RSA is an incredibly successful and useful asymmetric encryption algorithm. One of the types of implementation flaws in RSA is low entropy during key generation, specifically in the prime number creation stage. This can occur due to flawed usage of random prime number generator libraries, or on computers that lack a source of external entropy. These implementation flaws result in some RSA keys sharing prime factors, which means that the full factorization of the public modulus can be recovered extremely efficiently by computing the GCD of the two public key moduli that share the prime factor. However, since one does not know a priori which of the composite moduli share a prime factor, an all-to-all GCD attack (also known as a batch GCD attack, or a bulk GCD attack) can be performed on the available public keys to determine whether any such shared prime factors exist and to recover them. This study describes a novel all-to-all batch GCD algorithm, referred to as the binary tree batch GCD algorithm, that is more efficient than the current best batch GCD algorithm (the remainder tree batch GCD algorithm). A comparison against the best existing batch GCD method (a product tree followed by a remainder tree computation) is given using a dataset of random RSA moduli constructed such that some of the moduli share prime factors. The proposed binary tree batch GCD algorithm has better runtime than the existing remainder tree batch GCD algorithm, although asymptotically the two have nearly identical scaling, and its complexity depends on how many shared prime factors exist in the set of RSA keys. In practice, the implementation of the proposed binary tree batch GCD algorithm has a roughly 6x speedup compared to the standard remainder tree batch GCD approach.
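To make the baseline method concrete, here is an added Python example (not code from the paper or its authors) of the standard product tree plus remainder tree batch GCD that the abstract names as the existing best approach; the paper's own binary tree algorithm is not described in the abstract and is not reproduced here. The example is written from an auditor's perspective: given a set of public moduli, it reports which keys share a prime factor and therefore must be revoked. The prime values and moduli are constructed sample data (tiny 4-digit primes so the arithmetic is readable; real RSA primes are about 1024 bits), and it also handles the edge case where both primes of one modulus appear in other moduli, in which case the batch result equals the modulus itself and a pairwise GCD is needed to split it.

```python
from math import gcd

# Constructed sample primes (real RSA primes are ~1024 bits; these are tiny for readability).
P = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049]

# Constructed sample moduli. N0 shares P[1] with N1 and P[0] with N3;
# N2 and N4 are "healthy" and share nothing.
MODULI = [
    P[0] * P[1],   # N0
    P[1] * P[2],   # N1
    P[3] * P[4],   # N2
    P[5] * P[0],   # N3
    P[6] * P[7],   # N4
]


def product_tree(xs):
    """Return the levels of the product tree: level 0 is the input,
    each higher level pairs up adjacent entries, the last level is the full product."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    return levels


def remainder_tree(levels):
    """Walk the tree downward, reducing the parent's remainder modulo (child)^2.
    For leaf N_i this yields Z mod N_i^2, where Z is the product of all moduli."""
    rems = [levels[-1][0]]                      # root holds the full product Z
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    return rems


def batch_gcd(moduli):
    """Return gcd(N_i, Z / N_i) for every modulus N_i using one product tree
    and one remainder tree (quasi-linear instead of quadratic in the key count).
    Because N_i divides Z, (Z mod N_i^2) // N_i == (Z / N_i) mod N_i."""
    rems = remainder_tree(product_tree(moduli))
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def pairwise_gcd(moduli):
    """Naive O(n^2) reference: gcd of each modulus with the product of all others."""
    out = []
    for i, n in enumerate(moduli):
        g = 1
        for j, m in enumerate(moduli):
            if i != j:
                g = g * gcd(n, m) // gcd(g, gcd(n, m))   # lcm of the pairwise gcds
        out.append(gcd(g, n))
    return out


def find_shared_factors(moduli):
    """Map index -> set of recovered prime factors for every modulus that
    shares a factor with some other modulus in the set."""
    found = {}
    for i, (g, n) in enumerate(zip(batch_gcd(moduli), moduli)):
        if g == 1:
            continue                            # nothing shared; key looks healthy
        if g == n:
            # Both primes of N_i occur elsewhere: the batch GCD gives N_i back,
            # so split it by pairwise GCD against the other moduli.
            factors = set()
            for j, m in enumerate(moduli):
                if j != i:
                    d = gcd(n, m)
                    if 1 < d < n:
                        factors.add(d)
            found[i] = factors
        else:
            found[i] = {g, n // g}              # one shared prime gives the full split
    return found


if __name__ == "__main__":
    for idx, factors in sorted(find_shared_factors(MODULI).items()):
        print(f"modulus N{idx} = {MODULI[idx]} is weak, factors {sorted(factors)}")
```

Running this reports N0, N1 and N3 as weak with their full factorizations, while N2 and N4 produce a GCD of 1 and are left alone; on a real key set the same output would drive a revocation list. The remainder tree reduces modulo the square of each node rather than the node itself so that the final division by N_i yields the cofactor's residue without computing Z / N_i directly, which is the trick that keeps the intermediate values bounded.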