It is highly likely that this is the work of a troll.
The RSA subkey that was factored has an invalid self-signature in hpa's public key[1], which means that it wasn't really hpa who added the subkey. Since the sks-keyserver pool doesn't verify signatures[2], anyone could have inserted that subkey. So anyone could have purposefully picked an exploitable RSA subkey, added a fake signature to it, and uploaded it to the sks-keyserver pool.
Luckily, GPG will drop the subkey when retrieving hpa's public key since it doesn't have a valid self-signature. But for anyone scanning all the public keys without verifying signatures (for research, etc.), this key might get recognized and cause a shitstorm. Which is exactly what has happened.
So far, there's no evidence that there is a conspiracy to weaken RSA keys. There is only evidence that someone inserted a bogus subkey into hpa's public key. There will be evidence of a conspiracy if we find a weak RSA key in the strongset that has a valid self-signature.
[1]: https://gist.github.com/anonymous/ba23ca66d2ca249e6f84#file-...
[2]: https://lists.gnupg.org/pipermail/gnupg-devel/2015-March/029...
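The check this comment relies on, modelled in Python as an added example (not code from the thread and not GnuPG's implementation): a client importing a key from a keyserver keeps a subkey only if its binding self-signature verifies under the primary key, so a subkey anyone uploaded with a made-up signature is dropped. The key material is constructed from Mersenne primes and the signature scheme is unpadded textbook RSA over SHA-256, used here only to keep the model self-contained; `bind_subkey`, `binding_valid` and `import_key` are hypothetical names.

```python
"""Model of the import-time check that drops subkeys lacking a valid
binding self-signature. Added example; the 'signature' is unpadded
textbook RSA over SHA-256 and must not be used as a real signature."""
import hashlib

# Constructed primary key (toy size): two Mersenne primes, e = 65537.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the owner


def _digest(primary_n: int, subkey_n: int) -> int:
    """Hash what an OpenPGP subkey binding signature covers: the primary
    key material and the subkey material together, reduced mod n."""
    h = hashlib.sha256(f"{primary_n}|{subkey_n}".encode()).digest()
    return int.from_bytes(h, "big") % primary_n


def bind_subkey(primary_d: int, primary_n: int, subkey_n: int) -> int:
    """Primary-key holder signs the binding; nobody else can do this."""
    return pow(_digest(primary_n, subkey_n), primary_d, primary_n)


def binding_valid(primary_e: int, primary_n: int, subkey_n: int, sig: int) -> bool:
    """Verify a binding signature with the public primary key."""
    return pow(sig, primary_e, primary_n) == _digest(primary_n, subkey_n)


def import_key(primary_e: int, primary_n: int, subkeys):
    """Keep only subkeys whose binding signature verifies, as a client
    must when the keyserver itself verified nothing.
    subkeys: list of (subkey_modulus, binding_signature)."""
    return [sk for sk, sig in subkeys if binding_valid(primary_e, primary_n, sk, sig)]


# Genuine subkey, bound by the primary-key holder (constructed).
GOOD_SUBKEY = (2**61 - 1) * (2**127 - 1)
GOOD_SIG = bind_subkey(D, N, GOOD_SUBKEY)

# Bogus subkey: trivially factorable modulus plus a made-up signature,
# which is all an uploader to a non-verifying keyserver can provide.
BOGUS_SUBKEY = 3 * (2**127 - 1)
BOGUS_SIG = 123456789


def demo():
    """Import a key bundle containing both subkeys; only the genuine one survives."""
    return import_key(E, N, [(GOOD_SUBKEY, GOOD_SIG), (BOGUS_SUBKEY, BOGUS_SIG)])


if __name__ == "__main__":
    print("kept subkeys:", demo())
```

A scanner that skips `import_key` and factors every subkey it sees on the keyserver will "find" `BOGUS_SUBKEY` even though no client would ever trust it.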
I feel like everyone is being quick to write this off as "some random, harmless error", probably because the focus is that RSA is not broken, rather than asking what this was really about.
"The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key."
I'd be curious to explore that further.
This kernel developer has been targeted in the past:
"During that time, attackers were able to monitor the activities of anyone using the kernel.org servers known as Hera and Odin1, as well as personal computers belonging to senior Linux developer H. Peter Anvin. The self-injecting rootkit known as Phalanx had access to a wealth of sensitive data, possibly including private keys used to sign and decrypt e-mails and remotely log in to servers. A follow-up advisory a few weeks later opened the possibility that still other developers may have fallen prey to the attackers."
Edit: The key in question was created the day before this post by HPA regarding the compromise:
If I wanted to poison HPA with a fake key, why would I create a degenerate one? A fake key with strong factors would have gone unnoticed, at least by this analysis.
At first glance, I thought the keys were the same. I'm undecided if this was deliberate or unintentional. If this was unintentional, perhaps by corruption, how likely would the result generate such an easily factorable key?
Random errors likely generate easily factorable keys. Each prime N removes 1/N of the numbers. So 2 removes 1/2 of the possible numbers, 3 removes 1/3 of the remaining possible numbers, etc. Just 2, 3, 5, 7, 11, 13 remove 80% of possible random numbers.
For anybody who wants to think about how such an entry happened, it seems that the difference between the two presented numbers is in exactly 32 bytes (256 bits):
starting from the 162nd byte if I counted correctly, which means the first 5 * 32+1 (or 2 * 80+1) bytes are the same, then 32 bytes differ.
(The "easily factorable" number has two bytes which are represented as "bad1" in hex).
But thinking about the 256 bits, that's exactly the size of a block on which a typical symmetrical cypher can operate, which suggests some kind of a bug, although the offset of 161 bytes is a bit strange.
A human would probably just change a few bits to achieve the same effect, not 256, unless he wanted to encode some message, and it doesn't look like it. But see also the post of lawnchair_larry here.
The 161 bytes offset might be explained by corruption in an encoded version of the key. 161 bytes in binary data would be ~ 216 chars in base64. With an (unusual) line length of 72 the corruption would start exactly at the 4th line.
But: Mail clients should use 78 chars per text line, and GPG encodes base64 in lines of 64 chars length, so ignore my theory ;-).
Is there any sort of statistical analyses which could give some idea of whether those bits were generated randomly, by a human, or perhaps came from some other key?
They are just 256 bits. And if they come from a cypher they certainly can't be distinguished from purely random bits or from the bits of any other key.
But if they come from some other key unmodified it would be possible to scan for the match, and it's a fast operation, as soon as we have the keys in which we'd like to search.
I was wondering about the possibility of distinguishing between a human opening a keyfile (I believe they are encoded in base64?) and manually overwriting pieces of it with random rubbish, or something else; humans make very poor RNGs, as anyone who has tried "randomly" mashing a keyboard will notice.
Please resist complaining about downvotes, as the site guidelines ask. Most unfairly downvoted comments get corrective upvotes after a while—that's what happened in the GP's case. Comments like this one, though, just add noise.
Or the much simpler counter, anything with a factor of three ain't a 'real' 4096 bit RSA key. Even if it was in use, it would say nothing about RSA. Referring to it as a "4096 bit RSA key" is a red herring.
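The arithmetic behind both of these comments (the 80% figure above and the "factor of three" sanity check), as an added example that is not code from the thread: the fraction of random integers that survive the primes 2, 3, 5, 7, 11 and 13 is the product of (1 - 1/p), computed two ways, and a trial-division routine reports the smallest small factor of a candidate modulus. The sample moduli are constructed from Mersenne primes; `corruption_trials` flips 32 random bits of a genuine-looking modulus to show how often the result acquires a small factor. Function names are hypothetical.

```python
"""Why a corrupted modulus is usually easy to factor, and a cheap sanity
check for an RSA modulus. Added example; sample values are constructed."""
import random
from math import prod

SMALL_PRIMES = [2, 3, 5, 7, 11, 13]


def survival_fraction(primes):
    """Fraction of random integers divisible by none of the given primes:
    the product of (1 - 1/p) over the primes."""
    return prod(1 - 1 / p for p in primes)


def survival_by_count(primes):
    """The same fraction counted exactly over one full period prod(primes):
    returns (survivors, period)."""
    period = prod(primes)
    survivors = sum(1 for k in range(1, period + 1) if all(k % p for p in primes))
    return survivors, period


def small_factor(n: int, bound: int = 10000):
    """Smallest prime factor of n not exceeding bound, else None. A genuine
    RSA modulus is a product of two large primes and has none."""
    if n % 2 == 0:
        return 2
    f = 3
    while f <= bound and f * f <= n:
        if n % f == 0:
            return f  # the smallest divisor found this way is prime
        f += 2
    return None


def corruption_trials(n: int, trials: int = 200, seed: int = 1) -> float:
    """Flip 32 contiguous random bits of n at a random position and report
    the fraction of results that have a factor below the default bound."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        shift = rng.randrange(n.bit_length() - 32)
        m = n ^ (rng.getrandbits(32) << shift)
        hits += small_factor(m) is not None
    return hits / trials


# Constructed moduli: a product of two primes with no small factor, and one
# with the factor 3 that the comment above rules out as a real RSA key.
GENUINE_LOOKING = (2**89 - 1) * (2**127 - 1)
HAS_FACTOR_THREE = 3 * (2**127 - 1)


if __name__ == "__main__":
    print("survive 2..13:", survival_fraction(SMALL_PRIMES), survival_by_count(SMALL_PRIMES))
    print("small factor:", small_factor(GENUINE_LOOKING), small_factor(HAS_FACTOR_THREE))
    print("corrupted copies with a small factor:", corruption_trials(GENUINE_LOOKING))
```

Only about 19% of random integers escape the six smallest primes, so a modulus damaged by a few random bits almost always shows a tiny factor; trial division up to 10000 catches well over 80% of such corruptions, which is why a "factored 4096-bit key" with a factor of three says nothing about RSA.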
Meanwhile, on the original post, the author is acting like HN was tampering with the ranking of the article because it started doing poorly after people realized that a real key wasn't factored:
> "Update II : Amusingly enough, it seems Hacker News hand-diddled their story list to remove this discussion. Way to go Ydumbinator crew!" [0]
Popescu is waging a pathetic little personal war against FetLife [1]. He's a textbook example of a self-deluded crypto-narcissist who, if there's any justice on this earth, will see his comeuppance. People like him always do.
[1] He's been scraping the profiles of young women (specifically) and posting links, names, and hometowns on his blog. Yes, as technologists, we know that this kind of indexing is trivial. That's no reason, as a decent human being, to terrorize innocent people.
His >50% MPOE[1] stake is at least 1.4 million coins (valuated by the last trade).
If you're skeptical of numbers on webpages (cf. "EmptyGox"), MPEx's trivially traceable addresses[2] currently contain around five thousand coins; tracking down the rest is left as an exercise for the skeptical sleuth.
Maybe I'm reading it wrong but according to that there is ~10m shares outstanding at a price of 0.00028btc per share. Doesn't that make it worth around 2800 btc not 2.8m?