Similar operation template attack on RSA-CRT as a case study

Xu, Shuping; Lu, Xiangjun; Zhang, Kaiyu; Li, Yang; Wang, Lei; Wang, Weijia; Gu, Haihua; Guo, Zheng; Liu, Junrong; Gu, Dawu

doi:10.1007/s11432-017-9210-3

Cited by 4 publications

(4 citation statements)

References 33 publications

(42 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attack Type Used Method ours, [35] factoring attack lattice-based method [37] factoring attack elliptic curve method [6,12,17,18,38] small CRT-exponent attack lattice-based method [19][20][21][22][23] partial key exposure attack lattice-based method [24][25][26][27][28] side-channel attack power-based method [39][40][41] key recovery attack tree-based method Notice that we experimentally verify our CRT-RSA modulus factorization algorithm for small CRT exponents. A limiting factor in achieving large CRT exponents is that we need to perform the lattice reduction algorithm with large lattice dimension in such cases.…”

Section: Related Workmentioning

confidence: 73%

“…In addition, the partial-key-exposure attacks such as [19][20][21][22][23] were studied due to the consideration of partial leakage of the CRT-RSA private key. From the implementation aspect, side-channel attacks such as [24][25][26][27][28] were proposed by exploiting the side-channel information leakage during the running process of the CRT-RSA algorithm.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Zheng

2022

Mathematics

View full text Add to dashboard Cite

The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq<N3/2 when given the CRT-RSA key information (N,e,dp,dq). We apply Coppersmith’s lattice-based method as a basic mathematical tool for finding the small root solutions of modular polynomial equations. Furthermore, we provide validation experiments to illustrate the correctness of the CRT-RSA modulus factorization algorithm, and show that computing the CRT-RSA secret key and factoring its modulus is polynomial-time equivalent by using concrete numerical examples.

show abstract

Section: Related Workmentioning

confidence: 73%

Section: Introductionmentioning

confidence: 99%

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Zheng

2022

Mathematics

View full text Add to dashboard Cite

show abstract

“…i q = p −1 mod q. From the partial product, the security of the RSA-CRT relies on the hardness of the hidden multiplier problem over GF(q) [6]. Definition 1 (Hidden multiplier problem over GF(q)).…”

Section: Algorithm 1 Prime Byte Recovery Algorithmmentioning

confidence: 99%

Side channel attack of multiplication in GF(q)–application to secure RSA-CRT

Wang

et al. 2018

Sci. China Inf. Sci.

Self Cite

View full text Add to dashboard Cite

“…However, cryptographic devices have been subject to side channel attack techniques since Kocher first introduced a power analysis attack based on execution time measurements in 1996 Kocher [4]. Side channel attacks (SCAs) have attracted the attention of many researchers, and many SCA attacks against RSA-CRT cryptosystems have been proposed, such as simple power analysis (SPA) [5,6], differential power analysis (DPA) [7][8][9], and template attack [10].…”

Section: Introductionmentioning

confidence: 99%

Clustering Collision Power Attack on RSA-CRT

Wan¹,

Chen²,

Xia³

et al. 2021

Computer Systems Science and Engineering

View full text Add to dashboard Cite

In this paper, we propose two new attack algorithms on RSA implementations with CRT (Chinese remainder theorem). To improve the attack efficiency considerably, a clustering collision power attack on RSA with CRT is introduced via chosen-message pairs. This attack method is that the key parameters d p and d q are segmented by byte, and the modular multiplication collisions are identified by k-means clustering. The exponents d p and d q were recovered by 12 power traces of six groups of the specific message pairs, and the exponent d was obtained. We also propose a second order clustering collision power analysis attack against RSA implementation with CRT, which applies double blinding exponentiation. To reduce noise and artificial participation, we analyze the power points of interest by preprocessing and k-means clustering with horizontal correlation collisions. Thus, we recovered approximately 91% of the secret exponents manipulated with a single power curve on RSA-CRT with countermeasures of double blinding methods.

show abstract

Similar operation template attack on RSA-CRT as a case study

Cited by 4 publications

References 33 publications

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Side channel attack of multiplication in GF(q)–application to secure RSA-CRT

Clustering Collision Power Attack on RSA-CRT

Contact Info

Product

Resources

About