0

Is there any way to derive the RSA private key from another RSA private key?

Let's say I have a base RSA key $(P, Q)$ (both prime), and then use some salt and an algorithm that creates a new primes, e.g. $(P', Q') = f(P, Q, \mathsf{salt})$.

Is there any security issue with my approach? Does anyone have a better solution for this or is this not possible at all?

I want to do key derivation, so I can only use a salt and recreate keys in my code. This will enable me to not store more than one base key and just derive it with a specific salt parameter.

Mark Schultz-Wu
  • 12,944
  • 19
  • 41
simonS
  • 3
  • 1
  • History tells us don't. What if the salt is leaked? – kelalaka Mar 18 '24 at 13:55
  • 1
    It's unclear how P and Q of a base RSA key would help generation of (different) derived P and Q. Also, in applications where a user's private part of a public/private key can be derived, that possibility is covert (the user does not know that their private key is not private to them/their device), or/and the asymmetric crypto can functionally be replaced by symmetric crypto with derived symmetric keys. – fgrieu Mar 18 '24 at 15:05

1 Answers1

1

Is there any security issue with my approach?

Well, no, there doesn't have to be.

One approach would be to seed a cryptorng with $P, Q, salt$, and then use the output bits of your cryptorng as the seed for a standard RSA private key generation algorithm.

Of course, this doesn't try to take advantage of the fact that the inputs are a factorization of an RSA modulus; it would work equally well if $P, Q$ were random values. But it should answer your question.

poncho
  • 147,019
  • 11
  • 229
  • 360
  • Addition: if we do as described, the holder of the public/private key pair should fear not to be the only one knowing their private key. And a lot of the rationale of using public-key crypto (rather than symmetric crypto with diversified key) falls apart. – fgrieu Mar 19 '24 at 08:28