RSA is an incredibly successful and useful asymmetric encryption algorithm. One class of implementation flaw in RSA is low entropy during key generation, specifically at the prime number creation stage. This can occur through flawed use of random prime number generator libraries, or on computers that lack a source of external entropy. Such implementation flaws result in some RSA keys sharing prime factors, which means that the full factorization of a public modulus can be recovered extremely efficiently by computing the GCD of the two public moduli that share the prime factor. However, since one does not know a priori which composite moduli share a prime factor, determining whether any such shared prime factors exist requires an all-to-all GCD attack (also known as a batch GCD attack, or a bulk GCD attack) over the available public keys, which recovers any shared prime factors. This study describes a novel all-to-all batch GCD algorithm, referred to here as the binary tree batch GCD algorithm, that is more efficient than the current best batch GCD algorithm (the remainder tree batch GCD algorithm). A comparison against that existing method (a product tree followed by a remainder tree computation) is given on a dataset of random RSA moduli constructed so that some of the moduli share prime factors. The proposed binary tree batch GCD algorithm has better runtime than the existing remainder tree batch GCD algorithm, although asymptotically the two have nearly identical scaling, and its complexity depends on how many shared prime factors exist in the set of RSA keys. In practice, the implementation of the proposed binary tree batch GCD algorithm achieves a roughly 6x speedup over the standard remainder tree batch GCD approach.
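The baseline the abstract compares against, a product tree followed by a remainder tree, is shown below as an added example for auditing a key set; it is not the paper's binary tree algorithm (which the abstract does not detail) nor the authors' code. The moduli are constructed from Mersenne primes, far too small for real keys, and the example also handles the case where a modulus shares both of its primes with other keys, for which the batch GCD alone returns the modulus itself.

```python
from math import gcd

def product_tree(mods):
    """Levels of a product tree: levels[0] is the input, levels[-1] is [product of all]."""
    levels = [list(mods)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels

def batch_gcd(mods):
    """Product-tree / remainder-tree batch GCD: returns gcd(n_i, prod_{j != i} n_j) for each i."""
    levels = product_tree(mods)
    rems = levels.pop()                       # root: the full product P itself
    while levels:
        cur = levels.pop()
        # each node receives (parent remainder) mod node^2; parent of node i is i // 2
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(cur)]
    # at a leaf n: r = P mod n^2 = n * (P/n mod n), so r // n = P/n mod n
    return [gcd(r // n, n) for r, n in zip(rems, mods)]

def recover_factors(mods):
    """Map each modulus to (p, q) if a shared prime exposes it, else None.
    If a modulus shares *both* primes with other keys, its batch GCD equals the
    modulus; fall back to pairwise GCDs against the rest for that entry only."""
    out = {}
    for n, g in zip(mods, batch_gcd(mods)):
        if g == n:
            for m in mods:
                d = gcd(n, m)
                if m != n and 1 < d < n:
                    g = d
                    break
        out[n] = (min(g, n // g), max(g, n // g)) if 1 < g < n else None
    return out

# Constructed sample: Mersenne primes 2^k - 1 for k in {13, 17, 19, 31, 61, 89, 107, 127}.
W, V, U, T = 2**13 - 1, 2**17 - 1, 2**19 - 1, 2**31 - 1
P, Q, R, S = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
MODULI = [P * Q,   # shares P with the next key and Q with the last one
          P * R,   # shares P
          S * T,   # no shared factor
          U * V,   # no shared factor
          Q * W]   # shares Q

if __name__ == "__main__":
    for n, f in recover_factors(MODULI).items():
        print(n, "->", f)
```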