[openssl-dev] common factors in (p-1) and (q-1)

mancha mancha1 at zoho.com
Mon Aug 3 12:48:56 UTC 2015 

On Sun, Aug 02, 2015 at 12:59:49AM +0000, paul at securecottage.com wrote:
> 
> I'd like to thank several people for looking into my assertion that it
> is possible for common factors in p-1 and q-1 to leak from the
> factorisation of n-1.

Hi Paul.

I came across a paper by Mckee and Pinch [1] you might be interested in.
They describe an algo to factor n=pq when a common factor b of (p-1) and
(q-1) is known. Fortunately (for RSA), their algo is O(N^(1/4)/b) so to
just break even with GNFS the factor needs to be quite large:

modulus (n)   common factor (b)
(bits)        (bits)
 512            64
1024           169
2048           395
3072           629
4096           868

A literature review might uncover other interesting (and more recent)
ways to leverage common factors.

> (factorisation of p*q-1 is shown):
> 
> n-1 = 2 * 3^3 * 7 * 13 * 67 * 2399 * 28559 *
> 5485062554686449262177590194597345407327047899375366044215091312099734701911004226037445837630559113651708968440813791318544450398897628
> 67234233761906471233193768567784328338581360170038166729050302672416075037390699071355182394190448204086007354388034161296410061846686501
> 4941425056336718955019

Here's a slight improvement to my initial decomposition: 2 * 3^3 * 7 *
13 * 67 * 2399 * 28559 * 475108039391 * 2304683693240273 *
27081000093637206233815756979 *
184975060461462389844824492821434552152567410456158418229544246514131718793664172374877783767032501925392596713947281388784630550689770489020593012165694501623162932662905453122620777823162028887054350359842476275647758696138793577667109927

Note: factoring the last term in my product is left as an exercise to
the reader.

> Any rsa key generation in SAFE mode will always have a gcd(p-1,q-1)=2,
> so SAFE mode always avoids common factors.
> 
> My conclusion is that openssl code can have common factors (must be
> above 17863) in its rsa keys every 20,000 key generations or so when
> not generated in SAFE mode, and that at this time approximately 30
> bits of the totient will be revealed out of the 1024 bits of the full
> totient. There is, of course, no way of knowing which of the 20,000
> key generations will have the common factors.
> 
> Most people felt that the check (for gcd(p-1,q-1)> 16) was possible
> but they were not sure it was worth doing.
> 
> I'd like to point out from a cyber-attack possibility the check is
> worth doing.

Safe primes (p=2q+1) play an important role in Diffie-Hellman to avoid
subgroup confinement attacks. I just confirmed OpenSSL does indeed use
them for DH; from dh_builtin_genparams: 

  if (!BN_generate_prime_ex(ret->p, prime_len, 1, t1, t2, cb))
      goto err;

So, OpenSSL users are already quite used to whatever performance hit
is associated with them.

> As such it is appropriate that some checks be made at
> RSA_generate_key_ex() to make sure that the other software hasn't
> returned a bad key.  Openssl software is a significant part of the
> Internet security infastructure and so it would obviously be the
> target of hacking and cyber infiltration.  Some redundant checks are
> appropriate because of this.
> 
> A gcd(p-1,q-1)>16 check will disallow less than 1 percent of the
> currently acceptable keys, won't take much time to run, and would
> defeat cyber attempts to create a key with a significant common factor
> within it.
> 
> Thanks
> 
> Paul Cheffers

Given the low costs, one would be hard-pressed to find an intelligent
objection to your suggestion. Thanks for bringing this up.

--mancha (https://twitter.com/mancha140)

---
[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.1333
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150803/e99dbf1a/attachment.sig>

More information about the openssl-dev mailing list