Attacking Noisy Secret CRT-RSA Exponents in Binary Method

Oonishi, Kento; Kunihiro, Noboru

doi:10.1007/978-3-030-12146-4_3

Cited by 4 publications

(2 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attack Type Used Method ours, [35] factoring attack lattice-based method [37] factoring attack elliptic curve method [6,12,17,18,38] small CRT-exponent attack lattice-based method [19][20][21][22][23] partial key exposure attack lattice-based method [24][25][26][27][28] side-channel attack power-based method [39][40][41] key recovery attack tree-based method Notice that we experimentally verify our CRT-RSA modulus factorization algorithm for small CRT exponents. A limiting factor in achieving large CRT exponents is that we need to perform the lattice reduction algorithm with large lattice dimension in such cases.…”

Section: Related Workmentioning

confidence: 73%

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Zheng

2022

Mathematics

View full text Add to dashboard Cite

The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq<N3/2 when given the CRT-RSA key information (N,e,dp,dq). We apply Coppersmith’s lattice-based method as a basic mathematical tool for finding the small root solutions of modular polynomial equations. Furthermore, we provide validation experiments to illustrate the correctness of the CRT-RSA modulus factorization algorithm, and show that computing the CRT-RSA secret key and factoring its modulus is polynomial-time equivalent by using concrete numerical examples.

show abstract

Section: Related Workmentioning

confidence: 73%

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Zheng

2022

Mathematics

View full text Add to dashboard Cite

show abstract

“…Often only a fraction of the key bits are recovered, and their values are not known with certainty. Various researchers have exploited the redundancy present in private key material to correct the errors [5,25,44,46,48,66].…”

Section: Rsa Backgroundmentioning

confidence: 99%

RAMBleed: Reading Bits in Memory Without Accessing Them

Kwong

Genkin

Gruss

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

108

View full text Add to dashboard Cite

The Rowhammer bug is a reliability issue in DRAM cells that can enable an unprivileged adversary to flip the values of bits in neighboring rows on the memory module. Previous work has exploited this for various types of fault attacks across security boundaries, where the attacker flips inaccessible bits, often resulting in privilege escalation. It is widely assumed however, that bit flips within the adversary's own private memory have no security implications, as the attacker can already modify its private memory via regular write operations.We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel. More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel. Thus, the primary contribution of this work is to show that Rowhammer is a threat to not only integrity, but to confidentiality as well.Furthermore, in contrast to Rowhammer write side channels, which require persistent bit flips, our read channel succeeds even when ECC memory detects and corrects every bit flip. Thus, we demonstrate the first security implication of successfullycorrected bit flips, which were previously considered benign.To demonstrate the implications of this read side channel, we present an end-to-end attack on OpenSSH 7.9 that extracts an RSA-2048 key from the root level SSH daemon. To accomplish this, we develop novel techniques for massaging memory from user space into an exploitable state, and use the DRAM rowbuffer timing side channel to locate physically contiguous memory necessary for double-sided Rowhammering. Unlike previous Rowhammer attacks, our attack does not require the use of huge pages, and it works on Ubuntu Linux under its default configuration settings.

show abstract

Recovering CRT-RSA Secret Keys from Noisy Square-and-Multiply Sequences in the Sliding Window Method

Oonishi

Kunihiro

2020

Information Security and Privacy

View full text Add to dashboard Cite

Attacking Noisy Secret CRT-RSA Exponents in Binary Method

Cited by 4 publications

References 25 publications

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

RAMBleed: Reading Bits in Memory Without Accessing Them

Recovering CRT-RSA Secret Keys from Noisy Square-and-Multiply Sequences in the Sliding Window Method

Contact Info

Product

Resources

About