Should a Public Key or Private Key be Shared Among Users?

Users who share a key can impersonate one another (i.e., sign messages as one another and decrypt messages intended for one another), so in general keys should not be shared among users. However, some parts of a key may be shared, depending on the algorithm.

In RSA, while each person should have a unique modulus and private exponent (i.e., a unique private key), the public exponent can be common to a group of users without security being compromised. Some public exponents in common use today are 3 and 2^16+1; because these numbers are small, the public-key operations (encryption and signature verification) are fast relative to the private-key operations (decryption and signing). If one public exponent becomes standard, software and hardware can be optimized for that value. However, the modulus should not be shared.
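Why the modulus must stay unique, as an added example that is not part of the original FAQ: when two users share a modulus, each user's own key pair is enough to compute an exponent that works as the other's private exponent, so sharing a modulus amounts to sharing the private key. The primes, exponents, and function names below are constructed for illustration and are far too small for real use.

```python
from math import gcd

# Constructed demo key material (two small Mersenne primes), not a real key.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                      # modulus shared by users A and B
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(N); needs the secret primes

E_A, E_B = 65537, 257                          # distinct public exponents
D_A = pow(E_A, -1, LAM)                        # A's private exponent
D_B = pow(E_B, -1, LAM)                        # B's private exponent; A never sees it


def equivalent_exponent(e_own, d_own, e_other):
    """Build an exponent that inverts e_other mod N from the holder's own pair.

    e_own * d_own - 1 is a multiple of lambda(N). e_other is coprime to
    lambda(N), so dividing out every factor it shares with that multiple
    still leaves a multiple of lambda(N), and e_other is invertible modulo it.
    """
    k = e_own * d_own - 1
    g = gcd(e_other, k)
    while g > 1:
        k //= g
        g = gcd(e_other, k)
    return pow(e_other, -1, k)


def a_can_act_as_b(message):
    """True if A, using only (N, E_A, D_A), produces a value that verifies under B's key."""
    d_equiv = equivalent_exponent(E_A, D_A, E_B)
    signature = pow(message, d_equiv, N)       # textbook RSA, no padding
    return pow(signature, E_B, N) == message


if __name__ == "__main__":
    print("A can sign as B:", a_can_act_as_b(0x1234567890ABCDEF))
```

A shared public exponent has no such effect: with distinct moduli, one user's private exponent reveals nothing about another user's.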

In public-key systems based on discrete logarithms, such as Diffie-Hellman, DSA, and ElGamal (see Question 24, Question 26, and Question 29), a group of people can share a prime, which can lead to simpler implementations. It is worth noting, however, that this would make breaking a key more attractive to an attacker because it is possible to break every key with a given prime with only slightly more effort than it takes to break a single key. To an attacker, therefore, the average cost to break a key is much lower with a common prime than if every key has a distinct prime. Thus, if a common prime is chosen in a discrete-logarithm system, it should be large.
