Correcting errors in RSA private keys
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Factoring RSA modulus using prime reconstruction from random known bits
AFRICACRYPT'10 Proceedings of the Third international conference on Cryptology in Africa
The leakage-resilience limit of a computational problem is equal to its unpredictability entropy
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Generalized security analysis of the random key bits leakage attack
WISA'11 Proceedings of the 12th international conference on Information Security Applications
Partial key exposure: generalized framework to attack RSA
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
Partial key exposure on RSA with private exponents larger than N
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
Attacking exponent blinding in RSA without CRT
COSADE'12 Proceedings of the Third international conference on Constructive Side-Channel Analysis and Secure Design
Correcting errors in private keys obtained from cold boot attacks
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Improvement of trace-driven I-Cache timing attack on the RSA algorithm
Journal of Systems and Software
Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
A coding-theoretic approach to recovering noisy RSA keys
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
PRIME: private RSA infrastructure for memory-less encryption
Proceedings of the 29th Annual Computer Security Applications Conference
| Hi-index | 0.00 |
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the "cold boot" attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments.