Error Correction of Partially Exposed RSA Private Keys from MSB Side

  • Santanu Sarkar
  • Sourav Sen Gupta
  • Subhamoy Maitra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8303)


The most popular public key cryptosystem to date has been RSA, whose security primarily relies on the unfeasibility of factoring the modulus, which is a product of two large primes, and on the secrecy of certain RSA parameters. In 2009, the cold-boot attack by Halderman et al presented an important cryptanalytic model where a portion of the secret parameters may be exposed. In this direction, Heninger and Shacham (Crypto 2009) introduced the problem of reconstructing RSA private keys when few random bits from each are known. Later, Henecka, May and Meurer (Crypto 2010) introduced the problem of error-correction in the RSA private keys when all the bits are known with some probability of error. Their approach attempted error-correction from the least significant side of the parameters. In this paper we provide a novel technique for error-correction that works from the most significant side of the parameters. Representative experimental results are provided to substantiate our claim.


cryptanalysis RSA cold-boot attack partial key exposure private keys error-correction 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)Google Scholar
  2. 2.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)Google Scholar
  3. 3.
    Graham, S.W., Shparlinski, I.E.: On RSA moduli with almost half of the bits prescribed. Discrete Applied Mathematics 156(16), 3150–3154 (2008)Google Scholar
  4. 4.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)Google Scholar
  5. 5.
    Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010)Google Scholar
  6. 6.
    Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)Google Scholar
  7. 7.
    Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)Google Scholar
  8. 8.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  9. 9.
    Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)Google Scholar
  10. 10.
    Lenstra, A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 1–10. Springer, Heidelberg (1998)Google Scholar
  11. 11.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)Google Scholar
  12. 12.
    Maitra, S., Sarkar, S., Sen Gupta, S.: Factoring RSA modulus using prime reconstruction from random known bits. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 82–99. Springer, Heidelberg (2010)Google Scholar
  13. 13.
    Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A Coding-Theoretic Approach to Recovering Noisy RSA Keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012)Google Scholar
  14. 14.
    Public-Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard. RSA Security Inc. (2002),
  15. 15.
    Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronic Letters 18(21), 905–907 (1982)Google Scholar
  16. 16.
    Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)Google Scholar
  17. 17.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the Association for Computing Machinery 21(2), 120–126 (1978)Google Scholar
  18. 18.
    Sarkar, S., Sen Gupta, S., Maitra, S.: Reconstruction and error correction of RSA secret parameters from the MSB side. In: Workshop on Coding and Cryptography (2011)Google Scholar
  19. 19.
    Shparlinski, I.E.: On RSA moduli with prescribed bit patterns. Designs, Codes and Cryptography 39, 113–122 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Santanu Sarkar
    • 1
  • Sourav Sen Gupta
    • 2
  • Subhamoy Maitra
    • 2
  1. 1.Chennai Mathematical InstituteChennaiIndia
  2. 2.Indian Statistical InstituteKolkataIndia

Personalised recommendations