This website does readability filtering of other pages. All styles, scripts, forms and ads are stripped. If you want your website excluded or have other feedback, use this form.

Re: [openssl-dev] common factors in (p-1) and (q-1)

Skip to site navigation (Press enter)

Re: [openssl-dev] common factors in (p-1) and (q-1)

Viktor Dukhovni Fri, 31 Jul 2015 11:47:11 -0700

On Fri, Jul 31, 2015 at 11:19:39AM -0700, Bill Cox wrote:

> Cool observation.  From running a bit of Python code, it looks like the
> probability that GCD(p-1, p-q) == 4 is a bit higher than 15%, at least for
> random numbers between 2048 and 4096 bits long.  It looks like putting in a
> GCD(p-1, q-1) check will slow down finding suitable p and q by around a
> factor of 6.5.
A smaller slow-down would be incurred one were to restrict both of
p,q to 3 mod 4. In that case 2 would be the largest common even
factor of (p-1) and (q-1), and any appreciably large common odd
factor (necessarily above 17863 due to how each of p/q is chosen)
would be very rare.

Is there a good argument for adding the gcd test?  How big does
the common factor have to be for any information it might provide
to be substantially useful in finding 1/e mod phi(m)?

The larger the common factor is, the smaller the probability of
p-1 and q-1 sharing it (for a given sufficiently large prime factor
"r" of (p-1), the probability of (q-1) also having that factor is
1/(r-1)).  If say "r" needs be 80 bits long to be useful in attacking
RSA 1024, then only ~1 in 2^80 (p-1,q-1) pairs will have such a
common factor, which is sufficiently rare not warrant any attention.

Also one still needs to be able to fully factor (n-1).  After tens
of thousands of trials, I managed to generate a (p,q,n) triple with
a 1024-bit modulus n in which (p-1,q-1) have a common odd factor.

    n = 

    e = F_4 = 65537

    gcd(p-1,q-1) = 2 * 28559

What can the OP tell us about d, p or q?  Can anyone produce a full 
factorization of n - 1?

openssl-dev mailing list
To unsubscribe: []

Reply via email to