# Recovering RSA Private Keys on Implementations with Tampered LSBs

### Constantinos Patsakis

#### Abstract

The theoretical security that modern encryption algorithms are providing, leads researchers to new attack scenarios which are more implementation centric. By discovering hardware or software flaws that can recover some information about the decryption key, cryptanalysts try to exploit this knowledge. Therefore, many side channel attacks have appeared, illustrating that the concept of having secure code or even embedding all cryptographic functions in hardware modules, in many cases in not adequate. The aim of this work is to illustrate how partial information can be used to exploit the extracted information, leading to full reconstruction of the private key of RSA, for some implementations of the algorithm where the LSB has been selected to fit several constraints. More precisely, we study the case where the LSB half of the primes is identical or when there is a linear equation that mixes the LSB halves of the two primes.

#### References

- Boneh, D., Durfee, G., and Frankel, Y. (1998). An attack on rsa given a small fraction of the private key bits. In ASIACRYPT, pages 25-34.
- Coppersmith, D. (1996). Finding a small root of a univariate modular equation. In EUROCRYPT, pages 155-165.
- Courtois, N. T., Bard, G. V., and Wagner, D. (2008). Fast software encryption. chapter Algebraic and Slide Attacks on KeeLoq, pages 97-115. Springer-Verlag, Berlin, Heidelberg.
- De, D., Kumarasubramanian, A., and Venkatesan, R. (2007). Inversion attacks on secure hash functions using sat solvers. In Proceedings of the 10th international conference on Theory and applications of satisfiability testing, SAT'07, pages 377-382, Berlin, Heidelberg. Springer-Verlag.
- Dylkeyt, V. I., Faizullin, R. T., and Khnykin, I. G. (2007). Reducing the problem of asymmetric ciphers cryptanalysis to solving satisfiability problems.R In Proceedings of the XIII All-Russian Conference Mathematical Methods in Pattern Recognition, pages 249- 251. MAKC press.
- Eibach, T., Pilz, E., and Völkel, G. (2008). Attacking bivium using sat solvers. In Proceedings of the 11th international conference on Theory and applications of satisfiability testing, SAT'08, pages 63-76, Berlin, Heidelberg. Springer-Verlag.
- Erickson, J., Ding, J., and Christensen, C. (2010). Algebraic cryptanalysis of sms4: gröebner basis attack and sat attack compared. In Proceedings of the 12th international conference on Information security and cryptology, ICISC'09, pages 73-86, Berlin, Heidelberg. Springer-Verlag.
- Faizullin, R. T., Khnykin, I. G., and Dylkeyt, V. I. (2009). The sat solving method as applied to cryptographic analysis of asymmetric ciphers. The Computing Research Repository, abs/0907.1755.
- Fiorini, C., Martinelli, E., and Massacci, F. (2003). How to fake an rsa signature by encoding modular root finding as a sat problem. Discrete Applied Mathematics, 130(2):101-127.
- Golle, P. and Wagner, D. (2007). Cryptanalysis of a cognitive authentication scheme (extended abstract). In Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP 7807, pages 66-70, Washington, DC, USA. IEEE Computer Society.
- Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J. A., Feldman, A. J., Appelbaum, J., and Felten, E. W. (2009). Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM, 52(5):91-98.
- Henecka, W., May, A., and Meurer, A. (2010). Correcting errors in rsa private keys. In Proceedings of the 30th annual conference on Advances in cryptology, CRYPTO'10, pages 351-369, Berlin, Heidelberg. Springer-Verlag.
- Heninger, N. and Shacham, H. (2009). Reconstructing rsa private keys from random key bits. In In CRYPTO, pages 1-17.
- Homsirikamol, E., Morawiecki, P., Rogawski, M., and Srebrny, M. (2012). Security margin evaluation of sha-3 contest finalists through sat-based attacks. In Computer Information Systems and Industrial Management, volume 7564 of Lecture Notes in Computer Science, pages 56-67. Springer Berlin Heidelberg.
- Kamal, A. and Youssef, A. (2010). Applications of sat solvers to aes key recovery from decayed key schedule images. In Emerging Security Information Systems and Technologies (SECURWARE), 2010 Fourth International Conference on, pages 216 -220.
- Maitra, S., Sarkar, S., and Sen Gupta, S. (2010). Factoring rsa modulus using prime reconstruction from random known bits. In Proceedings of the Third international conference on Cryptology in Africa, AFRICACRYPT'10, pages 82-99, Berlin, Heidelberg. Springer-Verlag.
