An Efficient All-to-All GCD Algorithm for Low Entropy RSA Key Factorization

TL;DR

This paper introduces a novel binary tree batch GCD algorithm that significantly improves the efficiency of detecting shared prime factors in RSA keys, enhancing the practicality of low entropy RSA key factorization attacks.

Contribution

The paper presents a new binary tree batch GCD algorithm that outperforms existing methods in runtime, enabling more efficient low entropy RSA key factorization.

Findings

The binary tree batch GCD algorithm is approximately 6 times faster than the remainder tree approach.

The new algorithm maintains similar asymptotic complexity but offers practical runtime improvements.

Performance gains are especially notable when many RSA keys share prime factors.

Abstract

RSA is an incredibly successful and useful asymmetric encryption algorithm. One of the types of implementation flaws in RSA is low entropy of the key generation, specifically the prime number creation stage. This can occur due to flawed usage of random prime number generator libraries, or on computers where there is a lack of a source of external entropy. These implementation flaws result in some RSA keys sharing prime factors, which means that the full factorization of the public modulus can be recovered incredibly efficiently by performing a computation GCD between the two public key moduli that share the prime factor. However, since one does not know which of the composite moduli share a prime factor a-priori, to determine if any such shared prime factors exist, an all-to-all GCD attack (also known as a batch GCD attack, or a bulk GCD attack) can be performed on the available public keys so as to recover any shared prime factors. This study describes a novel all-to-all batch GCD algorithm, which will be referred to as the binary tree batch GCD algorithm, that is more efficient than the current best batch GCD algorithm (the remainder tree batch GCD algorithm). A comparison against the best existing batch GCD method (which is a product tree followed by a remainder tree computation) is given using a dataset of random RSA moduli that are constructed such that some of the moduli share prime factors. This proposed binary tree batch GCD algorithm has better runtime than the existing remainder tree batch GCD algorithm, although asymptotically it has nearly identical scaling and its complexity is dependent on how many shared prime factors exist in the set of RSA keys. In practice, the implementation of the proposed binary tree batch GCD algorithm has a roughly 6x speedup compared to the standard remainder tree batch GCD approach.