1993
DOI: 10.1049/el:19930929
|View full text |Cite
|
Sign up to set email alerts
|

Anderson's RSA trapdoor can be broken

Abstract: The RSA trapdoor proposed in Ross Anderson's recent letter can be broken. A recent letter by Ross Anderson 1] proposes a \trapdoor" in the RSA public-key cryptosystem 5] whereby a hardware device generates RSA primes

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1

Citation Types

0
5
0

Year Published

1995
1995
2023
2023

Publication Types

Select...
4
3
1

Relationship

0
8

Authors

Journals

citations
Cited by 11 publications
(5 citation statements)
references
References 2 publications
0
5
0
Order By: Relevance
“…Anderson (1993) proposed a back door in the generator of the 512 bit RSA key. The security of the leaking information throughout the hidden channel was estimated as weak because Kaliski (1993) proposed a method for breaking such kind of back door. Young and Yung (1996) introduced the concept of SETUP (secretly embedded trapdoor with universal protection) attacks.…”
Section: General Attacks On Rsamentioning
confidence: 99%
“…Anderson (1993) proposed a back door in the generator of the 512 bit RSA key. The security of the leaking information throughout the hidden channel was estimated as weak because Kaliski (1993) proposed a method for breaking such kind of back door. Young and Yung (1996) introduced the concept of SETUP (secretly embedded trapdoor with universal protection) attacks.…”
Section: General Attacks On Rsamentioning
confidence: 99%
“…For any vulnerable 2n-bit semi-prime N = pq, let t, t < β be (m/2)-bit random numbers that coprime with β, and let p = π β (t) • β + t and q = π β (t ) • β + t . Given N and β, it is possible to compute tt = N mod β, then factor the m-bit number tt , and finally compute p and q. Kaliski [26] proved that it is possible to discover the backdoor by either computing the continued fraction p/q, because the expansion likely contains an approximation of the fraction π β (t)/π β (t ), or by finding a reduced basis of a suitable lattice built on the primes of two vulnerable moduli. He also showed that the backdoor can be detected by the lattice method when 14 or more non-factored vulnerable moduli are available.…”
Section: Symmetric Backdoorsmentioning
confidence: 99%
“…The search interval for π 1 + ν 1 is[20, 110]. The search interval for π 2 + ν 2 is[26, 182]. Eventually, the brute force search phase yields the following candidates:…”
mentioning
confidence: 99%
“…For any vulnerable 2n-bit semi-prime N = pq, let t, t < √ β be (m/2)-bit random numbers coprime with β, and let p = π β (t) • β + t and q = π β (t ) • β + t . Given N and β, it is possible to compute tt = N mod β, then factor the m-bit number tt , and finally compute p and q. Kaliski [25] proves that it is possible to discover the backdoor by either computing the continued fraction p/q, because the expansion likely contains an approximation of the fraction π β (t)/π β (t ), or by finding a reduced basis of a suitable lattice built on the primes of two vulnerable moduli. He also shows that the backdoor can be detected by the lattice method when 14 or more non-factored vulnerable moduli are available.…”
Section: Symmetric Backdoorsmentioning
confidence: 99%