Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p

RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific (s, r) pairs can be found for which encryption and decryption will be correct for any (e, d) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r s. We give necessary and sufficient conditions for s with this property.


Notation and Background
Consider the RSA public-key cryptosystem and its operations of encryption and decryption [1].Let (p, q) be primes, n = p * q, φ(n) = (p − 1)(q − 1) denote Euler's totient function and (e, d) the encryption/decryption exponent pair chosen such that ed ≡ φ(n) 1.Let Z nZ * = U n be the group of units mod n, and let a ∈ U n .Encryption and decryption operations are given by: (a e ) d ≡ (a ed ) ≡ (a 1 ) ≡ a mod n We consider the case of RSA encryption and decryption where at least one of (p, q) is a composite number s.This situation might arise in the presence of a flawed primality tester or in the classroom when a teacher wishes to demonstrate in RSA what happens if one of (p, q) is not a true prime.This is the context in which this question arose for the author.Security in this case is obviously weaker, since the modulus is now easier to factor, but how is correctness affected?
First, we note that RSA can be implemented using n as the product of multiple primes, with the Chinese remainder theorem used to recover the message [2].In multi-prime RSA, (e, d) are chosen such that ed ≡ φ(n) 1, just as with two-prime RSA.The only difference is that the totient function φ(n) = (p − 1)(q − 1) can no longer be used.For example, for three-prime RSA with primes (p, q, r), the totient function is given by φ(n = pqr) = (p − 1)(q − 1)(r − 1).
For a composite number s (that the user incorrectly believes is prime) and a true prime r used to generate keys with standard two-prime RSA, encryption and decryption exponents would be chosen using the (incorrect) pseudo-totient φ (n = sr) = (s − 1)(r − 1), choosing (e, d) such that ed ≡ φ (n)

1.
In this case, encryption and decryption are given by: where x is no longer mathematically guaranteed to be a.Given the conditions above, under what circumstances will we have (a e ) d ≡ a? Is correct RSA even possible given the use of the wrong totient function?We investigate this question here.(s, r, e, d) Let n, e, d, a, s, r be as described.Let ord(a) denote the order of a in U n .Let us call the fraction of elements of U n , the order of which does not divide (ed − 1) the witness ratio of (s, r, e, d).For these elements (a e ) d ≡ a; they testify to the composite nature of s.Tuples (s, r, e, d) with a witness ratio of zero are said to be witness-free.For RSA encryption with those values, the composite nature of s will never be detected.

Witness-Free Tuples (s, r, e, d)
Let λ(n) denote the Carmichael function, the maximum order of any element in U n .By Lagrange's theorem, and the fact that for integers a and b, a | b ↔ all divisors of a | b, we see that those tuples (s, r, e, d) with the property λ(n) | (ed − 1) are exactly those that are witness-free.
For example, suppose we keep (s = 10, r = 7) from above, but now choose e = 11, d = 59.We have (ed 1 also posses the property ed ≡ For a given (s, r) with n = sr, such (e, d) can always be found by computing L = lcm(φ(n), φ (n)) and finding ed ≡ L 1.Such a procedure will by construction give ed ≡ φ (n) 1, yielding an (s, r, e, d) that is witness-free.
For example, consider the semiprimes s = 257 * 263, r = 269 * 271.We have: Since all the primes chosen were >256, if our RSA message consisted of ASCII text encrypted at the byte level (inefficient, but suitable for illustrative purposes), using the above values of (s, r, e, d), two-prime RSA encryption and decryption would work correctly.This is true even though neither s nor r are prime and even though e and d were chosen using the pseudo-totient.

Witness-Free Tuples (s, r)
It is possible in some cases to remove the effects of e and d.For those cases, (s, r, e, d) is witness-free for any ed ≡ φ (n=sr) 1.For these tuples the composite nature of s cannot be detected solely through RSA encryption and decryption, regardless of the elements encrypted and the public and private exponents chosen.
Proof.→: Assume (s, r) is witness-free for all ed ≡ φ (n=sr) 1. Let a ∈ U n be of order k.We have We have: ≡ a, contradicting our assumption that (s, r) is witness-free.Therefore, 1 for any (e, d) pair, so ed = 1 + mφ (n) for some integer m ≥ 0. This gives:

Values of s That Yield Witness-Free Tuples for All Odd Primes r
Certain values of s can be constructed such that they can be paired with any odd prime r to produce correct RSA key pairs.The properties of s required by Theorem 1 will hold for all primes r ↔ ∀k ∈ O s , k | (s − 1), i.e., ∀a ∈ U s , a s−1 ≡ s 1.This is the definition of a Carmichael number.Thus, any pair (C, r) where C is a Carmichael number and r is a prime will produce functioning RSA keys.This is a known result.
However, if we relax the requirements on s just slightly, so that only pairings with odd primes are of interest, then non-Carmichael numbers can also meet the requirements.Let s be a composite number such that Theorem 1 holds for all odd primes r s.We refer to all such s as strong impostors.We use the modifier strong to indicate that (s, r) is witness-free for all odd primes r s, as opposed to one or a few specific (s, r) that are witness-free.Theorem 2. s is a strong impostor ↔ λ(s) | 2(s − 1).

