- Research
- Open access
- Published:
New partial key exposure attacks on RSA with additive exponent blinding
Cybersecurity volume 7, Article number: 26 (2024)
Abstract
Partial key exposure attacks present a significant threat to RSA-type cryptosystems. These attacks factorize the RSA modulus by utilizing partial knowledge of the decryption exponent, which is typically revealed by side-channel attacks, cold boot attacks, etc. In practice, the RSA implementations typically employ countermeasures to resist physical attacks, such as additive exponent blinding \(d' = d + r \varphi (N)\) with unknown random blinding factor r. Although there are a couple of partial key exposure attacks on blinding RSA, these attacks require a considerable amount of leakage and fail to work when e is up to full size. In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of \(d'\) are revealed. For the case where e is small, we first recover partial information of p by solving the quadratic congruence equation, and then find the small roots of the integer equation to recover entire private key. Our method relaxes the attack requirements, for instance, we reduce the amount of MSBs for a successful attack from 75 to 25% when \(e \approx N^{0.25}\) and \(r\approx N^{0}\). Furthermore, we propose new attacks using the unique algebraic relationship in blinding RSA, which extend the attack to the case where e is of full size.
Introduction
RSA (Rivest–Shamir–Adleman) (Rivest et al. 1978) is a well-established public key cryptosystem widely employed in practical systems. Let \(N=pq\) represent the RSA modulus, where p and q are prime numbers. The encryption and decryption exponents, denoted as e and d respectively, satisfy \(ed \equiv 1 \mod \varphi (N)\), where \(\varphi (\cdot )\) represents Euler’s totient function. In real-world cryptographic scenarios, confidential information may be exposed during device execution. For example, practical RSA implementations, often utilizing the Square-Multiply algorithm for exponentiation, may leak partial bits of d through distinguishable operations, rendering them susceptible to side-channel attacks (Kocher 1996; Novak 2002).
In 1998, Boneh et al. (1998) introduced the flagship attack on RSA when given either the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d. Their approach is based on Coppersmith’s method, which utilizes lattice-based algorithms to find small solutions to modular (Coppersmith 1996) or integer (Coppersmith 1996) equations in polynomial time. Subsequent attacks (Aono 2009; Takayasu and Kunihiro 2014, 2019; Suzuki et al. 2020; Zhou et al. 2022) have adopted a lattice-based framework, involving formulating modular/integer equations to recover the private key and then solving these equations using Coppersmith’s method. These works have demonstrated the vulnerability of RSA to partial key exposure. This type of attack is commonly referred to as partial key exposure attack.
The partial key exposure attacks typically focus on unprotected RSA implementations. However, practical RSA cryptosystems often adopt countermeasures to mitigate leakage-based attacks. Strategies like blinding are employed to minimize the correlation between exposed information and confidential data, thereby significantly enhancing the challenge of extracting partial bits of d. The adoption of blinding techniques is evident in open-source cryptographic libraries such as MbedTLS (2023), Libgcrypt (2021), and Botan (2023). Depending on the protection target, blinding countermeasures encompass message (base) blinding, modulus blinding, and exponent blinding.
In the case of RSA with exponent blinding, the decryption exponent d is replaced by the blinded decryption exponent
where r is an unknown random blinding factor. Partial key exposure attacks become challenging, as it is difficult to extract partial bits of d through physical attacks. Notably, an appropriate r can reduce the Hamming weight of \(d'\) and enhance the efficiency of the Square-Multiply algorithm.
Presently, there are a couple of partial key exposure attacks on RSA with exponent blinding (Joye and Lepoint 2012; Cimato et al. 2015a, b). These attacks typically build upon established techniques for standard RSA (Boneh et al. 1998; Blömer and May 2003; Ernst et al. 2005). In 2012, Joye and Lepoint (Joye and Lepoint 2012) proposed partial key exposure attacks on blinding RSA with small e, formulating MSBs attacks as a trivial univariate modular equation for \(re < N^{1/2}\), aligning with Boneh et al.’s method (Boneh et al. 1998). For \(N^{1/2}\le re < N\), they formulated MSBs/LSBs attacks as trivariate integer equations, applying Ernst et al.’s approachs (Ernst et al. 2005). In 2015, Cimato et al. (2015a, 2015b) improved on Joye-Lepoint’s results, drawing inspiration from the work of Blömer and May (2003).
In summary, previous partial key exposure attacks on blinding RSA primarily address limited cases of e and require a considerable amount of leakage. Two critical issues require attention: first, the feasibility of recovering the entire private key with less leakage; second, the possibility of mounting an partial key exposure attack on blinding RSA with full size e.
It is essential to note that, in the situation when e is up to full size, direct extension of attacks on standard RSA to blinding RSA is not feasible. Existing lattice-based partial key exposure attacks on RSA work only when \(d<\varphi (N)\). In the case of RSA with additive exponent blinding, where the blinded private exponent \(d'\) is approximately rN and thus larger than \(\varphi (N)\), it is of great significance to develop new methods.
Our contributions
In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the MSBs or LSBs of \(d'\) are revealed, considering both cases where e is small and e is of full size. Briefly, the results of our new attacks are shown in the Table 1.
For the case where e is small, our attacks reduce the amount of leakage by solving the quadratic congruence equation to recover a portion of p. And we extend the attack to the case where e is of full size by utilizing the unique algebraic relationship \(d'=d+r\varphi (N)\) in blinding RSA. Specifically,
-
Given consecutive MSBs of \(d'\):
-
For blinding RSA with small e, we propose a new two-step attack that reduces the amount of leakage required for a successful attack. The first step recovers a sensitive parameter \(k'\) using MSBs on \(d'\) through the equation \(ed'=1+k'\varphi (N)\). The second step uses the value of \(k'\) to recover the entire private key by solving the quadratic congruence equation to get \(p \mod e\) and then finding small roots of the bivariate integer equation. Suppose e is prime and approximately \(N^\alpha\), \(r \approx N^\sigma\), and the known part \(d'_{MSBs} \approx N^\delta\), where \(\alpha + \sigma < 1/2\), \(\alpha > 1/4\), then we can factor N if
$$\begin{aligned} \delta > \alpha +\sigma . \end{aligned}$$The comparison between the theoretical bounds of our new attack and previous attacks is shown in Fig. 1, where the horizontal axis represents the size of e, while the vertical axis represents the proportion of leakage.
