# Mathematical Approach for Recovering Secret Key from Its Noisy Version

## Abstract

In this paper, we discuss how to recover the RSA secret key from a noisy version of the secret key obtained through physical attacks such as cold boot and side channel attacks. For example, consider a cold boot attack to extract the RSA secret key stored in the memory. The attacker can obtain a degraded version of the secret key so that some bits are erased. In principle, if many erasures occur, the key recovery for the secret key becomes rather difficult. To date, many noise models other than the erasure model have been introduced. For the discrete noise case, the binary erasure model, binary error model, and binary erasure and error model have been introduced. Effective algorithms have been proposed for each noise model, and the conditions for noise which the original secret key can be recovered in polynomial time have been derived. Research has also been conducted on models that can obtain continuous leakage. In this case, several algorithms have been proposed according to the degree of knowledge of the leakage model. Many studies have been conducted on by taking heuristic approaches. In this paper, we provide a survey of existing research and then attempt to explain it within a unified framework.

## Keywords

RSA key recovery Noisy secret key Noise/leakage model## References

- 1.M. Albrecht, C. Cid, Cold Boot Key Recovery by Solving Polynomial Systems with Noise, in
*Proceedings of ACNS2011*, vol. 6715 (LNCS, 2011) pp. 57–72Google Scholar - 2.C.M. Bishop,
*Pattern Recognition and Machine Learning*(Springer, Berlin, 2006)zbMATHGoogle Scholar - 3.D. Boneh, G. Durfee, Y. Frankel, An attack on RSA given a small fraction of the private key bits, in
*Proceeding of Asiacrypt’98*, vol. 1514 (LNCS,1998), pp. 25–34Google Scholar - 4.C.M. Cover, J.A. Thomas,
*Elements of Information Theory*, 2nd edn. (Wiley-Interscience, Hoboken, 2006)zbMATHGoogle Scholar - 5.J. Daemen, V. Rijmen,
*The Design of Rijndael*(Springer, Berlin, 2002)CrossRefzbMATHGoogle Scholar - 6.A.P. Dempster, N.M. Laird, D.B. Rubin, Maximum likelihood from incomplete data via the EM algorithm. J. R. Stat. Soc. Ser. B
**39**(1), 1–38 (1977)MathSciNetzbMATHGoogle Scholar - 7.J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, J.A. Calandrino, A.J. Feldman, J. Appelbaum, E.W. Felten, Lest we remember: cold boot attacks on encryption keys. Proc. USENIX Secur. Symp.
**2008**, 45–60 (2008)Google Scholar - 8.W. Henecka, A. May, A. Meurer, Correcting errors in RSA private keys, in
*Proceedings of Crypto2010*, vol. 6223 (LNCS, 2010), pp. 351–369Google Scholar - 9.N. Heninger, H. Shacham, Reconstructing RSA private keys from random key bits, in
*Proceeding of Crypto2009*, vol. 5677 (LNCS,2009), pp. 1–17Google Scholar - 10.P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in
*Proc. of CRYPTO’99*, vol. 1666 (LNCS, 1999), pp. 388–397Google Scholar - 11.N. Kunihiro, An improved attack for recovering noisy RSA secret keys and its countermeasure, in
*Proceeding of ProvSec2015*, vol. 9451 (LNCS, 2015), pp. 61–81Google Scholar - 12.N. Kunihiro, J. Honda, RSA meets DPA: Recovering RSA secret keys from noisy analog data, in
*Proceedings of CHES2014*, vol. 8731 (LNCS, 2014), pp. 261–278Google Scholar - 13.N. Kunihiro, J. Honda, RSA meets DPA: recovering RSA secret keys from noisy analog data, in
*IACR*(2014), arXiv:eprint:2014/513 - 14.N. Kunihiro, N. Shinohara, T. Izu, Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors, in
*Proceedings of PKC2013*, vol. 7778(LNCS, 2013), pp. 180–197Google Scholar - 15.N. Kunihiro, Y. Takahashi Improved key recovery algorithms from noisy RSA secret keys with analog noise, in
*Proceedings of CT-RSA2017*, vol. 10159 (LNCS, 2017), pp. 328–343Google Scholar - 16.K.G. Paterson, A. Polychroniadou, D.L. Sibborn, A coding-theoretic approach to recovering noisy RSA keys, in
*Proc. of Asiacrypt2012*, vol. 7658 (LNCS, 2012), pp. 386–403Google Scholar - 17.B. Poettering, D.L. Sibborn, Cold Boot Attacks in the Discrete Logarithm Setting, in
*Proceedings of CT-RSA2015*, vol. 9048 (LNCS, 2015), pp. 449–465Google Scholar - 18.PKCS #1: RSA Cryptography Specifications Version 2.0, http://www.ietf.org/rfc/rfc2437.txt
- 19.R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM
**21**(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar - 20.S. Sarkar, S. Maitra, Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents, in
*Proceeding of CHES2012*, vol. 7428 (LNCS, 2012) pp. 476–493Google Scholar - 21.T. Tanigaki, N. Kunihiro, Maximum likelihood-based key recovery algorithm from decayed key schedules, in
*Proceedings of ICISC2015*, vol. 9558 (LNCS, 2015), pp. 314–328Google Scholar - 22.A. Tsow, An improved recovery algorithm for decayed AES key schedule images, in
*Proceedings of SAC2009*, vol. 5867 (LNCS, 2009), pp. 215–230Google Scholar - 23.S. Yilek, E. Rescorla, H. Shacham, B. Enright, S. Savage, When private keys are public: results from the 2008 debian openssl vulnerability. IMC2009 (ACM Press, 2009), pp. 15–27Google Scholar