Reconstructing RSA Private Keys from Random Key Bits

  • Nadia Heninger
  • Hovav Shacham
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)

Abstract

We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments.

References

  1. 1.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)Google Scholar
  2. 2.
    Alwen, J., Dodis, Y., Wichs, D.: Public key cryptography in the bounded retrieval model and security against side-channel attacks. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 36–53. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Boneh, D.: Twenty years of attacks on the RSA cryptosystem. Notices of the American Mathematical Society (AMS) 46(2), 203–213 (1999)MathSciNetMATHGoogle Scholar
  4. 4.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  5. 5.
    Boneh, D., Shacham, H.: Fast variants of RSA. RSA Cryptobytes 5(1), 1–9 (Winter/Spring 2002)Google Scholar
  6. 6.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)MathSciNetCrossRefMATHGoogle Scholar
  7. 7.
    Coron, J.-S., May, A.: Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. J. Cryptology 20(1), 39–50 (2007)MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Dodis, Y., Tauman Kalai, Y., Lovett, S.: On cryptography with auxiliary input. In: Mitzenmacher, M. (ed.) Proceedings of STOC 2009. ACM Press, New York (2009)Google Scholar
  9. 9.
    Goldwasser, S.: Cryptography without (hardly any) secrets. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 369–370. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Halderman, J.A., Schoen, S., Heninger, N., Clarkson, W., Paul, W., Calandrino, J., Feldman, A., Appelbaum, J., Felten, E.: Lest we remember: Cold boot attacks on encryption keys. In: Van Oorschot, P. (ed.) Proceedings of USENIX Security 2008, July 2008, pp. 45–60. USENIX (2008)Google Scholar
  11. 11.
    Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. Cryptology ePrint Archive, Report 2008/510 (December 2008), http://eprint.iacr.org/
  12. 12.
    Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Karlin, S., Taylor, H.M.: A First Course in Stochastic Processes. Academic Press, London (1975)MATHGoogle Scholar
  14. 14.
    Maurer, U.: On the oracle complexity of factoring integers. Computational Complexity 5(3/4), 237–247 (1995)MathSciNetCrossRefMATHGoogle Scholar
  15. 15.
    May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. PhD thesis, University of Paderborn (October 2003)Google Scholar
  16. 16.
    May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: Nguyen, P. (ed.) Proceedings of LLL+25 (June 2007)Google Scholar
  17. 17.
    Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)MATHGoogle Scholar
  18. 18.
    Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18–35. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Nguyen, P., Stern, J.: Adapting density attacks to low-weight knapsacks. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 41–58. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Rivest, R., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)CrossRefGoogle Scholar
  22. 22.
    RSA Laboratories. PKCS #1 v2.1: RSA cryptography standard (June 2002), http://www.rsa.com/rsalabs/node.asp?id=2125
  23. 23.
    Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: Results from the 2008 Debian OpenSSL debacle (May 2009) (manuscript)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Nadia Heninger
    • 1
  • Hovav Shacham
    • 2
  1. 1.Princeton UniversityUSA
  2. 2.University of CaliforniaSan Diego

Personalised recommendations