-
For blinding RSA with full size e, we propose a new two-step attack that successfully recovers the entire private key, which was unachievable by previous attacks. We first recover the blinding factor r and the MSBs of \(p + q\) using MSBs on \(d'\) through the equation \(d'=d+r\varphi (N)\). Subsequently, we recover the entire private key by finding small roots of the bivariate integer equation. Suppose \(d \approx N^\beta\), \(r \approx N^\sigma\), and the known part \(d'_{MSBs} \approx N^\delta\), where \(\sigma < 1/2\), and \(\beta < \sigma +1/4\), then we can factor N if
$$\begin{aligned} \delta > 3/4. \end{aligned}$$
-
-
Given consecutive LSBs of \(d'\):
-
For blinding RSA with small e, we propose a new attack that reduces the amount of leakage required for a successful attack. We first recover LSBs the of p by solving the quadratic congruence equation, where the modulus is a power of 2. And then we recover the entire private key by finding small roots of the bivariate integer equation. Suppose \(e \approx N^0\), \(r \approx N^0\), and the known part \(d'_{LSBs} \approx N^\delta\), then we can factor N if
$$\begin{aligned} \delta > 1/4. \end{aligned}$$ -
For blinding RSA with full size e, we propose a new attack that successfully recovers the entire private key, which was unachievable by previous attacks. Our method mainly based on finding small roots of the bivariate modular equation derived from \(d'=d+r\varphi (N)\). Suppose \(d \approx N^\beta\), \(r \approx N^\sigma\), and the known part \(d'_{LSBs} \approx N^\delta\), then we can factor N if
$$\begin{aligned} \delta > \max {\{2\sigma + 1/2,\beta +\sigma \}}. \end{aligned}$$
-
Essentially, we advance the current state of attacks by exploiting unexplored algebraic relationships. Existing attacks on blinding RSA (Joye and Lepoint 2012; Cimato et al. 2015a, b) typically concentrate on the relationship \(ed' = 1 + k'\varphi (N)\). For blinding RSA with small e, we utilize an additional algebraic relationship \(p^2-p(p+q)+N \equiv 0\), which enhances our capability to recover the entire private key with less knowledge of \(d'\). For blinding RSA with full size e, we exploit the unique algebraic relationship in blinding RSA, specifically \(d'=d+r\varphi (N)\). This exploitation allows us to recover the entire private key, which was unachievable before when e is up to full size.
Related works
Since Boneh, Durfee, and Frankel’s successful recovery of the entire private key using partial information on d (Boneh et al. 1998), the partial key exposure attack has garnered considerable attention. Existing attacks on standard RSA primarily focus on specific scenarios related to encryption/decryption exponents, broadly categorized into two classes:
(1) RSA with a small encryption exponent e, where the decryption exponent d is of full size (Boneh et al. 1998; Blömer and May 2003; Ernst et al. 2005). When given MSBs, most of the existing works calculate the approximate value of k using MSBs on d through the relationship \(k(N-p-q+1)=ed-1\). Particularly, k can be directly recovered when \(e < N^{1/2}\), then secret information such as \(d\mod k\), \((p+q)\mod e\), or the MSBs of \((p+q)\) can be calculated (Boneh et al. 1998). For a larger e, only the MSBs of k can be recovered. A trivariate equation modulo N (Blömer and May 2003) or a trivariate integer equation (Ernst et al. 2005) can be derived from the equation \(ed=1+k\varphi (N)\), and then lattice-based methods can be used to recover the private key. When given LSBs, a bivariate equation modulo N or modulo eM can be derived (Blömer and May 2003), where M is a power of 2 representing the bound of leaked bits. These attacks utilize elementary lattice-based methods and are applicable to \(e<N\). The leakage amount is at least \(N^{1/4}\) when \(e < N^{1/2}\), and approaches N as e increases when \(e \ge N^{1/2}\).
(2) RSA with a full size encryption exponent e, where the decryption exponent d is small (Ernst et al. 2005; Aono 2009; Takayasu and Kunihiro 2014, 2019). Initial attacks, extending up to full size e, are carried out by solving trivariate integer equations (Ernst et al. 2005). These attacks are applicable to \(d<N\) for MSBs and \(d<N^{0.875}\) for LSBs. When given MSBs, subsequent works (Takayasu and Kunihiro 2014, 2019) demonstrate that it is equivalent to solving the bivariate equation modulo e, and reduce the amount of MSBs for \(d \le N^{0.5625}\) by employing techniques such as unraveled linearization. When given LSBs, existing methods (Aono 2009; Takayasu and Kunihiro 2014, 2019) construct lattices using bivariate equations modulo e and modulo eM, then reduce the amount of LSBs for \(d \le N^{0.3681}\) through the unraveled linearization. The required leakage amount for an attack approaches N as d increases.
In practical applications, the Chinese remainder theorem (CRT) is commonly utilized to accelerate decryption process, employing CRT-exponents \(d_p \equiv d \mod (p-1)\) and \(d_q \equiv d \mod (q-1)\). CRT-RSA integrates additive exponent blinding through \(d'_p = d_p + r_p (p-1)\) and \(d'_q = d_q + r_q (q-1)\), where \(r_p\) and \(r_q\) are blinding factors. Currently, several works have investigated the security of CRT-RSA with additive exponent blinding when given MSBs/LSBs of the blinded CRT-exponents (Cimato et al. 2015a, b; Zhou et al. 2022). For single MSBs/LSBs attacks where some bits of \(d'_p\) are known, Cimato et al. (2015a, 2015b) concentrate on the relationship \(ed'_p = 1 + k'_p(p-1)\). They compute an estimate of \(k'_pp\) using the MSBs of \(d'_p\), and they reduce the attack to the problem of solving an equation modulo p when given LSBs. For double MSBs/LSBs attacks where some bits of \(d'_p\) and \(d'_q\) are known, Zhou et al. (2022) utilize the algebraic relationship obtained by multiplying equations \(ed'_p = 1 + k'_p(p-1)\) and \(ed'_q = 1 + k'_q(q-1)\). These attacks are applicable to \(e < N ^{1/4}\).
Paper organization
The subsequent sections of this paper are organized as follows: “Preliminary” Section introduces the notations, followed by a recapitulation of the procedures for finding small roots of modular/integer equations using Coppersmith’s method, and the procedures for solving a quadratic congruence equation. “Partial information on MSB d′” and “Partial information on LSB of d′” Sections present our new partial key exposure attacks for scenarios with the MSBs and LSBs. In “Practical experiments” Section, we provide experimental results using our new methods. At last, we conclude our work in “Conclusion” Section.
Preliminary
In this section,we present the principal notations used throughout this paper, which are detailed in Table 2. We also recapitulate the process for finding small roots of a modular/integer equation using Coppersmith’s method. Additionally, we recap how to find all roots of a quadratic congruence equation.
Lattice
A lattice can be viewed as a set of discrete points with periodic structure in n-dimensional Euclidean space \(\mathbb {R}^n\). Consider a positive integer m such that \(m \le n\), and let \(\varvec{b}_1, \ldots , \varvec{b}_m\) represent linearly independent vectors in \(\mathbb {R}^n\). The lattice \(\mathcal {L}=\{ \varvec{v} \in \mathbb {R}^n: \varvec{v}=\sum _{i=1}^{m}a_i\varvec{b}_i, a_i \in \mathbb {Z}, i=1,2, \ldots , m \}\) is generated by \(\varvec{b}_1, \ldots , \varvec{b}_m\). The dimension and rank of \(\mathcal {L}\) are denoted by \(\textrm{dim} (\mathcal {L})\) and \(\textrm{rank}(\mathcal {L})\), respectively. Throughout this paper, the lattice is assumed to be full-rank unless otherwise specified, where \(m = n\).
Let the basis vectors \(\varvec{b}_1, \ldots , \varvec{b}_m\) be row vectors, then lattice \(\mathcal {L}\) can be represented by the matrix \(\varvec{B}=[\varvec{b}_1^T, \ldots , \varvec{b}_m^T]^T \in \mathbb {R}^{m \times n}\). The determinant of \(\mathcal {L}\) is defined as the volume of the fundamental parallelepiped \(P(\varvec{B})=\{\varvec{cB}: \varvec{c}\in \mathbb {R}^n, 0\le c_j <1, j=1,2,\ldots ,n \}\), given by \(\textrm{det}(\mathcal {L}) = \textrm{vol}(P(\varvec{B}))=\sqrt{\textrm{det} (\varvec{B}^T\varvec{B})}\). For a full-rank lattice, \(\textrm{det} (\mathcal {L})= ||\textrm{det} (\varvec{B})||\), where \(||\cdot ||\) denotes the Euclidean norm unless otherwise specified.
