In my project I'm using a public exponent value of 4451h. I thought it was safe and OK until I started to use one commercial RSA encryption library. If I use this exponent with this library, it throws an exception.
I contacted the developers of this library and got the following reply: "This feature is to prevent some attacks on RSA keys. The consequence is that the exponent value is limited to {3, 5, 17, 257 or 65537}. Deactivating this check is still being investigated, as the risks may be great."
This is the first time in my life I have heard that values other than {3, 5, 17, 257 or 65537} are used to break RSA. I knew only of using 3 with improper padding being vulnerable.
Is that really so? Surely, I can use another library, but after such an answer I am worried about the security of my solution.
Like Yuval said, there is a performance reason: if you use $e = 2^k + 1$ for some (small) $k$, then computing $x^e \bmod n$ is going to be faster than for most other exponents. Taking $k=16$ is very common and gives $e = 65537$, while taking $k$ equal to 1, 2, 4 or 8 gives the other values in your library. Also, as these are (Fermat) primes, all $n = pq$ with $p \bmod e \neq 1$ and $q \bmod e \neq 1$ will give a valid $(n,e)$-combination, and many libraries build their $n$ this way, for efficient testing and generation of $n$. A small $e$ is potentially dangerous because of so-called broadcast attacks (sending 3 times the same message with $e = 3$ to 3 different people (with different moduli) compromises the message), even though this can be thwarted by padding, and small $e$ are thus often avoided. But in principle any large enough $e$ that is coprime with $\phi(n)$ can be used, provided that $d$ is not too small etc. So this library has chosen to optimize its generation and testing (take shortcuts that can be made for these choices of $e$) and disallow other $e$. There are standards that always take 65537 for $e$ (so you don't have to transmit that info), so this library is even flexible compared to that.
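The two points in the answer above can be checked directly. This is an added example, not code from the post or from the library in question: it counts the squarings and multiplications that square-and-multiply needs for each exponent, and compares the general validity rule (coprime with $\phi(n)$) with the $p \bmod e \neq 1$ shortcut. The function names and the sample primes are assumptions made for the illustration.

```python
from math import gcd

# Constructed sample primes (the Mersenne primes 2^31-1 and 2^61-1); far too
# small and too structured for real keys, used only so the example runs instantly.
P, Q = 2**31 - 1, 2**61 - 1

def modexp_cost(x, e, n):
    """Left-to-right square-and-multiply.
    Returns (x^e mod n, number of squarings, number of multiplications)."""
    result, squarings, mults = x % n, 0, 0
    for bit in bin(e)[3:]:              # bits after the leading 1
        result = result * result % n
        squarings += 1
        if bit == "1":
            result = result * x % n
            mults += 1
    return result, squarings, mults

def exponent_ok(e, p, q):
    """General rule: e must be coprime with phi(n) = (p-1)(q-1)."""
    return gcd(e, (p - 1) * (q - 1)) == 1

def prime_exponent_ok(e, p, q):
    """Shortcut, valid only for prime e: p mod e != 1 and q mod e != 1."""
    return p % e != 1 and q % e != 1

def roundtrip(e, p, q, m):
    """Textbook (unpadded) RSA encrypt/decrypt, only to show the pair works."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent, needs Python 3.8+
    return pow(pow(m, e, n), d, n)

if __name__ == "__main__":
    n = P * Q
    for e in (3, 5, 17, 257, 65537, 0x4451):
        _, sq, mu = modexp_cost(0x1234567, e, n)
        print(f"e={e:>5}: {sq} squarings + {mu} multiplications, "
              f"usable with this (p, q): {exponent_ok(e, P, Q)}")
```

With these sample primes, 3 and 5 are rejected by both checks because they divide $p-1$ or $q-1$, which is why key generators that fix $e$ in advance reject such primes and draw new ones.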