Abstract

It is known that, given an RSA modulus, , the public key and the corresponding private key satisfy the modulo congruence , where . Usually, the private key can be computed efficiently using the extended Euclidean algorithm, and it is common knowledge that the private key is unique in the sense of modular . This paper shows that there exist multiple private keys ; they all satisfy that . This paper also presents the exact relationship between an RSA public key and a corresponding private key.

1. Introduction

Since the proposal of the RSA public key cryptosystem [1], there have been thousands of papers discussing RSA-related problems (see e.g., [2–4]). RSA encryption as well as RSA digital signature algorithms have been in wide commercial use, and research related to RSA public key cryptosystems continues [5–7].

It is commonly known as a fact that an RSA public key corresponds to a unique private key in the sense when the public key and the private key take modulo operation, where is the Euler’s totient function of the public modulus .

This paper reveals an interesting property: an RSA public key corresponds to multiple private keys. Equivalently, this can be understood as a private key that corresponds to multiple public keys because a public key and a private key can swap at the stage of their computation.

The existence of multiple private keys corresponding to a public key has long been known as the following case: let and be the RSA public key and the private key, and the public modulus is . Then, for any integer , is also a valid private key, i.e., any message encrypted using the public key can be correctly decrypted using as the private key. However, in the sense of modulo operation, is the only one left since .

Contrary to common knowledge, this paper shows an interesting result: given an RSA modulus and a public key , even under the condition that the private key takes over the operation of modulo , there can exist multiple private keys. Some implications about the problem have been mentioned (e.g. [8]), but no explicit explanation is given.

With mathematical deduction, this paper shows that, given an RSA public key , a sufficient and necessary condition for to be a valid private key is , and the number of such private keys under the restriction of modulo operation is given.

2. Traditional Computation of the RSA Private Key and Its Uniqueness

Let be the public modulus of an RSA public key cryptosystem, where and are different primes. Let be the public key and be the private key. Then, the following modulo congruence holds:
where is the Euler’s totient function of .

The modulo congruence (1) means that and are inverses of each other in the sense of modulo operation. Given either or , the other one can efficiently be computed using the famous extended Euclidean algorithm [9, 10], which is described as follows.

Lemma 1. Given integers and , then it is efficient to compute integers and such that .
Using a recursive algorithm, it is easy to write a simple program for the extended Euclidean algorithm. Alternatively, the algorithm can be implemented using a loop.
It is easy to see that the modulo congruence (1) can equivalently be written as
where is an integer.
Given a message , the RSA encryption algorithm is as follows:
The corresponding decryption algorithm can be written as
The underlying mathematics for the correct decryption is the Euler theorem for the case when the message is coprime to , which is described as follows.

Lemma 2. Let be a positive integer, be an integer coprime to . Then, the following congruence holds:

The Euler theorem (i.e., Lemma 2) ensures that if a message is coprime to , then the private key will work correctly, i.e., for the ciphertext , we have

When is not coprime to , using the Chinese remainder theorem [11], it can also be shown that the equality still holds.

Given an RSA public key , and let be a corresponding private key computed using the extended Euclidean algorithm (see Lemma 1). Then, it is obvious that for any integer , also works correctly as the decryption key. This comes from the observation that given , we have

If we only consider the positive values of private keys, must not be negative. In this sense, there exist multiple private keys in an RSA public key cryptosystem for a given public key.

However, if , then , which may not be preferable because the computation of is equivalent to that of . This means that the values of the private keys are congruent to each other in the sense of modulo ; hence, is congruent to modulo .

It is assumed that when using the extended Euclidean algorithm to compute an RSA private key, the algorithm outputs a value in the range . Now, we propose a question: is there a chance for the extended Euclidean algorithm to produce a different private key ?

Let the extended Euclidean algorithm produce two different private keys and in two executions, then we must have that both the congruences and hold; hence, we have , i.e., . Since is required to be coprime to (otherwise, the private key would not exist), hence we have . Since both and should be in the range between 0 and , this means that must hold. This shows the uniqueness of the RSA private key.

3. On the Existence of Multiple RSA Private Keys

Let be a positive integer. Denote by the ring of residues modulo , and let be the subset of whose elements are coprime to . Then, it is easy to verify that, together with the multiplication operation over forms a multiplicative group. It is known that the order of , i.e., the number of elements in , is , which is the definition of .

For an element , define its order to be the smallest positive integer such that the congruence holds, i.e.,
and denote it as . It is a basic result in group theory that , i.e., is a factor of . Define to be the maximum value of for all , i.e.,

Then, we have

Lemma 3. With the above definition and notation, let , we have that and .
The result of Lemma 3 is a preliminary result in the theory of finite groups, which can be found in most relevant books such as [12].
Now we further explore the properties of . Since exists only when , the definition of makes sense only when . We have

Lemma 4. ([13]) The value of the function can be computed as follows:
(i) , , and for .
(ii) If is an odd prime, then for any positive integer .
(iii) If , where are pairwise coprime, then
Note that for any positive integer , . So, we also have

Theorem 1. Given an RSA public key . Let be a private key. Then, the equality
holds for every message , if and only if the following congruence holds:

Proof. Sufficiency: suppose that (12) holds, which means that there exists some integer such that . Then, the sufficiency is equivalent to proving that for any message , must hold. The following cases are considered, respectively.
(i) If is coprime to , then . By Lemma 3, since , we must have that holds. This leads to that .
(ii) If is a multiple of , it must not be a multiple of . Otherwise, must be a multiple of which is in contradiction with the assumption that . In this case, it is easy to prove that must be coprime to . Since , we have that . By Lemma 4 we know that ; hence, . Since and are coprime, by Fermat's little theorem (i.e., a special case of Lemma 2), we have ; hence, the congruence and consequently hold. This means that both and hold. Therefore, we have or equivalently .
(iii) If is a multiple of , it must not be a multiple of , and hence must be coprime to . The proof for this case is similar to case (ii).
Necessity: assume that congruence (9) does not hold, i.e., . By the definition of , there exists such that . It can be shown that such a message is coprime to . Since is a private key, hence we have , so we get . By the assumption that the order of is , we get . This is possible only when , which contradicts the assumption that congruence (9) does not hold. This means that the necessity of the theorem must be true.
Now, we have a new relationship between an RSA public key and its corresponding private key (congruence (9)). If holds, then the new relationship makes no sense. By Lemma 4, it is known that for an RSA public modulus , . This guarantees that .
Notice that the congruence (1) is the traditional understanding of the relationship between an RSA public key and a private key. If we take as the input to the extended Euclidean algorithm to replace , then we can get multiple values of satisfying that . Needless to say, many of those values do not meet congruence (1), but they meet congruence (9) and hence meet congruence (8) instead.

4. Counting the RSA Private Keys

The above analysis shows that under the condition that both the RSA public key and the private key are in the range between 0 and , there exist multiple private keys for any given public key. It is interesting to know how many private keys there are corresponding to a public key. We have the following conclusion.

Theorem 2. Given an RSA public modulus , where and are two different prime numbers. Given a public key which is coprime to , the number of valid private keys that make the modulo congruence hold for all is .

Proof. Let be the smallest private key. Then, it is easy to verify that for any integer , is also a valid private key, i.e., for any message , the equality holds. This means that the number of choices of the value is the number of valid private keys. Under the condition that , it is easy to see that the number of valid private keys is
Since and are both even numbers, there exist at least two valid private keys. If and have a large common divisor, then the number of valid private keys can be large. This means that the number of valid private keys of the RSA cryptosystem varies in different cases. This is also a good indication of how to construct RSA cryptosystems with a large number of valid private keys when such private keys are useful.
It should be pointed out that even if and have a fairly large common divisor that is sufficiently large for practical applications, e.g., the practical possible number of different holders of RSA private keys, the factorization of still remains hard as long as the common divisor of and is not too large. For example, suppose and are 512-bit (about 170 decimal digits) integers and their common divisor is about a million, which is sufficient for most applications. This may reduce the difficulty of factorizing at most by a factor of , and it is still a hard problem that cannot be practically solved.

Example 1. (A small example) In order to show how it works, let,,. Then,,. Using the extended Euclidean algorithm, it is easy to compute the private key.
Note that . Using the extended Euclidean algorithm, it is easy to compute . Apparently, . However, it is trivial to verify that holds for all , which means that is a valid private key.
According to Theorem 2, the number of private keys is ; hence, and are the only valid private keys not exceeding .
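The relationship in Theorems 1 and 2 can be checked exhaustively on a small modulus. The following Python code is an added example, not code from the paper; it assumes that the function in Theorem 1 is the Carmichael function, equal to lcm(p-1, q-1) for an RSA modulus, and that the count in Theorem 2 is gcd(p-1, q-1), and it uses constructed toy primes rather than the values of Example 1.

```python
from math import gcd


def carmichael_rsa(p, q):
    """lambda(n) for n = p*q with distinct odd primes p, q: lcm(p-1, q-1)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def keys_by_congruence(e, p, q):
    """All d in [1, phi(n)) with e*d = 1 (mod lambda(n)), smallest first."""
    lam = carmichael_rsa(p, q)
    phi = (p - 1) * (q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    d0 = pow(e, -1, lam)  # smallest valid private key (needs Python 3.8+)
    return list(range(d0, phi, lam))


def decrypts_every_message(e, d, n):
    """True if (m^e)^d = m (mod n) for every m in Z_n, coprime to n or not."""
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))


def keys_by_brute_force(e, p, q):
    """All d in [1, phi(n)) that decrypt every message, found by trial."""
    n, phi = p * q, (p - 1) * (q - 1)
    return [d for d in range(1, phi) if decrypts_every_message(e, d, n)]


def traditional_key(e, p, q):
    """The usual private key: inverse of e modulo phi(n)."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy parameters: one modulus with many keys, one with two.
    for p, q, e in [(13, 37, 5), (11, 23, 3)]:
        predicted = keys_by_congruence(e, p, q)
        observed = keys_by_brute_force(e, p, q)
        print(f"n={p * q} e={e} gcd(p-1,q-1)={gcd(p - 1, q - 1)}")
        print("  keys from congruence :", predicted)
        print("  keys from brute force:", observed)
        print("  traditional key      :", traditional_key(e, p, q))
```

The brute-force list matching the congruence list shows both directions of Theorem 1 on these parameters, and the traditional key appears as just one member of the list, not necessarily the smallest.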

5. How to Choose a Private Key as Small as Possible

Theoretically, the public key is chosen at random. However, sometimes it is required to be as small as possible to minimize the computational cost of the encryption process (e.g., signature verification via a smart card). This would also reduce the computational cost of public key management. In this case, the public key is normally chosen as a small number. When the public key is fixed, the user has to choose a private key. If the private key is also reasonably small, then encryption or signature creation needs a relatively small amount of computation. When the relation is used to compute a private key , may be well close to . The best case is when is a factor of . If the relation is used instead, may be much smaller when is fixed. The following example shows that private keys can be smaller than the ones satisfying the equality .

Example 2. Let the public modulus be , where
are the two largest known prime factors of the Fermat number so far. Then, we have
Now, let . If is chosen such that , then
is the only solution. If is chosen such that , then
Note that is 300557 times larger than ; hence, the use of is more efficient. The binary representation of has 148 bits, of which 75 are 1’s; hence, the computation of requires 221 modulo multiplications. The binary representation of has 130 bits, of which 61 are 1’s. Hence, the computation of requires 189 modulo multiplications, 32 fewer modulo multiplications than the computation of .
By Theorem 2, there are
valid private keys, and
is the smallest one.

6. An Application in Many-To-One Privacy-Preserving Encryption

The above statement shows the existence of multiple RSA private keys, which is the one-to-many feature between an RSA public key and private keys. To make use of the multiple private keys, we give an application here.

Consider the following scenario: in medical practices, abnormal cases (e.g., when an abnormal symptom is diagnosed) are to be reported to an authority . This problem has become practically important due to the COVID-19 pandemic and other new diseases. Usually, before the reported message is processed and verified by the authority, the message should be kept secret from the public, avoiding unnecessary panic among civilians. Hence, sending the message in ciphertext form would meet the requirement. If symmetric key encryption is used, then the key management is an overhead burden, and the privacy of the message reporter cannot be protected. If public key encryption is used, then it is difficult to reveal the identity of the message sender, which increases the chances of deliberate hoaxes. It is ideal to keep the privacy of message reporters in normal cases, and in some special cases, the identity of the message sender can be revealed with the help of other technical support, e.g., the system management center.

With the property of multiple RSA private keys, a privacy-preserving scheme can be established, where the above disadvantages can be overcome.

6.1. System Setup

Assume that a management center establishes an RSA cryptosystem with as the modulus, where the public key corresponds to multiple private keys . The management center sends to the authority , and sends to the user . Such messages are sent in a secure manner (e.g., offline).

In order to assist the user to execute the following message encryption scheme, the management center should find some prime factors of and send the factors to as well. If does not have odd prime factors or it is difficult to find such factors, then discard and choose a different private key as . Ideally, the odd prime factors of should be larger than .

It is noted that the system is no longer a public key cryptosystem but a many-to-one encryption scheme.

6.2. Message Encryption

When a user wants to send a message to , he does the following:
(1) Find an odd factor of , say . does not have to be a prime number; it can be the product of some of the factors of known to the user;
(2) Compute ;
(3) Send to the authority .

When the authority receives the message , he computes . Then, is the original message.

The following theorem confirms the correctness of the decryption.

Theorem 3. For any message , the computation made by can recover the original message .

Proof. Through the process of message encryption, . Then, the can get
Since is a valid pair of a public key and a private key, by Theorem 1, for any message , the equality must hold.

6.3. Properties of the Proposed Scheme

It is easy to verify that the above scheme has the following properties.

6.3.1. Privacy Preserving of the Message Sender

Although the authority can recover the original message that was encrypted using , from the message , the authority does not know who sent the message. The correct recovery of the message only tells us that the message sender is one of the key holders. This preserves the privacy of the message sender.

However, when the same user sends more messages than the number of prime factors of that knows and when two messages are associated with the same , with a high probability, it may indicate that the two messages are sent by the same user. This can be treated as a privacy problem; however, it is still too far from getting the real identity of the message sender.

6.3.2. Revealing the Identity of the Message Sender

In the case where the identity of the message sender needs to be revealed, the management center needs to do some verification. By checking which user created the message, the identity of the message sender can be revealed. This verification can be done by the management center by simply checking which key has the factor .

If there exists another key that also has as a factor, then the management center is unable to tell which key was used to create the message, hence unable to identify the message sender. However, if is relatively large, particularly when , then the following theorem tells us that the user key having as a factor is unique.

Theorem 4. Let be the public modulus of an RSA cryptosystem and let and be valid private keys corresponding to the public key . If is a prime factor of and , then must not be a factor of .

Proof. By the proof of Theorem 2, it is known that holds for some integer . Assume that is a common factor of both and , then must hold, i.e., . Since , we have that . Since is a private key corresponding to , there must exist some integer such that holds; hence, we get that , which means that , which is a contradiction. This contradiction means that must not be a factor of .
Theorem 4 shows that when , it is not possible for two valid private keys to have a common factor . Although the condition in Theorem 4 is that , from the proof it can be seen that as long as , the conclusion of the theorem still holds.
Let be the smallest private key corresponding to the public key . By Theorem 2, the other valid private keys corresponding to the same public key can be represented by , where . Combining with the proof of Theorem 4, we get the following conclusion.

Corollary 1. Let be the public modulus of an RSA cryptosystem, and let the public key be . If different private keys corresponding to are used, then no two private keys have a common prime factor larger than .
The proof of Corollary 1 is similar to that of Theorem 4, except that the private keys are chosen to be the smallest ones. The condition of Corollary 1 is weaker than that of Theorem 4 because . This means that when the number of different private keys in use is smaller than the total number of private keys, the condition for no two private keys to have a common prime factor is weaker. The cases for small common factors in general are complicated and are left as an open problem.
The result of Theorem 4 means that the identity-revealing process of the proposed protocol works effectively.
What if a user chooses such that it is not a factor of ? If the user can compute , then by receiving the message together with sent to , can decrypt the message correctly but cannot find who sent the message. However, in the proposed scheme, is only known to the management center. This means that it is difficult for the user to compute ; hence, it is difficult for the user to create a message in the form while the user also knows .

7. Concluding Remarks

This paper reveals that an RSA public key corresponds to multiple private keys that are all smaller than , the Euler’s totient function of the modulus . The exact relation between an RSA public key and a valid private key that is smaller than is given. Theorem 1 shows that apart from the revealed possible private keys, no other values can work as private keys.

As a specific application of the multiple RSA private keys, this paper presents a simple privacy-preserving encryption scheme, enabling many-to-one encryption, which provides properties such as privacy-preserving in encryption and identity-revealing in the case when it is necessary. This application actually turns the RSA system into a privacy-preserving encryption scheme, where no key is made public. Other applications on the property of multiple RSA private keys need to be further studied.

In applications where a certain number of private keys are needed corresponding to the same public key, the two prime numbers and can be chosen in such a way that is large enough to meet the application requirement but not unnecessarily large. On the other hand, if the number of valid private keys should be kept small, then and should be chosen in such a way that is as small as possible. The best case is that , which means that there are only 2 valid private keys, and one of them is the usual private key computed using .

Nevertheless, the existence of multiple RSA private keys and the relationship between an RSA public key and a private key should be kept in mind when designing RSA-based cryptosystems or schemes.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

Shandong Major Scientific and Technological Innovation Project (2019JZZY010134) and the Natural Science Foundation of Shandong Province, China (ZR2020MF029).