Seeing through MIST Given a Small Fraction of an RSA Private Key
نویسنده
چکیده
In smartcard encryption and signature applications, randomised algorithms are used to increase tamper resistance against attacks based on side channel leakage. Mist is one of these. As is the case with the classical m-ary and sliding windows exponentiation algorithms, the most significant half of the public modulus yields information which can be used to halve the number of key digits which need to be guessed to recover the secret key from a Mist side channel trace. Lattice based methods are used to reduce this to just one quarter of the least significant digits. This enables the strength of the Mist exponentiation algorithm to be gauged more accurately under several threat models.
منابع مشابه
Reconstructing RSA Private Keys from Random Key Bits
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. ...
متن کاملImproved RSA Private Key Reconstruction for Cold Boot Attacks
We give an algorithm that reconstructs an RSA private key given a 27% fraction of its bits at random. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information typically stored in an RSA private key. We give a rigorous analysis of the running time behavior of our algorithm that closely matches the sharp threshold phenomenon observ...
متن کاملPartial Key Exposure on RSA with Private Exponents Larger Than N
In 1998, Boneh, Durfee and Frankel described several attacks against RSA enabling an attacker given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways. They however always consider that the private exponent d is smaller than the RSA modulus N . When it comes to implementation, d can be enlarged to a value larger t...
متن کاملCommon modulus attacks on small private exponent RSA and some fast variants (in practice)
In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 10...
متن کاملSmall Private Exponent Partial Key-Exposure Attacks on Multiprime RSA
Given knowledge of one or more of the primes in a multiprime RSA modulus we show that the private exponent can be recovered provided it is sufficiently small. In particular, we present a simple and efficient method that given v of the u primes dividing the modulus N recovers any private exponent d satisfying d < Nv/u− . When only one prime is known, this bound can be increased to approximately ...
متن کامل