Closed sumanthakur1976 closed 7 months ago
The primary reason for limiting the value of is so that the value of private exponent does not turn out to be so small that one could do exhaustive search of d.
That is one reason, but not the only reason. The other is to keep public key operations fast. The choice of (1 << 33) - 1
matches ring, where that was based on Adam Langley's recommendations (i.e. what was used in the Go implementation of RSA) and observations of a potential "RSADoS" with very large public exponents (though it seems it should probably be (1 << 32) - 1
instead to match his recommendation of 2^32-1).
See:
You can use whatever value for e
you'd like via the RsaPublicKey::new_unchecked
constructor, but given the above, and absent a real-world use case, I would be hesitant to increase the value and if anything it seems like it should probably be decreased to 2^32-1.
The ring documentation also notes that the Windows CryptoAPI implementation of RSA uses a 32-bit DWORD
to represent the public exponent, so from a purely interop perspective there is little reason to support larger values since Windows won't support them: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-rsapubkey?redirectedfrom=MSDN
Ok, thanks, I'll make the changes locally.
The latest NIST specification allows public exponent $e$ to be in the range of $2^{16} + 1$ and $2^{256} - 1$ (inclusive) (Page 39 of SP-800-56B rev 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf)
The current code, however, artificially limits the maximum value of $e$ to $2^{64} - 1$, which is unnecessary. The primary reason for limiting the value of $e$ is so that the value of private exponent $d$ does not turn out to be so small that one could do exhaustive search of $d$. But limiting the value to $2^{64}$ is an overkill, especially given that minimal modulus size if no smaller than $2048$ bits.
Will appreciate if this could be extended to the actual NIST specified values.