Mathematical Approach for Recovering Secret Key from Its Noisy Version

  • Noboru Kunihiro
Part of the Mathematics for Industry book series (MFI, volume 29)


In this paper, we discuss how to recover an RSA secret key from a noisy version of the key obtained through physical attacks such as cold boot and side-channel attacks. For example, consider a cold boot attack that extracts an RSA secret key stored in memory. The attacker can obtain a degraded version of the secret key in which some bits are erased. In principle, if many erasures occur, recovering the secret key becomes rather difficult. To date, many noise models other than the erasure model have been introduced. For the discrete noise case, the binary erasure model, the binary error model, and the binary erasure and error model have been introduced. Effective algorithms have been proposed for each noise model, and the conditions on the noise under which the original secret key can be recovered in polynomial time have been derived. Research has also been conducted on models in which continuous leakage can be obtained. In this case, several algorithms have been proposed according to the degree of knowledge of the leakage model. Many studies have taken heuristic approaches. In this paper, we provide a survey of existing research and then attempt to explain it within a unified framework.


RSA key recovery · Noisy secret key · Noise/leakage model



Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. School of Frontier Sciences, University of Tokyo, Kashiwa-shi, Chiba, Japan