The Structure of Strong Impostors
We can say a couple of things about the structure of strong impostors.First, we note that the exponent of two in their prime factorization is always ≤3, and the exponents of all odd primes in their prime factorization are always ≤1.
Theorem 3. Let s = p e 1 1 p e 2 2 . . .p e m m be a strong impostor, where the primes appear in numerical order and all e i ≥ 0.Then, e 1 ≤ 3, and ∀i > 1 e i <= 1.
If e 1 ≤ 2, we have: By the properties of the least common multiple, the exponents of all primes p i in the number above must be ≥ e i − 1, and the number itself must divide 2(s − 1).We have: We see by inspection that for all odd primes p i , no p e i −1 i can divide 2(s − 1) if e i > 1, as there will always be a remainder of −2.For p 1 = 2, 2 e 1 −1 can divide 2(s − 1) only if e 1 = 1 or e 1 = 2. Therefore, if s is an even strong impostor with e 1 ≤ 2, we have If s is even, but with e 1 > 2, we have: s is unchanged, so the same restrictions on the exponents of odd primes still apply.Applying similar reasoning as before, 2 e 1 −2 can divide 2(s − 1) only when e 1 = 2 or e 1 = 3.Therefore, the theorem holds for even strong impostors.Now, suppose that s is odd.Then: As before, we require λ(s) | 2(s − 1).We have s − 1 = p e 2 2 . . .p e m m − 1.Since s only contains odd primes, the same conditions are required on its odd prime exponents for λ(s) to divide 2(s − 1).Thus, for all strong impostors, the exponent of two in their prime factorization is ≤ 3, and the exponents of all odd primes are ≤ 1.
It follows that all odd strong impostors are square-free, and all even strong impostors are free of squares > 4.These s when multiplied by any prime r s produce non-square-free moduli that yield valid RSA key pairs and witness-free tuples for any ed ≡ φ (n=rs) 1.

Example
Here is the prime factorization of the first eight strong impostors: Note that there are no non-unitary powers of odd primes, and their maximum power of two is three.
We can also see that no strong impostor s can contain an odd prime pair (p i , p j ) in its factorization such that p j ≡ p i 1.This is because if p j = kp i + 1 appears in the prime factorization of s, we will have φ(p j ) = kp i , so p i will appear somewhere in λ(s).No such p i can divide 2(s − 1) evenly.Thus, no s that contains three in its prime factorization can contain any of the primes {7, 13, 19, 31...}, no s that containing five can contain any of {11, 31, 41, 61...}, etc.This is perhaps more clearly seen in the prime factorization of the next eight strong impostors: Proof.Let s be a strong impostor as described.By Theorem 2, λ(s) | 2(s − 1).We can write s as s = 2 j ∏ m i=1 p i .Since s is a strong impostor, we must have Performing the first step of division by an arbitrary Since the latter term is the remainder and must also be evenly divisible by p i − 1 and since the choice of p i was arbitrary, the result follows.Put another way, the strong impostors are exactly those s = 2 j p 2 p 3 . . .p m where 0 ≤ j ≤ 3, and the set of m-1 simultaneous linear congruences 2(2 j ∏ k =i p k − 1) ≡ p i −1 0 has a solution in odd primes p i .

Semiprime Strong Impostors
Impostors can be strong in the sense of producing valid RSA encryption and decryption, while still being easily detected by inspection or the presence of small factors.For example, strong impostors that are even are obviously composite, as are those ending in five or those, the digits of which sum to a multiple of three.Impostors for which the effectiveness of such simple detection techniques is minimized are semiprimes s = pq, where p and q are both prime (three of these appear in the first 16 strong impostors above).These impostors are also the hardest to factor.The reader may have noticed that all the semiprime strong impostors shown are prime pairs of the form (p, 2p − 1).This is in fact always the case.Theorem 5. Let p, q be distinct odd primes, p < q. s = pq is a strong impostor ↔ q = 2p − 1.
Proof.This result is a special case of Theorem 4, with j = 0 and m = 3. Plugging in these values, we obtain p 2 − 1 | 2(p 3 − 1) and p 3 − 1 | 2(p 2 − 1).Assume p 2 < p 3 , and apply a change of variables with These two equations together imply k 1 * k 2 = 4. Since x 2 and x 3 are distinct, we discard the solution

