Improved reconstruction of RSA private-keys from their fraction
Introduction
RSA is the most popular public-key cryptosystem. Its public-key is and e, where p and q are large primes. The secret-key is d such that In standard, it is recommended to use a redundant tuple as a private-key in order to allow for a fast Chinese Remainder type decryption process, where
Motivated by the cold boot attack [2], Heninger and Shacham showed a method which can reconstruct from a random δ fraction of their bits [3]. It succeeds with high probability for small e when .
The reason why e must be small is as follows. From Eq. (1), it holds that for some k. The method of Heninger and Shacham first finds this k by exhaustive search over . Hence e must be small. In particular, it is so even for large δ.
In this paper, we show how to reduce the search range of k. The bigger δ, the better our method is. More precisely, the search range of k is reduced from e to .
Heninger and Shacham attack
Let denote the i-th bit of a positive integer a, where denotes the least significant bit of a. Define as
In RSA, the following equations hold:
Assume that we know a δ fraction of . In the Heninger–Shacham attack, we first determine the value k of Eq. (3). Since we have , we can determine the correct k by exhaustive search over .
For each , we define
As Boneh, Durfee,
How to avoid exhaustive search on k
The method of Heninger and Shacham [3] works when e is small because it includes the exhaustive search on k of Eq. (3), where . This is so even if a large fraction of SK is known. In this section we propose a method which reduces this search range of k.
From Eq. (3), we have In the above equation, some bits of p, q, and d are unknown.
First we derive lower bounds on p, q, and d. This is done by simply substituting 0s into their unknown bits (see Fig. 1). In this way, we can
Formula on the search range
In this section, we derive a formula on the search range of the proposed method. Suppose that N and d are n-bit long. Let denote the ith bit of d, where is the most significant bit. If is unknown, then . If is known and is known, then . Therefore Hence We then have a formula on the search range of the proposed method as
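The bounding step described above, as an added Python example that is not code from the paper: it uses the standard RSA relation ed = 1 + k(N + 1 - p - q) and, besides substituting 0s into unknown bits for lower bounds, substitutes 1s for upper bounds, which is an assumption of this example. The toy primes, the known-bit masks and all function names are constructed for illustration.

```python
E = 65537  # public exponent used for the constructed toy key

def bit_bounds(value, known_mask, nbits):
    """Bounds on an nbits-wide integer whose bits outside known_mask are unknown."""
    lo = value & known_mask                        # unknown bits replaced by 0
    hi = lo | (~known_mask & ((1 << nbits) - 1))   # unknown bits replaced by 1 (assumption)
    return lo, hi

def k_range(N, e, p_part, q_part, d_part):
    """Interval that must contain k in e*d = 1 + k*(N + 1 - p - q)."""
    (p_lo, p_hi), (q_lo, q_hi), (d_lo, d_hi) = p_part, q_part, d_part
    phi_min = N + 1 - (p_hi + q_hi)          # largest p + q gives smallest phi(N)
    phi_max = N + 1 - (p_lo + q_lo)
    k_lo = -(-(e * d_lo - 1) // phi_max)     # ceiling division
    k_hi = (e * d_hi - 1) // phi_min         # floor division
    return max(1, k_lo), min(e - 1, k_hi)    # k always satisfies 0 < k < e

def demo():
    # Constructed toy key (far too small for real use).
    p, q = 1_000_000_007, 998_244_353
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    true_k = (E * d - 1) // phi
    n = N.bit_length()
    # Constructed leak: top 8 bits of d plus scattered low bits; low 16 bits of p, q.
    d_part = bit_bounds(d, (0xFF << (n - 8)) | 0x0F0F0F0F, n)
    p_part = bit_bounds(p, 0xFFFF, p.bit_length())
    q_part = bit_bounds(q, 0xFFFF, q.bit_length())
    k_lo, k_hi = k_range(N, E, p_part, q_part, d_part)
    return true_k, k_lo, k_hi

if __name__ == "__main__":
    true_k, k_lo, k_hi = demo()
    print(f"k = {true_k}, candidates {k_lo}..{k_hi} "
          f"({k_hi - k_lo + 1} values instead of {E - 1})")
```

In this example the width of the interval is driven almost entirely by the unknown high-order bits of d, since the uncertainty in p + q is negligible next to N.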
References (3)
- et al.
An attack on RSA given a small fraction of the private key bits