A Coding-Theoretic Approach to Recovering Noisy RSA Keys

Inspired by cold boot attacks, Heninger and Shacham (Crypto 2009) initiated the study of how to recover an RSA private key from a noisy version of that key. They gave an algorithm for the case where some bits of the private key are known with certainty. Their ideas were extended by Henecka, May and Meurer (Crypto 2010) to produce an algorithm that works when all the key bits are subject to error. In this paper, we bring a coding-theoretic viewpoint to bear on the problem of noisy RSA key recovery. This viewpoint allows us to cast the previous work as part of a more general framework. In turn, this enables us to explain why the previous algorithms do not solve the motivating cold boot problem, and to design a new algorithm that does (and more). In addition, we are able to use concepts and tools from coding theory (channel capacity, list decoding algorithms, and random coding techniques) to derive bounds on the performance of the previous algorithms and of our new algorithm.
