$ of $e$. Neither would be infeasible (or even all that difficult); however the prime case is easier.

Now, there is a counterargument in favor of composite values of $e$; it's that the RSA problem with a composite $e$ can be reduced to the RSA problem with all the prime factors of $e$; for example, the RSA problem with $e=33$ is hard if either the RSA problem with $e=3$ or the RSA problem with $e=11$ is hard. I've never heard anyone make this argument (possibly because we have no evidence that any odd $e > 1$ makes the RSA problem easier than any other)

poncho
  • 147,019
  • 11
  • 229
  • 360
  • It should be noted that when you generate a RSA key pair, you need to invert $e$ modulo $p-1$ and $q-1$; the natural algorithm for that is the extended GCD (binary GCD is easiest to implement) so you end up computing the GCD anyway. – Thomas Pornin Sep 30 '15 at 01:52
  • @ThomasPornin: yes, but you don't need to do it as a part of searching for the primes... – poncho Sep 30 '15 at 03:46