Date: Thu, 5 May 2016 02:34:51 +0300
From: Alexander Cherepanov <>
Subject: Re: broken RSA keys

On 2016-05-04 15:42, Solar Designer wrote:
> Now to the point: some of the keys do look to me like they're a result
> of software bugs in key generation.  Specifically, as it was noticed and
> noted by many before, Phuctor's list of broken keys includes many with
> non-prime e of the form intended_e*(2^32+1) - that is, with the 32-bit
> value duplicated across 64 bits.  (I wrote it that way to show that all
> such e's are non-prime.)

Indeed. Of the 225 keys listed at, 
152 have modulus and exponent divisible by 2**32+1:

$ curl -s |
 >   perl -Mbigint -ln0e 'print join " ", map { $_ % (2**32 + 1) } ($1, $2) while m{RSA Modulus .N.:.*?<td>(\d+)<.*?<td>(\d+)<}sg' |
 >   grep -c '^0 0$'

Modulus and exponent are divisible by 2**32+1 or not simultaneously.

Alexander Cherepanov
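
The check discussed in this message, as an added example that is not part of the original post: it tests a public key's modulus and exponent for divisibility by 2**32+1 and recovers intended_e when e is a 32-bit value duplicated across 64 bits. The function names and the sample keys are constructed for illustration; none are taken from the Phuctor list.

```python
# Added example (not from the original post): classify RSA public keys
# by the 2**32+1 pattern described in the thread.

F = 2**32 + 1  # 4294967297 = 641 * 6700417, so any multiple has small factors


def intended_exponent(e):
    """Return intended_e if e is one 32-bit word duplicated across 64 bits."""
    if not 0 < e < 2**64:
        return None
    low, high = e & 0xFFFFFFFF, e >> 32
    # For e < 2**64, low == high holds exactly when e == low * (2**32 + 1).
    return low if low == high else None


def classify(n, e):
    """Return (N divisible by F, e divisible by F, intended_e or None)."""
    return (n % F == 0, e % F == 0, intended_exponent(e))


def count_both_divisible(keys):
    """Same count as the grep -c '^0 0$' step: N and e both multiples of F."""
    return sum(1 for n, e in keys if n % F == 0 and e % F == 0)


# Constructed sample keys (toy sizes, for illustration only).
P61, P89 = 2**61 - 1, 2**89 - 1            # two Mersenne primes
SAMPLE_KEYS = [
    (P61 * P89, 65537),                    # well-formed: neither divisible
    (F * P89, 0x0001000100010001),         # both divisible, e = 65537 * F
    (F * P61, 3 * F),                      # both divisible, e = 3 * F
]

if __name__ == "__main__":
    for n, e in SAMPLE_KEYS:
        n_div, e_div, e_orig = classify(n, e)
        print(f"N%F==0: {n_div}  e%F==0: {e_div}  intended_e: {e_orig}")
    print("both divisible:", count_both_divisible(SAMPLE_KEYS))
```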
