
Unsafe RSA primes conjectured - jjgreen
https://mathoverflow.net/questions/283767/
======
srcmap
A related public key news:

[https://arstechnica.com/information-technology/2017/10/crypt...](https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/)

It compromises the TPM 1.2 and Microsoft Bitlocker HDD encryption.

The researchers also scanned the Internet for fingerprinted keys and quickly
found hits in a variety of surprising places. They found 447 fingerprinted
keys—237 of them factorizable—used to sign GitHub submissions, some for very
popular software packages. GitHub has since been notified of the fingerprinted
keys and is in the process of getting users to change them.

The researchers also found 2,892 PGP keys used for encrypted e-mail, 956 of
which were factorizable. The researchers speculated that the majority of the
PGP keys were generated using the Yubikey 4, which allows owners to use the
faulty library to create on-chip RSA keys. Other functions of the USB device,
including U2F authentication, remain unaffected. Yubico has more details here.

~~~
slackingoff2017
What are the odds that this was intentional? TPM and Bitlocker have been two
of the biggest conjectured targets of compromise. To the point that most
security people/libraries use neither. Maybe they were right?

If this is true one of the Stackoverflow comments is quite chilling

 _It would be a terrible idea and it would raise suspicions of a deliberate
trapdoor if the primes for RSA were chosen from a quadratic progression rather
than randomly_

~~~
tptacek
That comment isn't intended to be "chilling"; it's intended to be the
opposite.

This is a _terrible_ cryptographic backdoor. If you're going to backdoor
cryptography, you do it cryptographically, so that only you and your partners
can decrypt it (this is called a "NOBUS" backdoor, for "nobody but us"). The
only reason nobody found the Infineon bug already is that nobody seriously
looked for it.

The most plausible explanation for the Infineon bug is also the most
widespread: there's prime number generation advice for quickly generating
primes on low-power devices like smartcards, and that advice was badly flawed.

(This isn't the first time primegen bugs have created factorable public keys
in the wild; Heninger has a similar attack relating to p =
randomprime(start=0), q = randomprime(start=p)).
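The "q = randomprime(start=p)" failure mode mentioned above is the classic case where the two RSA primes are generated adjacent to each other, so the modulus splits with Fermat's difference-of-squares method in a handful of steps. The following is an added key-sanity check, not code from the thread or from any of the libraries discussed: it builds a constructed toy modulus the same way (next prime after p), shows that the check catches it, and that a modulus from independently chosen primes of different sizes is not caught. The primality test, `next_prime` helper and the 64-bit sizes are my own choices for an offline demonstration.

```python
"""Detect an RSA modulus whose primes were generated too close together.

Added example: only the public modulus n is needed; the check succeeds
exactly when n = p*q with |p - q| small relative to sqrt(n), which is the
situation produced by q = next_prime(p).
"""
from math import isqrt

# Bases that make Miller-Rabin deterministic for n < 3.3e24 (well above 2^64).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the sizes used in this demo."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (the flawed 'start=p' pattern)."""
    c = n + 1
    while not is_probable_prime(c):
        c += 1
    return c


def fermat_factor(n: int, max_steps: int = 1000):
    """Return (p, q) with p <= q if n = p*q and the primes are close; else None.

    Fermat's method: find a with a*a - n a perfect square b*b, then
    n = (a - b)(a + b). Each step moves a up by one, so a bounded step
    count turns this into a cheap weak-key test rather than a factoring run.
    """
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            p, q = a - b, a + b
            if p > 1:
                return (p, q)
        a += 1
    return None


def has_close_primes(n: int) -> bool:
    """Weak-key verdict used by a key-acceptance check."""
    return fermat_factor(n) is not None


# Constructed toy keys (far too small for real use, sized for a fast demo).
WEAK_P = next_prime(2**64)        # p
WEAK_Q = next_prime(WEAK_P)       # q = next prime after p: the bug pattern
WEAK_N = WEAK_P * WEAK_Q

OK_P = next_prime(2**64)          # independent primes of different sizes
OK_Q = next_prime(2**63)
OK_N = OK_P * OK_Q

if __name__ == "__main__":
    print("adjacent-prime modulus recovered:", fermat_factor(WEAK_N) == (WEAK_P, WEAK_Q))
    print("independent-prime modulus flagged:", has_close_primes(OK_N))
```

Real-world key checks phrase the same idea as a distance requirement (the primes must differ in their top bits); the bounded Fermat loop is simply the direct way to test for the one structure this thread describes.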

~~~
slackingoff2017
Don your shiny crinkly hats, but after
[https://en.m.wikipedia.org/wiki/Dual_EC_DRBG](https://en.m.wikipedia.org/wiki/Dual_EC_DRBG)
I started believing that NSA involvement is not subtle in their exploits.

They only need to fool laymen, and backdoored primes are an easy way to do so.
The number of true cryptography experts beyond their walls is a dozen in the
world at best. Case in point
[https://en.m.wikipedia.org/wiki/Daniel_J._Bernstein](https://en.m.wikipedia.org/wiki/Daniel_J._Bernstein)
. And BTW he's been sued by the US government for ???. Thank God the EFF has
decent funding.

~~~
EwanToo
Do you honestly believe that China and Russia don't take cryptography
seriously, and between them only employ a tiny handful of experts...?

~~~
slackingoff2017
The opposite. Government entities suck up all the world's crypto experts
leaving very few working in the public's interest.

~~~
tptacek
You mean except for every professor, postdoc, and grad student working in
every crypto research group at every large CS department in the world?

------
wybiral
How many primes within the usual range generated for RSA happen to fit the
form 27a^2 + 27a + 7?

~~~
cobbal
Assuming at least 768 bits (an RSA number of this size has been factored), the
gaps between such numbers are more than 10^232. Even if every number of this
form was prime, the prime number theorem tells us we can expect one out of
every 10^229 primes to be weak.

There could of course be a larger class of such easy primes, but it seems like
it's extremely unlikely a prime of this particular form would ever be
generated by chance.
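The question above asks whether a prime has the form 27a^2 + 27a + 7, and the reply answers it with a prime-number-theorem density argument. Here is an added example, not code from the thread, that does both in exact integer arithmetic: `form_parameter` decides whether a given prime has that form by solving the quadratic for a, `gap_near` gives the spacing between consecutive values of the form at a chosen bit length, and `weak_form_fraction_log10` carries the reply's heuristic (treat every value of the form as prime and compare with the number of primes of that size) for an arbitrary bit length. The function names and the bit lengths used are my own.

```python
"""Is a prime of the form 27a^2 + 27a + 7, and how rare are such primes?

Added example built from the form quoted in the thread. All functions
work on arbitrary-size Python integers; only the density estimate uses floats
(in the log domain, to avoid overflow at RSA sizes).
"""
from math import isqrt, log10, log


def form_value(a: int) -> int:
    """The a-th value of the form."""
    return 27 * a * a + 27 * a + 7


def form_parameter(p: int):
    """Return a >= 0 with p == 27a^2 + 27a + 7, or None if p is not of that form.

    Solving 27a^2 + 27a + (7 - p) = 0 gives a = (-27 + sqrt(D)) / 54 with
    D = 27^2 - 4*27*(7 - p) = 729 + 108(p - 7); a is an integer exactly when
    D is a perfect square and the numerator is divisible by 54.
    """
    disc = 729 + 108 * (p - 7)
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:
        return None
    num = r - 27
    if num < 0 or num % 54:
        return None
    return num // 54


def is_weak_form(p: int) -> bool:
    """Key-acceptance view: reject a prime that has the form."""
    return form_parameter(p) is not None


def gap_near(bits: int) -> int:
    """Distance between consecutive values of the form around 2**bits.

    form_value(a+1) - form_value(a) = 54a + 27, evaluated at the a whose
    value is closest to 2**bits.
    """
    a = isqrt(2**bits // 27)
    return 54 * a + 27


def weak_form_fraction_log10(bits: int) -> float:
    """log10 of an upper bound on the fraction of `bits`-bit primes of the form.

    Heuristic from the thread: count the values of the form in
    [2**(bits-1), 2**bits) as if all were prime, and divide by the
    prime-number-theorem estimate 2**(bits-1) / (bits * ln 2) of the number
    of `bits`-bit primes.
    """
    # a ranges over roughly sqrt(2**bits / 27) * (1 - 1/sqrt(2)) integers.
    log_candidates = (bits / 2) * log10(2) - 0.5 * log10(27) + log10(1 - 2 ** -0.5)
    log_primes = (bits - 1) * log10(2) - log10(bits * log(2))
    return log_candidates - log_primes


if __name__ == "__main__":
    for p in (7, 61, 331, 11, 101):
        print(p, "->", form_parameter(p))
    print("gap near 2^768:", len(str(gap_near(768))), "digits")
    print("log10 fraction of 1024-bit primes of the form <=",
          round(weak_form_fraction_log10(1024), 1))
```

`form_parameter` is the part a key-generation routine or an audit script would actually use; the two density helpers exist to make the "exponentially small" claim concrete for any key size rather than a single one.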

~~~
jabot
Thanks for that answer.

These "weak" primes are perfect for backdoors, however, if you know about them
being weak, and no one else does.

~~~
peoplewindow
Very likely that they've been used for that.

I once talked to someone who had worked at a company in the 90s that was
shipping crypto software. This was shortly after Snowden, so the topic of
backdoors came up. He said that back in those days, they'd been visited by the
NSA and told to change the primes they were using, otherwise they wouldn't get
export clearance. He said they couldn't figure out what was different about
the primes they were given - the number passed primality testing, so they
switched to using them to avoid being denied export clearance. His theory was
that they were pseudoprimes that somehow passed testing because primality
tests were statistical and not definitive.

But I guess this is an alternative explanation that would also make sense.

------
TomatoSauceCat
Just another example of the type of ignorance we have been dealing with ever
since the day RSA was invented. Unfortunately people still don't get the
Rivest-Silverman paper: [http://people.csail.mit.edu/rivest/RivestSilverman-AreStrong...](http://people.csail.mit.edu/rivest/RivestSilverman-AreStrongPrimesNeededForRSA.pdf)

To be brief, there exist infinitely many algorithms that rule out classes of
so-called "weak primes", or "weak moduli." Such attacks are meaningless
because you will not know which algorithm will crack a randomly chosen modulus
until you try it. By trying algorithm after algorithm of a similar nature to
this, your expected run time is exponential before you find one that works.
Which essentially means that the concepts of "weak moduli" and "weak primes"
are misnomers.

For an algorithm like this to be meaningful, the density of primes that it
rules out needs to be significant. In this case, it is insignificant (it is
exponentially small).

------
AlexCoventry
Why is this significant?

~~~
tonysdg
Because it means that some RSA keys may be weaker than others. Without diving
too far into the mathematics of it, the RSA cryptosystem (and indeed, many
asymmetric-key cryptosystems) is based on the notion that multiplying two
gigantic prime numbers together to get another gigantic non-prime number is
easy; but taking a gigantic non-prime number and figuring out which two prime
numbers were multiplied together is incredibly hard. This conjecture, if true,
means that for some gigantic non-prime numbers, it is easier than expected
(even if only slightly so) to figure out which two prime numbers were used.

~~~
tptacek
He's asking why, if you only have a 2^-730 chance of generating one of these
primes at random, would you care about that risk? Single-bit memory or
computation faults can devastate the security of cryptographic operations, and
they're multiple orders of magnitude more likely to _recur_ in a single
computation than generating those particular primes.

~~~
peoplewindow
Because it lets you ship crypto-systems with keys that appear to be strong on
inspection but which are actually weak (if you deliberately want to ship
backdoored crypto).

~~~
tptacek
There are lots of ways to ship those systems without a "backdoor" that
involves keys that will never occur once in the wild, let alone repeatedly.
Why would they use an elaborate scheme that _screams_ tampering?

------
nimbius
Werner Koch is starting to look less like a quack after the discovery of this
conjecture. He's been pushing to deprecate gpg RSA in general, and is
evidenced to have taken a step toward this goal in the latest 2.1 release with
ed25519 support.

~~~
AlexCoventry
What's his reasoning, and how does this conjecture fit into it?

------
phkahler
It has always been the case that RSA keys should not have primes of certain
forms. IIRC there are some forms that are preferred too.

------
marcosdumay
How long until we actually start using curve 25519 for everything?

EDIT: On second thought, a backdoored curve 25519 implementation might be
even harder to discover, because any backdoored PRNG could be used, and there
is no outstanding structure to them... My comment only makes sense if those
keys were generated by mistake.

------
jwilk
Please use the original title.

