# New Results for Partial Key Exposure on RSA with Exponent Blinding

### Stelvio Cimato, Silvia Mella, Ruggero Susella

#### Abstract

In 1998, Boneh, Durfee and Frankel introduced partial key exposure attacks, a novel application of Coppersmith’s method, to retrieve an RSA private key given only a fraction of its bits. This type of attacks is of particular interest in the context of side-channel attacks. By applying the exponent blinding technique as a countermeasure for side-channel attacks, the private exponent becomes randomized at each execution. Thus the attacker has to rely only on a single trace, significantly incrementing the noise, making the exponent bits recovery less effective. This countermeasure has also the side-effect of modifying the RSA equation used by partial key exposure attacks, in a way studied by Joye and Lepoint in 2012. We improve their results by providing a simpler technique in the case of known least significant bits and a better bound for the known most significant bits case. Additionally, we apply partial key exposure attacks to CRT-RSA when exponent blinding is used, a case not yet analyzed in literature. Our findings, for which we provide theoretical and experimental results, aim to reduce the number of bits to be recovered through side-channel attacks in order to factor an RSA modulus when the implementation is protected by exponent blinding.

#### References

- Blömer, J. and May, A. (2003). New partial key exposure attacks on RSA. In Boneh, D., editor, Advances in Cryptology - CRYPTO 2003, Proceedings, volume 2729 of LNCS, pages 27-43. Springer.
- Boneh, D., Durfee, G., and Frankel, Y. (1998). An attack on RSA given a small fraction of the private key bits. In Ohta, K. and Pei, D., editors, Advances in Cryptology - ASIACRYPT 1998, Proceedings, volume 1514 of LNCS, pages 25-34. Springer.
- Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., and Verneuil, V. (2010). Horizontal correlation analysis on exponentiation. In Soriano, M., Qing, S., and L ópez, J., editors, Information and Communications Security - ICICS 2010, Proceedings, volume 6476 of LNCS, pages 46-61. Springer.
- Coppersmith, D. (1996a). Finding a small root of a bivariate integer equation; factoring with high bits known. In (Maurer, 1996), pages 178-189.
- Coppersmith, D. (1996b). Finding a small root of a univariate modular equation. In (Maurer, 1996), pages 155-165.
- Coron, J. (1999). Resistance against differential power analysis for elliptic curve cryptosystems. In Koc¸, C¸ . K. and Paar, C., editors, Cryptographic Hardware and Embedded Systems - CHES 1999, Proceedings, volume 1717 of LNCS, pages 292-302. Springer.
- Ernst, M., Jochemsz, E., May, A., and de Weger, B. (2005). Partial key exposure attacks on RSA up to full size exponents. In Cramer, R., editor, Advances in Cryptology - EUROCRYPT 2005, Proceedings, volume 3494 of LNCS, pages 371-386. Springer.
- Fouque, P., Kunz-Jacques, S., Martinet, G., Muller, F., and Valette, F. (2006). Power attack on small RSA public exponent. In Goubin, L. and Matsui, M., editors, Cryptographic Hardware and Embedded Systems - CHES 2006, Proceedings, volume 4249 of LNCS, pages 339-353. Springer.
- Herrmann, M. and May, A. (2008). Solving linear equations modulo divisors: On factoring given any bits. In Pieprzyk, J., editor, Advances in Cryptology - ASIACRYPT 2008, Proceedings, volume 5350 of LNCS, pages 406-424. Springer.
- Howgrave-Graham, N. (1997). Finding small roots of univariate modular equations revisited. In Darnell, M., editor, Cryptography and Coding, 6th IMA International Conference 1997, Proceedings, volume 1355 of LNCS, pages 131-142. Springer.
- Joye, M. and Lepoint, T. (2012). Partial key exposure on RSA with private exponents larger than N. In Ryan, M. D., Smyth, B., and Wang, G., editors, Information Security Practice and Experience - ISPEC 2012, Proceedings, volume 7232 of LNCS, pages 369-380. Springer.
- Kerry, C. F., Secretary, A., and Director, C. R. (2013). FIPS PUB 186-4 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Digital Signature Standard (DSS).
- Kocher, P. C. (1996). Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In Koblitz, N., editor, Advances in Cryptology - CRYPTO 1996, Proceedings, volume 1109 of LNCS, pages 104-113. Springer.
- Kocher, P. C., Jaffe, J., and Jun, B. (1999). Differential power analysis. In Wiener, M. J., editor, Advances in Cryptology - CRYPTO 1999, Proceedings, volume 1666 of LNCS, pages 388-397. Springer.
- Lenstra, A., Lenstra, H., and Lovász, L. (1982). Factoring polynomials with rational coefficients. Math. Ann., 261:515-534.
- Lu, Y., Zhang, R., and Lin, D. (2014). New partial key exposure attacks on CRT-RSA with large public exponents. In Boureanu, I., Owesarski, P., and Vaudenay, S., editors, Applied Cryptography and Network Security - ACNS 2014, Proceedings, volume 8479 of LNCS, pages 151-162. Springer.
- Maurer, U. M., editor (1996). Advances in Cryptology - EUROCRYPT 1996, Proceeding, volume 1070 of LNCS. Springer.
- May, A. (2003). New RSA vulnerabilities using Lattice Reduction Methods. PhD thesis, University of Paderborn.
- Quisquater, J.-J. and Couvreur, C. (1982). Fast decipherment algorithm for rsa public-key cryptosystem. Electronic Letters, 18:905-907.
- Stein, W. et al. (2014). Sage Mathematics Software (Version 6.2). The Sage Development Team. http://www.sagemath.org.
- Walter, C. D. (2001). Sliding windows succumbs to big mac attack. In Koc¸, C¸. K., Naccache, D., and Paar, C., editors, Cryptographic Hardware and Embedded Systems - CHES 2001, Proceedings, volume 2162 of LNCS, pages 286-299. Springer.
- Wiener, M. J. (1990). Cryptanalysis of short rsa secret exponents. IEEE Transactions on Information Theory, 36:553-558.

#### Paper Citation

#### in Harvard Style

Cimato S., Mella S. and Susella R. (2015). **New Results for Partial Key Exposure on RSA with Exponent Blinding** . In *Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)* ISBN 978-989-758-117-5, pages 136-147. DOI: 10.5220/0005571701360147

#### in Bibtex Style

@conference{secrypt15,

author={Stelvio Cimato and Silvia Mella and Ruggero Susella},

title={New Results for Partial Key Exposure on RSA with Exponent Blinding},

booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},

year={2015},

pages={136-147},

publisher={SciTePress},

organization={INSTICC},

doi={10.5220/0005571701360147},

isbn={978-989-758-117-5},

}

#### in EndNote Style

TY - CONF

JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)

TI - New Results for Partial Key Exposure on RSA with Exponent Blinding

SN - 978-989-758-117-5

AU - Cimato S.

AU - Mella S.

AU - Susella R.

PY - 2015

SP - 136

EP - 147

DO - 10.5220/0005571701360147