In RSA, each person should have a unique modulus and private exponent,
i.e., a unique private key. The public exponent, on the other hand, can
be common to a group of users without security being compromised. Some
public exponents in common use today are 3 and 216+1; because these
numbers are small, the public-key operations (encryption and signature
verification) are fast relative to the private key operations
(decryption and signing). If one public exponent becomes a standard,
software and hardware can be optimized for that value.
In public-key systems based on discrete logarithms, such as ElGamal,
Diffie-Hellman, or DSS, it has often been suggested that a group of
people should share a modulus. This would make breaking a key more
attractive to an attacker, however, because one could break every key
with only slightly more effort than it would take to break a single
key. To an attacker, therefore, the average cost to break a key is much
lower with a common modulus than if every key has a distinct modulus.
Thus one should be very cautious about using a common modulus; if a
common modulus is chosen, it should be very large.