220.127.116.11 Should a key pair be shared among users?
Users who share a private key can impersonate one another (that is, sign messages as one another and decrypt messages intended for one another), so in general, private keys should not be shared among users. However, some parts of a key may be shared, depending on the algorithm (see Question3.6.12).
In RSA, while each person should have a unique modulus and private exponent (that is, a unique private key), the public exponent can be common to a group of users without security being compromised. Some public exponents in common use today are 3 and 216+1; because these numbers are small, the public key operations (encryption and signature verification) are fast relative to the private key operations (decryption and signing). If one public exponent becomes standard, software and hardware can be optimized for that value. However, the modulus should not be shared.
In public-key systems based on discrete logarithms, such as Diffie-Hellman, DSA, and ElGamal (see Question 3.6.1, Section 3.4, and Question 3.6.8), a group of people can share a set of system parameters, which can lead to simpler implementations. This is also true for systems based on elliptic curve discrete logarithms. It is worth noting, however, that this would make breaking a key more attractive to an attacker because it is possible to break every key with a given set of system parameters with only slightly more effort than it takes to break a single key. To an attacker, therefore, the average cost to break a key is much lower with a set common parameters than if every key had a distinct set of parameters.