The Shortest Vector Problem (SVP) is a fundamental computational problem on lattices. In 1982, Lenstra et al. (1982) introduced an approximation algorithm for SVP, commonly known as the LLL algorithm. This algorithm can find short vectors in polynomial time, where the norm of short vectors output by the LLL algorithm satisfies Lemma 1. The LLL algorithm has diverse applications in computer science, including finding small roots of modular/integer equations.
Lemma 1
(Lenstra et al. 1982) Let \(\mathcal {L}\) be a n-dimensional integer lattice, the LLL-algorithm outputs reduced basis vectors \(\varvec{v}_i\) in polynomial time, where \(i=1, 2, \ldots , l\). For \(l \le n\), basis vectors satisfy
Finding small roots of a bivariate modular equation
In this section, we consider the problem of finding small roots to a given bivariate linear modular equation with restricted polynomial time. Let N be a large positive integer with an unknown factorization, and p be a factor of N such that \(p>N^{\gamma _p}\), where \(0<\gamma _p \le 1\). We are given a polynomial \(f(x,y)= a_xx+a_yy+a_0\) with \(a_0,a_x,a_y \in \mathbb {Z}\). The objective is to find all small integer solutions \((x_0,y_0)\) of the equation \(f(x,y)\equiv 0 \mod p\), where \(|x_0|<X\) and \(|y_0|<Y\). We aim to maximize upper bounds X and Y while ensuring polynomial running time in the input size \(\log {N}\).
In 1996, Coppersmith introduced a lattice-based method for finding small roots of univariate modular equations (Coppersmith 1996). Subsequent works, including those by Jochemsz and May (2006) and Herrmann and May (2008), extended this method to more variables, albeit heuristically. Herrmann and May (2008) developed a general technique applicable to linear modular equations with any number of variables. Theoretically, small roots can be found in polynomial time if \(XY < N^{3\gamma _p-2+2(1-\gamma _p)^{3/2}}\) under a heuristic assumption, as shown in Lemma 2.
Assumption 1
The polynomials derived from lattice basis reduction algorithms, such as the LLL algorithm, are algebraically independent.
Lemma 2
(Herrmann and May 2008) Let N be a large integer (of unknown factorization) with a divisor \(p \ge N^{\gamma _p}\). Let \(f(x,y)\in \mathbb {Z}[x,y]\) be a bivariate linear polynomial. Under Assumption 1, we can find all solutions \((x_0,y_0)\) of the equation \(f(x,y)\equiv 0 \mod p\) with \(|x_0|\le N^{\gamma _x}\) and \(|y_0|\le N^{\gamma _y}\) if
The algorithm’s time and space complexity is polynomial in \(\log {N}\).
Coppersmith’s method essentially reduces solving modular equations to solving equation systems over integers. One can construct a set of equations \(g_i(x,y)\equiv 0 \mod p^m\) that contain all small roots under a larger modulus, where \(i=1,2,\ldots ,n\). And then convert \(g_i\) into integer equations \(h_i\) with \(h_i(x_0,y_0)\equiv 0 \mod p^m\) and \(||h_i(x_0,y_0)||<p^m\) thereby removing the modulus. Specifically,
Step 1 For a fixed integer \(m\ge \lceil 3{\gamma _p}(1+\sqrt{1-{\gamma _p}})/\varepsilon \rceil\), and \(t = \lfloor (1-\sqrt{1-{\gamma _p}})m \rfloor\), construct shift polynomials
where we suppose \(X>Y\) without loss of generality.
Step 2 Construct the lattice \(\mathcal {L}\), where the basis vectors are the coefficient vectors of \(g_{[i.j]}(xX,yY)\).
Step 3 Apply LLL algorithm and obtain the reduced basis vectors \(\varvec{v}_1\) and \(\varvec{v}_2\). Construct the polynomials \(h_1(x,y)\) and \(h_2(x,y)\), where the coefficient vectors of \(h_j(xX,yY)\) is \(\varvec{v}_j\) for \(j=1,2\).
Step 4 Find all roots of \(h_1(x,y)\) and \(h_2(x,y)\) using algebraic methods, such as the resultant method and Gr\(\mathrm {\ddot{o}}\)bner bases method. Verify all roots using \(\gcd {(f(x_0,y_0),N)}\ge N^{\gamma _p}\) to obtain the solutions.
In fact, each polynomial \(h_j\) obtained from the linear combination of \(g_{[i.j]}\) satisfies \(h_j(x_0,y_0)\equiv 0 \mod p^m\). If the roots and the coefficients of \(h_j\) are suitably small, the equation \(h_j(x_0,y_0)= 0\) holds over the integers, as detailed in Lemma 3. Here, the norm \(||f(x_1,\ldots , x_k)||:= \sqrt{\sum _i a_i^2}\) refers to the Euclidean norm. The norm of \(h_1(xX,yY)\) is actually \(||\varvec{v}_j||\), and its upper bound is provided by Lemma 1. Based on the above conditions, the result of Lemma 2 can be derived by neglecting terms with lower asymptotic complexity.
Lemma 3
(Howgrave-Graham 1997) Let \(h(x_1, \ldots , x_k)\in \mathbb {Z}[x_1,\ldots ,x_k]\) be an integer polynomial with at most \(\omega\) monomials. Let \(b,m,X_1,\ldots ,X_k\) be positive integers. Suppose that
-
1.
\(h(r_1, \ldots , r_k) \equiv 0 \mod b^m\), where \(|r_1|<X_1,\ldots , |r_k|<X_k\); and
-
2.
\(||h(x_1X_1, \ldots , x_kX_k)||<b^m/\sqrt{\omega }\);
Then \(h(r_1, \ldots , r_k)=0\) holds over the integers.
It is evident that at least k independent integer equations are needed to solve a k-variate equation. However, there is no guarantee that new polynomials generated by LLL algorithm are algebraically independent. In most cases where \(k>1\), Coppersmith’s method is a heuristic approach (Herrmann and May 2008; Suzuki et al. 2020; Ernst et al. 2005; Takayasu and Kunihiro 2014, 2019). The validation of this assumption requires experimental confirmation.
Finding small roots of a bivariate integer equation
In this section, we consider the problem of finding small roots to a given bivariate integer equation with restricted polynomial time. Specifically, let \(f(x,y) = a + bx+cy+dxy\) be an irreducible polynomial. The objective is to find all small integer solutions \((x_0,y_0)\) of the equation \(f(x,y)= 0\), where \(|x_0|\le X\) and \(|y_0|\le Y\).
Coppersmith introduced a lattice-based method for finding small roots of bivariate integer equations (Coppersmith 1996), and subsequent works (Jochemsz and May 2006; Coron 2004) improved the lattice construction and extended the method to more variables. For cases where the number of variables is 2, this method is rigorous, as shown in Lemma 4.
Lemma 4
(Coppersmith 1996; Coron 2004; Jochemsz and May 2006) Let \(f(x,y)\in \mathbb {Z}[x,y]\) be a bivariate polynomial of maximum degree D in each variable separately, and the coefficients of f are relatively prime as a set. Let \(W = \Vert f(xX,yY) \Vert _{\infty }\), where \(\Vert f(x,y) \Vert _{\infty }\) represents the infinite norm of f(x, y). We can find all solutions \((x_0,y_0)\) of the equation \(f(x,y)= 0\) with \(|x_0|\le X\) and \(|y_0|\le Y\) if
The algorithm’s time and space complexity is polynomial in \((\log {W}, 2^D)\).
