[openssl-dev] common factors in (p-1) and (q-1)
Hilarie Orman
ho at cs.arizona.edu
Mon Aug 3 16:04:55 UTC 2015
On Mon, 3 Aug 2015 at 14:09:33 +0000 Viktor Dukhovni wrote:
> On Mon, Aug 03, 2015 at 12:07:18AM -0600, Hilarie Orman wrote:
> > > > 1. Use strong primes as in Rivest/Silverman. Simply described,
> > > > choose large primes r and s. Choose small factors i and j, gcd(i, j)
> > > > = 1. Find p such that 1+2*i*r is prime and q such that 1+2*j*s is
> > > > prime.
> >
> > > That's expensive to do.
> >
> > Twice as expensive. Is that really expensive?
> Perhaps the algorithm used to generate strong (Sophie Germain)
> primes in OpenSSL is not optimal, but it is noticeably slow.
> The probability that both p and 2*p+1 are prime (taking p=11 mod
> 12 to avoid obvious problems mod 2 and 3) is I would guess the
> square of the probability that p alone is prime. For P around 1024
> bits, 1 in ~350 odd numbers of that size is prime, so only 1 in
> ~350^2 candidates will be a strong prime.
> Now, you've relaxed the conditions to admit i!=1 and j!=1, by what
> algorithm does one quickly find i so that 1 + 2ir is also prime.
Because you can search through many 1+2*i*r combinations without the
need to generate a new base prime, the search is much faster than
for Sophie Germain primes.
> It seems to be me, and just finding p = 3 mod 4 some prime, and q
> any other prime with gcd(p-1, q-1) = 2 is a lot faster. For each
> of p,q we already ensure that the residue modulo each of the first
> 2047 odd primes is neither 0 nor 1, so exceptions will be very
> rare.
About one time in 20K. For running time comparisons to strong primes,
the devil is in the details.
> > > > 2. Find large primes p and q such that gcd(p^2-1, q^2-1) < 10^6.
> >
> > > This is much cheaper, but why (p^2-1, q^2-1), rather than just
> > > (p-1, q-1). What use is a common factor (other than 2) of (p+1,
> > > q-1) or (p+1, q+1)?
> >
> > Rules out Lucas sequences.
> What problem does that avoid for RSA?
Common factors in p+-1, q+-1 can be exploited to use Lucas sequences
to factor pq.
10^6 is a heuristic. It will be about a million times as hard get
a Lucas attack rolling if small factors are eliminated.
Hilarie
More information about the openssl-dev
mailing list