Somewhat nitpicking, but if q = 1 mod 65537, then that does not mean that it is unusable for RSA in general, only that it is unusable with e = 65537. FIPS 186-5 (the current NIST standard, that includes RSA) only mandates that 2^16 < e < 2^256, not specifically that e be equal to 65537, even though that value is traditional. Keys with larger public exponents are a thing that exists (weirdly, mostly in some German certificate authorities, I don't know why German CAs are fond of larger exponents). PKCS#1 is less picky: it allows down to e = 3, which has a bad reputation for mostly mythical reasons, but makes public key operations substantially faster.

On a different note, I am not sure how it took 30 CPU minutes to generate such a q. On my fairly basic PC (2.3 GHz x86 CPU from 2021), this Sage script finds a new 1024-bit prime q such that q = 1 mod 65537 in an average time of about 63 milliseconds:

```python
proof.arithmetic(False)

def find_q_1mod65537(size):
    assert 32 <= size
    assert size <= 16384
    while True:
        # Random candidate of the form 1 + k*65537, so q = 1 mod 65537
        q = 1 + randint(3*2**(size - 18), 2**(size - 16))*65537
        # 65537 is odd: adding it once makes an even candidate odd
        if (q & 1) == 0:
            q += 65537
        if q.bit_length() != size:
            continue
        # Step by 2*65537 to stay odd and keep q = 1 mod 65537
        while not q.is_prime():
            q += 65537*2
        if q.bit_length() == size:
            return q
```
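The point made in the comment above, that a prime q = 1 mod 65537 breaks RSA only for e = 65537, shown as an added Python example that is not part of the original thread. The function names, the constructed ~32-bit primes and the trial-division primality test are assumptions chosen so it runs instantly; the arithmetic is the same at real key sizes.

```python
from math import gcd, isqrt

E = 65537
P = 2**31 - 1  # known Mersenne prime; P - 1 is not a multiple of 65537

def is_prime(n):
    """Trial division; adequate for the ~32-bit constructed primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))

def prime_1_mod(e, start):
    """A prime q > start with q = 1 mod e, stepping by 2e as the Sage script does."""
    q = (start // e + 1) * e + 1
    if q % 2 == 0:
        q += e
    while not is_prime(q):
        q += 2 * e
    return q

def private_exponent(p, q, e):
    """d = e^-1 mod lcm(p-1, q-1), or None when e shares a factor with it."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam) if gcd(e, lam) == 1 else None

def colliding_plaintext(p, q, e):
    """x != 1 with x^e = 1 mod p*q; exists because the prime e divides q - 1."""
    h = 2
    while pow(h, (q - 1) // e, q) == 1:
        h += 1
    g = pow(h, (q - 1) // e, q)  # element of order e modulo q
    # CRT: x = g mod q and x = 1 mod p
    return (g + q * ((1 - g) * pow(q, -1, p) % p)) % (p * q)

def first_usable_exponent(p, q, after):
    """Smallest odd e > after for which a private exponent exists."""
    e = after + 1 + after % 2
    while private_exponent(p, q, e) is None:
        e += 2
    return e

Q = prime_1_mod(E, 2**31)  # constructed sample prime with Q = 1 mod 65537
```

With e = 65537 the map x -> x^e mod P*Q is not injective (`colliding_plaintext` encrypts to the same value as 1), so no decryption exponent can exist, while the next usable odd exponent gives a working key pair from the same primes.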
See readme for details. Not exactly groundbreaking stuff, but took about 30 CPU minutes to find.