Simple Backdoors for RSA Key Generation

1
Simple Backdoors for RSA Key Generation

• Scott Dial

2
Overview

• Some Necessary Theorems
• The Scenario
• Four Methods
• Conclusions

3
Important Notation

• n represents the magnitude of n in bits
• 240 11110000b 8
• nm represents the concatenation of n and m in
  there respective order
• 10110101 10110101
• n?m represents the m MSBs of n
• n?m represent the m LSBs of n

4
Wieners Method

• Suppose we are given (n, e), and d lt 4v(n)/3,
  then we can compute the whole of d and factor n
  in poly(n).
• Loosely d lt n/4

5
Coppersmiths Method

• Suppose we are given (n, e) and n/4 bits of p,
  then we can factor n in poly(n).

6
Theorem 1 Boneh

• Let t be an integer in the rangen/4, ...,
  n/2 and e be a prime in the range 2t, ,
  2t1. Suppose we are given (n, e), and the t
  most significant bits of d. Then we can compute
  the whole of d and factor n in time poly(n).

7
Theorem 2 Boneh

• Let t be an integer in the range1, , n/2
  and e be an integer in the range 2t, , 2t1.
  Suppose we are given (n, e), the t most
  significant bits of d, and the n/4 least
  significant bits of d. Then we can factor n in
  time poly(n).

8
Theorem 3 Slakmon

• Let t be an integer in the range1, , n -
  F(n) and d be an integer in the range 1, ,
  2n - F(n) - t/2. Suppose we are given (n, e),
  and the n - F(n) - t most significant bits of n
  - F(n). Then we can factor n in time poly(n).

9
The Scenario (Users)

• A Black-Box
• No Knowledge of The Generation
• Produces tuples (p, q, e, d)
• The Challenge
• Distinguish Good Keys From Bad Keys
• External Analysis Only

10
The Scenario (Creators)

• Generate RSA tuples (p, q, e, d)
• Through (n, e) volunteer enough information to
  apply partial knowledge factoring on n
• Create a backdoor discretely
• Indistinguishable subliminal channel

11
A Backdoor

• Let ß be a backdoor key
• Let pß be a permutation of odd integers smaller
  than n to themselves
• Several Choices
• Advantages/Disadvantages

12
The RSA Algorithm

• 1 Generate random primes p and q,n pq, a k
  bit integer.
• 2 Generate a random odd e such thate lt k
• 3 Goto 2 until gcd(e, F(n)) 1
• 4 Compute d e-1 mod F(n)
• 5 Return (p, q, d, e)

13
Algorithm 1 (RSA-HSDß)

• 1 Generate random primes p and q,n pq, a k
  bit integer
• 2 Generate a random odd d such that gcd(d, F(n))
  1 and d lt k/4
• 3 Compute e d-1 mod F(n), e pß(e)
• 4 Goto 2 until gcd(e, F(n)) 1
• 5 Compute d e-1 mod F(n)
• 6 Return (p, q, d, e)

14
Attack 1 (RSA-HSDß)

• 1 Given (n, e), compute e pß-1(e)
• 2 Compute d from (n, e) using Wieners low
  exponent attack
• 3 Given (e, d) factor n as p, q
• 4 Return (p, q)

15
Algorithm 2 (RSA-HSPEß)

• 1 Generate random primes p and q,n pq, a k
  bit integer.
• 2 Generate a random prime e such that gcd(e,
  F(n)) 1 and e k/4
• 3 Compute d e-1 mod F(n),dH d?k/4, e
  pß(dHe)
• 4 Goto 2 until gcd(e, F(n)) 1
• 5 Compute d e-1 mod F(n)
• 6 return (p, q, d, e)

16
Attack 2 (RSA-HSPEß)

• 1 Given (n, e), compute (dHe) pß-1(e)
• 2 Compute d from (n, dH, e) using BDF low public
  prime exponent attack (Theorem 1) with partial
  knowledge of private exponent.
• 3 Given (e, d) factor n as p,q.
• 4 return (p, q)

