A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
RSA Signature Algorithm for Microcontroller Implementation
CARDIS '98 Proceedings of the The International Conference on Smart Card Research and Applications
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Generating RSA Moduli with a Predetermined Portion
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
An Attack on RSA Given a Small Fraction of the Private Key Bits
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Lest we remember: cold boot attacks on encryption keys
SS'08 Proceedings of the 17th conference on Security symposium
Reconstructing RSA Private Keys from Random Key Bits
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Fault Attacks on RSA Signatures with Partially Unknown Messages
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
A polynomial time attack on RSA with private CRT-exponents smaller than N0.073
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Correcting errors in RSA private keys
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Modulus fault attacks against RSA-CRT signatures
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
Efficient CRT-RSA decryption for small encryption exponents
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Fault attacks against EMV signatures
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
Cryptanalysis of short RSA secret exponents
IEEE Transactions on Information Theory
New directions in cryptography
IEEE Transactions on Information Theory
| Hi-index | 0.00 |
Towards the cold boot attack (a kind of side channel attack), the problems of reconstructing RSA parameters when (i) certain bits are unknown (Heninger and Shacham, Crypto 2009) and (ii) the bits are available but with some error probability (Henecka, May and Meurer, Crypto 2010) have been considered very recently. In this paper we exploit the error correction heuristic proposed by Henecka et al to show that CRT-RSA schemes having low Hamming weight decryption exponents are insecure given small encryption exponents (e.g., e=216+1). In particular, we show that the CRT-RSA schemes presented by Lim and Lee (SAC 1996) and Galbraith, Heneghan and McKee (ACISP 2005) with low weight decryption exponents can be broken in a few minutes in certain cases. Further, the scheme of Maitra and Sarkar (CT-RSA 2010), where the decryption exponents are not of low weight but they have large low weight factors, can also be cryptanalysed. We also identify a few modifications of the error correction strategy that provides significantly improved experimental outcome towards the cold boot attack.