Kleptographic (algorithmic) backdoors in the RSA key generator

A cryptographic (algorithmic) backdoor is the ability of the backdoor key owner to gain an unauthorized access to user's secret information embedded in the cryptoalgorithm. There are two independent classifications of backdoors: by the level of cryptographic strength (weak, symmetric, asymmetric backdoor) and by the method of implementing undeclared capabilities (based on covert channel or on implicit weakening of the cryptoalgorithm). We present examples of each type of backdoor and discuss a method for constructing an asymmetric backdoor based on an implicit weakening of the algorithm in the RSA key generator. Let it be required to generate a public module of the RSA key $n=pq$, $|n|=L$. We will generate such prime numbers that $|p|=|q|={L}/{2}$. Let $D$ be the backdoor parameter, $|D|=K$; $ID$ is the identifier of the generator instance; $i$ is the key generation counter; $\psi_s(a, ID, i)$ is a one-way (trapdoor) function with the trapdoor $s$ on the first argument. Let $(a, D)=1$ and
$$r'(a, D, r_0)= \begin{cases} \min\{r:r\geq r_0; (rD+a) \text{ is prime}\}, &\text{if } r{<} 2^{{L}/{2}-K}\text{ and }rD+a{<}2^{{L}/{2}};\\ 0, &\text{otherwise.} \end{cases}$$
Let's choose the function $R(x, y, z, i)$ and define $r_{ID}^{(i)}(a, D)=r'(a, D, R(a, D, ID, i))$. For any random $a_p\in\mathbb{Z}_D^*$ and $r'_0\in\mathbb{Z}$, $({2^{{L}/{2}-1}})/{D}<r'_0<2^{{L}/{2}-K}$, the following values are uniquely determined:
\begin{gather*} p = r_{ID}^{(i)}(a_p, D)D + a_p,\\ q = r'(\psi_s(a_p, ID, i) a_p^{-1}\bmod D,D,r'_0) D + \psi_s(a_p, ID, i) a_p^{-1}\bmod D. \end{gather*}
At the same time, if $r_{ID}^{(i)}(\cdot)\neq 0$ and $r'(\cdot)\neq 0$, then the numbers $p$ and $q$ are prime, $|p|=|q|={L}/{2}$, $|n|=|pq|\in\{L-1, L\}$. If the numbers $p$ and $q$ are generated in this way, then, provided that the secret $s$ is known, the public module $n=pq$ can be factorized in polynomial time of the key length. Really, $p = r_{ID}^{(i)}(\psi_s^{-1}(n\bmod D, ID, i), D) D + \psi_s^{-1}(n\bmod D, ID, i)$. This approach allows to develop a cryptographically strong key generator, even if the adversary knows the methods used and has access to the source code of the key generator. This allows us to use a backdoor generator even in open source systems. Cryptographic strength depends on the choice of algorithm parameters: in particular, on the level of cryptographic strength of the function $\psi_s(a, ID, i)$.