Paper 2022/1163

A Third is All You Need: Extended Partial Key Exposure Attack on CRT-RSA with Additive Exponent Blinding

Yuanyuan Zhou, UCLouvain
Joop van de Pol
Yu Yu, Shanghai Jiao Tong University
François-Xavier Standaert
Abstract

At Eurocrypt 2022, May et al. proposed a partial key exposure (PKE) attack on CRT-RSA that efficiently factors N knowing only a 1/3-fraction of either most significant bits (MSBs) or least significant bits (LSBs) of private exponents and for public exponent . In practice, PKE attacks typically rely on the side-channel leakage of these exponents, while a side-channel resistant implementation of CRT-RSA often uses additively blinded exponents and with unknown random blinding factors and , which makes PKE attacks more challenging. Motivated by the above, we extend the PKE attack of May et al. to CRT-RSA with additive exponent blinding. While admitting , our extended PKE works ideally when , in which case the entire private key can be recovered using only known MSBs or LSBs of the blinded CRT exponents and . Our extended PKE follows their novel two-step approach to first compute the key-dependent constant (, ), and then to factor by computing the root of a univariate polynomial modulo . We extend their approach as follows. For the MSB case, we propose two options for the first step of the attack, either by obtaining a single estimate and calculating via factoring, or by obtaining multiple estimates and calculating probabilistically via GCD. For the LSB case, we extend their approach by constructing a different univariate polynomial in the second step of the LSB attack. A formal analysis shows that our LSB attack runs in polynomial time under the standard Coppersmith-type assumption, while our MSB attack either runs in sub-exponential time with a reduced input size (the problem is reduced to factoring a number of size ) or in probabilistic polynomial time under a novel heuristic assumption. Under the settings of the most common key sizes (1024-bit, 2048-bit, and 3072-bit) and blinding factor lengths (32-bit, 64-bit, and 128-bit), our experiments verify the validity of the Coppersmith-type assumption and our own assumption, as well as the feasibility of the factoring step.
To the best of our knowledge, this is the first PKE on CRT-RSA with experimentally verified effectiveness against 128-bit unknown exponent blinding factors. We also demonstrate an application of the proposed PKE attack using real partial side-channel key leakage targeting a Montgomery Ladder exponentiation CRT implementation.
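
The additive exponent blinding the abstract refers to, worked through as an added example (this is not code from the paper or its authors): the blinded CRT exponents d_p' = d_p + r_p(p-1) and d_q' = d_q + r_q(q-1) still decrypt correctly by Fermat's little theorem, which is exactly why a side-channel trace leaks bits of the blinded values rather than of d_p and d_q themselves. The primes, public exponent and blinding factors are constructed toy values far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy CRT-RSA parameters (well-known small primes; NOT a real key size).
P = 1000000007
Q = 998244353
E = 65537
N = P * Q


def crt_exponents(e, p, q):
    """Standard CRT exponents d_p = e^-1 mod (p-1), d_q = e^-1 mod (q-1)."""
    assert gcd(e, (p - 1) * (q - 1)) == 1
    return pow(e, -1, p - 1), pow(e, -1, q - 1)


def blind_exponents(dp, dq, p, q, bits, rp=None, rq=None):
    """Additive blinding: d_p' = d_p + r_p*(p-1), d_q' = d_q + r_q*(q-1).
    r_p, r_q are fresh random `bits`-bit factors (cf. the paper's 32/64/128-bit
    settings); fixed values may be passed in for reproducible checks."""
    rp = secrets.randbits(bits) if rp is None else rp
    rq = secrets.randbits(bits) if rq is None else rq
    return dp + rp * (p - 1), dq + rq * (q - 1)


def crt_decrypt(c, p, q, dp, dq):
    """Garner-style CRT recombination. Unchanged for blinded exponents because
    c^(p-1) = 1 mod p for c coprime to p, so the r_p*(p-1) term drops out."""
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    h = ((mp - mq) * pow(q, -1, p)) % p
    return mq + h * q


def roundtrip(m, bits=64, rp=None, rq=None):
    """Encrypt m, decrypt with plain and blinded exponents, report what changed."""
    dp, dq = crt_exponents(E, P, Q)
    dp_b, dq_b = blind_exponents(dp, dq, P, Q, bits, rp, rq)
    c = pow(m, E, N)
    return {
        "plain_ok": crt_decrypt(c, P, Q, dp, dq) == m,
        "blinded_ok": crt_decrypt(c, P, Q, dp_b, dq_b) == m,
        "exponent_changed": (dp_b, dq_b) != (dp, dq),
        # each blinded exponent grows by roughly `bits` bits, which is the
        # extra unknown material an attacker on the blinded value has to absorb
        "extra_bits": dp_b.bit_length() - dp.bit_length(),
    }
```

Note that a fresh r_p, r_q per exponentiation means every trace leaks bits of a different d_p', d_q'; the paper's contribution is recovering the key from such leakage anyway, which is the threat model a blinded implementation should be evaluated against.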

Note: This is the full version of our proceeding paper.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A major revision of an IACR publication in ASIACRYPT 2022
Keywords
Partial Key Exposure Additive Blinding CRT-RSA Coppersmith method
Contact author(s)
zhou yuanyuan @ gmail com
csjhvdp @ my bristol ac uk
yuyu @ yuyu hk
fstandae @ uclouvain be
History
2022-09-06: approved
2022-09-06: received
Short URL
https://ia.cr/2022/1163
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1163,
      author = {Yuanyuan Zhou and Joop van de Pol and Yu Yu and François-Xavier Standaert},
      title = {A Third is All You Need: Extended Partial Key Exposure Attack on {CRT}-{RSA} with Additive Exponent Blinding},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1163},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1163}
}