[Cryptography] 1023 nails in the coffin of 1024 RSA...

James Cloos cloos at jhcloos.com
Sun Oct 5 14:03:38 EDT 2014

>>>>> "i" == ianG  <iang at iang.org> writes:

i> (some skepticism about whether there is really a break in
i> OpenSSL, but the rumour mill will no doubt throw mud on the 1024
i> bit part as well...)

i> He claimed:

i>     The bug originates in these lines of rsa_gen.c:

i>     117 bitsp=(bits+1)/2;
i>     118 bitsq=bits-bitsp;

i> the main problem being that the rounding of 1025 isn't downwards but
i> upwards, resulting in bitsp= 513 and bitsq=511, which, supposedly,
i> later on in the code and due to compiler optimizations, causes the bug.

In order for that mis-rounding to occur, the compiler must mis-optimize
the code.

The /2 will get changed to >>1 (right shift).  Because bits is an int
rather than an unsigned int, that will be an arithmetic right shift.

The +1 might get converted to an INCrement.

To round up, the optimizer would then need to swap the order of the
increment and the shift.

If the compiler is mis-optimizing that, it is not surprising that it
might also mis-optimize something else later on, resulting in an
exploitable bug.

But it would have to be specific to an architecture and compiler.

James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
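
The two orderings discussed in the message above, as an added C example (not part of the original post and not OpenSSL code): `split_as_written` is the quoted two-line computation, and `split_reordered` is a hypothetical model of the increment and the shift being swapped. The function names and the sample sizes are assumptions made for illustration.

```c
#include <stdio.h>

/* Split as written in the two quoted lines: add one first, then halve. */
static void split_as_written(int bits, int *bitsp, int *bitsq)
{
    *bitsp = (bits + 1) / 2;
    *bitsq = bits - *bitsp;
}

/* Hypothetical mis-ordering: halve (shift) first, then increment. */
static void split_reordered(int bits, int *bitsp, int *bitsq)
{
    *bitsp = (bits >> 1) + 1;
    *bitsq = bits - *bitsp;
}

/* Returns 1 if the two orderings give different prime sizes for this modulus size. */
static int orderings_differ(int bits)
{
    int p1, q1, p2, q2;
    split_as_written(bits, &p1, &q1);
    split_reordered(bits, &p2, &q2);
    return p1 != p2 || q1 != q2;
}

/* Count the modulus sizes in [lo, hi] for which the reordering changes the split. */
static int count_differing(int lo, int hi)
{
    int n = 0;
    for (int bits = lo; bits <= hi; bits++)
        n += orderings_differ(bits);
    return n;
}

int main(void)
{
    const int sizes[] = { 1023, 1024, 1025, 2048 };  /* constructed sample sizes */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int p, q, rp, rq;
        split_as_written(sizes[i], &p, &q);
        split_reordered(sizes[i], &rp, &rq);
        printf("bits=%4d  as written: p=%d q=%d   reordered: p=%d q=%d%s\n",
               sizes[i], p, q, rp, rq,
               orderings_differ(sizes[i]) ? "  <-- differs" : "");
    }
    printf("sizes in 1000..1100 where the orderings differ: %d\n",
           count_differing(1000, 1100));
    return 0;
}
```

For 1024 the as-written split is 512/512 and only the reordered form gives 513/511; for odd sizes the two orderings agree, so the difference appears only at even sizes.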
