Partial Key Exposure on RSA with Private Exponents Larger Than N

In 1998, Boneh, Durfee and Frankel described several attacks against RSA enabling an attacker given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways. They however always consider that the private exponent d is smaller than the RSA modulus N. When it comes to implementation, d can be enlarged to a value larger than N so as to improve the performance (by lowering its Hamming weight) or to increase the security (by preventing certain side-channel attacks). This paper studies this extended setting and quantifies the number of bits of d required to mount practical partial key exposure attacks. Both the cases of known most significant bits (MSBs) and least significant bits (LSBs) are analyzed. Our results are based on Coppersmith's heuristic methods and validated by practical experiments run through the SAGE computer-algebra system.

[1]  Santanu Sarkar,et al.  Partial Key Exposure Attack on RSA - Improvements for Limited Lattice Dimensions , 2010, INDOCRYPT.

[2]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[3]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[4]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[5]  Jean-Sébastien Coron,et al.  Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach , 2007, CRYPTO.

[6]  中嶋 純子,et al.  Cryptographic Hardware and Embedded Systems (CHES'99)国際会議参加報告 , 1999 .

[7]  Benne de Weger,et al.  Partial Key Exposure Attacks on RSA up to Full Size Exponents , 2005, EUROCRYPT.

[8]  Santanu Sarkar,et al.  Partial Key Exposure: Generalized Framework to Attack RSA , 2011, INDOCRYPT.

[9]  Johannes Blömer,et al.  New Partial Key Exposure Attacks on RSA , 2003, CRYPTO.

[10]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[11]  Aggelos Kiayias,et al.  BiTR: Built-in Tamper Resilience , 2011, IACR Cryptol. ePrint Arch..

[12]  Moti Yung,et al.  Malicious cryptography - exposing cryptovirology , 2004 .

[13]  Gustavus J. Simmons,et al.  The Prisoners' Problem and the Subliminal Channel , 1983, CRYPTO.

[14]  Don Coppersmith,et al.  Finding a Small Root of a Univariate Modular Equation , 1996, EUROCRYPT.

[15]  Kazuo Ohta,et al.  Advances in Cryptology — ASIACRYPT’98 , 2002, Lecture Notes in Computer Science.

[16]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[17]  Jean-Sébastien Coron,et al.  Finding Small Roots of Bivariate Integer Polynomial Equations Revisited , 2004, EUROCRYPT.

[18]  Gary L. Miller Riemann's Hypothesis and Tests for Primality , 1976, J. Comput. Syst. Sci..

[19]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[20]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[21]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[22]  David Pointcheval,et al.  Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings , 2010, Public Key Cryptography.

[23]  Aggelos Kiayias,et al.  Public Key Cryptography - PKC 2006 , 2006, Lecture Notes in Computer Science.

[24]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 1999, IEEE Trans. Inf. Theory.

[25]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[26]  Alexander May,et al.  Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA , 2010, Public Key Cryptography.

[27]  David Chaum,et al.  Advances in Cryptology: Proceedings Of Crypto 83 , 2012 .

[28]  Sanjit Chatterjee,et al.  Progress in Cryptology - INDOCRYPT 2011 - 12th International Conference on Cryptology in India, Chennai, India, December 11-14, 2011. Proceedings , 2011, INDOCRYPT.

[29]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[30]  Don Coppersmith,et al.  Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known , 1996, EUROCRYPT.

[31]  Aggelos Kiayias,et al.  Multi-query Computationally-Private Information Retrieval with Constant Communication Rate , 2010, Public Key Cryptography.

[32]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[33]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[34]  Adam L. Young,et al.  Cryptography: Malicious Cryptography – Exposing Cryptovirology , 2004 .

[35]  Jean-Sébastien Coron,et al.  Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems , 1999, CHES.

[36]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.

[37]  Alexander May,et al.  New Attacks on RSA with Small Secret CRT-Exponents , 2006, Public Key Cryptography.

[38]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[39]  Alexander May,et al.  A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants , 2006, ASIACRYPT.

[40]  Alexander May,et al.  New RSA vulnerabilities using lattice reduction methods , 2003 .

[41]  Kefei Chen,et al.  Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings , 2006, ASIACRYPT.

[42]  H. Eagle,et al.  Amino acid metabolism in mammalian cell cultures. , 1959, Science.

[43]  Michael Darnell Cryptography and Coding, 6th IMA International Conference, Cirencester, UK, December 17-19, 1997, Proceedings , 1997, IMACC.

[44]  Hovav Shacham,et al.  Available from the IACR Cryptology ePrint Archive as Report 2008/510. Reconstructing RSA Private Keys from Random Key Bits , 2022 .

[45]  Guang Gong,et al.  Progress in Cryptology - INDOCRYPT 2010 , 2010, Lecture Notes in Computer Science.

[46]  P. Kocher,et al.  Differential power analysis, advances in cryptology-CRYPTO'99 , 1999 .

[47]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[48]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[49]  Gustavus J. Simmons,et al.  The Subliminal Channel and Digital Signature , 1985, EUROCRYPT.

[50]  Pankaj Rohatgi,et al.  Introduction to differential power analysis , 2011, Journal of Cryptographic Engineering.

[51]  Gérard D. Cohen,et al.  How to Improve an Exponentiation Black-Box , 1998, EUROCRYPT.

[52]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[53]  Alexander May,et al.  A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073 , 2007, CRYPTO.

[54]  Thomas Beth,et al.  Advances in cryptology : proceedings of EUROCRYPT 84, a Workshop on the Theory and Application of Cryptographic Techniques, Paris, France, April 9-11, 1984 , 1985 .

[55]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.