For bivariate cases, this method essentially reduces solving bivariate integer equations to solving equation systems. One can choose an appropriate integer R and construct a set of equations \(g_i(x,y)\equiv 0 \mod R\) containing all small roots under a larger modulus, where \(i=1,2,\ldots ,n\). By linearly combining \(g_i\), it is expected to obtain a new integer equation h(x, y) that is independent of f(x, y). On the other hand, the norm of h(xX, yY) needs to be small enough. One can obtain h by the LLL algorithm, similar to the previous subsection. Let \(W = \Vert f(xX,yY) \Vert _{\infty }\), where \(\Vert f(x,y) \Vert _{\infty }\) represents the infinite norm of f(x, y). The enabling conditions are:
(1) \(h(x_0,y_0) = 0\) holds over integer. From Lemma 3,
(2) h(x, y) is independent of f(x, y). Since f is an irreducible polynomial, it is required that h is not a multiple of f. From Lemma 5,
where h(x, y) is devisible by the integer c.
Lemma 5
(Coron 2004) Let \({f(x,y),h(x,y)}\in \mathbb {Z}[x,y]\) be two non-zero integer polynomials of maximum degree D separately in x and y, and \({f}(0,0) \ne 0\). Assume h is a multiple of f in \(\mathbb {Z}[x,y]\), and h is devisible by an integer \(c \ne 0\), and \(\gcd {({c,f(0,0)})=1}\). Then h(x, y) is devisible by \(c \cdot f(x,y)\) and \(||h|| \ge 2^{-(D+1)^2} \cdot |c| \cdot ||f||_{\infty }\).
One can use Jochemsz-May Strategy (2006) to construct the full rank lattice. Specifically, for a fixed integer m, define \(R=W(XY)^{m-1}\). Then, let \(f'=f^{-1}(0,0)\cdot f \mod R\), which results in a polynomial with a constant term of 1 and roots \((x_0,y_0)\mod R\). Define shift polynomials
where S and M are sets of monomials representing the monomials of \(f^{m-1}\) and \(f^m\), respectively. We have \(g(x_0,y_0) \equiv g'(x_0,y_0) \equiv 0 \mod R\), both g and \(g'\)are divisible by \((XY)^{m-1}\). Then one can follow the Step 2–4 in “Finding small roots of a bivariate modular equation” Section to find the roots.
Finding roots of a quadratic congruence equation
In this section, we recap how to find roots for a quadratic congruence equation. Let \(f(x)=a_nx^n+\cdots +a_1x+a_0\) be an integer polynomial, where the integer \(m = p_1^{i_1}\ldots p_t^{i_t}\), and \(p_1, \dots , p_t\) are t distinct prime numbers. Briefly, the steps to solve the general congruence equation \(f(x) \equiv 0 \mod m\) are:
-
(1)
For all \(j\in [{1},t]\), solve the congruence equation \(f(x) \equiv 0 \mod p_j\);
-
(2)
Find the solutions modulo prime powers \(p_j^2,\dots ,p_j^{i_j}\). This can be achieved by solving linear congruence equations, as long as the solutions modulo \(p_j\) are known;
-
(3)
Find solutions for all equations \(f(x) \equiv 0 \mod p_j^{i_j}\), where \({1} \le j \le t\). Apply the Chinese remainder theorem to obtain solutions modulo m.
Hence, this section focuses on equations modulo prime numbers.
The quadratic congruence equation is represented as \(a_2x^2+a_1x+a_0\equiv 0 \mod p\). If \(\gcd (a_2,p)=1\), the quadratic congruence can be simplified to the standard form \(x^2\equiv a \mod p\), where \(a\in Z^*_p\). One method for finding a square root \(x_0\) is to choose a quadratic non-residue \(b\in Z^*_p\) and compute the discrete logarithm \(\omega\) of \(a^{p_o}\) to the base \(b^{p_o}\), that is \(b^{p_o\omega }=a^{p_o}\), where \(p-1 = 2^cp_o\) and \(p_o\) is odd. The square root \(x_0\) is then obtained as \(x_0 = b^{p_o\omega /2}a^{-(p_o-1)/2}\). The total runtime of this procedure is \(O(\log ^3p+c\log c\log ^2p)\) (Shoup 2005). One can also use the Cipolla algorithm with complexity \(O(\log p)\). Notably, finding square roots modulo m is at least as hard as factoring m. If the factorization of m is unknown, it is hard to find square roots modulo m.
If the modulus is \(2^\gamma\), there may be multiple solutions. Denoting \(t_x\) as the largest integer such that \(2^{t_x}|x\), Steinfeld and Zheng (2001) completely characterize the solutions.
Lemma 6
(Steinfeld and Zheng 2001; Hinek 2009) Let \(N=pq\) be a n-bit integer, where p and q are primes. Let \(S_l\) be the set of solutions of the quadratic equation \(x^2-(p+q)x+pq \equiv 0 \mod 2^{n/4-l}\), where integer \(0\le l <n/4\). Denate \(\Delta = n/4-2(t_{p-q}-1)\), then the size of \(S_l\) is
where \(\omega = 1, 0, -1\) for \(l\le \Delta -3\), \(l=\Delta -2\), \(l=\Delta -1\), respectively. Futher, all of the solutions have the form
where R is any integer.
Partial information on MSB of \(d'\)
In this section, we propose new partial key exposure attacks on RSA with additive exponent blinding, specifically focusing on scenarios where MSBs of \(d'\) are available. This partial information may be acquired through side-channel attacks or alternative methods. Our contributions are demonstrated in Theorem 1 for small e and Theorem 2 for full size e.
Theorem 1
(MSBs with small \(\textrm{e}\)) Let \(N=pq\) be a large integer, where p and q are primes of the same bit-size. Let e and d satisfy \(ed \equiv 1 \mod \varphi (N)\), and \(d'=d+r\varphi (N)\), where \(\sigma +\alpha <1/2\), \(\alpha > 1/4\), and e is a prime number. Denote \(d'=d'_{MSBs}M+d'_0\), where \(d'_{MSBs} \approx N^\delta\) and M is a power of 2. Suppose \(e \approx N^{\alpha }\), \(r \approx N^{\sigma }\). Given public key (N, e) and partial information \((d'_{MSBs},M)\), then N can be factored in polynomial time if
Theorem 2
(MSBs with full size \(\textrm{e}\)) Let parameters be the same as in Theorem 1. Suppose \(r \approx N^{\sigma }\), \(d \approx N^{\beta }\), \(|p-q|>{\frac{1}{4}}N^{1/2}\), where \(\sigma <1/2\), and \(\beta < \sigma +1/4\). Given public key (N, e) and partial information \((d'_{MSBs},M)\), then N can be factored in polynomial time if
Attacks on blinding RSA with small e
For the MSB case where e is small, we present two methods for factoring N. The first method corresponds to Theorem 1. The second method, based on an alternative approach, results in a bound equivalent to the result of Joye and Lepoint (2012). Both of our methods involve two steps, and they share a common first step.
