Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild

  • Daniel J. Bernstein
  • Yun-An Chang
  • Chen-Mou Cheng
  • Li-Ping Chou
  • Nadia Heninger
  • Tanja Lange
  • Nicko van Someren
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8270)


This paper explains how an attacker can efficiently factor 184 distinct RSA keys out of more than two million 1024-bit RSA keys downloaded from Taiwan’s national “Citizen Digital Certificate” database. These keys were generated by government-issued smart cards that have built-in hardware random-number generators and that are advertised as having passed FIPS 140-2 Level 2 certification.

These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.

The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.


RSA smart cards factorization Coppersmith lattices 


  1. 1.
    ANSI. ANSI X9.31:1998: Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA). American National Standards Institute (1998)Google Scholar
  2. 2.
    Bernstein, D.J.: How to find the smooth parts of integers (May 2004),
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than n 0.292. In: Stern, J. (ed.) EUROCRYPT. LNCS, vol. 1592, pp. 1–11. Springer (1999)Google Scholar
  4. 4.
    Cadé, D., Pujol, X., Stehlé, D.: fpLLL (2013),
  5. 5.
    Ltd. Chunghwa Telecom Co. Hicos pki smart card security policy (2006),
  6. 6.
    Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT. LNCS, vol. 1070, pp. 178–189. Springer (1996)Google Scholar
  7. 7.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Decker, W., Greuel, G.-M., Pfister, G., Schönemann, H.: Singular 3-1-6 — A computer algebra system for polynomial computations (2012),
  9. 9.
    Faugère, J.-C., Marinier, R., Renault, G.: Implicit factoring with shared most significant and middle bits. In: Nguyen, P.Q., Pointcheval, D. (eds.) Public Key Cryptography. LNCS, vol. 6056, pp. 70–87. Springer (2010)Google Scholar
  10. 10.
    Bundesamt für Sicherheit in der Informationstechnik. Certification report BSI-DSZ-CC-0212-2004 for Renesas AE45C1 (HD65145C1) smartcard integrated circuit version 01 (2004),
  11. 11.
  12. 12.
    Granville, A.: Harald Cramér and the distribution of prime numbers. Scand. Actuarial J. 1995(1), 12–28 (1995)Google Scholar
  13. 13.
    Heninger, N., Durumeric, Z., Wustrow, E., Alex Halderman, J.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium (August 2012)Google Scholar
  14. 14.
    Heninger, N., Shacham, H.: Reconstructing rsa private keys from random key bits. In: Halevi, S. (ed.) CRYPTO. LNCS, vol. 5677, pp. 1–17. Springer (2009)Google Scholar
  15. 15.
    Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT. LNCS, vol. 5350, pp. 406–424. Springer (2008)Google Scholar
  16. 16.
    Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC. LNCS, vol. 2146, pp. 51–66. Springer (2001)Google Scholar
  17. 17.
    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO. LNCS, vol. 7417, pp. 626–642. Springer (2012)Google Scholar
  18. 18.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    May, A., Ritzenhofen, M.: Implicit factoring: On polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) Public Key Cryptography. LNCS, vol. 5443, pp. 1–14. Springer (2009)Google Scholar
  20. 20.
  21. 21.
    National Institute of Standards and Technology (NIST). Security requirements for cryptographic modules. Federal Information Processing Standards Publication (FIPS PUB) 140-2 (May 2001), (updated December 03, 2012), See for differences between this and FIPS-140-1
  22. 22.
    National Institute of Standards and Technology (NIST). Recommendation for random number generation using deterministic random bit generators. NIST Special Publication (NIST SP) 800-90A (January 2012)Google Scholar
  23. 23.
    Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A coding-theoretic approach to recovering noisy RSA keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT. LNCS, vol. 7658, pp. 386–403. Springer (2012)Google Scholar
  24. 24.
    Stein, W.A., et al.: Sage Mathematics Software (Version 5.8). The Sage Development Team (2013),

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
    • 2
  • Yun-An Chang
    • 3
  • Chen-Mou Cheng
    • 3
  • Li-Ping Chou
    • 4
  • Nadia Heninger
    • 5
  • Tanja Lange
    • 2
  • Nicko van Someren
    • 6
  1. 1.Department of Computer ScienceUniversity of Illinois at ChicagoUSA
  2. 2.Department of Mathematics and Computer ScienceTechnische Universiteit EindhovenThe Netherlands
  3. 3.Research Center for Information Technology InnovationAcademia SinicaTaipeiTaiwan
  4. 4.Department of Computer Science and Information EngineeringChinese Culture UniversityTaipeiTaiwan
  5. 5.Department of Computer and Information ScienceUniversity of PennsylvaniaUSA
  6. 6.Good Technology Inc.USA

Personalised recommendations