17
Algorithm 3 (RSA-HSEß)

• 1 Generate random primes p and q,n pq, a k
  bit integer
• 2 Generate a random e such thatgcd(e, F(n)) 1
  and e t
• 3 Compute d e-1 mod F(n), dH d?t, dL
  d?k/4, e pß(dHdLe)
• 4 Goto 2 until gcd(e, F(n)) 1
• 5 Compute d e-1 mod F(n)
• 6 Return (p, q, d, e)

18
Attack 3 (RSA-HSEß)

• 1 Given (n, e), compute(dHdLe) pß-1(e)
• 2 Compute d from (n, dH, dL, e) using BDF low
  public exponent attack (Theorem 2) with partial
  knowledge of private exponent.
• 3 Given (e, d) factor n as p, q
• 4 Return (p, q)

19
Choice of pß

• pß(x) x ? (2ß)?x
• pß(x) DESß(x)
• pß(x) AESß(x)
• pß(x) x-1 mod ß
• pß(x) (x 2ß) mod (n 1)
• pß(x) ((2a 1)x 2ß) mod (n 1 - 2m)

20
Some Problems

• Relies on choosing specific exponents from
  specific subsets.
• Restrictive forced subsets foil easily
• S d gcd(d, F(n)) 1 and d (xx)
• Indistinguishability

21
Algorithm 4 (RSA-HPß(e))

• 1 Pick a random prime p of appropriate size,
  such that gcd(e, p - 1) 1
• 2 Pick a random odd q of appropriate size, set
  n pq, a k bit integer.
• 3 Compute t n?k/8, µ pß(p?k/4), and ?
  n?5k/8
• 4 Set n (tµ?) andq ?n/p? (1 ? 1)/2 so
  that it is odd
• 5 While gcd(e, q 1) gt 1 or q is composite do
• Pick a random even m such that m k/8,q q
  ? m and n pq
• 6 Compute d e-1 mod F(n)
• 7 Return (p, q, d, e)

22
Attack 4 (RSA-HPß)

• 1 Given n, computep?k/4 pß-1(n?3k/8?k/4)
• 2 Factor n as p,q using Coppersmiths partial
  information attack.
• 3 Return (p, q)

23
Problems And A New pß

• pß(x) x ? (2ß)?x
• (n ? n)?3k/8?k/4 (p ? p)?k/4
• pß(x) x-1 mod ß
• n?3k/8?k/4p?k/4 - 1 is a multiple of ß
• New Permutations
• pß,µ(x) (x ? (2µ)?x)-1 mod ß
• pß,µ(x) (x-1 mod ß) ? (2µ)?ß

24
Conclusions

• Potentially impossible to distinguish backdoored
  RSA key tuples
• Never trust key tuples provided to you
• The extra backdoor could potentially weaken the
  RSA key tuples

25
A Challenge

• http//crypto.cs.mcgill.ca/crepeau/RSA/
• RSA-HSE, pß(x) x ? ß
• Distinguish broken keys from real RSA keys
• Determine the backdoor key

26
References

• D. Boneh and G. Durfee, Cryptanalysis of rsa with
  private key d less than n0.292, Information
  Theory, IEEE Transactions on, 46 (2000), pp.
  1339-1349.
• C. Crépeau and A. Slakmon, Simple backdoors for
  RSA key generation, http//crypto.cs.mcgill.ca/cr
  epeau/PDF/CS02.pdf, 18 Oct 2002.
• D. Coppersmith, Finding a small root of a
  bivariate integer equation factoring with high
  bits known, in Advances in Cryptology - EuroCrypt
  '96, U. Maurer, ed., Berlin, 1996,
  Springer-Verlag, pp. 178-189. Lecture Notes in
  Computer Science Volume 1070.