Annual Cryptology Conference

CRYPTO 2010: Advances in Cryptology – CRYPTO 2010 pp 351-369

# Correcting Errors in RSA Private Keys

• Wilko Henecka
• Alexander May
• Alexander Meurer
Conference paper

DOI: 10.1007/978-3-642-14623-7_19

Volume 6223 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Henecka W., May A., Meurer A. (2010) Correcting Errors in RSA Private Keys. In: Rabin T. (eds) Advances in Cryptology – CRYPTO 2010. CRYPTO 2010. Lecture Notes in Computer Science, vol 6223. Springer, Berlin, Heidelberg

## Abstract

Let pk= (N,e) be an RSA public key with corresponding secret key $${\sf sk}=(p,q,d,d_p,d_q, q_p^{-1})$$. Assume that we obtain partial error-free information of sk, e.g., assume that we obtain half of the most significant bits of p. Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key sk, we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in sk provided that e is small. That is, on input of a full but error-prone secret key $$\widetilde{\sf sk}$$ we reconstruct the original sk by correcting the faults.

More precisely, consider an error rate of $$\delta \in [0,\frac 1 2)$$, where we flip each bit in sk with probability δ resulting in an erroneous key $$\widetilde{\sf sk}$$. Our Las-Vegas type algorithm allows to recover sk from $$\widetilde{\sf sk}$$ in expected time polynomial in logN with success probability close to 1, provided that δ< 0.237. We also obtain a polynomial time Las-Vegas factorization algorithm for recovering the factorization (p,q) from an erroneous version with error rate δ< 0.084.

### Keywords

RSAerror correctionstatistical cryptanalysis