- Massacci, F. (1999). Using walk-sat and rel-sat for cryptographic key search. In Proceedings of the Sixteenth International Joint Conference on Artificial Intelligence, IJCAI 7899, pages 290-295, San Francisco, CA, USA. Morgan Kaufmann Publishers Inc.
- Massacci, F. and Marraro, L. (2000). Logical cryptanalysis as a sat problem. J. Autom. Reason., 24(1-2):165-203.
- Meng, X. and Bi, J. (2011). Weak keys in rsa with primes sharing least significant bits. In Information Security and Cryptology, pages 278-287. Springer.
- Mironov, I. and Zhang, L. (2006). Applications of sat solvers to cryptanalysis of hash functions. In Proceedings of the 9th international conference on Theory and Applications of Satisfiability Testing, SAT'06, pages 102-115, Berlin, Heidelberg. Springer-Verlag.
- Mohamed, M., Bulygin, S., and Buchmann, J. (2011). Using sat solving to improve differential fault analysis of trivium. pages 62-71. Springer.
- Morawiecki, P. and Srebrny, M. (2010). A sat-based preimage analysis of reduced keccak hash functions. http://eprint.iacr.org/2010/285. pawelm@wshkielce.edu.pl 14742 received 13 May 2010.
- Paterson, K., Polychroniadou, A., and Sibborn, D. (2012). A coding-theoretic approach to recovering noisy rsa keys. Advances in Cryptology-ASIACRYPT 2012, pages 386-403.
- Patsakis, C. (2013). Rsa private key reconstruction from random bits using sat solvers. IACR Cryptology ePrint Archive, 2013:26.
- Rivest, R. L. and Shamir, A. (1985). Efficient factoring based on partial information. In EUROCRYPT, pages 31-34.
- Santanu, S., Sourav Sen, G., and Subhamoy, M. (2011). Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side. In WCC 2011 - Workshop on coding and cryptography, pages 7-16, Paris, France.
- Sarkar, S. (2011). Partial key exposure: Generalized framework to attack rsa. In Progress in Cryptology - INDOCRYPT 2011, volume 7107 of Lecture Notes in Computer Science, pages 76-92. Springer Berlin / Heidelberg.
- Soos, M. (2009). Cryptominisat - a sat solver for cryptographic problems. http://planete.inrialpes.fr/~soos/ CryptoMiniSat2/index.php.
- Soos, M. (2010). Grain of Salt - an Automated Way to Test Stream Ciphers through SAT Solvers. In Tools'10: Proceedings of the Workshop on Tools for Cryptanalysis 2010, pages 1-2, RHUL.
- Soos, M., Nohl, K., and Castelluccia, C. (2009). Extending sat solvers to cryptographic problems. In Proceedings of the 12th International Conference on Theory and Applications of Satisfiability Testing, SAT 7809, pages 244-257, Berlin, Heidelberg. Springer-Verlag.
- Steinfeld, R. and Zheng, Y. (2001). An advantage of lowexponent rsa with modulus primes sharing least significant bits. Topics in Cryptology-CT-RSA 2001, pages 52-62.
- Sun, H., Wu, M., Wang, H., and Guo, J. (2008a). On the improvement of the bdf attack on lsbs-rsa. In Information Security and Privacy, pages 84-97. Springer.
- Sun, H.-M., Wu, M.-E., Steinfeld, R., Guo, J., and Wang, H. (2008b). Cryptanalysis of short exponent rsa with primes sharing least significant bits. In Franklin, M., Hui, L., and Wong, D., editors, Cryptology and Network Security, volume 5339 of Lecture Notes in Computer Science, pages 49-63. Springer Berlin Heidelberg.
- Yuen, H. and Bebel, J. (July 18, 2011). Toughsat. http:// toughsat.appspot.com.
- Zhao, Y. and Qi, W. (2007). Small private-exponent attack on rsa with primes sharing bits. Information Security, pages 221-229.

#### Paper Citation

#### in Harvard Style

Patsakis C. (2013). **Recovering RSA Private Keys on Implementations with Tampered LSBs** . In *Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)* ISBN 978-989-8565-73-0, pages 453-460. DOI: 10.5220/0004534904530460

#### in Bibtex Style

@conference{secrypt13,

author={Constantinos Patsakis},

title={Recovering RSA Private Keys on Implementations with Tampered LSBs},

booktitle={Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)},

year={2013},

pages={453-460},

publisher={SciTePress},

organization={INSTICC},

doi={10.5220/0004534904530460},

isbn={978-989-8565-73-0},

}

#### in EndNote Style

TY - CONF

JO - Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)

TI - Recovering RSA Private Keys on Implementations with Tampered LSBs

SN - 978-989-8565-73-0

AU - Patsakis C.

PY - 2013

SP - 453

EP - 460

DO - 10.5220/0004534904530460