International Association for Cryptologic Research (IACR)
Abstract
Special purpose factoring algorithms have discouraged the adoption of multi-power RSA, even in a post-quantum setting. We revisit the known attacks and find that a general recommendation against repeated factors is unwarranted. We find that one-terabyte RSA keys of the form n=p12p23p35p47⋯piπi⋯p20044225287 are competitive with one-terabyte RSA keys of the form n=p1p2p3p4⋯pi⋯p231. Prime generation can be made to be a factor of 100000 times faster at a loss of at least 1 but not more than 17 bits of security against known attacks. The range depends on the relative cost of bit and qubit operations under the assumption that qubit operations cost 2c bit operations for some constant c