Generalized Security Analysis of the Random Key Bits Leakage Attack

In CRYPTO 2009, Heninger and Shacham presented a new method of recovering RSA private keys bit by bit given a fraction of the private data, and analyzed the resistance of RSA against the attack. They obtained a system of relations between RSA private variables and calculated the expected number of solution candidates. As they dealt only with the RSA case, we consider the case where the system of equations is given in a more general linear form. We show that the complexity of their attack depends only on the number of variables, the number of ambiguous variables, and the degree of freedom. As concrete examples, we apply the attack to the Paillier cryptosystem and Takagi's variant of RSA, and analyze their resistance against the attack. In Paillier's case, the resistance is almost the same as in the case where a fraction of three private RSA keys is leaked. In Takagi's case, we find that the asymmetry between the two factors of the modulus has some effect on the resistance against the attack.
