New Results for Partial Key Exposure on RSA with Exponent Blinding

Stelvio Cimato, Silvia Mella, Ruggero Susella

Abstract

In 1998, Boneh, Durfee and Frankel introduced partial key exposure attacks, a novel application of Coppersmith's method, to retrieve an RSA private key given only a fraction of its bits. This type of attack is of particular interest in the context of side-channel attacks. By applying the exponent blinding technique as a countermeasure against side-channel attacks, the private exponent becomes randomized at each execution. Thus the attacker has to rely on a single trace only, which significantly increases the noise and makes the recovery of the exponent bits less effective. This countermeasure also has the side effect of modifying the RSA equation used by partial key exposure attacks, in a way studied by Joye and Lepoint in 2012. We improve their results by providing a simpler technique in the case of known least significant bits and a better bound for the case of known most significant bits. Additionally, we apply partial key exposure attacks to CRT-RSA when exponent blinding is used, a case not yet analyzed in the literature. Our findings, for which we provide theoretical and experimental results, aim to reduce the number of bits that must be recovered through side-channel attacks in order to factor an RSA modulus when the implementation is protected by exponent blinding.
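The following is an added illustration, not code from the paper: it implements the exponent blinding countermeasure the abstract refers to, for plain RSA and for CRT-RSA, and shows two consequences the abstract alludes to: the blinded exponent d' is larger than N, and the key equation e*d = 1 + k*phi(N) still holds but with a changed multiplier k' = k + e*r. It assumes the usual blinding form d' = d + r*phi(N) (for CRT-RSA, d_p' = d_p + r_p*(p-1)) with a fresh random mask r per execution, and uses tiny constructed primes for readability.

```python
# Added example (not the paper's code): exponent blinding for RSA and CRT-RSA.
# Assumed blinding form: d' = d + r*phi(N), resp. d_p' = d_p + r_p*(p-1),
# with a fresh random r on every private-key operation.
import secrets

def blind_exponent(d, phi, r=None, r_bits=64):
    """Return (d', r) with d' = d + r*phi; r is drawn fresh if not supplied."""
    if r is None:                              # full-size mask, top bit set
        r = (1 << (r_bits - 1)) | secrets.randbits(r_bits - 1)
    return d + r * phi, r

def key_equation_multiplier(e, d_any, phi):
    """k such that e*d = 1 + k*phi, or None if the key equation fails.
    For a blinded d' = d + r*phi this comes out as k' = k + e*r."""
    lhs = e * d_any - 1
    return lhs // phi if lhs % phi == 0 else None

def rsa_blinded_decrypt(c, n, d, phi):
    """Plain RSA decryption with a freshly blinded exponent."""
    d_b, _ = blind_exponent(d, phi)
    return pow(c, d_b, n)                      # m^(d + r*phi) == m^d (mod n)

def crt_blinded_decrypt(c, p, q, dp, dq):
    """CRT-RSA decryption with each half-exponent blinded independently."""
    dp_b, _ = blind_exponent(dp, p - 1)        # exponent stays valid mod p-1
    dq_b, _ = blind_exponent(dq, q - 1)        # exponent stays valid mod q-1
    mp, mq = pow(c, dp_b, p), pow(c, dq_b, q)
    h = (pow(q, -1, p) * (mp - mq)) % p        # Garner recombination
    return mq + h * q

def make_key(p, q, e=65537):
    """Constructed toy key material (tiny primes, for illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return dict(n=n, e=e, d=d, phi=phi, p=p, q=q,
                dp=d % (p - 1), dq=d % (q - 1))

if __name__ == "__main__":
    key = make_key(1000003, 1000033)           # constructed sample primes
    m = 123456789                              # constructed sample message
    c = pow(m, key["e"], key["n"])
    d_b, r = blind_exponent(key["d"], key["phi"])
    print("d bits:", key["d"].bit_length(), "blinded d' bits:", d_b.bit_length(),
          "N bits:", key["n"].bit_length())    # d' exceeds N in size
    k = key_equation_multiplier(key["e"], key["d"], key["phi"])
    print("k' == k + e*r:",
          key_equation_multiplier(key["e"], d_b, key["phi"]) == k + key["e"] * r)
    assert rsa_blinded_decrypt(c, key["n"], key["d"], key["phi"]) == m
    assert crt_blinded_decrypt(c, key["p"], key["q"], key["dp"], key["dq"]) == m
```

Because the mask is new on every call, two traces of the same operation expose different exponent bit patterns, which is why the attacker described in the abstract is limited to a single trace.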

References

  1. Blömer, J. and May, A. (2003). New partial key exposure attacks on RSA. In Boneh, D., editor, Advances in Cryptology - CRYPTO 2003, Proceedings, volume 2729 of LNCS, pages 27-43. Springer.
  2. Boneh, D., Durfee, G., and Frankel, Y. (1998). An attack on RSA given a small fraction of the private key bits. In Ohta, K. and Pei, D., editors, Advances in Cryptology - ASIACRYPT 1998, Proceedings, volume 1514 of LNCS, pages 25-34. Springer.
  3. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., and Verneuil, V. (2010). Horizontal correlation analysis on exponentiation. In Soriano, M., Qing, S., and López, J., editors, Information and Communications Security - ICICS 2010, Proceedings, volume 6476 of LNCS, pages 46-61. Springer.
  4. Coppersmith, D. (1996a). Finding a small root of a bivariate integer equation; factoring with high bits known. In (Maurer, 1996), pages 178-189.
  5. Coppersmith, D. (1996b). Finding a small root of a univariate modular equation. In (Maurer, 1996), pages 155-165.
  6. Coron, J. (1999). Resistance against differential power analysis for elliptic curve cryptosystems. In Koç, Ç. K. and Paar, C., editors, Cryptographic Hardware and Embedded Systems - CHES 1999, Proceedings, volume 1717 of LNCS, pages 292-302. Springer.
  7. Ernst, M., Jochemsz, E., May, A., and de Weger, B. (2005). Partial key exposure attacks on RSA up to full size exponents. In Cramer, R., editor, Advances in Cryptology - EUROCRYPT 2005, Proceedings, volume 3494 of LNCS, pages 371-386. Springer.
  8. Fouque, P., Kunz-Jacques, S., Martinet, G., Muller, F., and Valette, F. (2006). Power attack on small RSA public exponent. In Goubin, L. and Matsui, M., editors, Cryptographic Hardware and Embedded Systems - CHES 2006, Proceedings, volume 4249 of LNCS, pages 339-353. Springer.
  9. Herrmann, M. and May, A. (2008). Solving linear equations modulo divisors: On factoring given any bits. In Pieprzyk, J., editor, Advances in Cryptology - ASIACRYPT 2008, Proceedings, volume 5350 of LNCS, pages 406-424. Springer.
  10. Howgrave-Graham, N. (1997). Finding small roots of univariate modular equations revisited. In Darnell, M., editor, Cryptography and Coding, 6th IMA International Conference 1997, Proceedings, volume 1355 of LNCS, pages 131-142. Springer.
  11. Joye, M. and Lepoint, T. (2012). Partial key exposure on RSA with private exponents larger than N. In Ryan, M. D., Smyth, B., and Wang, G., editors, Information Security Practice and Experience - ISPEC 2012, Proceedings, volume 7232 of LNCS, pages 369-380. Springer.
  12. Kerry, C. F., Secretary, A., and Director, C. R. (2013). FIPS PUB 186-4, Federal Information Processing Standards Publication: Digital Signature Standard (DSS).
  13. Kocher, P. C. (1996). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Koblitz, N., editor, Advances in Cryptology - CRYPTO 1996, Proceedings, volume 1109 of LNCS, pages 104-113. Springer.
  14. Kocher, P. C., Jaffe, J., and Jun, B. (1999). Differential power analysis. In Wiener, M. J., editor, Advances in Cryptology - CRYPTO 1999, Proceedings, volume 1666 of LNCS, pages 388-397. Springer.
  15. Lenstra, A., Lenstra, H., and Lovász, L. (1982). Factoring polynomials with rational coefficients. Math. Ann., 261:515-534.
  16. Lu, Y., Zhang, R., and Lin, D. (2014). New partial key exposure attacks on CRT-RSA with large public exponents. In Boureanu, I., Owesarski, P., and Vaudenay, S., editors, Applied Cryptography and Network Security - ACNS 2014, Proceedings, volume 8479 of LNCS, pages 151-162. Springer.
  17. Maurer, U. M., editor (1996). Advances in Cryptology - EUROCRYPT 1996, Proceedings, volume 1070 of LNCS. Springer.
  18. May, A. (2003). New RSA vulnerabilities using Lattice Reduction Methods. PhD thesis, University of Paderborn.
  19. Quisquater, J.-J. and Couvreur, C. (1982). Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18:905-907.
  20. Stein, W. et al. (2014). Sage Mathematics Software (Version 6.2). The Sage Development Team. http://www.sagemath.org.
  21. Walter, C. D. (2001). Sliding windows succumbs to big mac attack. In Koç, Ç. K., Naccache, D., and Paar, C., editors, Cryptographic Hardware and Embedded Systems - CHES 2001, Proceedings, volume 2162 of LNCS, pages 286-299. Springer.
  22. Wiener, M. J. (1990). Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36:553-558.

Paper Citation


in Harvard Style

Cimato S., Mella S. and Susella R. (2015). New Results for Partial Key Exposure on RSA with Exponent Blinding. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 136-147. DOI: 10.5220/0005571701360147


in Bibtex Style

@conference{secrypt15,
author={Stelvio Cimato and Silvia Mella and Ruggero Susella},
title={New Results for Partial Key Exposure on RSA with Exponent Blinding},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={136-147},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005571701360147},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - New Results for Partial Key Exposure on RSA with Exponent Blinding
SN - 978-989-758-117-5
AU - Cimato S.
AU - Mella S.
AU - Susella R.
PY - 2015
SP - 136
EP - 147
DO - 10.5220/0005571701360147