[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*Subject*: Conjecturally unsafe RSA primes $p=27a^2+27a+7$*From*: guninski at guninski.com (Georgi Guninski)*Date*: Wed, 18 Oct 2017 16:04:13 +0300

We got strong numerical evidence that primes of the form $p=27a^2+27a+7$ are unsafe for cryptographic reasons since they can be found in the factorization. Consider the following generic factoring algorithm for factoring $n$ which is divisible by $p$. Suppose you known an elliptic curve in Weierstrass form with known multiple $m$ of the order of $E$ modulo $p$. Let $\psi_n$ denote the $n$-th division polynomial of $E$. Choose random integer $X$. If $X$ is the $x$ coordinate on $E$ modulo $p$ then $\psi_m(X) \equiv 0 \pmod{p}$. If it is not, $\psi_m(X)$ need not vanish modulo $p$. By selecting few random $X$ we probabilistically find $p$ from $\gcd(n,\psi_m(X))$. [This question](https://mathoverflow.net/questions/283758/conjecture-the-number-of-points-modulo-p-of-certain-elliptic-curve-is-p-or) conjectures that if $p=27a^2+27a+7$ and $kronecker(2k^3,p)= -1$ then the order of $y^2=x^3+2k^3$ is $p$. In this case $n$ is multiple of the order, so we can use the above algorithm by trying in addition random $k$. We found $200$ bit factor with pari/gp in just few seconds. > Are these conjecturally unsafe RSA primes known?

- Prev by Date:
**jimbellproject.org is looking for volunteers: The coming lawsuit** - Next by Date:
**"CO2 close to lowest levels ever for our planet"** - Previous by thread:
**Graph theory question** - Next by thread:
**[RUS] Russia-gate proof finally - Explosive story of Kremlin plot to undermine US Democracy using post-election puppy ads (+ other "news")** - Index(es):