tarcieri
commented
7 months ago The primary reason for limiting the value of is so that the value of private exponent does not turn out to be so small that one could do exhaustive search of d.
That is one reason, but not the only reason. The other is to keep public key operations fast. The choice of (1 << 33) - 1 matches ring, where that was based on Adam Langley's recommendations (i.e. what was used in the Go implementation of RSA) and observations of a potential "RSADoS" with very large public exponents (though it seems it should probably be (1 << 32) - 1 instead to match his recommendation of 2^32-1).
See:
- https://www.imperialviolet.org/2012/03/16/rsae.html
- https://www.imperialviolet.org/2012/03/17/rsados.html
You can use whatever value for e you'd like via the RsaPublicKey::new_unchecked constructor, but given the above, and absent a real-world use case, I would be hesitant to increase the value and if anything it seems like it should probably be decreased to 2^32-1.
sumanthakur1976
The latest NIST specification allows public exponent $e$ to be in the range of $2^{16} + 1$ and $2^{256} - 1$ (inclusive) (Page 39 of SP-800-56B rev 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf)
The current code, however, artificially limits the maximum value of $e$ to $2^{64} - 1$, which is unnecessary. The primary reason for limiting the value of $e$ is so that the value of private exponent $d$ does not turn out to be so small that one could do exhaustive search of $d$. But limiting the value to $2^{64}$ is an overkill, especially given that minimal modulus size if no smaller than $2048$ bits.
Will appreciate if this could be extended to the actual NIST specified values.