[openssl-dev] common factors in (p-1) and (q-1)
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Aug 1 02:06:59 UTC 2015
On Fri, Jul 31, 2015 at 11:31:08PM +0000, paul at securecottage.com wrote:
> I have checked through the key generation code of the openssl ssl code.
Not carefully enough...
> I
> hacked it to report the greatest common divisor of p-1 and q-1. I then ran
> 100 key generations. It only had greatest common divisors of 2, 4 , 8, and
> 16. There were no other primes reported besides small powers of 2.
The reason is that all the pseudo-primes generated for testing are
sieved to avoid numbers that are congruent to either 0 or 1 mod p
for each of the first 2048 primes other than 2 (2 is avoided by
forcing the low bit to 1).
Thus any odd factor of (p-1) or (q-1) is necessarily larger than
the 2048th prime or 17863. To see an appreciable chance of such
a common factor you need O(20000) trials.
While a check to avoid gcd(p-1, q-1) > 2 is not too expensive, it
is not clear that it is worth the trouble. Perhaps it should be
done anyway, just because we can, but I am not convinced.
--
Viktor.
More information about the openssl-dev
mailing list