Factoring “short-sleeve” RSA keys with polynomials #2366

Open
carlospolop wants to merge 1 commit into master from update_Factoring_short-sleeve_RSA_keys_with_polynomials_9095dd42e6d6c4df

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Trail of Bits describes a real-world cryptographic key-generation failure that produced RSA and DSA private keys whose big-integer limbs contain many regularly spaced zero bits. The authors call these “short-sleeve” keys because only a small contiguous part of each limb is filled with random data while the rest of the limb is zero. This is not just a statistical weakness: for many affected RSA keys, the public modulus can be factored quickly using polynomial factorization, allowing rec...

🔧 Technical Details

Scanning public keys for short-sleeve structure: Public RSA moduli can be searched for sparse, regularly spaced zero-bit blocks aligned to suspected limb boundaries. If a big-integer implementation fills only part of each limb with randomness, the public modulus may show repeated all-zero regions. Useful sources for detection include Certificate Transparency logs, TLS scans, SSH scans, PGP key collections, and tools such as badkeys and badkeys standalone.

Factoring structured RSA moduli with polynomials: If RSA primes p and q are short-sleeved, represent the public modulus n = p*q in base B = 2^w, where w is the limb width. Convert base-B digits into a polynomial f_n(x). Because evaluating at B preserves multiplication, short-sleeve factors with small coefficients can make

🤖 Agent Actions

Using the repo to inspect crypto/RSA/DSA coverage and pick the best single file to update.
I found the best fit is the existing RSA attacks page: it already covers RSA key-generation failures, is concise, and avoids spreading the same concept across multiple files. I’m adding the new technique there with a brief cross-primitive note about DSA exponent recovery from the same limb bug.
Done.

Updated:

  • src/crypto/public-key/rsa/README.md

Added:

  • Detection of short-sleeve / sparse RSA moduli
  • Polynomial factorization workflow for structured RSA keys
  • Shifted limb leakage note
  • The byte-to-limb RNG bug pattern that causes this weakness
  • Brief DSA private exponent recovery note from the same bug class
  • Final References section with the blog + badkeys links

Validation:

  • File structure checked successfully
  • mdbook build could not be run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
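Added example, not part of this PR, the HackTricks page, the Trail of Bits post or badkeys: a minimal auditor for the "regularly spaced zero-bit blocks aligned to suspected limb boundaries" check described above, for screening moduli in your own key inventory. The candidate limb widths (32 and 64), the 8-bit run threshold, the minimum limb count and all function names are assumptions, and both sample moduli are constructed rather than real keys.

```python
import random

def limbs(n, w):
    """Split n into base-2**w digits (limbs), least significant first."""
    mask = (1 << w) - 1
    out = []
    while n:
        out.append(n & mask)
        n >>= w
    return out

def shared_zero_run(n, w):
    """Longest run of bit positions that are zero in every w-bit limb of n."""
    combined = 0
    for limb in limbs(n, w):
        combined |= limb          # a bit stays 0 only if it is 0 in all limbs
    best = run = 0
    for i in range(w):
        run = 0 if (combined >> i) & 1 else run + 1
        best = max(best, run)
    return best

def audit_modulus(n, widths=(32, 64), min_run=8, min_limbs=8):
    """Return [(limb_width, zero_run), ...] for widths where n looks short-sleeved."""
    hits = []
    for w in widths:
        if len(limbs(n, w)) < min_limbs:
            continue              # too few limbs for the OR test to mean anything
        run = shared_zero_run(n, w)
        if run >= min_run:
            hits.append((w, run))
    return hits

def constructed_short_sleeve(rng, n_limbs=16, w=64, filled_bits=16):
    """Constructed test value: each limb has only `filled_bits` random low bits."""
    return sum(rng.getrandbits(filled_bits) << (w * i) for i in range(n_limbs))

rng = random.Random(2366)         # fixed seed so the samples are reproducible
# Constructed samples (not real keys; the factors are not checked for primality).
WEAK_N = constructed_short_sleeve(rng) * constructed_short_sleeve(rng)
HEALTHY_N = rng.getrandbits(2048) | (1 << 2047) | 1

if __name__ == "__main__":
    print("weak   :", audit_modulus(WEAK_N))
    print("healthy:", audit_modulus(HEALTHY_N))
```

With 16 limbs of 16 filled bits each, every 64-bit limb of the product stays below 2^36, so the auditor reports at least 28 shared zero bits at width 64, while the random 2048-bit value reports nothing.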

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials

Content Categories: Based on the analysis, this content was categorized under "Crypto > Public-Key Crypto > RSA Attacks; optionally add notes under Crypto for DSA weak private exponent recovery and SSH public key auditing".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
