A space efficient backdoor in RSA and its applications

Abstract

In this paper we present an RSA backdoor that, for example, can be used for a hardware-based RSA key recovery system. The system is robust in the sense that a successful reverse-engineer is not able to obtain previous nor future RSA private keys that have been/will be generated within the key generation device. The construction employs the notion of two elliptic curves in which one is the "twist" of the other. We present a proof in the random oracle model that the generated RSA key pairs that are produced by the cryptographic black-box are computationally indistinguishable (under ECDDH) from "normal" RSA key pairs, thus ensuring the integrity of the outputs. Furthermore, the security level of the key recovery mechanism is nearly identical to that of the key pair being generated. Thus, the solution provides an "equitable" level of security for the end user. This solution also gives a number of new kleptographic applications. © Springer-Verlag Berlin Heidelberg 2006.