Abstract
We present a fast algorithm for finding pairs of backdoor RSA primes (p, q) given a security parameter. Such pairs possess an asymmetric backdoor that gives the designer the exclusive ability to factor n = pq, even when the key generation algorithm is public. Our algorithm uses a pair of twisted curves over \(GF(2^{257})\), and we present the first incremental search method to generate such primes. The search causes the \(\frac{1}{2}\log(n) + O(\log(\log(n)))\) least significant bits of n to be modified during key generation, after p is selected and before q is determined. However, we show that this is tolerable by using point compression and ECDH. We also present the first rigorous experimental benchmarks of an RSA asymmetric backdoor and show that our OpenSSL-based implementation outperforms OpenSSL RSA key generation. Our application is highly efficient key recovery. Of independent interest, we motivate the need to find large binary twists. We present the twist we generated and how we found it.
© 2008 Springer-Verlag Berlin Heidelberg
Young, A.L., Yung, M. (2008). A Timing-Resistant Elliptic Curve Backdoor in RSA. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds) Information Security and Cryptology. Inscrypt 2007. Lecture Notes in Computer Science, vol 4990. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79499-8_33
DOI: https://doi.org/10.1007/978-3-540-79499-8_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79498-1
Online ISBN: 978-3-540-79499-8