Recovering Secrets From Prefix-Dependent Leakage

Abstract. We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to k-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.
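The setting the abstract describes can be modelled in a few lines. The following is an added illustration, not code from the paper: it assumes a left-to-right square-and-multiply over a small constructed modulus, a constructed leakage function that exposes only the least significant bit of the intermediate value after each iteration, and a simple per-branch error budget (`max_errors`) as a stand-in for the paper's treatment of imperfect leakage. Recovery is a breadth-first walk over the tree of exponent prefixes that prunes every branch whose intermediate value disagrees with the observed leak; the returned `widest` value is the largest frontier encountered, which is what the independence assumptions keep small.

```python
# Added example (not from the paper): toy model of prefix-dependent leakage.
# A deterministic exponentiation processes the secret bits one at a time; after
# each step the adversary is assumed to see ONE bit of the intermediate group
# element (constructed here as its least significant bit), never the exponent bit.
# Recovery walks the tree of exponent prefixes and prunes branches whose
# intermediate value is inconsistent with the observed leak.

def int_to_bits(n, length):
    """Most-significant-bit-first bit list of n, zero-padded to `length`."""
    return [(n >> i) & 1 for i in range(length - 1, -1, -1)]

def leak_bit(state):
    """Constructed leakage function: one bit per iteration about the group element."""
    return state & 1

def square_and_multiply_trace(exp_bits, base, modulus):
    """Left-to-right square-and-multiply; returns the one-bit leak after each iteration."""
    acc = 1
    leaks = []
    for b in exp_bits:
        acc = acc * acc % modulus
        if b:
            acc = acc * base % modulus
        leaks.append(leak_bit(acc))
    return leaks

def recover(leaks, base, modulus, max_errors=0):
    """Breadth-first search over exponent prefixes, pruning inconsistent branches.

    Each frontier entry is (prefix bits, accumulator after the prefix, mismatches so far).
    max_errors > 0 tolerates noisy leaks by allowing that many mismatches per branch
    (a simplistic stand-in for the paper's imperfect-leakage handling).
    Returns (surviving full-length candidates as bit lists, widest frontier seen).
    """
    frontier = [((), 1, 0)]
    widest = 1
    for observed in leaks:
        nxt = []
        for prefix, acc, errs in frontier:
            sq = acc * acc % modulus
            # Extend the prefix by 0 (square only) or 1 (square then multiply).
            for bit, new_acc in ((0, sq), (1, sq * base % modulus)):
                new_errs = errs + (leak_bit(new_acc) != observed)
                if new_errs <= max_errors:
                    nxt.append((prefix + (bit,), new_acc, new_errs))
        frontier = nxt
        widest = max(widest, len(frontier))
    return [list(p) for p, _, _ in frontier], widest

if __name__ == "__main__":
    MODULUS = 1_000_003                 # constructed toy prime modulus
    BASE = 5                            # constructed base
    SECRET = 0b1011_0111_0010_1101      # constructed 16-bit secret exponent
    bits = int_to_bits(SECRET, 16)
    leaks = square_and_multiply_trace(bits, BASE, MODULUS)
    candidates, widest = recover(leaks, BASE, MODULUS)
    print("secret among candidates:", bits in candidates,
          "| candidates:", len(candidates), "| widest frontier:", widest)
```

Every surviving candidate reproduces the observed leak sequence exactly, so the true exponent is always among them; the interesting quantity is how many siblings survive alongside it. Note that a prefix of all zeros keeps the accumulator at 1, so the first branch point is only resolved once the leaks of 1 and of `base` differ, which is why the example checks membership rather than assuming a unique survivor.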
