In 1998, Boneh, Durfee and Frankel introduced partial key exposure attacks, a novel application of Coppersmith's method, to retrieve an RSA private key given only a fraction of its bits. This type of attack is of particular interest in the context of side-channel attacks. By applying the exponent blinding technique as a countermeasure for side-channel attacks, the private exponent becomes randomized at each execution. Thus the attacker has to rely on only a single trace, which significantly increases the noise and makes the recovery of the exponent bits less effective. This countermeasure also has the side effect of modifying the RSA equation used by partial key exposure attacks, in a way studied by Joye and Lepoint in 2012. We improve their results by providing a simpler technique in the case of known least significant bits and a better bound for the known most significant bits case. Additionally, we apply partial key exposure attacks to CRT-RSA when exponent blinding is used, a case not yet analyzed in the literature. Our findings, for which we provide theoretical and experimental results, aim to reduce the number of bits to be recovered through side-channel attacks in order to factor an RSA modulus when the implementation is protected by exponent blinding.

New Results for Partial Key Exposure on RSA with Exponent Blinding / R. Susella, S. Mella, S. Cimato - In: Proceedings of the 12th International Conference on Security and Cryptography. 1: SECRYPT / [edited by] M.S. Obaidat, P. Lorenz, P. Samarati. - First edition. - [s.l] : SciTePress, 2015. - ISBN 9789897581175. - pp. 136-147 (Paper presented at the 12th International Conference on Security and Cryptography, held in Colmar in 2015) [10.5220/0005571701360147].

New Results for Partial Key Exposure on RSA with Exponent Blinding

S. Mella (second author); S. Cimato (last author)
2015

RSA; Partial Key Exposure; Coppersmith's Method; Exponent Blinding; Horizontal Attack
Sector INF/01 - Computer Science
   Security Horizons
   MINISTERO DELL'ISTRUZIONE E DEL MERITO
   2010XSEMLC_003
Book Part (author)

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/315689