Small generic hardcore subsets for the discrete logarithm: short secret DL-keys. Information Processing Letters.
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology.
An Attack on RSA Given a Small Fraction of the Private Key Bits. ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology.
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems.
Universal Exponentiation Algorithm. CHES '01 Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems.
Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem. Mathematics of Computation.
Lest we remember: cold boot attacks on encryption keys. SS'08 Proceedings of the 17th conference on Security symposium.
Reconstructing RSA Private Keys from Random Key Bits. CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology.
Lower bounds for discrete logarithms and related problems. EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques.
A note on discrete logarithms with special structure. EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques.
Correcting errors in RSA private keys. CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology.
Power attack on small RSA public exponent. CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems.
Based on the cold boot attack technique, this paper proposes a new algorithm to recover the private key of discrete logarithm (DL) based cryptosystems and of standard RSA from an erroneous copy of that key. The proposed algorithm achieves almost square-root complexity in the size of the search space. More precisely, the private key of a DL based system with a 160-bit key can be recovered in $2^{43.24}$ exponentiations, while exhaustive search costs $2^{71.95}$ exponentiations, if the error rate is 10%. For standard RSA with a 1024-bit key, our algorithm can recover the private key with $2^{49.08}$ exponentiations if the error rate is 1%. Compared with the efficiency of some algorithms [7,6] that recover the private key in RSA using the Chinese Remainder Theorem, the recoverable error rate of our algorithm is quite small. However, our algorithm requires only partial information about the private key d, while the other algorithms require additional information such as partial information about the factors of the RSA modulus N. The proposed algorithm can also be used to break countermeasures against differential power analysis attacks. In standard RSA, one such countermeasure uses the randomized exponent $\tilde{d}=d+r\cdot\phi(N)$, with a random value r, instead of the decryption exponent d. When the random value r is 26 bits long, it can be shown that the randomized exponent can be recovered with $2^{49.30}$ exponentiations if the error rate is 1%. Finally, we also consider breaking the countermeasure that splits the decryption exponent d into $d_1$ and $d_2$ of the same size.