Specifically, the first step uses the known MSBs of \(d'\) to recover \(k'\) through the relationship \(k'(N-p-q+1)=ed'-1\). The second step utilizes the value of \(k'\) to recover the entire private key by (I) solving a quadratic congruence equation and a bivariate integer equation, or (II) solving a bivariate linear integer equation. We first give the proof of Theorem 1, which corresponds to the Method I.
Proof of Theorem 1
Since \(ed \equiv 1 \mod \varphi (N)\), there exist an integer k such that \(ed=1+k\varphi (N)\). Then we have \(ed'=e(d+r\varphi (N))=1+(k+er)\varphi (N)\). Therefore, for the blinded private exponent \(d'\), equation
holds, where \(k'=k+er \le N^{\alpha +\sigma }\).
Step 1: Recover \(k'\) when \(\alpha +\sigma <1/2\) and \(\alpha +\sigma <\delta\).
One can recover \(k'\) when \(\alpha\) and \(\sigma\) are suitably small. Define \(k'_1= \lfloor ed'_{MSBs}M/N \rfloor\), which serves as an approximate value of \(k'\). Let \(k'_0=k'-k'_1\), we have
Then for \(\alpha +\sigma <1/2\) and \(\delta >\alpha +\sigma\) as stated in Theorem 1, we have \(|k'_0| < O(N^0)\), that is we can recover \(k'=k'_1+k'_0\) in polynomial time.
Step 2-(I): Recover p by solving a quadratic congruence equation and a bivariate integer equation.
Denote \(s = p+q\), we can compute \(s_e = (p+q) \mod e=(N+1+k'^{-1})\mod e\) from the Equation (1) as long as \(k'\) is known. Then \(p \mod e\) can be recovered by solving a quadratic congruence equation similar to the method of Boneh et al. (1998). Specifically, we can formulate the equation
where \(z_0=p \mod e\) or \(z_0=q \mod e\), we assume \(z_0=p \mod e\) without losing generality. The roots can be find in probabilistic polynomial time since e is prime, as stated in Theorem 1. Notice that, the method for finding square roots is polynomial time when e is prime or the factorization of e is known.
Denote \(p_e=z_0\) and \(q_e = N/p_e \mod e\), then we can construct the integer equation
with the small solutions
It is crucial to divide by e to obtain the irreducible polynomial \(f(x,y)=F(x,y)/e\). Then \(W = \Vert f(xX,yY) \Vert _{\infty }=eXY\). We can find the roots \((x_0,y_0)\) satisfying \(f(x_0,y_0)=0\) by applying Lemma 4 when \(XY<W^{2/3}\), that is \(\alpha > 1/4\) as stated in Theorem 1.
Once \(x_0\) is found, N can be factored by calculating \(p=ex_0+p_e\). Thus far, the proof of Theorem 1 is complete.
In fact, Method I is unnecessary for e to be prime. For a composite e, the factorization of e must be provided to solve the quadratic congruence equation. Suppose e has t distinct prime factors, there exist \(2^t\) solutions to the quadratic equation \(x^2 -sx +N \equiv 0 \mod e\). Each solution must be tried to recover \(p\mod e\).
Corollary 1
Let parameters be the same as in Theorem 1. Suppose \(e \approx N^{\alpha }\), \(r \approx N^{\sigma }\), where \(\sigma +\alpha <1/2\), \(\alpha > 1/4\), and e has t distinct prime factors. Given public key (N, e), the factorization of e, and partial information \((d'_{MSBs},M)\), then N can be factored if
The time and space complexity of the algorithm is polynomial in \((\log {N},2^t)\).
Alternatively, we can recover the private key by solving a linear integer equation and then foator N, corresponding to the Method II. The result of this method is presented in Proposition 3, which aligns with the result obtained by Joye and Lepoint (2012). Although the Method II does not reduce the amount of leakage, it introduces a novel approach for the partial key exposure attack.
Proposition 3
Let parameters be the same as in Theorem 1. Given public key (N, e) and partial information \((d'_{MSBs},M)\), then N can be factored in polynomial time if \(\delta >1-\alpha\) and \(\sigma +\alpha <1/2\).
Proof of Proposition 3
We can recover \(k'\) when \(\alpha +\sigma <1/2\) and \(\alpha +\sigma <\delta\), as stated in Proposition 3. Now our proof starts from Step 2.
Step 2-(II): Recover p by solving a bivariate linear integer equation.
Denote \(s = p+q\), we can calculate an approximate value of s as
where \(\tilde{s} > s\), and \(k'\) has been recovered in Step 1. Let \(s_0=\tilde{s}-s\), then we have
Notice that p and q are primes of the same bit-size, implying \(p+q < {4}N^{1/2}\), the MSBs of \(p+q\) can be recovered only when \(\delta > 1/2\). Substituting \(p+q = s = \tilde{s}-s_0\) into Equation (1), we get the equation
then derive a integer equation
with the small solutions
Then we have \(W = \Vert f(xX,yY) \Vert _{\infty }=N^{\alpha +\sigma +1-\delta }\). Using Lemma 7, we can find the small roots of f(x, y) if \((1+\sigma -\delta )+(1-\delta )<\alpha +\sigma +1-\delta\), that is \(\delta > 1-\alpha\) as stated in Proposition 3. The proof of Lemma 7 can be found in the Appendix.
Lemma 7
Let \(f(x,y) \in \mathbb {Z}[x,y]\) be a linear polynomial. We can find all solutions \((x_0,y_0)\) of the bivariate integer equation \(f(x,y)= 0\) with \(|x_0|=X<N^{\gamma _x}, |y_0|=Y<N^{\gamma _y}\), \(W=||f(xX,yXY)||_{\infty }<N^{\gamma _W}\) in polynomial time if \(\gamma _x+\gamma _y<\gamma _W\).
Suppose \(p>q\) without losing generality, we can factor N by calculating
where \(s=\tilde{s}+y_0+1\). Thus, the proof of Proposition 3 is complete.
Attacks on blinding RSA with full size e
For the MSB case where e is up to full size, we focus on the algebraic relationship \(d'=d+r\varphi (N)\) and present three methods to recover private key, with Method I corresponding to Theorem 2. The results of Method II and Method III are covered by Method I. Our new methods involve two steps, and they share the same first step.
Specifically, the first step utilizes the known MSBs of \(d'\) to recover the blinding factor r, and the second step utilizes the value of r to recover the entire private key by (I) solving a bivariate integer equation, (II) solving a linear integer equation, or (III) solving a trivial univariate modular equation. We first present the proof of Theorem 2, which corresponds to the Method I.
Proof of Theorem 2
The proof mainly consists of two steps.
Step 1: Recover r when \(\sigma <\min {\{\delta ,1/2\}}\).
One can recover r when \(\sigma\) is suitably small. We set \(r_1= \lfloor d'_{MSBs}M/N \rfloor\) as an approximation of r. Let \(r_0=r-r_1\), we have
Since \(\beta \le 1\), it follows that \(\beta -1 \le 0\). Therefore, for \(\sigma <\delta\) and \(\sigma <1/2\) as stated in Theorem 2, we have \(|r_0|<O(N^0)\), that is we can recover \(r=r_1+r_0\) in polynomial time.
Step 2-(I): Recover p by solving a bivariate integer equation.
