[Cryptography] Conjecturally unsafe RSA primes $p=27a^2+27a+7$

Georgi Guninski guninski at guninski.com
Wed Oct 18 09:06:02 EDT 2017


We got strong numerical evidence that primes of the form $p=27a^2+27a+7$
are unsafe for cryptographic reasons since they can be found in the

Consider the following generic factoring algorithm for factoring
$n$ which is divisible by $p$. Suppose you known an elliptic curve
in Weierstrass form with known multiple $m$ of the order of $E$ modulo
$p$. Let $\psi_n$ denote the $n$-th division polynomial of $E$.

Choose random integer $X$. If $X$ is the $x$ coordinate on $E$ modulo
then $\psi_m(X) \equiv 0 \pmod{p}$. If it is not, $\psi_m(X)$ need not
vanish modulo $p$. By selecting few random $X$ we probabilistically find
$p$ from $\gcd(n,\psi_m(X))$.

that if $p=27a^2+27a+7$ and $kronecker(2k^3,p)= -1$ then the order of
$y^2=x^3+2k^3$ is $p$. In this case $n$ is multiple of the order, so we
can use the above algorithm by trying in addition random $k$.

We found $200$ bit factor with pari/gp in just few seconds.

> Are these conjecturally unsafe RSA primes known?

More information about the cryptography mailing list