Advertisement

Simple Backdoors for RSA Key Generation

  • Claude Crépeau
  • Alain Slakmon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)

Abstract

We present extremely simple ways of embedding a backdoor in the key generation scheme of RSA. Three of our schemes generate two genuinely random primes p and q of a given size, to obtain their public product n = pq. However they generate private/public exponents pairs (d, e) in such a way that appears very random while allowing the author of the scheme to easily factor n given only the public information (n, e). Our last scheme, similar to the PAP method of Young and Yung, but more secure, works for any public exponent e such as 3, 17, 65537 by revealing the factorization of n in its own representation. This suggests that nobody should rely on RSA key generation schemes provided by a third party.

Keywords

Digital Signature Scheme Public Exponent Original Loop Time Poly Subliminal Channel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [1]
    D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than n 0.292, Information Theory, IEEE Transactions on, 46 (2000), pp. 1339–1349. 405zbMATHCrossRefMathSciNetGoogle Scholar
  2. [2]
    D. Boneh, G. Durfee, and Y. Frankel, An attack on RSA given a small fraction of the private key bits, in Advances in Cryptology-AsiaCrypt’ 98, K. Ohta and D. Pei, eds., Berlin, 1998, Springer-Verlag, pp. 25–34. Lecture Notes in Computer Science Volume 1514. 405CrossRefGoogle Scholar
  3. [3]
    D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology-EuroCrypt’ 96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178–189. Lecture Notes in Computer Science Volume 1070. 405, 412Google Scholar
  4. [4]
    C. Crépeau and S. Wong, The RSA hidden small exponent method, in http://crypto.cs.mcgill.ca/~crepeau/RSA, 2001. 411
  5. [5]
    B. DE Weger, Cryptanalysis of RSA with small prime difference, Applicable Algebra in Engineering, Communication and Computing, 13 (2002), pp. 17–28. 406zbMATHCrossRefMathSciNetGoogle Scholar
  6. [6]
    M. Joye, P. Paillier, and S. Vaudenay, Efficient generation of prime numbers, in CHES 2000, Ç. K. Koç and C. Paar, eds., Berlin, 2000, Springer-Verlag, pp. 340–354. Lecture Notes in Computer Science Volume 1965. 405, 415Google Scholar
  7. [7]
    A. K. Lenstra, Generating RSA moduli with a predetermined portion, in Advances in Cryptology-AsiaCrypt’ 98, K. Ohta and D. Pei, eds., Berlin, 1998, Springer-Verlag, pp. 1–10. Lecture Notes in Computer Science Volume 1514. 406, 415CrossRefGoogle Scholar
  8. [8]
    G. L. Miller, Riemann’s hypothesis and tests for primality, J. Comput. System Sci., 13 (1976), pp. 300–317. 405zbMATHMathSciNetGoogle Scholar
  9. [9]
    R. L. Rivest and A. Shamir, Efficient factoring based on partial information., in Advances in Cryptology-EuroCrypt’ 85, F. Pichler, ed., Berlin, 1985, Springer-Verlag, pp. 31–34. Lecture Notes in Computer Science Volume 219. 405CrossRefGoogle Scholar
  10. [10]
    R. L. Rivest, A. Shamir, and L. M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM, 21 (1978), pp. 120–126. 405zbMATHCrossRefMathSciNetGoogle Scholar
  11. [11]
    A. Slakmon, Sur des méthodes et algorithmes de factorisation et leur application en cryptologie, Master’s thesis, Université de Montréal, dépt. IRO, 2000. 406Google Scholar
  12. [12]
    S. Vaudenay, Private e-mail communication., 2 may 2001. 411Google Scholar
  13. [13]
    M. Wiener, Cryptanalysis of short RSA secret exponents, Information Theory, IEEE Transactions on, 36 (1990), pp. 553–558. 405zbMATHCrossRefMathSciNetGoogle Scholar
  14. [14]
    A. Young and M. Yung, The dark side of “black-box” cryptography, or: Should we trust Capstone?, in Advances in Cryptology-Crypto’ 96, N. Koblitz, ed., Berlin, 1996, Springer-Verlag, pp. 89–103. Lecture Notes in Computer Science Volume 1109. 406, 412, 413CrossRefGoogle Scholar
  15. [15]
    —,Kleptography: Using cryptography against cryptography, in Advances in Cryptology-EuroCrypt’ 97, W. Fumy, ed., Berlin, 1997, Springer-Verlag, pp. 62–74. Lecture Notes in Computer Science Volume 1233. 406Google Scholar
  16. [16]
    —,The prevalence of kleptographic attacks on discrete-log based cryptosystems, in Advances in Cryptology-Crypto’ 97, B. Kaliski, ed., Berlin, 1997, Springer-Verlag, pp. 264–276. Lecture Notes in Computer Science Volume 1294. 406CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Claude Crépeau
    • 1
  • Alain Slakmon
    • 2
  1. 1.School of Computer ScienceMcGill UniversityMontréal (Québec)Canada
  2. 2.Département de mathématiquesCollège de Bois-de-BoulogneMontréal (Québec)Canada

Personalised recommendations