I know it will not encrypt anything. But is $1$ valid as a public exponent in an RSA public key?
1 Answer
TL;DR: whether $e=1$ is allowed or not is a matter of conventions and context.
Definitions of RSA vary:
- The original RSA article asks to first choose the private exponent $d$ as « a large, random integer which is relatively prime to $(p-1)\cdot(q-1)$ », then to compute $e$ as « the “multiplicative inverse” of $d$, modulo $(p-1)\cdot(q-1)$ ». This makes it extremely improbable that $e=1$, but allows it. Later descriptions of RSA tend to choose $e$ first.
- PKCS#1 v1.5 / RFC 2313 asks to « select a positive integer $e$ as its public exponent ». That allows $e=1$.
- PKCS#1 v2.0 / RFC 2437 states « the public exponent $e$ is an integer between $3$ and $n-1$ satisfying $\gcd(e,\lambda(n))=1$, where $\lambda(n)=\operatorname{lcm}(p-1,q-1)$ ». That does not allow $e=1$, but still allows $e=\lambda(n)+1$ and $e=(p-1)\cdot(q-1)+1$, and perhaps a few other values of $e$ that are such that $x\mapsto x^e\bmod n$ is the identity function over $[0,n)$ just as it is for $e=1$. PKCS#1 v2.2 has the same prescription for $e$.
- FIPS 186-4 states « the exponent $e$ shall be an odd positive integer such that $2^{16}<e<2^{256}$ », and that forbids $e=1$. Combined with $d=e^{-1}\bmod\operatorname{lcm}(p-1,q-1)$ and a minimum for $d$, that makes it impossible for $x\mapsto x^e\bmod n$ to be the identity function.
For computer implementations, that depends on whether an explicit test against $e=1$ is present or not. Both exist.
Sometimes, public keys with $e=1$ or $e=\lambda(n)+1$ (which is more rarely disallowed by software) are used in test keys, or in reverse-engineering, in order to allow easy analysis of padding. Of course, such keys must not be used for encryption or signature of valuable data.
fgrieu
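An added example, not part of the answer above: a key-validation sketch in Python that applies the three range rules quoted in the answer and flags exponents for which $x\mapsto x^e\bmod n$ is the identity. The function names are hypothetical, the primes are constructed toy values, and the FIPS 186-4 entry covers only the range of $e$, not the conditions on $d$.

```python
from math import gcd

def carmichael(p, q):
    """lambda(n) = lcm(p-1, q-1) for n = p*q with distinct primes p, q."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def is_identity_exponent(e, p, q):
    """Exact test (needs the factors): x -> x^e mod n is the identity
    on [0, n) exactly when e = 1 (mod lambda(n))."""
    return e % carmichael(p, q) == 1

def acts_as_identity(n, e, probes=(2, 3, 5, 7, 11)):
    """Public-key-only heuristic: does x^e mod n return x for every probe?"""
    return all(pow(x, e, n) == x % n for x in probes)

def allowed_by(e, n, lam):
    """Range rules for e as quoted in the answer (checks on e itself only)."""
    return {
        "PKCS#1 v1.5 (RFC 2313)": e > 0,
        "PKCS#1 v2.0 (RFC 2437)": 3 <= e <= n - 1 and gcd(e, lam) == 1,
        "FIPS 186-4": e % 2 == 1 and 2**16 < e < 2**256,
    }

if __name__ == "__main__":
    p, q = 61, 53  # constructed toy primes, far too small for real keys
    n, lam = p * q, carmichael(p, q)
    # Candidates: e = 1, an ordinary exponent, lambda(n)+1, (p-1)(q-1)+1, 65537
    for e in (1, 17, lam + 1, (p - 1) * (q - 1) + 1, 65537):
        print(e, is_identity_exponent(e, p, q), acts_as_identity(n, e),
              allowed_by(e, n, lam))
```

A validator that only rejects $e=1$ still accepts $e=\lambda(n)+1$ here, which is why the probe-based check is useful when only the public key is available.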