Error Correction of Partially Exposed RSA Private Keys from MSB Side

The most popular public-key cryptosystem to date has been RSA, whose security primarily relies on the infeasibility of factoring the modulus, which is a product of two large primes, and on the secrecy of certain RSA parameters. In 2009, the cold-boot attack by Halderman et al. presented an important cryptanalytic model where a portion of the secret parameters may be exposed. In this direction, Heninger and Shacham (Crypto 2009) introduced the problem of reconstructing RSA private keys when a few random bits from each are known. Later, Henecka, May and Meurer (Crypto 2010) introduced the problem of error correction in RSA private keys when all the bits are known with some probability of error. Their approach attempted error correction from the least significant side of the parameters. In this paper we provide a novel technique for error correction that works from the most significant side of the parameters. Representative experimental results are provided to substantiate our claim.
