All content in this area was uploaded by Mahmoud M. Almazari on Jul 01, 2022
RSA Private Keys and the Presence of Weak Keys: An Evaluation
Mahmoud M. Almazari$^{a}$, Eyad S. Taqieddin$^{a}$, Ahmed S. Shatnawi$^{b}$ and Zakarea AlShara$^{b}$
$^{a}$ Department of Network Engineering and Security, Jordan University of Science and Technology, Irbid, 21110, Jordan.
$^{b}$ Department of Software Engineering, Jordan University of Science and Technology, Irbid, 21110, Jordan.
ARTICLE INFO
Keywords:
RSA Attacks
Two Private Keys
Universal RSA Key
RSA Factorization
Weak RSA Keys
RSA FIPS Conditions
ABSTRACT
Numerous applications that rely on asymmetric cryptography use the RSA algorithm. It can
be applied to digital signatures and the encryption of sensitive data. The secure storage of the
private key is essential for the algorithm’s strength. Finding ways to use factorization or other
heuristics to determine the value of the private key was the goal of several academic efforts.
The Euler totient or the Carmichael functions are both used in this study to analyze the private
key properties and demonstrate the existence of many private keys for the same public key. We
further demonstrate that a universal key that complies with the FIPS standard exists. Moreover,
by taking advantage of a condition imposed by FIPS recommendations, we present a new method
for attacking the RSA modulus (N). The attack is based on the value of the private key being
greater than $2^{n/2}$, with $n$ representing the modulus size.
1. Introduction
The RSA encryption algorithm was invented by Ron Rivest, Adi Shamir, and Len Adleman as an asymmetric
cipher to deliver privacy and authenticity of messages (Rivest, Shamir, and Adleman, 1978). It is widely used for
electronic payments, secure e-mail, and other web traffic requiring secure data transfer. The algorithm is based on
number theory at its core, with a straightforward procedure as listed below:
1. Two large prime numbers, $p$ and $q$, are chosen to compute the RSA modulus $N = p \cdot q$.
2. Compute the Euler totient function, which represents the order of the multiplicative group $Z_N^*$, as $\phi(n) = (p-1)\cdot(q-1)$.
3. Choose a value of $e$, the encryption exponent, that is relatively prime to $\phi(N)$ and use it to compute $d$, the
decryption exponent, such that $e \cdot d \equiv 1 \bmod \phi(N)$.
Note that any integer $d$ that is coprime with the Euler totient function and satisfies the condition $\frac{de-1}{\phi(n)} = k$, where $k$
is an integer, is considered a private key. The pair $(N, e)$ is used as the public key and the value of $d$ must be secretly
stored. To encrypt a message, $M$, we use the public key to compute the cipher message, $C$, as $C = M^{e} \bmod N$.
Decryption is done in reverse by computing $M = C^{d} \bmod N$. One possible attack against RSA is to factorize $N$
into $p$ and $q$ and then run the steps above. However, factorization itself was shown to run in exponential or sub-exponential
time. This paper covers multiple contributions. We first present an analysis of the private key and prove the existence
of more than just two keys as has been presented in (Ibrishimova, 2017), thereby demonstrating that this holds true
for both implementations of the Carmichael function and the Euler totient function. We also show that RSA has a
universal key as well as a set of weak keys. Finally, we present an attack to factor $N$ when specific conditions are
satisfied.
2. The First Set of Private Keys
Referring to (1), if we take $d_1$ as the private key for some $k_1 = \alpha$, we can find another private key, $d_2$, using a
second integer $k_2 = \alpha + e$ for some integer $e \in \mathbb{N}$. In other words, the second private key in the first set of the private
keys will be
$$d_2 = \frac{(\alpha + e)\cdot\phi(n) + 1}{e} \qquad (1)$$
∗Mahmoud M. Almazari
mmalmazari16@cit.just.edu.jo (M.M. Almazari); eyadtaq@just.edu.jo (E.S. Taqieddin); ahmedshatnawi@just.edu.jo
(A.S. Shatnawi); zmalshara@just.edu.jo (Z. AlShara)
Mahmoud M. Almazari et al. Page 1 of 7
Evaluation of Weak RSA Private Keys
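Corollary 2.0.1. The first set of the private keys, denoted as $d_x$, for a given public key $(n, e)$, is:
$$d_x = \frac{(\alpha + X\cdot e)\cdot\phi(n) + 1}{e} \qquad (2)$$
Proof:
$$d_x = \frac{\alpha\cdot\phi(n) + X\cdot e\cdot\phi(n) + 1}{e} = \frac{X\cdot e\cdot\phi(n)}{e} + \frac{\alpha\cdot\phi(n) + 1}{e} = \frac{X\cdot\phi(n)}{1} + \frac{\alpha\cdot\phi(n) + 1}{e}$$
The second part of the sum is $d_1$, thus $d_x = X\cdot\phi(n) + d_1, \forall X \in \mathbb{N}$. Accordingly, the distance between any two
successive keys in the first set is $\phi(n)$. Next, we show that the key $d_X$ is a valid key that can be used to decrypt the
ciphertext $C$ to yield the plaintext ($M$).
$$\begin{aligned}
& C^{d_X} \bmod N \\
&= C^{(X\cdot\phi(n) + d_1)} \bmod N \\
&= ((C^{X\cdot\phi(n)} \bmod N) * (C^{d_1} \bmod N)) \bmod N \\
&= ((1) * (C^{d_1} \bmod N)) \bmod N = M
\end{aligned}$$
According to Euler's Theorem, the first term in the multiplication reduces to 1. Note that $(C^{d_1} \bmod N)$ yields $M$,
according to the RSA algorithm presented in Section 1.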
3. The Existence of A Second Set of Private Keys
The Carmichael function, as opposed to the Euler totient function, is used in present-day implementations of the
PKCS#1 standard. The Carmichael function allows for the generation of a private key that is both unique and of the
shortest possible size. In this section, we demonstrate the impact of the Carmichael function and the conditions in
which a second private key that is not part of the first set of private keys will exist. In addition, we’ll talk about the
conditions under which a second private key will exist.
Theorem 3.1. Euler's totient theorem states that if $\gcd(n, a) = 1$ and $n$ and $a$ are positive integers, then $a^{\phi(n)} \equiv 1 \pmod{n}$.
Also, using the reduced totient function (Carmichael function), $a^{\lambda(n)} \equiv 1 \pmod{n}$.
Theorem 3.2. The unique factorization theorem states that every positive integer ($n \geq 2$) can be represented in exactly
and only one way as a product of prime powers:
$$n = \prod_{i=1}^{k} p_i^{n_i}$$
where $p_1 < p_2 < \cdots < p_k$ are primes and the $n_i$ are positive integers.
Referring to 3.2, $\lambda(n) = \alpha_1^{\beta_1} \times \alpha_2^{\beta_2} \times \alpha_3^{\beta_3} \times \cdots$. Let $\delta$ be an integer such that $\delta = \gamma_1^{\nu_1} \times \gamma_2^{\nu_2} \times \gamma_3^{\nu_3} \cdots$, where $\gamma_x$ could
be equal to $\alpha_x$. Then
$$a^{\delta\cdot\lambda(n)} \equiv 1 \pmod{n}$$
$$(a^{\lambda(n)} \bmod n)^{\delta} = 1^{\delta} = 1$$
The Carmichael function is equal to the least common multiple of $(p-1)$ and $(q-1)$. Because $p$ and
$q$ are odd numbers, one of the common factors of $p-1$ and $q-1$ is 2 (i.e. $\gcd(p-1, q-1) \geq 2$, and $\delta \geq 2$).
As a consequence $\phi(n) \neq \lambda(n)$. However, for a private key computed as $d_1 = e^{-1} \bmod \phi(n)$ and another private key
$d_2 = e^{-1} \bmod \lambda(n)$, where $\lambda(n) = \phi(n)/\gcd(p-1, q-1)$, there is a possibility that $d_1 \neq d_2$, which results in
generating a new set of private keys, $d_y$, and the existence of a second private key. However, there are some conditions
where some keys in the set $d_x$ will be equal to a key in the set $d_y$, as we present next.
Theorem 3.3. Based on Euler theorem and RSA:
$$d_x \times e - \alpha \times \phi(n) = 1$$
and the second set will be
$$d_y \times e - \beta \times \frac{\phi(n)}{\gcd(p-1, q-1)} = 1$$
Now, if $\gcd(p-1, q-1) \mid \beta$ then $d_x \equiv d_y$. In other words, if $\beta$ and $\gcd(p-1, q-1)$ are relatively prime, then
$d_x \neq d_y$.
Corollary 3.3.1. The second set of the private keys will be
$$d_y = \frac{(\beta + X\cdot e)\cdot\lambda(n) + 1}{e}, \quad \text{and} \quad \beta = \frac{d_{y_0} \times e - 1}{\lambda(n)} \qquad (3)$$
With a proof similar to that in section 1, it can be shown that the distance between any two successive keys in the
second set is $\lambda(n)$. One interesting observation is that there is no strict relation between $\alpha$ in the first set of the private
keys and $\beta$ in the second. However, if $d_x \equiv d_y$ then
$$\beta = \gcd(p-1, q-1) \times \alpha \qquad (4)$$
where $\alpha$ is calculated based on the totient function, and $\beta$ is calculated based on the reduced totient function, as shown
earlier. We illustrate this with a couple of examples.
Example 1:
$q = 100049$, $p = 465947$, $e = 1303$. Then, $\lambda(n) = 1792960208$ and $\phi(n) = 46616965408$.
The private key using $\phi(n)$ is $d = 24471223591$ and the private key using $\lambda(n)$ is $d = 1162740887$.
Example 2:
$q = 100019$, $p = 465989$, $e = 1303$. Then, $\lambda(n) = 23303593892$ and $\phi(n) = 46607187784$.
The private key using $\phi(n)$ is $d = 3219222487$ and the private key using $\lambda(n)$ is $d = 3219222487$.
In the first example, it is clear that the two keys are not equal. This is further supported by the fact that the values
of $\alpha = 684$ and $\beta = 845$ with $\gcd(p-1, q-1) = 26$ do not hold in Eqn. (4). Nevertheless, in the second example,
the two keys are equal. Note that $\alpha = 90$ and $\beta = 180$ with $\gcd(p-1, q-1) = 2$, which satisfy Eqn. (4). The
equality between the keys in the two sets is not necessarily dependent on their position in the set. A key in the set $d_x$
at position $i$ can equal a key in $d_y$ at position $j$, where $i \neq j$, according to Eqn. (4). The question becomes, how do we
determine the values of $i$ and $j$ to relate these two sets together?
Considering the distance between the first keys in both sets, $(d_x)$ and $(d_y)$,
$$d_{x_0} - d_{y_0} = \frac{\alpha \times \gcd(p-1, q-1) \times \lambda(n) + 1}{e} - \frac{\beta \times \lambda(n) + 1}{e} = \frac{\lambda(n)}{e} \times (\alpha\cdot\gcd(p-1, q-1) - \beta)$$
and because $\lambda(n)$ and $e$ are relatively prime and $d_{x_0} - d_{y_0}$ is an integer, then $e \mid (\alpha\cdot\gcd(p-1, q-1) - \beta)$. As a result,
$$d_{x_i} - d_{y_i} = \frac{\lambda(n) \times w \times e}{e} = \lambda(n) \times w$$
where $w = (\alpha\cdot\gcd(p-1, q-1) - \beta)/e$ is some positive integer value that represents the number of keys needed to
be passed in the second set to find a key that is equal to the first key in the first set. In other words, $d_{y_w} = d_{x_0}$. Recall
that the keys at position $v$ in the two sets are:
$$d_{x_v} = \frac{(\alpha + v\cdot e)\cdot\phi(n) + 1}{e}$$
$$d_{y_v} = \frac{(\beta + v\cdot e)\cdot\lambda(n) + 1}{e}$$
Then,
$$\frac{d_{x_v} - d_{y_v}}{\lambda(n)} = (\gcd(p-1, q-1) - 1) \times v + w$$
$$w = \frac{\alpha \times \gcd(p-1, q-1) - \beta}{e}$$
We illustrate the point in the following example.
Example 3:
$q = 100213$, $p = 465781$, $e = 1303$. We compute $\lambda(n) = 555675540$, $\phi(n) = 46676745360$, $\alpha = 700$, $\beta = 165$, and
$\gcd(p-1, q-1) = 84$. Thus, $w = 45$. The calculations can be seen in the two following sets of keys.
𝑑𝑥0= 25075764967 𝑑𝑦0= 70365667 𝑑𝑥1= 71752510327 𝑑𝑦1= 626041207
𝑑𝑥2= 118429255687 𝑑𝑦2= 1181716747 𝑑𝑥3= 165106001047 𝑑𝑦3= 1737392287
𝑑𝑥4= 211782746407 𝑑𝑦4= 2293067827 𝑑𝑥5= 258459491767 𝑑𝑦5= 2848743367
𝑑𝑥6= 305136237127 𝑑𝑦6= 3404418907 𝑑𝑥7= 351812982487 𝑑𝑦7= 3960094447
𝑑𝑥8= 398489727847 𝑑𝑦8= 4515769987 𝑑𝑥9= 445166473207 𝑑𝑦9= 5071445527
𝑑𝑥10 = 491843218567 𝑑𝑦10 = 5627121067 𝑑𝑥11 = 538519963927 𝑑𝑦11 = 6182796607
𝑑𝑥12 = 585196709287 𝑑𝑦12 = 6738472147 𝑑𝑥13 = 631873454647 𝑑𝑦13 = 7294147687
𝑑𝑥14 = 678550200007 𝑑𝑦14 = 7849823227 𝑑𝑥15 = 725226945367 𝑑𝑦15 = 8405498767
𝑑𝑥16 = 771903690727 𝑑𝑦16 = 8961174307 𝑑𝑥17 = 818580436087 𝑑𝑦17 = 9516849847
𝑑𝑥18 = 865257181447 𝑑𝑦18 = 10072525387 𝑑𝑥19 = 911933926807 𝑑𝑦19 = 10628200927
𝑑𝑥20 = 958610672167 𝑑𝑦20 = 11183876467 𝑑𝑥21 = 1005287417527 𝑑𝑦21 = 11739552007
𝑑𝑥22 = 1051964162887 𝑑𝑦22 = 12295227547 𝑑𝑥23 = 1098640908247 𝑑𝑦23 = 12850903087
𝑑𝑥24 = 1145317653607 𝑑𝑦24 = 13406578627 𝑑𝑥25 = 1191994398967 𝑑𝑦25 = 13962254167
𝑑𝑥26 = 1238671144327 𝑑𝑦26 = 14517929707 𝑑𝑥27 = 1285347889687 𝑑𝑦27 = 15073605247
𝑑𝑥28 = 1332024635047 𝑑𝑦28 = 15629280787 𝑑𝑥29 = 1378701380407 𝑑𝑦29 = 16184956327
𝑑𝑥30 = 1425378125767 𝑑𝑦30 = 16740631867 𝑑𝑥31 = 1472054871127 𝑑𝑦31 = 17296307407
𝑑𝑥32 = 1518731616487 𝑑𝑦32 = 17851982947 𝑑𝑥33 = 1565408361847 𝑑𝑦33 = 18407658487
𝑑𝑥34 = 1612085107207 𝑑𝑦34 = 18963334027 𝑑𝑥35 = 1658761852567 𝑑𝑦35 = 19519009567
𝑑𝑥36 = 1705438597927 𝑑𝑦36 = 20074685107 𝑑𝑥37 = 1752115343287 𝑑𝑦37 = 20630360647
𝑑𝑥38 = 1798792088647 𝑑𝑦38 = 21186036187 𝑑𝑥39 = 1845468834007 𝑑𝑦39 = 21741711727
𝑑𝑥40 = 1892145579367 𝑑𝑦40 = 22297387267 𝑑𝑥41 = 1938822324727 𝑑𝑦41 = 22853062807
𝑑𝑥42 = 1985499070087 𝑑𝑦42 = 23408738347 𝑑𝑥43 = 2032175815447 𝑑𝑦43 = 23964413887
𝑑𝑥44 = 2078852560807 𝑑𝑦44 = 24520089427 𝑑𝑥45 = 2125529306167 𝑑𝑦45 = 25075764967
Note that $d_{x_0} = d_{y_{45}}$. Also, the distance between two keys at any position $v$ is directly proportional to
$(\gcd(p-1, q-1) - 1)$, as explained earlier:
$(d_{x_0} - d_{y_0})/555675540 = 0 * (84 - 1) + 45 = 45$
$(d_{x_1} - d_{y_1})/555675540 = 1 * (84 - 1) + 45 = 128$
$(d_{x_2} - d_{y_2})/555675540 = 2 * (84 - 1) + 45 = 211$
$(d_{x_3} - d_{y_3})/555675540 = 3 * (84 - 1) + 45 = 294$
$(d_{x_4} - d_{y_4})/555675540 = 4 * (84 - 1) + 45 = 377$
$(d_{x_5} - d_{y_5})/555675540 = 5 * (84 - 1) + 45 = 460$
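The two key sets of Sections 2 and 3 can be checked numerically. The following Python sketch is an added example, not code from the paper or its repository; the function names are illustrative. It uses the Example 3 parameters to recompute $\alpha$, $\beta$ and $w$ and to confirm that keys from both sets decrypt the same ciphertext.

```python
from math import gcd

def first_keys(p, q, e):
    """Smallest key of each set: d_x0 = e^-1 mod phi(n), d_y0 = e^-1 mod lambda(n)."""
    g = gcd(p - 1, q - 1)
    phi = (p - 1) * (q - 1)
    lam = phi // g                      # lambda(n) = lcm(p-1, q-1) = phi(n) / gcd
    return g, phi, lam, pow(e, -1, phi), pow(e, -1, lam)

def key_sets(p, q, e, count):
    """First `count` keys of the phi-based set d_x and the lambda-based set d_y."""
    g, phi, lam, dx0, dy0 = first_keys(p, q, e)
    dx = [dx0 + v * phi for v in range(count)]   # successive keys differ by phi(n)
    dy = [dy0 + v * lam for v in range(count)]   # successive keys differ by lambda(n)
    return dx, dy

def overlap_offset(p, q, e):
    """Return (alpha, beta, w), where w is the index with d_y[w] == d_x[0]."""
    g, phi, lam, dx0, dy0 = first_keys(p, q, e)
    alpha = (dx0 * e - 1) // phi        # exact: e*d_x0 - 1 is a multiple of phi(n)
    beta = (dy0 * e - 1) // lam         # exact: e*d_y0 - 1 is a multiple of lambda(n)
    w, rem = divmod(alpha * g - beta, e)
    if rem:
        raise ArithmeticError("e does not divide alpha*gcd - beta")
    return alpha, beta, w

def all_decrypt(p, q, e, keys, message):
    """True if every exponent in `keys` recovers `message` from its ciphertext."""
    n = p * q
    c = pow(message, e, n)
    return all(pow(c, d, n) == message for d in keys)

if __name__ == "__main__":
    p, q, e = 465781, 100213, 1303      # Example 3 parameters from the text
    dx, dy = key_sets(p, q, e, 46)
    alpha, beta, w = overlap_offset(p, q, e)
    print("alpha, beta, w =", alpha, beta, w)
    print("d_y[w] == d_x[0]:", dy[w] == dx[0])
    # 424242 is a constructed sample message.
    print("all keys decrypt:", all_decrypt(p, q, e, dx[:3] + dy[:3], 424242))
```

Any implementation that validates a private exponent by comparing it to one expected value should keep in mind that every member of both lists is functionally equivalent for decryption.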
4. Multi Sets of Private Keys
In the previous section, we showed that any private key can be extended to a set of private keys. Going one step
further, we demonstrate in this section the existence of multi-private keys from which further sets can be found.
When generating the keys in the RSA cryptosystem, we seek to find the modular inverse of $e$ modulo $\lambda(n)$. In that process,
we aim to find the public key's modular inverse modulo any integer that contains the $\lambda$ factors within it. Examining
the above equation, where $\delta = \gamma_1^{\nu_1} \times \gamma_2^{\nu_2} \times \gamma_3^{\nu_3} \cdots$, shows that there are multiple sets of private keys. Consider
$\phi(pq) = \lambda(pq) \times \gcd(p-1, q-1)$, and from the previous sections we know that Euler's totient function is replaced by
the Carmichael function. As a result, we can express that as $\delta = \gcd(p-1, q-1)$. To prove that such keys are valid, we
consider the decryption of the ciphertext to find the plaintext:
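$$\begin{aligned}
c^{d} \bmod N &= c^{\left(\frac{k\cdot\phi(n) + 1}{e}\right)} \bmod N \\
&= M^{(k\cdot\phi(n) + 1)} \bmod N \\
&= ((M^{k\cdot\phi(n)} \bmod N) \times (M^{1} \bmod N)) \bmod N \\
&= (M^{k\cdot\lambda(n)\cdot\gcd(p-1, q-1)} \bmod N) \times (M^{1} \bmod N) \\
&= (M^{\lambda(n)} \bmod N)^{k\cdot\delta} \times (M^{1} \bmod N) \\
&= (1)^{k\cdot\delta} \times (M^{1} \bmod N) = M
\end{aligned}$$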
5. The Existence of A Universal Private Key And A New Set Of Weak Keys
In the previous section, we demonstrated that the private key $d$ is any number such that $d = e^{-1} \bmod s$, where
$s = k\cdot\lambda(n)$ and $k$ is any integer such that $\gcd(s, e) = 1$. In other words, there exists a key that can decrypt any RSA
modulus (a universal key) without knowing the factorization of $N$. Consider $n$ to be the number of bits of $N$; then,
$$d_{uni} = e^{-1} \bmod \frac{(2^{n/2})!}{\gcd((2^{n/2})!, e^{v})} \qquad (5)$$
where $v$ is a huge exponent to remove $e$ values from the factorial. Such a key will be huge and is computationally
infeasible to generate. For example, with RSA-2048, $n = 2048$, the value of will be around $2.14 \times 10^{301}$ GiB. In
other words, the factorial will have a size of $(gp)^{g^2}$, where gp is the googolplex number and g is the googol number.
Therefore, to overcome this limitation, we exploit a flaw to define a new set of weak RSA keys that can satisfy
the FIPS recommendation. The factorial is a massively increasing function; despite the length and size that is needed
to calculate it, we have managed to compute the factorial of the prime numbers up to $2^{24}$, which does not require
huge computation power. The private key size after computation was 0.274 MiB. Such a key can decrypt any message
encrypted with the same $e$ if and only if the biggest factor of $(p-1, q-1)$ is lower than $2^{24}$. We used $e = 2^{16} + 1$, but
it can be easily changed to a different value, and code can be found in (Almazari, 2022).
Theorem 5.1. If $p - 1 = \alpha_1^{\beta_1} \times \alpha_2^{\beta_2} \times \alpha_3^{\beta_3} \times \cdots$ and $q - 1 = \gamma_1^{\nu_1} \times \gamma_2^{\nu_2} \times \gamma_3^{\nu_3} \cdots$,
then $N$ is considered a broken key if and only if $\max(\alpha_1, \alpha_2, \alpha_3, \gamma_1, \gamma_2, \gamma_3 \cdots) \leqslant 2^{(\tau)}$, where $2^{\tau}$ depends on the
computational power to compute the factorial of prime numbers from 1 up to $2^{\tau}$.
If we want a factorial of the prime numbers up to $2^{40}$ then such a key size will be $2^{\frac{2^{40}}{\ln(2^{40})} * 40/3}$ bits, where (40/3) bits
is the average size of each prime from 1 to $2^{40}$. Roughly speaking, the maximum size of such a private key is 62 GiB.
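To see why smooth $p-1$ and $q-1$ matter, and how a key generator can screen for them, the following Python sketch (an added example, not the paper's code) builds one exponent from prime powers up to a small bound and checks which prime pairs it exposes. Assumptions: each prime is raised to its largest power not exceeding `2**max_bits`, since the page does not spell out how repeated factors are covered, and the small primes 7001, 3001, 1009 and 2003 are constructed sample values.

```python
def small_primes(bound):
    """Primes <= bound by trial division (adequate for the small bounds used here)."""
    return [n for n in range(2, bound + 1)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]

def smooth_modulus(bound, max_bits, e):
    """Product of prime powers l^k <= 2**max_bits for primes l <= bound.

    Primes dividing e are skipped so that the result stays coprime to e.
    """
    s = 1
    for l in small_primes(bound):
        if e % l == 0:
            continue
        power = l
        while power * l <= 1 << max_bits:
            power *= l
        s *= power
    return s

def shared_exponent(bound, max_bits, e):
    """d = e^-1 mod s; it decrypts for every modulus whose lambda(N) divides s."""
    return pow(e, -1, smooth_modulus(bound, max_bits, e))

def is_smooth(n, bound):
    """True if every prime factor of n is <= bound."""
    for l in small_primes(bound):
        while n % l == 0:
            n //= l
    return n == 1

def primes_are_exposed(p, q, bound):
    """Key-generation check: flag the pair when both p-1 and q-1 are smooth."""
    return is_smooth(p - 1, bound) and is_smooth(q - 1, bound)

def decrypts(n, e, d, message):
    """True if exponent d recovers `message` encrypted under (n, e)."""
    return pow(pow(message, e, n), d, n) == message

if __name__ == "__main__":
    e = 65537
    d = shared_exponent(16, 13, e)          # primes <= 16, powers <= 2**13
    for p, q in [(7001, 3001), (1009, 2003)]:   # constructed smooth pairs
        print(p, q, primes_are_exposed(p, q, 16), decrypts(p * q, e, d, 1234567))
    # Example 3 primes from the text: p-1 has the prime factor 1193 > 16.
    print(primes_are_exposed(465781, 100213, 16))
```

A generator that rejects any pair for which `primes_are_exposed` is true at its chosen bound keeps $N$ outside the set described by Theorem 5.1 for that bound.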
6. A New Attack on RSA To Factor N
In the previous section, we discussed the existence of a universal key that can break a wide range of RSA pairs
that satisfy the FIPS recommendations. In this section, we discuss a new attack and a new set of weak RSA keys by
exploiting a vulnerability of the factors of $p-1$, $q-1$ that will lead to the factorization of $N$. Unfortunately, FIPS
recommendations require the private key size to be bigger than $2^{n/2}$, where $n$ is the modulus size. We show that if the
private key is a little bigger than $2^{n/2}$, we can factorize $N$.
Theorem 6.1. Suppose that $q - 1 = A \times C$, $p - 1 = B \times C$, where $C = \alpha_1^{\beta_1} \times \alpha_2^{\beta_2} \times \alpha_3^{\beta_3} \times \cdots$; then we can factorize $N$
efficiently in polynomial time if and only if $A \times B$ can be brute forced.
Note that the private key is bigger than $2^{n/2}$ when $\lambda(n)$ is small. Since $\lambda(n)$ is small, $\gcd(p-1, q-1)$ will be
large. Moreover, based on Theorem 6.1, $C = \gcd(p-1, q-1)$; because $C$ is the common factor, we exploit this
GCD in order to factorize $N$ as follows:
$$q - 1 = A\cdot C, \quad p - 1 = B\cdot C$$
$$N = pq = (A\cdot C + 1)(B\cdot C + 1) = A\cdot B\cdot C^{2} + (A + B)\cdot C + 1$$
$$A\cdot B\cdot C^{2} + (A + B)\cdot C + (1 - N) = 0 \qquad (6)$$
If the size of A and B is small, we can brute force and solve the quadratic equation in polynomial time. We illustrate
with a numerical example as shown below.
N = 18369583373607319524848230962864856788641872197252249438510296626216984019
00767770231109723345229280047378054983385725531621576008806522718839768228
95155752536323923971545099766616521104912801219459206580577418109585426788
94186440036821454425304791711282798209813170929253634748758078024559105723
17065705659759090744861931152060180797219017707220689811518504015189123409
21973803084917534538315417471053185166367184094562280791943232148143653003
55951159745383220310112790585573021538809712101420219793936813969140292008
64660786683952675497641394732617079419376910978204951439718834170833126480
0385010840190811956595297
A = 16135453 , B = 16372597
C = 83387371782197792172623397291771726569847672290744673235202388778220013318
14997575307844024904832045978308876022952803468558728387340737937040841658
68153727543780345009752984160464056256725252862795377473845049850261668367
12775958307530475534348349797051782157566720607792197655530846287693897036
99134
q = 13454930181851787123051327137017099807966283334067130099869660896186964485
54382980714936777951827469507768418885511818815851663396337022719684394596
64097986675574731992286538175309122379197462514807502618464855311415541876
39376709748011175340521276837778885695696564147311624390375281603253093540
2721302797703
p = 13652678330790962255321173166290698951223082898044293647766549249031186553
92702338564924811586247784414883219686467690012109142307183898039257810730
18404361151221154453656466792066613260766911048456450088421430416432446407
22630855166579985411422451888421606173976304171229767119583513673373582355
4615330230999
d (65537 , lambda (N) ) = 15584853613967811566689450274710991761254882518079720188
45236463641204511391962721529706849410104785770789000522620797231652757928
14689914740017562702078886693338838681236114468910880800809328412556411222
30257775730425724104466358405034102915451430564640344986171358426560260491
71055609777279681239248488057407524103
We brute force using different values of $A$ and $B$ to find the value of $C$. Thus, we can find the value of $q = A\cdot C + 1$
and $p = B\cdot C + 1$. Note that this attack succeeds due to the small values of $A$ and $B$. One interesting observation is
that the countermeasures of the Wiener Attack recommend increasing $\gcd(p-1, q-1)$ (Wiener, 1990). However, as
shown in this section, such a measure can be exploited in this attack, and code can be found in (Almazari, 2022).
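A modulus can be screened for the weakness behind Eq. (6) by enumerating small cofactor pairs and solving the quadratic for $C$ with exact integer arithmetic. The Python sketch below is an added example, not the code from the paper's repository; the function names and the small test primes are constructed for illustration, and `max_cofactor` is an assumed search bound.

```python
from math import gcd, isqrt

def cofactors(p, q):
    """Key-generation view: (A, B, C) with q-1 = A*C, p-1 = B*C, C = gcd(p-1, q-1)."""
    c = gcd(p - 1, q - 1)
    return (q - 1) // c, (p - 1) // c, c

def find_shared_factor_split(n, max_cofactor):
    """Search 1 <= A <= B <= max_cofactor for an integer root C of Eq. (6).

    Returns the factors (q, p) in ascending order when n = (A*C+1)(B*C+1)
    for some pair inside the bound, otherwise None.
    """
    for A in range(1, max_cofactor + 1):
        for B in range(A, max_cofactor + 1):
            a, b = A * B, A + B
            # Discriminant of a*C^2 + b*C + (1 - n) = 0
            disc = b * b + 4 * a * (n - 1)
            root = isqrt(disc)
            if root * root != disc:
                continue                      # no rational root for this pair
            C, rem = divmod(root - b, 2 * a)
            if rem or C < 1:
                continue                      # root is not a positive integer
            q, p = A * C + 1, B * C + 1
            if p * q == n:
                return q, p
    return None

if __name__ == "__main__":
    # Constructed weak pair: p-1 = 7*1000, q-1 = 3*1000, so gcd = 1000.
    print(find_shared_factor_split(7001 * 3001, 10))
    # Constructed pair with cofactors 72 and 143: outside a bound of 50.
    print(find_shared_factor_split(1009 * 2003, 50))
    # Example 3 primes from the text, seen from the key generator's side.
    print(cofactors(465781, 100213))
```

The search costs on the order of `max_cofactor**2` square-root tests, so a key generator should require the values returned by `cofactors` to be far larger than any bound that could be enumerated.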
7. Extending The Attack on RSA To Factor N
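In the previous section, a new attack was introduced on RSA that targets a weakness in the FIPS recommendation.
The attack can also be extended: if there is a big common factor between $q - \alpha$ and $p - \beta$, where $\alpha, \beta \in \mathbb{Z}$,
then:
$$q - \alpha = A\cdot C$$
$$p - \beta = B\cdot C$$
$$N = pq = (A\cdot C + \alpha)(B\cdot C + \beta) = A\cdot B\cdot C^{2} + (\beta A + \alpha B)\cdot C + \alpha\beta$$
$$A\cdot B\cdot C^{2} + (\beta A + \alpha B)\cdot C + (\alpha\beta - N) = 0 \qquad (7)$$
Notice that $\alpha, \beta \in \mathbb{Z}$, which means that assuming $q + \alpha$ and $p + \beta$ is also possible. Nevertheless, by assuming the
size of $\alpha$, $\beta$, $A$ and $B$ to be $n_{\alpha}$, $n_{\beta}$, $n_{A}$ and $n_{B}$ bits, respectively, the previous equation can be solved and factor $N$ in
$O(2^{(n_{\alpha} \times n_{\beta} \times n_{A} \times n_{B})})$.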
8. Conclusion
We conducted a thorough analysis of the existence of multiple sets of private keys in this paper (rather than a single
key). In addition, we demonstrated that the keys produced by the Carmichael function and the keys produced by the
Euler totient function are connected, emphasising the relationship between the two sets of keys. Through our analysis,
we proved that there is a universal key that satisfies the FIPS requirements. Last but not least, we demonstrated a new
attack on RSA that would reveal the factors used to calculate $N$ by taking advantage of a FIPS recommendation that
the value of the private key must be bigger than $2^{(n/2)}$.
References
R. L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978) 120–126.
M. Ibrishimova, Proving the existence of a second private key that decrypts a message encrypted with the RSA encryption algorithm, https://marinaibrishimova.net/docs/otherkeys.pdf, 2017. (Accessed on 03/19/2022).
M. M. Almazari, Paper codes - universal key calculation and factorization attack, https://github.com/lcsig/RSAWeakKeys, 2022.
M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory 36 (1990) 553–558.