Side channel attack of multiplication in GF(q)–application to secure RSA-CRT

Xu, Shuping; Wang, Weija; Lu, Xiangjun; Guo, Zheng; Liu, Junrong; Gu, Dawu

doi:10.1007/s11432-018-9488-2

Cited by 1 publication

(2 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attack Type Used Method ours, [35] factoring attack lattice-based method [37] factoring attack elliptic curve method [6,12,17,18,38] small CRT-exponent attack lattice-based method [19][20][21][22][23] partial key exposure attack lattice-based method [24][25][26][27][28] side-channel attack power-based method [39][40][41] key recovery attack tree-based method Notice that we experimentally verify our CRT-RSA modulus factorization algorithm for small CRT exponents. A limiting factor in achieving large CRT exponents is that we need to perform the lattice reduction algorithm with large lattice dimension in such cases.…”

Section: Related Workmentioning

confidence: 73%

“…In addition, the partial-key-exposure attacks such as [19][20][21][22][23] were studied due to the consideration of partial leakage of the CRT-RSA private key. From the implementation aspect, side-channel attacks such as [24][25][26][27][28] were proposed by exploiting the side-channel information leakage during the running process of the CRT-RSA algorithm.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Zheng

2022

Mathematics

View full text Add to dashboard Cite

The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq<N3/2 when given the CRT-RSA key information (N,e,dp,dq). We apply Coppersmith’s lattice-based method as a basic mathematical tool for finding the small root solutions of modular polynomial equations. Furthermore, we provide validation experiments to illustrate the correctness of the CRT-RSA modulus factorization algorithm, and show that computing the CRT-RSA secret key and factoring its modulus is polynomial-time equivalent by using concrete numerical examples.

show abstract