Correcting Errors in RSA Private Keys

Let pk = (N , e) be an RSA public key with corresponding secret key sk = (p, q , d , dp , dq , q −1 p ). Assume that we obtain partial error-free information of sk, e.g., assume that we obtain half of the most significant bits of p. Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key sk, we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in sk provided that e is small. That is, on input of a full but error-prone secret key s̃k we reconstruct the original sk by correcting the faults. More precisely, consider an error rate of δ ∈ [0, 1 2 ), where we flip each bit in sk with probability δ resulting in an erroneous key s̃k. Our Las-Vegas type algorithm allows to recover sk from s̃k in expected time polynomial in logN with success probability close to 1, provided that δ < 0.237. We also obtain a polynomial time Las-Vegas factorization algorithm for recovering the factorization (p, q) from an erroneous version with error rate δ < 0.084.