The Secure Generation of RSA Moduli Using Poor RNG

We discuss a procedure, which should be called Lenstra's fix, for producing secure RSA moduli even when the random number generation is very poor. RSA is uniquely vulnerable to low entropy random number generation. If n = pq and n' = pq' are two (public) moduli, then the computation gcd(n,n') = p factors both moduli and totally compromises the security of both systems. Following a suggestion of A. K. Lenstra and his coauthors in [1] we present an algorithm for generating p and q that avoids this attack without changing the method of random number generation. If the probability is P that in the world two random primes p and p' are generated the same, then the probability that n = n' will only be P 2. It is much more likely that p = p' and q  q', in which case gcd(n,n') = p factors n and n' The damage done when n = n' is incomparably less. The owners of n and n' can access each other's accounts, but they are safe from attacks by others. Moreover, this is the same risk that any other cryptosystems face. The proposal is to generate p randomly and then choose q = f(p,k), where f(p,k) is the function f(p,k) = 1 + [2 2k /p]. Here [x] denotes the integer part of x. For example, [3.14] = 3.