Simple Backdoors for RSA Key Generation

Scott Dial

Overview

  • Some Necessary Theorems
  • The Scenario
  • Four Methods
  • Conclusions

Important Notation

  • |n| represents the magnitude of n in bits: |240| = |11110000b| = 8
  • n:m represents the concatenation of n and m in their respective order: 1011:0101 = 10110101
  • n m represents the m MSBs of n
  • n m represents the m LSBs of n

Wiener’s Method

Suppose we are given (n, e), and d < ⁴√(n)/3, then we can compute the whole of d and factor n in poly(|n|). Loosely, |d| < |n|/4.

Coppersmith’s Method

Suppose we are given (n, e) and |n|/4 bits of p, then we can factor n in poly(|n|).

Theorem 1 [Boneh]

Let t be an integer in the range [|n|/4, ..., |n|/2] and e be a prime in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), and the t most significant bits of d. Then we can compute the whole of d and factor n in time poly(|n|).

Theorem 2 [Boneh]

Let t be an integer in the range [1, …, |n|/2] and e be an integer in the range [2^t, …, 2^(t+1)]. Suppose we are given (n, e), the t most significant bits of d, and the |n|/4 least significant bits of d. Then we can factor n in time poly(|n|).

Theorem 3 [Slakmon]

Let t be an integer in the range [1, …, |n - Φ(n)|] and d be an integer in the range [1, …, 2|n - Φ(n)| - t/2]. Suppose we are given (n, e), and the |n - Φ(n)| - t most significant bits of n - Φ(n). Then we can factor n in time poly(|n|).

The Scenario (Users)

  • A Black-Box
      • No Knowledge of The Generation
      • Produces tuples (p, q, e, d)
  • The Challenge
      • Distinguish Good Keys From Bad Keys
      • External Analysis Only

The Scenario (Creators)

  • Generate RSA tuples (p, q, e, d)
  • Through (n, e) volunteer enough information to apply partial knowledge factoring on n
  • Create a backdoor discreetly
  • Indistinguishable subliminal channel

A Backdoor

  • Let β be a backdoor key
  • Let π_β be a permutation of odd integers smaller than n to themselves
      • Several Choices
      • Advantages/Disadvantages

The RSA Algorithm

1: Generate random primes p and q, n := pq, a k bit integer.
2: Generate a random odd e such that |e| < k
3: Goto 2 until gcd(e, Φ(n)) = 1
4: Compute d := e^-1 mod Φ(n)
5: Return (p, q, d, e)

Algorithm 1 (RSA-HSD_β)

1: Generate random primes p and q, n := pq, a k bit integer
2: Generate a random odd δ such that gcd(δ, Φ(n)) = 1 and |δ| < k/4
3: Compute ε = δ^-1 mod Φ(n), e := π_β(ε)
4: Goto 2 until gcd(e, Φ(n)) = 1
5: Compute d := e^-1 mod Φ(n)
6: Return (p, q, d, e)

Attack 1 (RSA-HSD_β)

1: Given (n, e), compute ε = π_β^-1(e)
2: Compute δ from (n, ε) using Wiener’s low exponent attack
3: Given (ε, δ) factor n as p, q
4: Return (p, q)

Algorithm 2 (RSA-HSPE_β)

1: Generate random primes p and q, n := pq, a k bit integer.
2: Generate a random prime ε such that gcd(ε, Φ(n)) = 1 and |ε| = k/4
3: Compute δ := ε^-1 mod Φ(n), δ_H := δ k/4, e := π_β(δ_H:ε)
4: Goto 2 until gcd(ε, Φ(n)) = 1
5: Compute d := e^-1 mod Φ(n)
6: Return (p, q, d, e)

Attack 2 (RSA-HSPE_β)

1: Given (n, e), compute (δ_H:ε) := π_β^-1(e)
2: Compute δ from (n, δ_H, ε) using BDF low public prime exponent attack (Theorem 1) with partial knowledge of private exponent.
3: Given (ε, δ) factor n as p, q.
4: Return (p, q)

Algorithm 3 (RSA-HSE_β)

1: Generate random primes p and q, n := pq, a k bit integer
2: Generate a random ε such that gcd(ε, Φ(n)) = 1 and |ε| = t
3: Compute δ := ε^-1 mod Φ(n), δ_H := δ t, δ_L := δ k/4, e := π_β(δ_H:δ_L:ε)
4: Goto 2 until gcd(e, Φ(n)) = 1
5: Compute d := e^-1 mod Φ(n)
6: Return (p, q, d, e)

Attack 3 (RSA-HSE_β)

1: Given (n, e), compute (δ_H:δ_L:ε) := π_β^-1(e)
2: Compute δ from (n, δ_H, δ_L, ε) using BDF low public exponent attack (Theorem 2) with partial knowledge of private exponent.
3: Given (ε, δ) factor n as p, q
4: Return (p, q)

Choice of π_β

π_β(x) = x (2β) |x|

π_β(x) = DES_β(x)

π_β(x) = AES_β(x)

π_β(x) = x^-1 mod β

π_β(x) = (x + 2β) mod (n + 1)

π_β(x) = ((2α + 1)x + 2β) mod (n + 1 - 2m)

Some Problems

  • Relies on choosing specific exponents from specific subsets.
  • Restrictive forced subsets foil easily
      S = {d | gcd(d, Φ(n)) = 1 and d = (x:x)}

Indistinguishability

Algorithm 4 (RSA-HP_β(e))

1: Pick a random prime p of appropriate size, such that gcd(e, p - 1) = 1
2: Pick a random odd q' of appropriate size, set n' := pq', a k bit integer.
3: Compute τ := n' k/8, μ := π_β(p k/4), and λ := n' 5k/8
4: Set n := (τ:μ:λ) and q := n/p + (1 1)/2 so that it is odd
5: While gcd(e, q – 1) > 1 or q is composite do:
     Pick a random even m such that |m| = k/8, q := q m and n := pq
6: Compute d := e^-1 mod Φ(n)
7: Return (p, q, d, e)

Attack 4 (RSA-HP_β)

1: Given n, compute p k/4 := π_β^-1(n 3k/8 k/4)
2: Factor n as p, q using Coppersmith’s partial information attack.
3: Return (p, q)

Problems And A New π_β

π_β(x) = x (2β) |x|

(n' n) 3k/8 k/4 = (p' p) k/4

π_β(x) = x^-1 mod β

n 3k/8 k/4 p k/4 - 1 is a multiple of β

New Permutations

π_{β,μ}(x) = (x (2μ) |x|)^-1 mod β

π_{β,μ}(x) = (x^-1 mod β) (2μ) |β|

Conclusions

  • Potentially impossible to distinguish backdoored RSA key tuples
      • Never trust key tuples provided to you
  • The extra backdoor could potentially weaken the RSA key tuples

A Challenge

  • http://crypto.cs.mcgill.ca/~crepeau/RSA/
  • RSA-HSE, π_β(x) = x β
  • Distinguish broken keys from real RSA keys
  • Determine the backdoor key

References

D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than n^0.292, Information Theory, IEEE Transactions on, 46 (2000), pp. 1339-1349.

C. Crépeau and A. Slakmon, Simple backdoors for RSA key generation, http://crypto.cs.mcgill.ca/~crepeau/PDF/CS02.pdf, 18 Oct 2002.

D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Advances in Cryptology - EuroCrypt '96, U. Maurer, ed., Berlin, 1996, Springer-Verlag, pp. 178-189. Lecture Notes in Computer Science Volume 1070.