
Ask HN: Should an RSA public exponent be prime? - cr0bar_uk
I've done some research and found conflicting answers.. should an RSA public exponent (used in GPG etc) be prime? Is there a security risk in using non-prime numbers?
======
tptacek
1\. Technical answer: an RSA public exponent needs to be coprime with the
modulus, which is not the same as requiring that it be prime.

2\. Pragmatic answer: prime numbers are generally coprime with the modulus,
and so they're an easy answer, and so RSA public exponents tend to be prime.

3\. Best-practice answer: just use 65537, in all cases. The other popular
answer is 3, which is mathematically fine, but leaves less room for
implementation error; there are some implementation flaws for which attacks
are untenable with e=65537.

4\. Long-term answer: don't use RSA. RSA is well on its way to obsolescence.
Most problems you'd ever want to solve with RSA are better solved with
Curve25519 (for DH) and Ed25519 (for signing). Not coincidentally, these are
the algorithms implemented by NaCl, the only crypto library you should
consider using.

5\. Scolding answer: if you have to ask, please don't try to implement any of
this yourself. It is _very_ difficult to get RSA right.

~~~
sdevlin
I think e needs to be coprime with phi(N) rather than N itself. This is so you
can find d = e^-1 mod phi(N), which would otherwise not exist.

Of course, if e shares a factor with N, you have bigger problems.

~~~
tptacek
Oh, duh. Of course. :)
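
The coprimality condition discussed in this thread, as an added example that is not part of any comment above: a key-validation check showing that a composite e can be valid while a prime e (including 3) can be invalid, depending on phi(N). The primes 61 and 53 and the function names are constructed for illustration; real keys use primes of 1024 bits or more.

```python
from math import gcd

# Constructed toy primes (illustration only, far too small for real use).
P, Q = 61, 53          # N = 3233, phi(N) = 60 * 52 = 3120 = 2^4 * 3 * 5 * 13


def check_exponent(p, q, e):
    """Classify a candidate public exponent e for the key (p, q)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, n) != 1:
        # e shares a factor with N: the public key itself leaks p or q.
        return "shares a factor with N"
    if gcd(e, phi) != 1:
        # No d with e*d = 1 (mod phi(N)) exists, so decryption is impossible.
        return "not coprime with phi(N)"
    return "ok"


def rsa_private_exponent(p, q, e):
    """Return d = e^-1 mod phi(N), or None when the inverse does not exist."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return None
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def roundtrip(p, q, e, m):
    """Textbook RSA (no padding) encrypt then decrypt; None if e is unusable."""
    d = rsa_private_exponent(p, q, e)
    if d is None:
        return None
    n = p * q
    return pow(pow(m, e, n), d, n)


if __name__ == "__main__":
    # 17: prime, valid. 49: composite (7^2), still valid. 3 and 13: prime,
    # but they divide phi(N). 61: coprime with phi(N) but a factor of N.
    for e in (17, 49, 65537, 3, 13, 61):
        print(e, check_exponent(P, Q, e), rsa_private_exponent(P, Q, e))
```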

