
A Timing-Resistant Elliptic Curve Backdoor in RSA

  • Conference paper
Information Security and Cryptology (Inscrypt 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4990)


Abstract

We present a fast algorithm for finding pairs of backdoor RSA primes (p,q) given a security parameter. Such pairs possess an asymmetric backdoor that gives the designer the exclusive ability to factor n = pq, even when the key generation algorithm is public. Our algorithm uses a pair of twisted curves over \(GF(2^{257})\) and we present the first incremental search method to generate such primes. The search causes the \(\frac{1}{2}\log(n) + O(\log(\log(n)))\) least significant bits of n to be modified during key generation after p is selected and before q is determined. However, we show that this is tolerable by using point compression and ECDH. We also present the first rigorous experimental benchmarks of an RSA asymmetric backdoor and show that our OpenSSL-based implementation outperforms OpenSSL RSA key generation. Our application is highly efficient key recovery. Of independent interest, we motivate the need to find large binary twists. We present the twist we generated and how we found it.




Editor information

Dingyi Pei, Moti Yung, Dongdai Lin, Chuankun Wu


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg


Cite this paper

Young, A.L., Yung, M. (2008). A Timing-Resistant Elliptic Curve Backdoor in RSA. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds) Information Security and Cryptology. Inscrypt 2007. Lecture Notes in Computer Science, vol 4990. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79499-8_33


  • DOI: https://doi.org/10.1007/978-3-540-79499-8_33

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-79498-1

  • Online ISBN: 978-3-540-79499-8

  • eBook Packages: Computer Science (R0)
