ctz commented Apr 27, 2025

See readme for details. Not exactly groundbreaking stuff, but took about 30 CPU minutes to find.

Collaborator

pornin commented Apr 30, 2025

Somewhat nitpicking, but if q = 1 mod 65537, then that does not mean that it is unusable for RSA in general, only that it is unusable with e = 65537. FIPS 186-5 (the current NIST standard, that includes RSA) only mandates that 2^16 < e < 2^256, not specifically that e be equal to 65537, even though that value is traditional. Keys with larger public exponents are a thing that exists (weirdly, mostly in some German certificate authorities, I don't know why German CAs are fond of larger exponents). PKCS#1 is less picky: it allows down to e = 3, which has a bad reputation for mostly mythical reasons, but makes public key operations substantially faster.

On a different note, I am not sure how it took 30 CPU minutes to generate such a q. On my fairly basic PC (2.3 GHz x86 CPU from 2021), this Sage script finds a new 1024-bit prime q such that q = 1 mod 65537 in an average time of about 63 milliseconds:

proof.arithmetic(False)

def find_q_1mod65537(size):
    assert 32 <= size
    assert size <= 16384
    while True:
        q = 1 + randint(3*2**(size - 18), 2**(size - 16))*65537
        if (q & 1) == 0:
            q += 65537
        if q.bit_length() != size:
            continue
        while not q.is_prime():
            q += 65537*2
        if q.bit_length() == size:
            return q
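
The point made in the comment above, as an added example that is not part of the pull request or of either participant's code: a prime q with q = 1 mod 65537 admits no private exponent for e = 65537, yet the same primes work with another odd exponent above 2^16. It is plain Python with Miller-Rabin standing in for Sage's `is_prime`; the function names and the choice to search upward from 65539 are assumptions made for illustration, and `find_prime` assumes a size of at least 32 bits.

```python
import math
import random

E = 65537  # the traditional public exponent discussed above

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test (probabilistic; stand-in for Sage's is_prime)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_prime(size, one_mod=1):
    """Random size-bit prime p with p = 1 mod one_mod (one_mod odd)."""
    step = 2 * one_mod
    while True:
        c = random.getrandbits(size) | (3 << (size - 2)) | 1
        c -= (c - 1) % step          # force c = 1 mod step; c stays odd
        while c.bit_length() == size:
            if is_probable_prime(c):
                return c
            c += step

def private_exponent(p, q, e):
    """d = e^-1 mod lcm(p-1, q-1), or None if e shares a factor with it."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return pow(e, -1, lam) if math.gcd(e, lam) == 1 else None

def next_usable_exponent(p, q, start=E + 2):
    """Smallest odd e >= start that is coprime to p-1 and q-1."""
    e = start
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        e += 2
    return e
```

A key-generation or key-import routine can use the `None` result of `private_exponent` as the rejection signal for a prime that is incompatible with the configured exponent.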
