RSA Meets DPA: Recovering RSA Secret Keys from Noisy Analog Data

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


Abstract

We discuss how to recover RSA secret keys from noisy analog data obtained through physical attacks such as cold boot and side channel attacks. Many studies have focused on recovering correct secret keys from noisy binary data. Obtaining noisy binary keys typically involves first observing the analog data and then obtaining the binary data through a quantization process that discards much information pertaining to the correct keys. In this paper, we propose two algorithms for recovering correct secret keys from noisy analog data, which are generalized variants of Paterson et al.'s algorithm. Our algorithms fully exploit the analog information. More precisely, consider observed data that follows the Gaussian distribution with mean $(-1)^b$ and variance $\sigma^2$ for a secret key bit $b$. We propose a polynomial time algorithm based on the maximum likelihood approach and show that it can recover secret keys if $\sigma < 1.767$. The first algorithm works only if the noise distribution is explicitly known. The second algorithm does not need to know the explicit form of the noise distribution. We implement the first algorithm and verify its effectiveness.
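The likelihood-based reconstruction the abstract describes, as an added example (not the paper's implementation and not Paterson et al.'s code): it simulates the Gaussian channel with mean $(-1)^b$ and variance $\sigma^2$, then walks the Heninger-Shacham tree for $(p, q)$ in blocks of $t$ bit positions, scoring every candidate by its Gaussian log-likelihood against the raw analog observations and keeping the $L$ best partial keys (list decoding). The restriction to the two primes (rather than the full $(p, q, d, d_p, d_q)$ tuple), the 40-bit toy primes, $\sigma = 0.7$, $t = 5$, $L = 128$ and all function names are assumptions made for this example; with only two leaked components the redundancy is lower, so the tolerable noise is well below the $\sigma < 1.767$ the paper reports for five.

```python
# Added example (not the paper's code): maximum-likelihood branch-and-prune
# recovery of RSA primes from noisy analog leakage.  Channel from the abstract:
# bit b is observed as y = (-1)^b + noise, noise ~ N(0, sigma^2).
# Simplifying assumption: only p and q leak (not p, q, d, dp, dq), so the
# tolerable sigma is lower than in the paper's five-component setting.
import random

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bits set)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def bits_lsb(x, n):
    """Bits of x, least significant first, padded to n entries."""
    return [(x >> i) & 1 for i in range(n)]

def leak(x, n, sigma, rng):
    """Analog observation of each bit: mean (-1)^b, Gaussian noise of std sigma."""
    return [(-1) ** b + rng.gauss(0.0, sigma) for b in bits_lsb(x, n)]

def ll_soft(b, y, sigma):
    """Gaussian log-likelihood of bit b given y, additive constant dropped."""
    mu = 1.0 if b == 0 else -1.0
    return -((y - mu) ** 2) / (2.0 * sigma * sigma)

def ll_hard(b, y, sigma):
    """Quantise y to a bit first, then score by (negated) Hamming mismatch."""
    return 0.0 if b == (1 if y < 0 else 0) else -1.0

def recover_primes(N, obs_p, obs_q, n, sigma, t=5, L=128, score=ll_soft):
    """Walk the Heninger-Shacham tree for (p, q) with p*q = N, t bit positions
    per round, keeping the L best-scoring partial keys (list decoding).
    Returns (p, q), or None if the correct key was pruned."""
    # Both primes are odd, so bit 0 is fixed and the tree has a single root.
    cands = [(score(1, obs_p[0], sigma) + score(1, obs_q[0], sigma), 1, 1)]
    i = 1
    while i < n:
        hi = min(i + t, n)
        new = []
        for s, p, q in cands:
            # Each p-bit in positions i..hi-1 is a free choice; the matching
            # q-bit is forced by p*q = N (mod 2^(j+1)).
            for choice in range(1 << (hi - i)):
                sc, pp, qq = s, p, q
                for j in range(i, hi):
                    a = (choice >> (j - i)) & 1
                    # pp, qq odd => (pp + a*2^j)(qq + b*2^j) = pp*qq + (a+b)*2^j
                    # (mod 2^(j+1)), so a + b must equal bit j of (N - pp*qq).
                    b = (((N - pp * qq) >> j) - a) & 1
                    pp |= a << j
                    qq |= b << j
                    sc += score(a, obs_p[j], sigma) + score(b, obs_q[j], sigma)
                new.append((sc, pp, qq))
        new.sort(key=lambda c: c[0], reverse=True)
        cands = new[:L]
        i = hi
    for _, p, q in cands:
        if p * q == N:
            return p, q
    return None

def demo(bits=40, sigma=0.7, seed=2014):
    """Generate a toy key, leak it through the Gaussian channel, reconstruct.
    Key size, sigma and seed are choices for this example, not the paper's."""
    rng = random.Random(seed)
    p, q = random_prime(bits, rng), random_prime(bits, rng)
    N = p * q
    obs_p, obs_q = leak(p, bits, sigma, rng), leak(q, bits, sigma, rng)
    truth = bits_lsb(p, bits) + bits_lsb(q, bits)
    # How many bits a plain sign quantiser would get wrong on the same data.
    hard_errors = sum(b != (1 if y < 0 else 0) for b, y in zip(truth, obs_p + obs_q))
    found = recover_primes(N, obs_p, obs_q, bits, sigma)
    return {"N": N, "p": p, "q": q, "hard_errors": hard_errors,
            "recovered": found in ((p, q), (q, p))}

if __name__ == "__main__":
    print(demo())
```

`ll_hard` scores the same candidates after sign-quantising each observation, which is exactly the information-discarding step the abstract criticises; passing `score=ll_hard` to `recover_primes` lets you compare the two scorers on identical observations while raising `sigma`.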


Keywords: RSA; Key-Recovery; Cold Boot Attack; Side Channel Attack; Maximum Likelihood


References

1. Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley-Interscience (2006)
2. Dembo, A., Zeitouni, O.: Large Deviations Techniques and Applications, 2nd edn. Applications of Mathematics, vol. 38. Springer, New York (1998)
3. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest We Remember: Cold Boot Attacks on Encryption Keys. In: Proc. of USENIX Security Symposium 2008, pp. 45–60 (2008)
4. Henecka, W., May, A., Meurer, A.: Correcting Errors in RSA Private Keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010)
5. Heninger, N., Shacham, H.: Reconstructing RSA Private Keys from Random Key Bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
6. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
7. Kunihiro, N., Shinohara, N., Izu, T.: Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 180–197. Springer, Heidelberg (2013)
8. Mangard, S., Oswald, E., Standaert, F.-X.: One for All - All for One: Unifying Standard Differential Power Analysis Attacks. IET Information Security 5(2), 100–110 (2011)
9. Paterson, K.G., Polychroniadou, A., Sibborn, D.L.: A Coding-Theoretic Approach to Recovering Noisy RSA Keys. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 386–403. Springer, Heidelberg (2012)
10.
11. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
12. Sarkar, S., Maitra, S.: Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 476–493. Springer, Heidelberg (2012)
13. Schlegel, C., Perez, L.: Trellis and Turbo Codes. Wiley-IEEE Press (2004)
14. Sklar, B.: Digital Communications: Fundamentals and Applications, 2nd edn. Prentice Hall (2001)
15. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability. In: IMC 2009, pp. 15–27. ACM Press (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

The University of Tokyo, Japan
