Correcting Errors in RSA Private Keys

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


Let pk= (N,e) be an RSA public key with corresponding secret key \({\sf sk}=(p,q,d,d_p,d_q, q_p^{-1})\). Assume that we obtain partial error-free information of sk, e.g., assume that we obtain half of the most significant bits of p. Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key sk, we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in sk provided that e is small. That is, on input of a full but error-prone secret key \(\widetilde{\sf sk}\) we reconstruct the original sk by correcting the faults.

More precisely, consider an error rate of \(\delta \in [0,\frac 1 2)\), where we flip each bit in sk with probability δ resulting in an erroneous key \(\widetilde{\sf sk}\). Our Las-Vegas type algorithm allows to recover sk from \(\widetilde{\sf sk}\) in expected time polynomial in logN with success probability close to 1, provided that δ< 0.237. We also obtain a polynomial time Las-Vegas factorization algorithm for recovering the factorization (p,q) from an erroneous version with error rate δ< 0.084.


RSA error correction statistical cryptanalysis 


  1. 1.
    Boneh, D.: Twenty years of attacks on the rsa cryptosystem. Notices of the American Mathematical Society (AMS) 46(2), 203–213 (1999)zbMATHMathSciNetGoogle Scholar
  2. 2.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent rsa vulnerabilities. J. Cryptology 10(4), 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Coron, J.-S., May, A.: Deterministic polynomial-time equivalence of computing the rsa secret key and factoring. J. Cryptology 20(1), 39–50 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: Cold boot attacks on encryption keys. In: van Oorschot, P.C. (ed.) USENIX Security Symposium, pp. 45–60. USENIX Association (2008)Google Scholar
  6. 6.
    Heninger, N., Shacham, H.: Reconstructing rsa private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Hoeffding, W.: Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association 58(301), 13–30 (1963)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Maurer, U.M.: Factoring with an oracle. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 429–436. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  9. 9.
    Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)CrossRefGoogle Scholar
  10. 10.
    RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard (June 2002)Google Scholar
  11. 11.
    Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In: Feldmann, A., Mathy, L. (eds.) Proceedings of IMC 2009, pp. 15–27. ACM Press, New York (November 2009)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.Horst Görtz Institute for IT-SecurityRuhr-University Bochum, Faculty of MathematicsGermany

Personalised recommendations