[cryptography] Duplicate primes in lots of RSA moduli

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 18 01:57:08 EST 2012


Adam Back <adam at cypherspace.org> writes:

>Further the fact that the entropy seeding is so bad that some implementations
>are generating literally the same p value (but seemingly different q values)
>I would think you could view the fact that this can be detected and
>efficiently exploited via batch GCD as an indication of an even bigger
>problem.

Do we know that this is accidental rather than deliberate?  A cute
"optimisation" for keygen would be to only randomly generate one half of the
{p,q} pair.  It's plenty of randomness after all, surely you don't really need
both to be generated randomly, only one will do, and it'll halve the keygen
time...

Peter.
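
An added example, not part of the original post: an audit of a set of RSA public moduli for the pattern discussed in this thread (the same p reused with different q values), using batch GCD with a product tree and remainder tree. The moduli are constructed toy values built from Mersenne primes, `P_FIXED` stands in for the hypothetical keygen that randomises only one prime, and the function names are this example's own.

```python
from math import gcd

# Constructed toy inputs, not real keys: Mersenne primes stand in for RSA primes.
P_FIXED = 2**89 - 1                      # the prime a flawed keygen keeps reusing
SAMPLE = [
    P_FIXED * (2**61 - 1),               # key from the flawed keygen
    (2**31 - 1) * (2**19 - 1),           # unrelated, healthy key
    P_FIXED * (2**107 - 1),              # key from the flawed keygen
    (2**17 - 1) * (2**13 - 1),           # unrelated, healthy key
    P_FIXED * (2**127 - 1),              # key from the flawed keygen
]

def product_tree(values):
    """Levels of pairwise products; the last level holds the product of all values."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """For each N_i, return gcd(N_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    rems = tree.pop()                    # [P], the product of every modulus
    while tree:
        level = tree.pop()
        # Push P down the tree, reducing modulo the square of each node.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod N_i^2 equals N_i * (P/N_i mod N_i), so dividing by N_i is exact.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]

def audit(moduli):
    """Map each shared factor to the indices of the moduli that contain it."""
    shared = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:  # duplicate modulus or both primes reused: try pairwise GCDs
            g = next((d for m in moduli if 1 < (d := gcd(n, m)) < n), n)
        if g != 1:
            shared.setdefault(g, []).append(i)
    return shared

if __name__ == "__main__":
    for factor, indices in audit(SAMPLE).items():
        print(f"moduli {indices} share a {factor.bit_length()}-bit factor")
```

A single factor shared by many otherwise unrelated moduli, as in this output, is the signature the thread describes; a healthy key set returns an empty mapping.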


