TY - GEN
T1 - A Third is All You Need
T2 - 28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022
AU - Zhou, Yuanyuan
AU - van de Pol, Joop
AU - Yu, Yu
AU - Standaert, François Xavier
N1 - Publisher Copyright:
© 2022, International Association for Cryptologic Research.
PY - 2022
Y1 - 2022
N2 - At Eurocrypt 2022, May et al. proposed a partial key exposure (PKE) attack on CRT-RSA that efficiently factors N knowing only a 13 -fraction of either most significant bits (MSBs) or least significant bits (LSBs) of private exponents dp and dq for public exponent e≈N112. In practice, PKE attacks typically rely on the side-channel leakage of these exponents, while a side-channel resistant implementation of CRT-RSA often uses additively blinded exponents dp′=dp+rp(p-1) and dq′=dq+rq(q-1) with unknown random blinding factors rp and rq, which makes PKE attacks more challenging. Motivated by the above, we extend the PKE attack of May et al. to CRT-RSA with additive exponent blinding. While admitting rpe∈(0,N14), our extended PKE works ideally when rpe≈N112, in which case the entire private key can be recovered using only 13 known MSBs or LSBs of the blinded CRT exponents dp′ and dq′. Our extended PKE follows their novel two-step approach to first compute the key-dependent constant k′ (edp′=1+k′(p-1), edq′=1+l′(q-1) ), and then to factor N by computing the root of a univariate polynomial modulo k′p. We extend their approach as follows. For the MSB case, we propose two options for the first step of the attack, either by obtaining a single estimate k′l′ and calculating k′ via factoring, or by obtaining multiple estimates k′l1′,…,k′lz′ and calculating k′ probabilistically via GCD. For the LSB case, we extend their approach by constructing a different univariate polynomial in the second step of the LSB attack. A formal analysis shows that our LSB attack runs in polynomial time under the standard Coppersmith-type assumption, while our MSB attack either runs in sub-exponential time with a reduced input size (the problem is reduced to factor a number of size e2rprq≈N16 ) or in probabilistic polynomial time under a novel heuristic assumption. Under the settings of the most common key sizes (1024-bit, 2048-bit, and 3072-bit) and blinding factor lengths (32-bit, 64-bit, and 128-bit), our experiments verify the validity of the Coppersmith-type assumption and our own assumption, as well as the feasibility of the factoring step. To the best of our knowledge, this is the first PKE on CRT-RSA with experimentally verified effectiveness against 128-bit unknown exponent blinding factors. We also demonstrate an application of the proposed PKE attack using real partial side-channel key leakage targeting a Montgomery Ladder exponentiation CRT implementation.
AB - At Eurocrypt 2022, May et al. proposed a partial key exposure (PKE) attack on CRT-RSA that efficiently factors N knowing only a 13 -fraction of either most significant bits (MSBs) or least significant bits (LSBs) of private exponents dp and dq for public exponent e≈N112. In practice, PKE attacks typically rely on the side-channel leakage of these exponents, while a side-channel resistant implementation of CRT-RSA often uses additively blinded exponents dp′=dp+rp(p-1) and dq′=dq+rq(q-1) with unknown random blinding factors rp and rq, which makes PKE attacks more challenging. Motivated by the above, we extend the PKE attack of May et al. to CRT-RSA with additive exponent blinding. While admitting rpe∈(0,N14), our extended PKE works ideally when rpe≈N112, in which case the entire private key can be recovered using only 13 known MSBs or LSBs of the blinded CRT exponents dp′ and dq′. Our extended PKE follows their novel two-step approach to first compute the key-dependent constant k′ (edp′=1+k′(p-1), edq′=1+l′(q-1) ), and then to factor N by computing the root of a univariate polynomial modulo k′p. We extend their approach as follows. For the MSB case, we propose two options for the first step of the attack, either by obtaining a single estimate k′l′ and calculating k′ via factoring, or by obtaining multiple estimates k′l1′,…,k′lz′ and calculating k′ probabilistically via GCD. For the LSB case, we extend their approach by constructing a different univariate polynomial in the second step of the LSB attack. A formal analysis shows that our LSB attack runs in polynomial time under the standard Coppersmith-type assumption, while our MSB attack either runs in sub-exponential time with a reduced input size (the problem is reduced to factor a number of size e2rprq≈N16 ) or in probabilistic polynomial time under a novel heuristic assumption. Under the settings of the most common key sizes (1024-bit, 2048-bit, and 3072-bit) and blinding factor lengths (32-bit, 64-bit, and 128-bit), our experiments verify the validity of the Coppersmith-type assumption and our own assumption, as well as the feasibility of the factoring step. To the best of our knowledge, this is the first PKE on CRT-RSA with experimentally verified effectiveness against 128-bit unknown exponent blinding factors. We also demonstrate an application of the proposed PKE attack using real partial side-channel key leakage targeting a Montgomery Ladder exponentiation CRT implementation.
KW - Additive blinding
KW - CRT-RSA
KW - Coppersmith method
KW - Partial key exposure
UR - https://www.scopus.com/pages/publications/85149632770
U2 - 10.1007/978-3-031-22972-5_18
DO - 10.1007/978-3-031-22972-5_18
M3 - 会议稿件
AN - SCOPUS:85149632770
SN - 9783031229718
T3 - Lecture Notes in Computer Science
SP - 508
EP - 536
BT - Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings
A2 - Agrawal, Shweta
A2 - Lin, Dongdai
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 5 December 2022 through 9 December 2022
ER -