Stefan Wüller
ABSTRACT
The manufacturer of an asymmetric backdoor for a public key cryptosystem manipulates the key generation process in such a way that he can extract the private key or other secret information from the user's public key by involving his own public/private key pair. All asymmetric backdoors in major public key cryptosystems including RSA differ substantially in their implementation approaches and in their quality in satisfying backdoor related properties like confidentiality and concealment. While some of them meet neither of these two properties very well, others provide a high level of confidentiality but none of them is concealing, which limits their use for covert implementation. In this paper we introduce two novel asymmetric RSA backdoors, both following the approach to embed bits of one of the RSA prime factors in the user's public RSA modulus. While our first backdoor provides confidentiality for a sufficiently large key length, it might be detected under certain circumstances. The second backdoor extends the first one such that it additionally provides concealment and is thus particularly suitable for covert implementation.
- D. Aggarwal and U. Maurer. Breaking RSA Generically is Equivalent to Factoring. In Advances in Cryptology - EUROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science, pages 36--53. Springer Berlin Heidelberg, 2009.Google Scholar
Digital Library
- R. J. Anderson. A Practical RSA Trapdoor. Journal of Electronics Letters, 29(11):995, 1993.Google ScholarCross Ref
- G. Arboit. Two Mathematical Security Aspects of the RSA Cryptosystem. PhD thesis, McGill University - School of Computer Science, 2008. Google ScholarDigital Library
- D. Coppersmith. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology, 10(4):233--260, 1997. Google ScholarDigital Library
- C. Crépeau and A. Slakmon. Simple Backdoors for RSA Key Generation. In Topics in Cryptology - CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 403--416. Springer Berlin Heidelberg, 2003. Google ScholarDigital Library
- M. Joye. RSA Moduli with a Predetermined Portion: Techniques and Applications. In Information Security Practice and Experience, volume 4991 of Lecture Notes in Computer Science, pages 116--130. Springer Berlin Heidelberg, 2008. Google ScholarDigital Library
- M. Joye, P. Paillier, and S. Vaudenay. Efficient Generation of Prime Numbers. In Cryptographic Hardware and Embedded Systems - CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages 340--354. Springer Berlin Heidelberg, 2000. Google ScholarDigital Library
- A. M. Legendre. Essai sur la Théorie des Nombres par A. M. Legendre. Paris, Duprat, 1808.Google Scholar
- A. May. Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring. In Advances in Cryptology - CRYPTO '04, volume 3152 of Lecture Notes in Computer Science, pages 213--219. Springer Berlin Heidelberg, 2004.Google Scholar
- M. O. Rabin. Digitalized Signatures and Public-Key Functions as Intracable as Factorization. Technical report, Massachusetts Institute of Technology, 1979. Google ScholarDigital Library
- The OpenSSL Project. OpenSSL: The Open Source Toolkit for SSL/TLS. www.openssl.org, April 2003.Google Scholar
- A. Young and M. Yung. The Dark Side of Black-Box Cryptography or: Should We Trust Capstone? In Advances in Cryptology - CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 89--103. Springer Berlin Heidelberg, 1996. Google ScholarDigital Library
- A. Young and M. Yung. Kleptography: Using Cryptography Against Cryptography. In Advances in Cryptology - EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 62--74. Springer Berlin Heidelberg, 1997. Google ScholarDigital Library
- A. Young and M. Yung. Malicious Cryptography: Kleptographic Aspects. In Topics in Cryptology - CT-RSA 2005, volume 3376 of Lecture Notes in Computer Science, pages 7--18. Springer Berlin Heidelberg, 2005. Google ScholarDigital Library
- A. Young and M. Yung. A Space Efficient Backdoor in RSA and Its Applications. In Selected Areas in Cryptography, volume 3897 of Lecture Notes in Computer Science, pages 128--143. Springer Berlin Heidelberg, 2006. Google ScholarDigital Library
- A. Young and M. Yung. A Timing-Resistant Elliptic Curve Backdoor in RSA. In Information Security and Cryptology, volume 4990 of Lecture Notes in Computer Science, pages 427--441. Springer Berlin Heidelberg, 2008. Google ScholarDigital Library
Index Terms
- Information Hiding in the RSA Modulus
Recommendations
RSA-OAEP Is Secure under the RSA Assumption
Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor ...
Efficient identity-based RSA multisignatures
A digital multisignature is a digital signature of a message generated by multiple signers with knowledge of multiple private keys. In this paper, an efficient RSA multisignature scheme based on Shamir's identity-based signature (IBS) scheme is ...
Identity-based ring signatures from RSA
Shamir proposed in 1984 the first identity-based signature scheme, whose security relies on the RSA problem. A similar scheme was proposed by Guillou and Quisquater in 1988. Formal security of these schemes was not argued and/or proved until many years ...
Comments