Correcting errors in RSA private keys

Authors:
Wilko Henecka;Alexander May;Alexander Meurer
Affiliations:
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Faculty of Mathematics, Germany;Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Faculty of Mathematics, Germany;Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Faculty of Mathematics, Germany
Venue:
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Year:
2010

Citing 7
Cited 7

Efficient factoring based on partial information

Proc. of a workshop on the theory and application of cryptographic techniques on Advances in cryptology---EUROCRYPT '85
An Attack on RSA Given a Small Fraction of the Private Key Bits

ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring

Journal of Cryptology
Lest we remember: cold boot attacks on encryption keys

SS'08 Proceedings of the 17th conference on Security symposium
Reconstructing RSA Private Keys from Random Key Bits

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
When private keys are public: results from the 2008 Debian OpenSSL vulnerability

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Factoring with an oracle

EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques

Exponent blinding does not always lift (partial) spa resistance to higher-level security

ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Generalized security analysis of the random key bits leakage attack

WISA'11 Proceedings of the 12th international conference on Information Security Applications
Correcting errors in private keys obtained from cold boot attacks

ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Improvement of trace-driven I-Cache timing attack on the RSA algorithm

Journal of Systems and Software
Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents

CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
A coding-theoretic approach to recovering noisy RSA keys

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
SMARTPROXY: secure smartphone-assisted login on compromised machines

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

Let pk = (N, e) be an RSA public key with corresponding secret key sk = (p, q, d, dp, dq, qp-1). Assume that we obtain partial error-free information of sk, e.g., assume that we obtain half of the most significant bits of p. Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key sk, we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in sk provided that e is small. That is, on input of a full but error-prone secret key sk we reconstruct the original sk by correcting the faults. More precisely, consider an error rate of δ ∈ [0, 1/2), where we flip each bit in sk with probability δ resulting in an erroneous key sk. Our Las-Vegas type algorithm allows to recover sk from sk in expected time polynomial in log N with success probability close to 1, provided that δ p, q) from an erroneous version with error rate δ