Denote \(s=p+q\), we can calculate an approximate value of s as
where the value of r has been recovered in the Step 1, and \(\tilde{s} > s\) holds if \(d'_0>d\). Let \(s_0= \tilde{s}-s\), we have
Notably, p and q are primes of the same bit-size, implying \(p+q < {4}N^{1/2}\). The MSBs of \(p+q\) can be recovered only when \(\max {\{1-\delta ,\beta - \sigma \}}<1/2\). Then we calculate an approximate value of p as
where \(\tilde{p} > p\) holds if \(\tilde{s} > s\). Denoting \(p_0= \tilde{p}-p\), we have
where we use \(|p-q|>{\frac{1}{4}}N^{1/2}\) as stated in Theorem 2. We can also compute an approximate value of q as \(\tilde{q}= \lfloor N/\tilde{p} \rfloor\), where \(\tilde{q} < q\) holds if \(\tilde{p} > p\). Denoting \(q= \tilde{q}+q_0\), we have
Then we can derive a integer equation
with the small solutions
Then \(W = \Vert f(xX,yY) \Vert _{\infty }=N^{1/2}X=N^{1/2}Y\). We can find \((x_0,y_0)\) by apply Lemma 4 when \(XY<W^{2/3}\), that is \(\delta > 3/4\) and \(\beta < \sigma + 1/4\) as stated in Theorem 2. We can factor N by calculating \(p = \tilde{p}+x_0\). Thus far, the proof of Theorem 2 is complete. \(\square\)
We can also recover the private key by solving a linear integer equation or a trivial univariate modular equation, corresponding to Method II and Method III, respectively. The results from these two methods are identical, as demonstrated in Proposition 4. It should be noted that the results of Method I are superior to those of Method II and Method III.
Proposition 4
Let parameters be the same as in Theorem 2. Given public key (N, e) and partial information \((d'_{MSBs},M)\), then N can be factored in polynomial time if \(\delta >1\) and \(\beta< \sigma < 1/2\).
Proof of Proposition 4
The blinding factor r can be recovered in Step 1 when \(\sigma <\min {\{\delta ,1/2\}}\), as stated in Proposition 4. Now our proof starts from Step 2.
Step 2-(II): Recover p by solving a bivariate linear integer equation.
Define \(s=p+q=\tilde{s}-s_0\) as in the Step 2-(I), where \(|s_0|<N^{\max {\{1-\delta ,\beta - \sigma \}}}\). Since \(d'=d+rN-r(p+q-1)=d'_{MSBs}M+d'_0\) and \(p+q=s=\tilde{s}-s_0\), we can obtain \((d'_0-d)+r(\tilde{s}-s_0-1)+d'_{MSBs}M-rN=0\), and then derive a integer equation
with the small solutions
Then we have \(W = \Vert f(xX,yY) \Vert _{\infty }=N^{\max {\{1+\sigma -\delta , \beta \}}}\). By Lemma 7, small solutions of f(x, y) can be found if
that is \(\delta > 1\) and \(\beta < \sigma\) as stated in Proposition 4.
Suppose \(p>q\) without loss of generality, N can be factored by calculating
where \(s=\tilde{s}+y_0+1\).
Step 2-(III): Recover p by solving a trivial univariate modular equation.
Since \(d'=d'_{MSBs}M+d'_0=d+r\varphi (N)\) and r has been recovered in the Step 1, we can derive the modular equation
Then we obtain \(d'_0-d=-(d'_{MSBs}M\mod r)\) if \(\max {\{|d'_0|,|d|\}}<r\), that is \(\max {\{1+\sigma -\delta ,\beta \}}<\sigma\) as state in Proposition 4. Then we have
Suppose \(p>q\) without loss of generality, N can be factored by calculating
Thus far, the proof of Proposition 4 is complete.
Partial information on LSB of \(d'\)
In this section, we propose new partial key exposure attacks on RSA with additive exponent blinding, specifically focusing on scenarios where LSBs of \(d'\) are available. This partial information may be acquired through side-channel attacks or alternative methods. Our contributions are demonstrated in Theorem 5 for small e and Theorem 6 for full size e.
Theorem 5
(LSBs with small \(\textrm{e}\)) Let \(N=pq\) be a large integer, where p and q are primes of the same bit-size. Let e and d satisfy \(ed \equiv 1 \mod \varphi (N)\), and \(d'=d+r\varphi (N)\). Denote \(d'=d'_0M+d'_{LSBs}\), where \(d'_{LSBs}=d' \mod M\) and \(M\approx N^\delta\) is a power of 2. Suppose \(e \approx N^{0}\), \(r \approx N^{0}\). Given public key (N, e) and partial information \((d'_{LSBs},M)\), then N can be factored if
The time and space complexity of the algorithm is polynomial in \((\log {N}, re)\).
Theorem 6
(LSBs with full size \(\textrm{e}\)) Let parameters be the same as in Theorem 6. Suppose \(r \approx N^{\sigma }\), \(d \approx N^{\beta }\). Given public key (N, e) and partial information \((d'_{LSBs},M)\), then N can be factored in polynomial time if
Attacks on blinding RSA with small e
For the case where e is small, we propose a new attack on blinding RSA when provided with LSBs of \(d'\). Essentially, we extend the methods of Steinfeld and Zheng (2001); Hinek (2009) to blinding RSA. Our method necessitates exhaustively exploring the value of \(k'\), making it applicable only when both the public exponent e and the blinding factor r are very small. We now present the proof of Theorem 5.
Proof of Theorem 5
Let k and \(k'\) be integers satisfying \(ed=1+k\varphi (N)\) and \(ed'=1+k'\varphi (N)\), we have \(k'=k+er \le N^{\alpha +\sigma }\). We first try all integers in \([2,N^{\alpha +\sigma }]\) to find \(k'\). The time and space complexity is polynomial in \(N^{\alpha +\sigma }\).
For each \(k'\), denote \(k' = 2^{t_{k'}} \cdot O_{k'}\), where the integer \(O_{k'}\) is odd. Let \(s=p+q\), then equation \(ed'=1+k'\varphi (N)\) can be written as \(e(d'_0M+d'_{LSBs})-1=2^{t_{k'}} \cdot O_{k'}(N+1-s)\). Thus, we have
We can then construct a quadratic congruence equation \(z^2 -sz+N \equiv 0 \mod M\cdot 2^{-t_{k'}}\). Since \(M \approx N^\delta >N^{1/4}\) as stated in Theorem 5, we derive
where \(n = \lceil \log {N} \rceil\), and \(z_0 = p \mod 2^{n/4-t_{k'}}\)(or \(z_0 = q \mod 2^{n/4-t_{k'}}\)) is one of the solutions.
According to Lemma 6, the number of solutions to Equation (2) depends on \(l=t_{k'}\) and \(t_{p-q}\). For \(e, r \approx O(N^0)\) as stated in Theorem 5, \(t_{k'}\le \log _2{k'} \le \log _2{er}+1\) is a small integer. On the other hand, \(t_{p-q}\) is the number of LSBs that p and q have in common. Assuming that p and q are randomly selected, then the probability \(\Pr [t_{p-q}\ge b] \le 2^{1-b}\), notice that \(p\equiv q\equiv 1\mod 2\). Thus, \(t_{k'} < \Delta = n/4-2(t_{p-q}-1)\) with the probability approximately \(1-2^{1-n/8}\). Given that in practice, the typical bit length of RSA modulus is \(n= 512, 1024, 2048\), then \(\Pr [l< \Delta ] \approx 1\).
