
    Generating RSA moduli with a predetermined portion

    This paper reviews and generalizes a method to generate RSA moduli with a predetermined portion. The potential advantages of the resulting methods are discussed. Both the storage and the computational requirements of the RSA cryptosystem can be considerably reduced. The constructions are as efficient as generation of regular RSA moduli, and the resulting moduli do not seem to offer less security than regular RSA modul

    Elementary Attestation of Cryptographically Useful Composite Moduli

    This paper describes a non-interactive process allowing a prover to convince a verifier that a modulus n is the product of two primes (p, q) of about the same size. A further heuristic argument conjectures that p-1 and q-1 have sufficiently large prime factors for cryptographic applications. The new protocol relies upon elementary number-theoretic properties and can be implemented efficiently using very few operations. This contrasts with state-of-the-art zero-knowledge protocols for RSA modulus proper generation assessment. The heuristic argument at the end of our construction calls for further cryptanalysis by the community and is, as such, an interesting research question in its own right

    Twin RSA

    We introduce Twin RSA, pairs of RSA moduli (n, n+2), and formulate several questions related to it. Our main questions are: is Twin RSA secure, and what is it good for? © Springer-Verlag Berlin Heidelberg 2005

    Simple backdoors to RSA key generation

    We present extremely simple ways of embedding a backdoor in the key generation scheme of RSA. Three of our schemes generate two genuinely random primes p and q of a given size, to obtain their public product n = pq. However, they generate private/public exponent pairs (d, e) in such a way that appears very random while allowing the author of the scheme to easily factor n given only the public information (n, e). Our last scheme, similar to the PAP method of Young and Yung, but more secure, works for any public exponent e such as 3, 17, 65537 by revealing the factorization of n in its own representation. This suggests that nobody should rely on RSA key generation schemes provided by a third party

    On the possibility of constructing meaningful hash collisions for public keys

    It is sometimes argued that finding meaningful hash collisions might prove difficult. We show that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed by Wang et al. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. We are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results. For instance, we show how to construct two different X.509 certificates that contain identical signatures. © Springer-Verlag Berlin Heidelberg 2005

    Speeding-Up Elliptic Curve Cryptography Algorithms

    During the last decades there has been an increasing interest in Elliptic curve cryptography (ECC) and, especially, the Elliptic Curve Digital Signature Algorithm (ECDSA) in practice. The rather recent developments of emergent technologies, such as blockchain and the Internet of Things (IoT), have motivated researchers and developers to construct new cryptographic hardware accelerators for ECDSA. Different types of optimizations (either platform dependent or algorithmic) were presented in the literature. In this context, we turn our attention to ECC and propose a new method for generating ECDSA moduli with a predetermined portion that allows one to double the speed of Barrett's algorithm. Moreover, we take advantage of the advancements in the Artificial Intelligence (AI) field and bring forward an AI-based approach that enhances Schoof's algorithm for finding the number of points on an elliptic curve in terms of implementation efficiency. Our results represent algorithmic speed-ups exceeding the current paradigm as we are also preoccupied by other particular security environments meeting the needs of governmental organizations

    Kleptographic (algorithmic) backdoors in the RSA key generator

    The main types of algorithmic backdoors are reviewed. A method is presented for constructing asymmetric kleptographic backdoors in the RSA key generator that allows the holder of the backdoor key (the developer or an authorized intelligence agency) to gain access to a user key generated by the infected algorithm. Theorems illustrating the operability of the described algorithms are formulated, and the computational complexity of these algorithms is estimated. The resistance of the constructed backdoors to certain classes of attacks is demonstrated, even under the assumption that the adversary knows the methods used and has access to the source code of the key generator

    On the Possibility of a Backdoor in the Micali-Schnorr Generator

    In this paper, we study both the implications and potential impact of backdoored parameters for two RSA-based pseudorandom number generators: the ISO-standardized Micali-Schnorr generator and a closely related design, the RSA PRG. We observe, contrary to common understanding, that the security of the Micali-Schnorr PRG is not tightly bound to the difficulty of inverting RSA. We show that the Micali-Schnorr construction remains secure even if one replaces RSA with a publicly evaluatable PRG, or a function modeled as an efficiently invertible random permutation. This implies that any cryptographic backdoor must somehow exploit the algebraic structure of RSA, rather than an attacker's ability to invert RSA or the presence of secret keys. We exhibit two such backdoors in related constructions: a family of exploitable parameters for the RSA PRG, and a second vulnerable construction for a finite-field variant of Micali-Schnorr. We also observe that the parameters allowed by the ISO standard are incompletely specified, and allow insecure choices of exponent. Several of our backdoor constructions make use of lattice techniques, in particular multivariate versions of Coppersmith's method for finding small solutions to polynomials modulo integers