Unmasking a Semiprime Strong Impostor
Semiprime strong impostors s = pq are among the most resistant to probabilistic primality tests, because they approach the Rabin limit of s/4 bases [3] to which they are strong semiprimes.Nonetheless, s/4 remains a small proportion, so like any composite, they will quickly fail probabilistic primality tests like Miller-Rabin.If RSA key generation is implemented properly, there is no worry about a strong impostor slipping through.
There is also a way to unmask a strong impostor s that yields its factors.We have s = pq = p(2p − 1) = 2p 2 − p, which means 2p 2 − p − s = 0. s is known, so applying the quadratic formula and considering only the positive solution, we have p = 1+ √ 1+8s 4 . Thus, if you suspect s of being a semiprime strong impostor, multiply it by eight, add one and take the square root.If the result is an integer ≡ 4 3, you have caught the impostor red-handed.

Constructing Strong Impostors
Theorem 4 and similar results above provide insights into the structure of strong impostors that can be used to construct them.For example, it can be shown that for any even strong impostor, all its odd prime factors are congruent to three mod four.We offer the following additional results for odd primes p i , some without proof, but with examples to aid understanding.Proofs can be obtained by combining the specific criteria below with the definition of a strong impostor.
We have already shown Condition A to be the definition of a two-factor strong impostor; Condition B is the general definition.These are the simplest ways to find strong impostors: sift through the required number of primes until those meeting the required condition are found.
Condition C applies to prime three-tuples that are separated by multiples of p − 1.Thus, to generate a strong impostor from a prime p, if b = 2 does not yield a prime (i.Condition D describes the possible construction of a strong impostor from a Carmichael number of a specific form.s = ∏(p 1 , p 2 , p 3 ) = ∏(6k + 1, 12k + 1, 18k + 1) is a Carmichael number for prime p 1 , p 2 , p 3 [4].Such a number can be multiplied by a prime of the form mk + 1 to produce a non-Carmichael strong impostor if an m meeting the indicated criteria can be found.For example, k = 6, (37, 73, 109) are all prime, and therefore, s = 37 * 73 * 109 = 294,409 is Carmichael number.m = 72 is the smallest m that meets the criteria of Condition D, and mk + 1 = 72 * 6 + 1 = 433 is prime.Therefore, s = 294,409 * 433 = 127,479,097 is a strong impostor.
The author has tested all Carmichael numbers of the indicated form with k ≤ 2 20 .Approximately 85% yield strong impostors using this technique.Since there is an infinite number of Carmichael numbers [5], there is an infinite number of strong impostors.The author conjectures there is an infinite number of non-Carmichael strong impostors.This is related to well-known conjectures on prime constellations [6].For example, proving there is an infinite number of two-factor strong impostors would prove there is an infinite number of (p, 2p − 1) prime pairs.For a given p, we might ask if a strong impostor s exists containing p as its smallest factor.We refer to such an s as an extension of p.While extensions have been found by the author for the first 256 primes, it is an open question whether every prime has an extension.Proving this would of course prove there is an infinite number of non-Carmichael strong impostors.Similar open questions exist for non-Carmichael strong impostors of various forms, such as prime three-tuples in arithmetic progression of the form (p, p + 6m, p + 12m) where p = 6k + 1. Examples of strong impostors of this form for p >= 67 are currently unknown.

Conclusions and Open Problems
It is an open question whether an infinite number of Carmichael numbers of the form (6k + 1, 12k + 1, 18k + 1) [7] can be extended to non-Carmichael strong impostors using the technique of Condition D.
We have seen the that largest prime factor of a strong impostor must be less than twice the product of the other prime factors.This means the computations required to determine if criteria for Conditions B and C are met for a given input will terminate if the largest prime in the tuple is specified, or if all primes except the largest are specified.For all other cases, termination is not guaranteed.This relates to the open questions above.
Modern implementations of RSA use λ(n) instead of φ(n) in the selection of (e, d).A similar substitution may be made in the examples here, with appropriate algebraic modifications as needed.
Finally, efficient algorithms for finding the smallest extension for a given prime p would be interesting to explore, as well as a deeper understanding of the relationships between each p i of a strong impostor beyond that presented here.

Theorem 4 .
Let s = 2 j p 2 p 3 . . .p m , where all p i are odd primes.s is a strong impostor

Funding:
Support for this work was provided in part by the Air Force Office of Scientific Research under Grant #1220961 and by the US Air Force Academy Department of Computer Science.