RSA public keys consist of two values, the Modulus (N) and the Exponent (e).

Most modern RSA implementations use a fixed exponent value of e = 65537. This is both a value that is efficient to calculate and that avoids some possible attacks.

In theory RSA can be used with very small exponents, the smallest possible value is e = 3 and has been used in the past. However very small exponent values enable some attacks:

- Various variations of Coppersmith's attack rely on small exponents, Wikipedia has a good overview.
- Bleichenbacher's signature forgery attack and variations like BERserk.

These small exponent attacks rely on implementation flaws and can be avoided by carefully implementing RSA padding. However it is generally a good idea to systemically avoid implementation flaws if possible, therefore it is recommended to avoid small exponents.

Another possible issue with exponents are small private exponents, which allow the Boneh/Durfee attack. Keys with a small private exponent would in almost all cases have a large public exponent.

By choosing the default value of e = 65537 one avoids both small public exponent and small private exponent attacks. Also very generally standardizing cryptographic parameters is a good thing, therefore it is recommend that all RSA keys should use e = 65537.