IEICE TRANS. FUNDAMENTALS, VOL.E92–A, NO.9 SEPTEMBER 2009
2326
PAPER
Simple Backdoors on RSA Modulus by Using RSA Vulnerability
Hung-Min SUN†, Mu-En WU††, Nonmembers, and Cheng-Ta YANG†††a), Member
SUMMARY This investigation proposes two methods for embedding backdoors in the RSA modulus N = pq rather than in the public exponent e. This strategy not only permits manufacturers to embed backdoors in an RSA system, but also allows users to choose any desired public exponent, such as e = 2^16 + 1, to ensure efficient encryption. This work utilizes a lattice attack and an exhaustive attack to embed backdoors in the two proposed methods, called RSA_SBLT and RSA_SBES, respectively. Both approaches involve straightforward steps, making their running time roughly the same as the normal RSA key-generation time, so that no one can detect the backdoor by observing a timing disparity.
key words: cryptography, RSA, backdoor, lattice reduction technique, exhaustive search
1. Introduction
RSA [19] is a conventionally employed public key cryptosystem worldwide, but it is not necessarily trustworthy in cryptographic devices. In general, a cryptographic device remains a black-box, so users are obliged to trust the internal design of the device and have no access to it in order to verify the authenticity and integrity of the software. However, a cryptographic device may contain a backdoor mechanism through which a user's key information is leaked to the manufacturer of the cryptographic device. The backdoor mechanism gives the manufacturer the exclusive ability to obtain the leaked secret information. It can also be employed in the design of "Auto-Escrowing Key" systems [23]. A key escrow system [2], [7], [9], [16] is a system in which third-party agencies, including law enforcement agencies, hold backdoor keys in order to read encrypted messages. The backdoor keys are escrowed among two or more agencies. The key escrow agencies can combine their shares of the backdoor keys and then compute the private key via some protocol which is embedded in the black-box and known to reverse-engineers. Thus, third-party agencies can recover the plaintext from the ciphertext when they want to examine some suspicious communication. Applying the backdoor mechanisms to key escrow systems has many advantages: it involves no lengthy communication between users and escrow agents, it allows users to generate their own keys at any time, and it keeps the private keys secret even when the device is reverse-engineered.

Anderson (1993) [1] proposed an RSA trapdoor in which p and q are generated according to a specific formula. The manufacturer, holding a secret constant adopted in the formula, can factor the RSA modulus N and break the system. However, his scheme was proven insecure by Kaliski [15], since anyone can detect the existence of the trapdoor using lattice reduction techniques. This was the first method to embed a backdoor in the structure of p and q. Young and Yung (1996) [23] presented a mechanism called "SETUP" (Secretly Embedded Trapdoor with Universal Protection) which enables a manufacturer to obtain a user's secret from some stage of the output process of the device without being noticed, yet protects against attacks by others. A SETUP gives the manufacturer an advantage over a true attacker in obtaining the user's secret, where "a true attacker" denotes an attacker who is not a reverse-engineer and wants to break the system. Young and Yung have proposed various backdoors for RSA key generation since 1996 [23]–[26]. In their methods, the manufacturer owns a public and secret key pair of some public-key cryptosystem, such as RSA, ElGamal, Rabin, or ECDDH. The manufacturer's public key is used to encrypt the information from which p is generated, and the encrypted information is embedded in the modulus N. Therefore, the manufacturer can easily derive p and recover the user's private key by decrypting the information embedded in the modulus N. Young and Yung's backdoor mechanisms [24]–[26] allow no one except the manufacturer to determine whether a given key is a SETUP key in polynomial time, even if the device is reverse-engineered. A subclass of SETUP mechanisms is further called Strong-SETUP.

Manuscript received January 13, 2009.
Manuscript revised April 26, 2009.
† The author is with National Tsing Hua University, Hsinchu, Taiwan, 30013, ROC.
†† The author is with the Institute of Information Science, Academia Sinica, Taiwan, ROC.
††† The author is with Southern Taiwan University, Tainan, Taiwan 710, ROC.
a) E-mail: [email protected]
DOI: 10.1587/transfun.E92.A.2326
Copyright © 2009 The Institute of Electronics, Information and Communication Engineers

However, a drawback of Young and Yung's systems is that the running time does not match the standard RSA key-generation time. To alleviate this disadvantage, Crépeau and Slakmon [8] developed four symmetric simple backdoor schemes, namely RSA-HSD_β, RSA-HSPE_β, RSA-HSE_β and RSA-HP_β. A specific RSA attack [3]–[5], [18], [22] is employed for each approach, and all the information required to mount the attack is permuted using the manufacturer's secret key and then embedded in the public key e or N. Because these four schemes do not involve complicated steps, their running times are roughly equivalent to the normal RSA key-generation time. However, only a limited range of e can be generated in the first three schemes. This limitation of e is impractical, because e = 2^16 + 1 is usually selected in the RSA cryptosystem. In the fourth scheme (RSA-HP_β), the backdoor is embedded in the structure of the primes p and q, so one can choose the desired public exponent. However, a concern is whether the primes p and q are distributed uniformly enough under their key-generation algorithm. In fact, up to now there has been no security proof of their schemes. Consequently, our proposed methods do not apply this strategy, but instead embed the backdoor in the relation of a hidden RSA system. Thus, the primes p and q in our proposed schemes are uniformly distributed.

This work provides two new methodologies for building backdoor mechanisms. The proposed methods, like Crépeau and Slakmon's schemes, do not involve complicated steps, making their running time close to the normal RSA key-generation time. However, unlike the first three of Crépeau and Slakmon's schemes, these backdoors are embedded in N, not in e. The two proposed methods, called RSA_SBLT and RSA_SBES, are based on the lattice attack on small CRT-exponent RSA and on the exhaustive search attack, respectively. Note that both proposed backdoor schemes are symmetric backdoors, of the same type as Crépeau and Slakmon's simple backdoor schemes [8]. A symmetric backdoor is intended for a black-box that is tamper-proof: one may assume that if the black-box is tampered with, users will become aware of the attacker. The other type of backdoor is the asymmetric backdoor, intended for a black-box that is only tamper-resistant. The best-known asymmetric backdoors are the SETUP mechanisms proposed by A. Young and M. Yung [23]–[26].
However, we do not consider this type (asymmetric backdoor) in this paper. Also, in [26] Young and Yung proposed a SETUP mechanism which is timing-resistant. Since our proposed schemes are "simple," meaning that the normal RSA system and our proposed schemes cannot be distinguished by their key-generation time, we do not consider this issue in the paper. However, we do provide a comparison of key-generation times to show how "simple" our schemes are.

The remainder of this paper is organized as follows. Section 2 explains the notations used in this paper and briefly reviews rebalanced RSA. Section 3 describes the lattice-based attack against small CRT-exponent RSA and the exhaustive search attack on small-k RSA, which are applied to construct the proposed backdoor mechanisms. Section 4 presents two novel methods for embedding the backdoor in RSA key generation. Section 5 depicts the experimental results of the key sets generated by the proposed methods. Finally, the paper is concluded in Sect. 6.

2. Preliminaries

This section explains the notations used in the paper and briefly reviews RSA-CRT, which will be employed to construct the first proposed backdoor mechanism for RSA key generation.

2.1 Description of Notations

The following notations are used throughout this paper.
• N: The RSA modulus satisfying N = pq, where p and q are 512-bit primes.
• E_β: The secret kept by the manufacturer in RSA_SBLT and RSA_SBES.
• K_β: The parameter used in RSA_SBES.
• n, n_e, n_E, n_K: The bit-lengths of N, e, E_β, and K_β respectively.
• n_crt: The bit-length of the CRT-exponent d_p (or d_q).
• m: The security parameter. (m is often set to 40 since an exhaustive search over 2^40 values is feasible.)

2.2 CRT-Decryption and Rebalanced RSA

Quisquater and Couvreur [17] took advantage of the Chinese Remainder Theorem (CRT) [14] to speed up RSA decryption. This technique is called CRT-decryption. In CRT-decryption, two half-sized modular exponentiations are required. The first modular exponentiation gives the result C_p ≡ C^{d_p} (mod p), where d_p ≡ d (mod p − 1); the second gives the result C_q ≡ C^{d_q} (mod q), where d_q ≡ d (mod q − 1). These two results can easily be combined via the CRT to obtain the final result M ≡ C^d (mod N). Since the lengths of the moduli (p and q) in CRT-decryption are half the length of N, this approach, called RSA-CRT, decrypts about 4 times faster than the standard RSA system (d ≈ N). For the details of CRT-decryption, refer to [21]. Moreover, one can further reduce the decryption time by carefully choosing d so that both d_p and d_q are small. This approach was suggested by Wiener [22] and is called Rebalanced RSA. In the key generation phase, one first selects two small CRT-exponents d_p and d_q, which are combined via the CRT to obtain the secret exponent d satisfying d_p ≡ d (mod p − 1) and d_q ≡ d (mod q − 1). Note that d_p and d_q are usually set to the smallest possible size, 160 bits, to resist the currently best factoring algorithm, whose complexity is O(min{√d_p log d_p, √d_q log d_q}).
Since the decryption time depends on the bit-size of d_p and d_q, not on the bit-size of d, the decryption of Rebalanced RSA is the most efficient among all RSA variants.
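Rebalanced RSA key generation and CRT-decryption as just described, written out as an added example (this is not the paper's code). Toy 16-bit primes stand in for the 512-bit primes and 12-bit CRT-exponents for the 160-bit ones; the generalised CRT step is needed because p − 1 and q − 1 are both even.

```python
# Added example, not from the paper: Rebalanced RSA (Wiener) key generation with
# small CRT-exponents d_p, d_q and Quisquater-Couvreur CRT-decryption (Sect. 2.2).
# Toy-sized numbers; the paper assumes 512-bit p, q and 160-bit d_p, d_q.
from math import gcd
import random


def rebalanced_keygen(p, q, ncrt, seed=1):
    """Choose ncrt-bit odd d_p, d_q with gcd(d_p, p-1) = gcd(d_q, q-1) = 1 and
    combine them into d with d = d_p (mod p-1) and d = d_q (mod q-1).
    Returns (N, e, d, d_p, d_q); e then ends up as large as lcm(p-1, q-1)."""
    rng = random.Random(seed)
    g = gcd(p - 1, q - 1)  # p-1 and q-1 are both even, so g >= 2
    while True:
        d_p = rng.getrandbits(ncrt) | 1
        d_q = rng.getrandbits(ncrt) | 1
        # the two congruences are solvable only if d_p = d_q (mod g)
        if (gcd(d_p, p - 1) == 1 and gcd(d_q, q - 1) == 1
                and (d_p - d_q) % g == 0):
            break
    # generalised CRT: d = d_p + (p-1)*t, where (p-1)*t = d_q - d_p (mod q-1)
    mod = (q - 1) // g
    t = ((d_q - d_p) // g) * pow((p - 1) // g, -1, mod) % mod
    lam = (p - 1) * (q - 1) // g  # lcm(p-1, q-1)
    d = (d_p + (p - 1) * t) % lam
    e = pow(d, -1, lam)  # e*d = 1 (mod p-1) and (mod q-1)
    return p * q, e, d, d_p, d_q


def crt_decrypt(C, p, q, d_p, d_q):
    """Two half-size exponentiations, recombined by Garner's formula."""
    C_p = pow(C, d_p, p)
    C_q = pow(C, d_q, q)
    h = (C_q - C_p) * pow(p, -1, q) % q
    return C_p + p * h


if __name__ == "__main__":
    N, e, d, d_p, d_q = rebalanced_keygen(65537, 65521, ncrt=12)
    M = 123456789
    C = pow(M, e, N)
    assert crt_decrypt(C, 65537, 65521, d_p, d_q) == M == pow(C, d, N)
    print("bits of d_p, d_q, e:", d_p.bit_length(), d_q.bit_length(), e.bit_length())
```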
3. Previous Attacks on RSA
This section describes two attacks on RSA which will be used later for devising our two backdoor mechanisms. One is the lattice-based attack proposed by Coppersmith [6]; lattice techniques are commonly applied to break small-exponent RSA [21]. The other is the exhaustive search attack, employed to break RSA when k is smaller than 2^40 in the RSA equation ed = k(p − 1)(q − 1) + 1. We first describe the main theorem employed in the lattice-based attack.

Theorem 1: (Trivariate Linear Modular Equation [11]) Consider a trivariate linear modular polynomial f(x, y, z) (mod M), where M and at least one non-constant coefficient of f are relatively prime. We can find three linearly independent polynomials f_i(x, y, z) for i = 1, 2, 3 such that the root (x_0, y_0, z_0) of f(x, y, z) (mod M) is also a root of each f_i(x, y, z) (mod M). Also, if |x_0| < X, |y_0| < Y, |z_0| < Z and XYZ < M, then (x_0, y_0, z_0) is also a root of each of the three polynomials over the integers. Furthermore, if f_1, f_2, and f_3 are also algebraically independent, then we can compute (x_0, y_0, z_0).

We omit the proof of Theorem 1 and refer the reader to [11]. From the CRT-key equations, we have ed_p − 1 + k_p = k_p p and ed_q − 1 + k_q = k_q q. Multiplying these two equations together yields

e^2 d_p d_q + e[d_p(k_q − 1) + d_q(k_p − 1)] − k_p k_q(N − 1) − k_p − k_q + 1 = 0   (1)

Set the modular equation f(x, y, z) = ex − (N − 1)y + z (mod e^2). In particular, we are looking for (x_0, y_0, z_0) = (d_p(k_q − 1) + d_q(k_p − 1), k_p k_q, −k_p − k_q + 1). Applying Theorem 1 to equation (1), we deduce some insecure relationships between the RSA key lengths, which we summarize in Case 1. For more details, see [21].

Case 1: (for small CRT-exponent RSA) If the key lengths satisfy the following inequalities, small CRT-exponent RSA can be broken with the lattice-based attack. Note that m is set to 40 so that the exhaustive search is feasible.

5n_crt + 2n_e < 2n + m
6n_crt + 3n_e < 5n/2 + m

The first inequality, 5n_crt + 2n_e < 2n + m, is derived by applying Theorem 1 to equation (1) with the modulus M set to e^2. Similarly, the second inequality is derived by setting the modulus M to N. The bounds of the above two inequalities are both close to the results of Jochemsz and May [12], published at Crypto 2007.
Moreover, we also introduce a simple attack on RSA which focuses on small k. For details, refer to [20].

Case 2: (for small-k RSA) Generally, the bit-length of d is as long as that of k. However, there still exist some RSA variants with "small k" but "larger d," such as the RSA variant in [20]. Such an RSA variant is what we use to devise our backdoor RSA_SBES. Considering the RSA equation ed = k(N + 1 − (p + q)) + 1, we get the equation:

(p + q) ≡ N + 1 + k^{−1} (mod e)   (2)

The unknown parameter on the right side of (2) is k. Hence, as long as the following two conditions are satisfied, we can break the RSA cryptosystem.
1. k is small enough that an exhaustive search can be mounted to try all its possible values.
2. The bit length of (p + q) is smaller than or equal to the bit length of e.
Under these two conditions, since p + q < e or p + q ≈ e, the value p + q can be computed exactly as (N + 1 + k^{−1} mod e) + je, where j is small and can be tried exhaustively. Moreover, since k is small enough, we can try all possible values of k to compute all possible values of (p + q). By checking whether α^{N+1−(p+q)} ≡ 1 (mod N) for a random α, we can find the correct value of (p + q) and break the system. Considering today's computational ability, we can exhaustively search a number whose bit-length is at most 40. Thus we suggest that the parameter k used in our backdoor mechanism should not be larger than 2^40.
4. The Proposed Simple RSA Backdoors
Based on the two attack techniques introduced in the previous section, we devise two simple RSA backdoor cryptosystems. One is RSA_SBLT (Simple Backdoor based on Lattice Technique), and the other is RSA_SBES (Simple Backdoor based on Exhaustive Search). Both embed the backdoor in the RSA modulus N, so the choice of the public exponent e is not restricted. Our security goal is that users cannot distinguish whether a backdoor is embedded in the cryptosystem or not; thus, from the users' viewpoint, the system behaves like a normal cryptosystem. As for the manufacturer, knowledge of the embedded backdoor is sufficient to break the system. Moreover, we also show that the two schemes have roughly the same running time as normal RSA key generation.

Before introducing the two backdoor schemes, we first give a lemma which will be used in the key generation algorithms of RSA_SBLT and RSA_SBES.

Lemma 2: Let a and b be two relatively prime integers (i.e., gcd(a, b) = 1). For every integer h there exists a unique pair of integers (u_h, v_h) satisfying au_h − bv_h = 1, where (h − 1)b < u_h < hb and (h − 1)a < v_h < ha.

Note that in Lemma 2 we can use the extended Euclidean algorithm [14] to compute two integers x and y satisfying ax − by = 1. Then, by setting u_h = x + tb and v_h = y + ta, where t is any integer, u_h and v_h can be increased (or decreased) to the desired sizes. For example, in Lemma 2 we can choose t = h − ⌈x/b⌉ (or t = h − ⌈y/a⌉) to satisfy (h − 1)b < u_h < hb and (h − 1)a < v_h < ha.

4.1 Simple Backdoor Based on Lattice Technique (RSA_SBLT)

According to the lattice-based attacks on small CRT-exponent RSA shown in Case 1 of Sect. 3, there are two insecure relationships among the key lengths. Letting n_e = n/2, we rewrite the relationships as follows: (1) 5n_crt < n + m; (2) 6n_crt < n + m. Consequently, we simplify the two inequalities to n_crt
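Returning to Lemma 2 of Sect. 4 above, the following is an added example (not the paper's code) of the construction described there: the extended Euclidean algorithm gives one solution (x, y) of ax − by = 1, and the shift t = h − ⌈x/b⌉ moves it into the interval the lemma names. The function names and the sample values are assumptions of the example; it also verifies the interval bounds for both u_h and v_h, which hold whenever a, b > 1.

```python
# Added example (not the paper's code): the construction of Lemma 2 in Sect. 4.
# From any solution (x, y) of a*x - b*y = 1 found by the extended Euclidean
# algorithm, the shift t = h - ceil(x/b) puts u_h = x + t*b into ((h-1)b, hb)
# and v_h = y + t*a into ((h-1)a, ha); the pair is unique for a, b > 1.
def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0


def lemma2_pair(a, b, h):
    """Unique (u_h, v_h) with a*u_h - b*v_h = 1, (h-1)*b < u_h < h*b
    and (h-1)*a < v_h < h*a."""
    g, x, y = egcd(a, b)
    if g != 1 or min(a, b) < 2:
        raise ValueError("a and b must be coprime and larger than 1")
    y = -y                      # now a*x - b*y = 1
    t = h - (-(-x // b))        # -(-x // b) == ceil(x / b) for b > 0
    u, v = x + t * b, y + t * a
    assert a * u - b * v == 1
    assert (h - 1) * b < u < h * b and (h - 1) * a < v < h * a
    return u, v


if __name__ == "__main__":
    print(lemma2_pair(7, 5, 1))     # (3, 4)
    print(lemma2_pair(7, 5, 3))     # (13, 18)
    print(lemma2_pair(65537, 65520, 2**20))
```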