[cryptography] Duplicate primes in lots of RSA moduli

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 18 01:57:08 EST 2012

Adam Back <adam at cypherspace.org> writes:

>Further the fact that the entropy seeding is so bad that some implementations
>are generating literally the same p value (but seemingly different q values)
>I would think you could view the fact that this can be detected and
>efficiently exploited via batch GCD as an indication of an even bigger

Do we know that this is accidental rather than deliberate?  A cute
"optimisation" for keygen would be to only randomly generate one half of the
{p,q} pair.  It's plenty of randomness after all, surely you don't really need
both to be generated randomly, only one will do, and it'll halve the keygen


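An added example, not part of the original message: a key-inventory audit that uses batch GCD (product tree, then remainder tree) to flag RSA moduli that share a prime, which is the pattern a fixed p with varying q values would produce. The sample moduli are constructed from Mersenne primes for illustration, and the function names are this example's own.

```python
from math import gcd, prod


def batch_gcd(moduli):
    """For each modulus N_i, return gcd(N_i, product of all the other moduli)."""
    # Product tree: leaves are the moduli, the root is their product P.
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    # Remainder tree: push P down, reducing modulo node^2 at every step.
    rems = tree.pop()
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N_i^2) // N_i equals (P / N_i) mod N_i, so one gcd per key suffices.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit(moduli):
    """Map index -> shared factor for every modulus not coprime to the rest."""
    findings = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            # Every factor is shared (duplicate modulus, or p and q each reused
            # elsewhere): fall back to pairwise GCDs to find a proper factor.
            pairwise = (gcd(n, m) for j, m in enumerate(moduli) if j != i)
            g = next((d for d in pairwise if 1 < d < n), n)
        if g != 1:
            findings[i] = g
    return findings


# Constructed sample: three keys reuse the same p, one key is independent.
SHARED_P = 2**127 - 1
SAMPLE = [
    SHARED_P * (2**61 - 1),
    SHARED_P * (2**89 - 1),
    (2**31 - 1) * (2**19 - 1),   # independent key, should not be flagged
    SHARED_P * (2**107 - 1),
]

if __name__ == "__main__":
    for index, factor in audit(SAMPLE).items():
        print(f"modulus {index} shares factor {factor}; key must be regenerated")
```

A result equal to the modulus itself means the whole key is duplicated elsewhere in the inventory rather than just one prime.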