Abstract
Let \({\sf pk}=(N,e)\) be an RSA public key with corresponding secret key \({\sf sk}=(p,q,d,d_p,d_q, q_p^{-1})\). Assume that we obtain partial error-free information of \({\sf sk}\), e.g., assume that we obtain half of the most significant bits of \(p\). Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key \({\sf sk}\), we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in \({\sf sk}\) provided that \(e\) is small. That is, on input of a full but error-prone secret key \(\widetilde{\sf sk}\) we reconstruct the original \({\sf sk}\) by correcting the faults.
More precisely, consider an error rate of \(\delta \in [0,\frac 1 2)\), where we flip each bit in \({\sf sk}\) with probability \(\delta\), resulting in an erroneous key \(\widetilde{\sf sk}\). Our Las Vegas type algorithm recovers \({\sf sk}\) from \(\widetilde{\sf sk}\) in expected time polynomial in \(\log N\) with success probability close to 1, provided that \(\delta < 0.237\). We also obtain a polynomial time Las Vegas factorization algorithm for recovering the factorization \((p,q)\) from an erroneous version with error rate \(\delta < 0.084\).
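The error model and the redundancy inside sk can be made concrete with a short script. This is an added example, not code from the paper, and it does not implement the correction algorithm: it flips bits of a constructed toy key at rate delta and reports which of the standard RSA-CRT relations between the components no longer hold (these relations are assumed background, not stated in the abstract; all function names are hypothetical).

```python
import random

def make_key(p, q, e):
    """Return sk = (p, q, d, d_p, d_q, q_p^{-1}) for pk = (N, e). Python 3.8+."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"p": p, "q": q, "d": d, "dp": d % (p - 1),
            "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def widths(N):
    """Bit width of each component: n bits for d, n/2 bits for the others."""
    n = N.bit_length()
    half = (n + 1) // 2
    return {"p": half, "q": half, "d": n, "dp": half, "dq": half, "qinv": half}

def add_noise(sk, N, delta, seed):
    """Error model of the abstract: flip each bit independently with probability delta."""
    rng = random.Random(seed)
    noisy = {}
    for name, width in widths(N).items():
        mask = sum(1 << i for i in range(width) if rng.random() < delta)
        noisy[name] = sk[name] ^ mask
    return noisy

def hamming(a, b):
    """Number of bit positions in which two keys differ."""
    return sum(bin(a[k] ^ b[k]).count("1") for k in a)

def _one_mod(x, m):
    """True if x = 1 (mod m); a corrupted modulus below 2 never passes."""
    return m > 1 and (x - 1) % m == 0

def violated_relations(N, e, sk):
    """Names of the redundancy relations among the key components that fail."""
    p, q, d = sk["p"], sk["q"], sk["d"]
    checks = [
        ("N = p*q", p * q == N),
        ("e*d = 1 mod (p-1) and (q-1)",
         _one_mod(e * d, p - 1) and _one_mod(e * d, q - 1)),
        ("e*dp = 1 mod (p-1)", _one_mod(e * sk["dp"], p - 1)),
        ("e*dq = 1 mod (q-1)", _one_mod(e * sk["dq"], q - 1)),
        ("q*qinv = 1 mod p", _one_mod(q * sk["qinv"], p)),
    ]
    return [name for name, ok in checks if not ok]

# Constructed toy key, far too small for real use: p = 1019, q = 1013, e = 3.
P, Q, E = 1019, 1013, 3
N = P * Q
SK = make_key(P, Q, E)
if __name__ == "__main__":
    noisy = add_noise(SK, N, 0.1, seed=1)
    print(hamming(SK, noisy), violated_relations(N, E, noisy))
```

The same relation checks are useful as an integrity test before a loaded private key is used for signing or decryption.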
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Henecka, W., May, A., Meurer, A. (2010). Correcting Errors in RSA Private Keys. In: Rabin, T. (eds) Advances in Cryptology – CRYPTO 2010. CRYPTO 2010. Lecture Notes in Computer Science, vol 6223. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14623-7_19
DOI: https://doi.org/10.1007/978-3-642-14623-7_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14622-0
Online ISBN: 978-3-642-14623-7
eBook Packages: Computer Science (R0)