[openssl-dev] common factors in (p-1) and (q-1)

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Fri Jul 31 23:43:07 UTC 2015 

I think adding the recommended check would be beneficial. Considering the frequency of ‎key generation, performance impact shouldn't matter all that much. 

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: paul at securecottage.com
Sent: Friday, July 31, 2015 19:31
To: mancha
Reply To: openssl-dev at openssl.org
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] common factors in (p-1) and (q-1)

Hi Mancha,

Since p*q-1==(p-1)*(q-1)+(p-1)+q-1) any prime that divides (p-1) and 
(q-1) will divide all 4 of the terms in the definition of p*q-1. Thus 
it will be a common factor in the totient.

I have checked through the key generation code of the openssl ssl 
code. I hacked it to report the greatest common divisor of p-1 and 
q-1. I then ran 100 key generations. It only had greatest common 
divisors of 2, 4 , 8, and 16. There were no other primes reported 
besides small powers of 2.

So there doesn't seem to be a practical problem with common divisors 
in the openssl code.

Still, I think this is a theoretical problem. There should be a 
gcd(p-1,q-1)>16 check for the two primes in key generation.

Paul


Quoting mancha <mancha1 at zoho.com>:

> On Fri, Jul 31, 2015 at 02:36:03AM +0000, paul at securecottage.com wrote:
>>
>> Hi there,
>>
>> I have looked at the RSA protocol a bit and have concluded that
>>
>> 1) common factors in (p-1) and (q-1) are also in the factorisation of
>> (p*q-1). 2) by factoring (p*q-1) you can come up with candidates for
>> squares in the totient. 3) you can also come up with d mod
>> commonfactor^2 if there is a common factor.
>>
>> the math is shown in my wikipedia users page math blog at:
>>
>> https://en.wikipedia.org/wiki/User:Endo999#The_Bad_Stuff_That_Happens_When_There_Are_Common_Factors_Between_.28P-1.29_and_.28Q-1.29
>
> [SNIP]
>
> Hi. How are you finding a common factor f such that f|(p-1) and f|(q-1)?
>
> Thanks.
>
> --mancha
>
> -- https://twitter.com/mancha140



_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4350 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150731/db182751/attachment.bin>

More information about the openssl-dev mailing list