Mbedtls_rsa_gen_key Range of public exponent

Hi, I am looking at mbedtls test suite for rsa mbedtls/test_suite_rsa.data at development · Mbed-TLS/mbedtls · GitHub

In mbedtls/library/rsa.c, function mbedtls_rsa_gen_key(), it is said that

This generation method follows the RSA key pair generation procedure of
FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.

However, for the first test of RSA Generate Key, an exponent of 3 (less than 2^16) is given, and the expected result is still 0 ( success)
image

The expected result is MBEDTLS_ERR_RSA_BAD_INPUT_DATA? Or should the suite test with minimum of 65537 for a success result? Or am I misunderstand something?

Thanks for reading,

P.s. In the code, despite saying the comment before the function that 2^16<exponent<2^256, the function only make sure that exponent >= 3
image

UPDATE: Sorry if my question was unclear. The code comment said that it follow the keypair generation procedure of FIPS 186-4 IF 2^16 < public exponent < 2^256. But why not strictly enforcing the FIPS required range (return MBEDTLS_ERR_RSA_BAD_INPUT_DATA if exponent < 65537 ), instead you only check if public exponent is not smaller than 3 ?

Hi Kay,

First, to explain the comment, it does say that the method follows FIPS if the exponent is >2^16. That specific comment doesn’t say anything about the case of an exponent <2^16.

In general, Mbed TLS follows official specifications where applicable. But the library does not always enforce that non-compliant inputs are rejected. It depends on the function and on the specification.

Regarding RSA public exponents, there is some debate in the cryptography and compliance community of whether to require a public exponent that isn’t “too small”. Using 3 is not inherently insecure. There were attacks on early uses of RSA with small exponents, but that was due to the lack of proper padding (such as PKCS#1 padding modes, which is all Mbed TLS supports unless you call mbedtls_rsa_public() directly). A small public exponent may make some side channel or fault injection attacks easier, but there’s no consensus that the small exponent really helps the attacker. If you’re interested in the topic, I recommend padding - What security authorities and standards reject $e=3$ in RSA, when, and with what rationale? - Cryptography Stack Exchange and the references cited there.

Since 3 has a significant performance benefit over 2^16+1 when verifying signatures or encrypting data, and it is secure and permitted by some authorities, the library permits it.

If the exponent is between 2^16 and 2^256 then the key generation procedure compiles with FIPS 186-4. Specifically it uses a Miller-Rabin probabilistic test with the number of iterations specified in FIPS 186-4.

FIPS 186-4 doesn’t allow smaller exponents, so if the exponent is 2^16, the FIPS specification doesn’t say what parameters to use for Miller-Rabin. To use the library in a FIPS-compliant way, you must not use a smaller public exponent. The library itself won’t prevent you.

Best regards,
Gilles Peskine
Mbed TLS developer