
I'm generating 2048-bit RSA keys with 1024-bit primes $p$ and $q$. For primality, I'm using the Miller-Rabin test. As Carmichael numbers pass the MR test, I tried to compute how many such numbers exist.

From Wikipedia, the number of Carmichael numbers satisfies $C(X)>X^{0.332}$.

So the number of 1024-bit Carmichael numbers is $2^{339.07}$.

In relative terms, the probability that a chosen prime number is a Carmichael number is $2^{-678.01}$, which is significantly low.

My doubt is this: since the number of Carmichael numbers that exist, $2^{339.07}$, is quite significant, if there is a way to generate these numbers in polynomial time there is a high possibility that one can easily install backdoors or purposely generate weak RSA keys with Carmichael numbers as primes.

Does any such algorithm exist that can generate Carmichael numbers in polynomial time? Has any insider attack of this kind happened on RSA before? If so, could you please share some references?

Daniel S
sg777

2 Answers


First note that Carmichael numbers do not pass all MR tests: at least 75% of MR witnesses will identify a Carmichael number as composite. However, for any fixed set of witnesses, it is possible to construct a Carmichael number which the witnesses avow as composite (see Arnault, "Constructing Carmichael numbers which are strong pseudoprimes to several bases").

With regard to polynomial time construction of Carmichael numbers, we believe that a simple way to do this is by generating Chernick numbers, which are numbers of the form $(6n+1)(12n+1)(18n+1)$ where all three brackets are prime. A sharper form of Dickson's conjecture tells us to expect that the proportion of $n\le x$ for which all three brackets are prime is $O((\log x)^3)$. All Chernick numbers are Carmichael numbers.

Thus, by choosing random $n$ and performing three polynomial-time primality proofs, e.g. the AKS primality test, we can find Carmichael numbers in polynomial time.

There are other methods, such as Arnault's, to generate more sophisticated Carmichael numbers with particular pseudoprime properties, and the possibility of using these maliciously has been studied at least in the case of Diffie-Hellman moduli. A good reference is the "Prime and Prejudice" paper by Albrecht, Massimo, Paterson and Somorovsky. For these and other reasons, cryptographic implementations are moving towards using the BPSW primality test in place of Miller-Rabin.

Daniel S

Is there any sort of this kind of insider attack that happened on RSA before

It appears unlikely, as there are better ways (from the attacker's standpoint) to generate trapdoor RSA keys (assuming a black box RSA key generation implementation).

Here is one such:

  • Pick a $k$ bit random seed $s$ (where $k$ is reasonable size, say, 256 bits)

  • Use the seed $s$ (and a secret value $t$) to pick a random prime $p$ using a deterministic algorithm

  • Search for a prime $q$ such that $q = (2s+1)p^{-1} \pmod {2^{k+1}}$

That way, by examining the lower $k+1$ bits of the modulus, the attacker can recover the value of $s$, and then with the secret value $t$, recompute $p$.

And, this observation is not only cheaper to exploit (if you know $t$), it is not useful to anyone who doesn't know $t$. Hence, this backdoor is useful to the attacker, but not anyone else (and the generated RSA keys are indistinguishable from honestly generated keys).

And, we can do even more - instead of inserting $s$ into the modulus, we can insert $ECCEncrypt(s)$. If the blackbox implementation has only the public ECC key, then even if the blackbox implementation is revealed, people (except for the original designer who holds the private ECC key) still cannot use this to factor the keys.

poncho