Advertisement

Improved CRT-RSA Secret Key Recovery Method from Sliding Window Leakage

  • Kento OonishiEmail author
  • Xiaoxuan Huang
  • Noboru KunihiroEmail author
Conference paper
  • 20 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)

Abstract

In this paper, we discuss side-channel attacks on the CRT-RSA scheme (RSA scheme with Chinese Remainder Theorem) implemented by the left-to-right sliding window method. This method calculates exponentiations by repeating squaring and multiplication. In CHES 2017, Bernstein et al. proposed side-channel attacks on the CRT-RSA signature scheme implemented by the left-to-right sliding window method. We can obtain square-and-multiply sequences by their side-channel attacks, but cannot calculate CRT-RSA secret keys because there are multiple candidates of multiplications. Then, Bernstein et al. calculated CRT-RSA secret keys by using two methods. First, they recovered CRT-RSA secret keys partially and calculated all secret key bits by using the Heninger–Shacham method. Second, they applied the Heninger–Shacham method to square-and-multiply sequences directly. They showed that we can calculate CRT-RSA secret keys more efficiently when we use square-and-multiply sequences directly. They also showed that we can recover CRT-RSA secret keys in polynomial time when \(w \le 4\). Moreover, they experimentally showed that we can recover secret keys of 2048-bit CRT-RSA scheme when \(w=5\). However, their latter method is simple and has room for improvement. Here, we study bit recovery more profoundly to improve their method. First, we calculate the exact rate of all knowable bits. Next, we propose a new method for calculating the proportion of each bit 0 or 1 in each nonrecovery bit. Finally, we propose a new method for calculating CRT-RSA secret key using this bit information. In our proposed algorithm, we extend Bernstein et al.’s method in combination with Kunihiro et al.’s method. We calculate more secret keys when \(w=5\) by our proposed method compared to Bernstein et al.’s method.

Keywords

Side-channel attacks Sliding window method CRT-RSA scheme Secret key recovery 

Notes

Acknowledgements

This research was partially supported by JST CREST Grant Number JPMJCR14D6, Japan and JSPS KAKENHI Grant Number JP16H02780.

References

  1. 1.
    Bernstein, D.J., et al.: Sliding right into disaster: left-to-right sliding windows leak. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 555–576. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66787-4_27CrossRefGoogle Scholar
  2. 2.
    Genkin, D., Pachmanov, L., Pipman, I., Tromer, E.: Stealing keys from PCs using a radio: cheap electromagnetic attacks on windowed exponentiation. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 207–228. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48324-4_11CrossRefGoogle Scholar
  3. 3.
    Genkin, D., Shamir, A., Tromer, E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 444–461. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_25CrossRefGoogle Scholar
  4. 4.
    Halderman, J.A., et al.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52, 91–98 (2009).  https://doi.org/10.1145/1506409.1506429CrossRefGoogle Scholar
  5. 5.
    Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_1CrossRefGoogle Scholar
  6. 6.
    Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: Comparative power analysis of modular exponentiation algorithms. IEEE Trans. Comput. 59, 795–807 (2010).  https://doi.org/10.1109/TC.2009.176MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    İnci, M.S., Gulmezoglu, B., Irazoqui, G., Eisenbarth, T., Sunar, B.: Cache attacks enable bulk key recovery on the cloud. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 368–388. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53140-2_18CrossRefGoogle Scholar
  8. 8.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_9CrossRefGoogle Scholar
  9. 9.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
  10. 10.
    Kunihiro, N., Shinohara, N., Izu, T.: Recovering RSA secret keys from noisy key bits with erasures and errors. IEICE Trans. Fundam. E97-A, 1273–1284 (2014).  https://doi.org/10.1587/transfun.E97.A.1273
  11. 11.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)zbMATHGoogle Scholar
  12. 12.
    Moriarty, K., Kaliski, B., Jonsson, J., Rusch, A.: PKCS #1: RSA cryptography specifications version 2.2 (2016). https://tools.ietf.org/html/rfc8017
  13. 13.
    Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34961-4_24CrossRefGoogle Scholar
  14. 14.
    Percival, C.: Cache missing for fun and profit (2005). http://www.daemonology.net/papers/htt.pdf
  15. 15.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978).  https://doi.org/10.1145/359340.359342MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Smith, W.L.: Renewal theory and its ramifications. J. Roy. Stat. Soc. 20, 243–302 (1958).  https://doi.org/10.1111/j.2517-6161.1958.tb00294.xMathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    van Vredendaal, C.: Exploiting Mathematical Structures in Cryptography. Technische Universiteit Eindhoven, Eindhoven (2018)Google Scholar
  18. 18.
    Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: USENIX 2014, pp. 719–732 (2014)Google Scholar
  19. 19.
    Yarom, Y., Genkin, D., Heninger, N.: CacheBleed: a timing attack on OpenSSL constant time RSA. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 346–367. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53140-2_17CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.The University of TokyoTokyoJapan
  2. 2.University of TsukubaTsukubaJapan

Personalised recommendations