Daniel Gartmann

Reputation: 13058

What are common RSA sign exponents?

Is there any difference between the RSA encryption/decryption exponent and the RSA sign/check exponent?

Upvotes: 5

Views: 28677

Answers (3)

Charlie Martin

Reputation: 112404

None. The public key of an RSA public/private pair consists of an exponent and a modulus, whether it's being used to sign or encrypt. The most common exponent is 0x10001.

The Wikipedia article on RSA is pretty good.

Upvotes: 13

david.barkhuizen

Reputation: 5665

There is no difference between an RSA key intended for signing/verification versus one intended for encryption/decryption in terms of modulus - however the value of the key usage extension in the X509 certificate will differ.

To summarise the detailed answers to "Should RSA public exponent be only in {3, 5, 17, 257 or 65537} due to security considerations?" over at security.stackexchange.com:

In theory, all common implementations should allow you to use any prime > 2, but Fermat numbers - numbers of the form 2^n + 1, e.g. 3, 5, 17, 257, 65537 - that are known to be prime are often favoured because they speed up calculations on one side of the operation (encrypt/decrypt, sign/verify) - and 65537 is probably the most common exponent in use at this point in time (2020/11).

However, your specific implementation may restrict the maximum value you can use in practice.

Upvotes: 2

Paŭlo Ebermann

Reputation: 74800

There is no structural difference between an RSA key pair used for signing and one used for encryption/decryption. In theory, you could use one pair for both, but this opens up ways for new attacks, so it isn't recommended.

On the other hand, there are differences between private and public exponents:

  • The public exponent can be relatively small, which shortens the key size and speeds up encryption and signature verification. As Charlie Martin said, 0x10001 = 2^16 + 1 = 65537 is a common choice.

  • The private exponent, on the other hand, is derived from the public key and the modulus' factorization, and usually in the size order of the modulus itself. As it shall stay private, it can't be small (otherwise it is easy to guess), and it also needs to fulfill the arithmetic relation to the public exponent, which makes it automatically large.

    This makes naive signing/decryption slower than the corresponding public operations, but on the other hand, it is possible to speed this up a bit by using the decomposition of the modulus and the Chinese Remainder Theorem, i.e. calculating modulo p and q separately instead of modulo m = p·q and then combining the results.

Note that we distinguish between public (encryption/verification) and private (decryption/signing) exponents, not between signing/verification and encryption/decryption exponents.

Upvotes: 4
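The public/private exponent asymmetry and the CRT shortcut described in the answers above, as an added example that is not part of any post on this page. It uses textbook RSA without padding on a constructed toy key; the primes, the message and all function names are assumptions chosen for illustration.

```python
# Added example: textbook RSA on a toy key (no padding, not for real use).
E = 0x10001                      # the common public exponent, 2**16 + 1
P = 2**127 - 1                   # constructed toy primes (Mersenne primes),
Q = 2**89 - 1                    # far too small and structured for real keys


def make_key(p, q, e):
    """Derive the private exponent and the CRT parameters from p, q and e."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if gcd(e, phi) != 1
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def public_op(key, x):
    """Public operation (encryption or verification): x**e mod n."""
    return pow(x, key["e"], key["n"])


def private_op(key, x):
    """Naive private operation (decryption or signing): x**d mod n."""
    return pow(x, key["d"], key["n"])


def private_op_crt(key, x):
    """Same result via CRT: work modulo p and q, then recombine (Garner)."""
    m1 = pow(x, key["dp"], key["p"])
    m2 = pow(x, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


KEY = make_key(P, Q, E)
MSG = int.from_bytes(b"constructed sample", "big")   # must be < n

if __name__ == "__main__":
    print("public exponent bits :", KEY["e"].bit_length())
    print("private exponent bits:", KEY["d"].bit_length())
    print("modulus bits         :", KEY["n"].bit_length())
    sig = private_op_crt(KEY, MSG)
    print("CRT matches naive    :", sig == private_op(KEY, MSG))
    print("signature verifies   :", public_op(KEY, sig) == MSG)
```

The same two operations serve both directions: `public_op` followed by `private_op` is encrypt/decrypt, and the reverse order is sign/verify. Real systems wrap them in different padding schemes and use separate key pairs.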
