### Question 117. Should a Public Key or Private Key be Shared Among Users?

Users who share a key can impersonate one another (i.e., sign messages
as one another and decrypt messages intended for one another), so in general
keys should not be shared among users. However, some parts of a key may
be shared, depending on the algorithm.

In RSA, while each person should have a unique modulus and private exponent
(i.e., a unique private key), the public exponent can be common to a group
of users without security being compromised. Some public exponents in common
use today are 3 and 2^16 + 1; because these numbers are small,
the public-key operations (encryption and signature verification) are fast
relative to the private-key operations (decryption and signing). If one
public exponent becomes standard, software and hardware can be optimized
for that value. However, the modulus should not be shared.
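
The following added example (not part of the original FAQ) audits a key directory for shared moduli and shows, with constructed toy primes, why a shared modulus is unacceptable while a shared public exponent is harmless. The directory, the user names and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from math import gcd

# Constructed toy directory (tiny primes, illustration only): user -> (n, e).
# alice and bob share n = 61 * 53; alice and carol share only e = 17.
DIRECTORY = {
    "alice": (3233, 17),
    "bob": (3233, 7),
    "carol": (3127, 17),
}
ALICE_D = 2753  # alice's private exponent: 17 * 2753 = 1 mod lcm(60, 52)


def shared_modulus_groups(directory):
    """Return the groups of users whose public keys carry the same modulus.
    A common public exponent is expected and is not reported."""
    by_modulus = defaultdict(list)
    for user, (n, _e) in directory.items():
        by_modulus[n].append(user)
    return sorted(sorted(users) for users in by_modulus.values() if len(users) > 1)


def equivalent_private_exponent(own_e, own_d, other_e):
    """Why the audit matters: own_e * own_d - 1 is a multiple of lambda(n),
    so any holder of one key pair on n can invert another user's public
    exponent modulo that multiple and obtain a working private exponent."""
    k = own_e * own_d - 1
    g = gcd(k, other_e)
    while g > 1:  # strip factors shared with other_e; k stays a multiple of lambda(n)
        k //= g
        g = gcd(k, other_e)
    return pow(other_e, -1, k)


def decrypt_for_bob_using_alices_key(message):
    """Encrypt to bob, then decrypt using only alice's own key pair."""
    n, bob_e = DIRECTORY["bob"]
    ciphertext = pow(message, bob_e, n)
    derived_d = equivalent_private_exponent(DIRECTORY["alice"][1], ALICE_D, bob_e)
    return pow(ciphertext, derived_d, n)


if __name__ == "__main__":
    print("users sharing a modulus:", shared_modulus_groups(DIRECTORY))
    print("bob's message recovered by alice:", decrypt_for_bob_using_alices_key(1234))
```

Carol shares the exponent 17 with Alice and is not flagged; Alice and Bob share a modulus and are, because each can act with the other's private key.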

In public-key systems based on discrete logarithms, such as Diffie-Hellman,
DSA, and ElGamal (see Question 24, Question 26, and Question 29),
a group of people can share
a prime, which can lead to simpler implementations. It is worth noting,
however, that this would make breaking a key more attractive to an attacker
because it is possible to break every key with a given prime with only
slightly more effort than it takes to break a single key. To an attacker,
therefore, the average cost to break a key is much lower with a common
prime than if every key has a distinct prime. Thus, if a common prime is
chosen in a discrete-logarithm system, it should be large.