For \(l< \Delta\), the Lemma 6 assures that there will be at most \(2^{t_{p-q}+1}\) solutions to Eq. (2). The expected value \(\textrm{E}[t_{p-q}]\le 2\), and the distribution of \(t_{p-q}\) when p and q are random prime numbers in experiments is illustrated in Fig. 2. We assume that there will be at most \(2^4\) solutions in practice when \(t_{k'}\) is small, each solution is a candidate of \(x_0 = p \mod 2^{n/4-t_{k'}}\).
For each solution of Eq. (2), we need to guess the \(t_{k'}\) MSBs of \(p \mod 2^{n/4}\)(or \(q \mod 2^{n/4}\)), resulting in \(2^{t_{k'}}\) candidates to construct. Once we obtain \(P_0=p \mod 2^{n/4}\)(or \(q \mod 2^{n/4}\)), we can compute \(Q_0 = N/P_0 \mod 2^{n/4}\) and then derive the integer equation
with the small solutions
Analogous to Theorem 1, we obtain the irreducible polynomial \(f(x,y)=F(x,y)/2^{n/4}\), and then \(W = \Vert f(xX,yY) \Vert _{\infty }=2^{n/4}XY\). We can find the roots \((x_0,y_0)\) satisfying \(f(x_0,y_0)=0\) by applying Lemma 4. Then N can be factored by calculating \(p=2^{n/4}x_0+P_0\) (or \(q=2^{n/4}x_0+P_0\)).
In summary, the total time and space complexity of all exhaustions in the above process is \(O(N^{\alpha +\sigma }\cdot 2^{t_{p-q}+1}\cdot 2^{t_{k'}})\). The result of Theorem 5 is thereby obtained.
Attacks on blinding RSA with full size e
For the case where e is of full size, we propose a new attack on blinding RSA when given LSBs of \(d'\). Unlike the situation with known MSBs, it is difficult to recover other sensitive parameters using LSBs of \(d'\). Our new method focuses on the unique algebraic relationship \(d'=d+r\varphi (N)\) in blinding RSA, and recovers the private key by solving a bivariate modular equation. We now give the proof of Theorem 6.
Proof of Theorem 6
Suppose \(d \approx N^{\beta }\). Since \(d'=d+rN-r(p+q-1)=d'_0M+d'_{LSBs}\), which can be expressed as
we derive a modular equation
with the small solutions
Note that we can also choose M as the modulus, which would yield the same result as choosing N. By employing Lemma 2, we can find the small solutions of f(x, y) if
that is \(\delta > \max {\{1/2+2\sigma , \beta +\sigma \}}\).
We can recover \(d' = M \cdot y_0 +d'_{LSBs}\) and subsequently factor N. Breifly, compute \(K = ed'-1\), noting that \(2|\varphi (N)\) and \(\varphi (N)|K\). For any \(g\in Z_N^*\) we have \(g^K = g^{ed'-1=k'\varphi (N)}\equiv 1\mod N\). Thus, \(g^{K/2}\) is a square root of unity modulo N. There are four square roots modulo \(N = pq\), that is \(1,-1,{\eta },-{\eta }\), where \({\eta }\) satisfies \({\eta } \equiv 1 \mod p\) and \({\eta } \equiv -1 \mod q\). We can recover \({\eta }\) in \(O(\log ^3N)\) time (Boneh 2002) then obtain \(p=\gcd ({\eta }-1,N)\).
Practical experiments
We perform practical experiments using SageMath 9.1 over Intel(R) Xeon(R) Bronze 3106 CPU @ 1.70GHz, Windows Server 2012 R2. The experimental results of our new attacks are basically consistent with the theoretical bounds.
For the MSB case with small e, the experimental results are shown in Table 3. In addition to some calculations, this attack mainly contains two parts. The first part involves finding a root of the quadratic congruence equation, equivalent to finding a square root module e. The implementation of this part adopts the Cipolla algorithm, which is highly efficient in practice, as shown in Table 3 (Find SR). The second part is to find small roots of the integer equation. The implementation of this part adopts the Jochemsz-May’s basic strategy (Jochemsz and May 2006), with the running time mainly depends on the LLL algorithm. To ensure the efficiency of the LLL algorithm, we choose small m to constrain the lattice dimension. One can make the size of e closer to the theoretical bound \(N^{1/4}\) by increasing m, which will increase the running time of LLL algorithm.
For the MSB case with full size e, the experimental results are shown in Table 4. The implementation of finding small roots of the integer equation employs the Jochemsz-May’s basic strategy (Jochemsz and May 2006) and we take small m to ensure the efficiency of the LLL algorithm. One can take larger m to make \(\delta\) and \(\beta\) closer to the theoretical bound, that is \(\delta \rightarrow 3/4\) and \(\beta \rightarrow (\sigma + 1/4)\).
For the LSB case with small e, the experimental results are shown in Table 5. Similar to the MSB case, the process of finding roots of the quadratic congruence equation is efficient in practice. Since there is more than one square root, we must try all possible values, with the average number of candidates provided in Table 5 (Candidates). As for the implementation of finding small roots of the integer equation, we adopt the Jochemsz-May’s basic strategy (Jochemsz and May 2006). We also choose small m to constrain the lattice dimension. One can make \(\delta\) closer to the theoretical bound, that is \(\delta \rightarrow 1/4\), by increasing m.
For the LSB case with full size e, the experimental results are shown in Table 6. The implementation of finding small roots of the modular equation adopts the Herrmann-May’s Herrmann and May (2008) method and we also take small m. One can take larger m to make \(\delta\) closer to the theoretical bound, that is \(\delta \rightarrow \max {\{2\sigma +1/2,\beta +\sigma \}}\).
Conclusion
In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the MSBs or LSBs of \(d'\) are revealed, considering both cases where e is small and e is of full size. For the case where e is small, we reduce the amount of leakage by solving the quadratic congruence equation to recover a portion of p. For the case where e is of full size, we introduce novel attacks utilizing the specific algebraic relationship \(d'=d+r\varphi (N)\) in blinding RSA. Our attacks confirm that blinding RSA is vulnerable to partial key exposure if either \(e\cdot r\) or \(d\cdot r\) is significantly smaller than N. This emphasizes the importance of users selecting both private and public exponents randomly, setting a blinding factor with a longer bit length, or implementing other countermeasures to prevent the leakage of the blinded private exponent \(d'\). In practice, smaller values for e, d, r are often chosen for efficiency. Based on the results of this paper, we suggest that \(e\cdot r\) and \(d\cdot r\) should be greater than N to increase the resilience against such attacks.
While our attack can handle the situation where e is of full size, it necessitates sufficient leakage and succeeds only when d is small. The potential for further reducing the amount of leakage and strategies for executing an attack in scenarios where both e and d are of full size still need to be explored.
Availability of data and materials
Not applicable.
