Simple Backdoors for RSA Key Generation
- 794 Downloads
We present extremely simple ways of embedding a backdoor in the key generation scheme of RSA. Three of our schemes generate two genuinely random primes p and q of a given size, to obtain their public product n = pq. However they generate private/public exponents pairs (d, e) in such a way that appears very random while allowing the author of the scheme to easily factor n given only the public information (n, e). Our last scheme, similar to the PAP method of Young and Yung, but more secure, works for any public exponent e such as 3, 17, 65537 by revealing the factorization of n in its own representation. This suggests that nobody should rely on RSA key generation schemes provided by a third party.
KeywordsDigital Signature Scheme Public Exponent Original Loop Time Poly Subliminal Channel
Unable to display preview. Download preview PDF.
- D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology-EuroCrypt’ 96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178–189. Lecture Notes in Computer Science Volume 1070. 405, 412Google Scholar
- C. Crépeau and S. Wong, The RSA hidden small exponent method, in http://crypto.cs.mcgill.ca/~crepeau/RSA, 2001. 411
- M. Joye, P. Paillier, and S. Vaudenay, Efficient generation of prime numbers, in CHES 2000, Ç. K. Koç and C. Paar, eds., Berlin, 2000, Springer-Verlag, pp. 340–354. Lecture Notes in Computer Science Volume 1965. 405, 415Google Scholar
- A. Slakmon, Sur des méthodes et algorithmes de factorisation et leur application en cryptologie, Master’s thesis, Université de Montréal, dépt. IRO, 2000. 406Google Scholar
- S. Vaudenay, Private e-mail communication., 2 may 2001. 411Google Scholar
- —,Kleptography: Using cryptography against cryptography, in Advances in Cryptology-EuroCrypt’ 97, W. Fumy, ed., Berlin, 1997, Springer-Verlag, pp. 62–74. Lecture Notes in Computer Science Volume 1233. 406Google Scholar