Abbreviations
- CRT:
-
Chinese remainder theorem
- LSBs:
-
Least signifficant bits
- MSBs:
-
Most signifficant bits
- RSA:
-
Rivest–Shamir–Adleman
- SVP:
-
Shortest vector problem
References
Aono Y (2009) A new lattice construction for partial key exposure attack for RSA. In: Public key cryptography—PKC 2009, 12th international conference on practice and theory in public key cryptography, Irvine, CA, USA, March 18–20, 2009. Proceedings, pp 34–53
Blömer J, May A (2003) New partial key exposure attacks on RSA. In: Advances in cryptology—CRYPTO 2003, 23rd annual international cryptology conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, pp 27–43
Boneh D (2002) Twenty years of attacks on the RSA cryptosystem. Notices o Ams 46:203–213
Boneh D, Durfee G, Frankel Y (1998) An attack on RSA given a small fraction of the private key bits. In: Advances in cryptology—ASIACRYPT ’98, international conference on the theory and applications of cryptology and information security, Beijing, China, October 18–22, 1998, Proceedings, pp 25–34
Botan (2023) Botan, a Crypto and TLS for Modern C++ library, Version: 3.2.0. https://github.com/randombit/botan. https://github.com/randombit/botan/blob/master/src/lib/pubkey/rsa/rsa.cpp
Cimato S, Mella S, Susella R (2015) New results for partial key exposure on RSA with exponent blinding. In: SECRYPT 2015: Proceedings of the 12th international conference on security and cryptography, Colmar, Alsace, France, 20–22 July, 2015, pp 136–147
Cimato S, Mella S, Susella R (2015) Partial key exposure attacks on RSA with exponent blinding. In: E-business and telecommunications: 12th international joint conference, ICETE 2015, Colmar, France, July 20–22, 2015, Revised Selected Papers, pp 364–385
Coppersmith D (1996) Finding a small root of a bivariate integer equation; factoring with high bits known. In: Advances in cryptology—EUROCRYPT ’96, international conference on the theory and application of cryptographic techniques, Saragossa, Spain, May 12–16, 1996, Proceeding, pp 178–189
Coppersmith D (1996) Finding a small root of a univariate modular equation. In: Advances in Cryptology—EUROCRYPT ’96, international conference on the theory and application of cryptographic techniques, Saragossa, Spain, May 12–16, 1996, Proceeding, pp 155–165
Coron J (2004) Finding small roots of bivariate integer polynomial equations revisited. In: Advances in cryptology—EUROCRYPT 2004, international conference on the theory and applications of cryptographic techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings, pp 492–505
Ernst M, Jochemsz E, May A, Weger B (2005) Partial key exposure attacks on RSA up to full size exponents. In: Advances in cryptology— EUROCRYPT 2005, 24th annual international conference on the theory and applications of cryptographic techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings, pp 371–386
Herrmann M, May A (2008) Solving linear equations modulo divisors: on factoring given any bits. In: Advances in cryptology—ASIACRYPT 2008, 14th international conference on the theory and application of cryptology and information security, Melbourne, Australia, December 7–11, 2008. Proceedings, pp 406–424
Hinek MJ (2009) Cryptanalysis of RSA and its variants. CRC Press, New York
Howgrave-Graham N (1997) Finding small roots of univariate modular equations revisited. In: Cryptography and coding, 6th IMA international conference, Cirencester, UK, December 17–19, 1997, Proceedings, pp 131–142
Jochemsz E, May A (2006) A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Advances in cryptology—ASIACRYPT 2006, 12th international conference on the theory and application of cryptology and information security, Shanghai, China, December 3–7, 2006, Proceedings, pp 267–282
Joye M, Lepoint T (2012) Partial key exposure on RSA with private exponents larger than N. In: Information security practice and experience: 8th international conference, ISPEC 2012, Hangzhou, China, April 9–12, 2012. Proceedings, pp 369–380
Kocher PC (1996) Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in cryptology—CRYPTO ’96, 16th annual international cryptology conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings, pp 104–113
Lenstra AK, Lenstra HW, Lovász L (1982) Factoring polynomials with rational coefficients. Math Ann 261(4):515–534
Libgcrypt (2021) Libgcrypt, the gnu crypto library, Version: 1.9. https://github.com/gpg/libgcrypt. https://github.com/gpg/libgcrypt/blob/master/cipher/rsa.c
MbedTLS (2023) MbedTLS, a TLS and SSL library, Version: 3.5.1. https://github.com/Mbed-TLS/mbedtls, available at https://github.com/Mbed-TLS/mbedtls/blob/development/library/rsa.c
Novak R (2002) SPA-based adaptive chosen-ciphertext attack on RSA implementation. In: Public key cryptography, 5th International workshop on practice and theory in public key cryptosystems, PKC 2002, Paris, France, February 12–14, 2002, Proceedings, pp 252–262
Rivest RL, Shamir A, Adleman LM (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126
Shoup V (2005) A computational introduction to number theory and algebra. Cambridge University Press, Cambridge
Steinfeld R, Zheng Y (2001) An advantage of low-exponent RSA with modulus primes sharing least significant bits. In: Topics in cryptology—CT-RSA 2001, The cryptographer’s Track at RSA conference 2001, San Francisco, CA, USA, April 8–12, 2001, Proceedings, pp 52–62
Suzuki K, Takayasu A, Kunihiro N (2020) Extended partial key exposure attacks on RSA: improvement up to full size decryption exponents. Theor Comput Sci 841:62–83
Takayasu A, Kunihiro N (2019) Partial key exposure attacks on RSA: achieving the Boneh–Durfee bound. Theor Comput Sci 761:51–77
Takayasu A, Kunihiro N (2014) Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: Selected areas in cryptography: SAC 2014—21st international conference, Montreal, QC, Canada, August 14–15, 2014, Revised Selected Papers, pp 345–362
Zhou Y, Pol J, Yu Y, Standaert F (2022) A third is all you need: Extended partial key exposure attack on CRT-RSA with additive exponent blinding. In: Advances in cryptology: ASIACRYPT 2022—28th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, December 5–9, 2022, Proceedings, Part IV, pp 508–536
Acknowledgements
Not applicable.
Funding
This work is supported in part by National Key R &D Program of China (No. 2022YFB3103800), National Natural Science Foundation of China (No. U1936209, No. 62002353, No. 62202231 and No. 62202230), China Postdoctoral Science Foundation (No.2021M701726) and Jiangsu Funding Program for Excellent Postdoctoral Talent (No.2022ZB270).
Author information
Authors and Affiliations
Contributions
ZJ completed the main work of the paper and drafted the manuscript. YZ and YL participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix
Appendix
Proof of Lemma 7
Let \(f(x,y)=a+bx+cy\) be a linear polynomial with the small solutions \(|x_0|\le X=N^{\gamma _x}\),\(|y_0|\le Y=N^{\gamma _y}\), we suppose \(X\le Y\) without loss of generality. Let \(W=||f(xX,yY)||_{\infty }<N^{\gamma _W}\), and we choose a prime integer \(R\in (W,2W)\). Multiplying the inverse of a, we can obtain a polynomial with a constant term of one, that is
and we have \(f'(x_0,y_0)\equiv 0 \mod R\).
Define the polynomials \(g_x(x,y) = Rx\) and \(g_y(x,y) = Ry\). We have that \(g_x(x_0,y_0)\equiv g_y(x_0,y_0)\equiv 0 \mod R\). Then we can construct the lattice
where the basis vectors are the coefficient vectors of \(f'(xX,yY)\), \(g_x(xX,yY)\) and \(g_y(xX,yY)\). As explained in Section "Finding small roots of a bivariate integer equation", we can find all small roots if \(\textrm{det}(\mathcal {L})^{1/\textrm{dim}(\mathcal {L})}< R\), that is \(R^2XY < R^3\). Then the result of Lemma 7 can be obtained.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Jiang, Z., Zhou, Y. & Liu, Y. New partial key exposure attacks on RSA with additive exponent blinding. Cybersecurity 7, 26 (2024). https://doi.org/10.1186/s42400-024-00214-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s42400-024-00214-y