11 research outputs found

    Notes on Small Private Key Attacks on Common Prime RSA

    Full text link
    We point out critical deficiencies in lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis during solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA.Comment: 15 pages, 1 figur

    Notes on Small Private Key Attacks on Common Prime RSA

    Get PDF
    We point out critical deficiencies in lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices\u27\u27 [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis during solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA

    Improved Results on Factoring General RSA Moduli with Known Bits

    Get PDF
    We revisit the factoring with known bits problem on general RSA moduli in the forms of N=prqsN=p^r q^s for r,s≥1r,s\ge 1, where two primes pp and qq are of the same bit-size. The relevant moduli are inclusive of pqpq, prqp^r q for r>1r>1, and prqsp^r q^s for r,s>1r,s>1, which are used in the standard RSA scheme and other RSA-type variants. Previous works acquired the results mainly by solving univariate modular equations. In contrast, we investigate how to efficiently factor N=prqsN=p^r q^s with given leakage of the primes by the integer method using the lattice-based technique in this paper. More precisely, factoring general RSA moduli with known most significant bits (MSBs) of the primes can be reduced to solving bivariate integer equations, which was first proposed by Coppersmith to factor N=pqN=pq with known high bits. Our results provide a unifying solution to the factoring with known bits problem on general RSA moduli. Furthermore, we reveal that there exists an improved factoring attack via the integer method for particular RSA moduli like p3q2p^3 q^2 and p5q3p^5 q^3

    Partial Key Exposure Attack on Common Prime RSA

    Get PDF
    In this paper, we focus on the common prime RSA variant and introduces a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes pp and qq defined as p=2ga+1p=2ga+1 and q=2gb+1q=2gb+1 for a large prime gg. Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA

    Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference

    Get PDF
    In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is to combine all the equations and solve one multivariate equation by generic lattice approaches. Since the equation form is similar to multi-prime Phi-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments

    Enhancing the Performance of Practical Profiling Side-Channel Attacks Using Conditional Generative Adversarial Networks

    Get PDF
    Recently, many profiling side-channel attacks based on Machine Learning and Deep Learning have been proposed. Most of them focus on reducing the number of traces required for successful attacks by optimizing the modeling algorithms. In previous work, relatively sufficient traces need to be used for training a model. However, in the practical profiling phase, it is difficult or impossible to collect sufficient traces due to the constraint of various resources. In this case, the performance of profiling attacks is inefficient even if proper modeling algorithms are used. In this paper, the main problem we consider is how to conduct more efficient profiling attacks when sufficient profiling traces cannot be obtained. To deal with this problem, we first introduce the Conditional Generative Adversarial Network (CGAN) in the context of side-channel attacks. We show that CGAN can generate new traces to enlarge the size of the profiling set, which improves the performance of profiling attacks. For both unprotected and protected cryptographic algorithms, we find that CGAN can effectively learn the leakage of traces collected in their implementations. We also apply it to different modeling algorithms. In our experiments, the model constructed with the augmented profiling set can reduce the required attack traces by more than half, which means the generated traces can provide useful information as the real traces

    Towards Strengthening Deep Learning-based Side Channel Attacks with Mixup

    Get PDF
    In recent years, various deep learning techniques have been exploited in side channel attacks, with the anticipation of obtaining more appreciable attack results. Most of them concentrate on improving network architectures or putting forward novel algorithms, assuming that there are adequate profiling traces available to train an appropriate neural network. However, in practical scenarios, profiling traces are probably insufficient, which makes the network learn deficiently and compromises attack performance. In this paper, we investigate a kind of data augmentation technique, called mixup, and first propose to exploit it in deep-learning based side channel attacks, for the purpose of expanding the profiling set and facilitating the chances of mounting a successful attack. We perform Correlation Power Analysis for generated traces and original traces, and discover that there exists consistency between them regarding leakage information. Our experiments show that mixup is truly capable of enhancing attack performance especially for insufficient profiling traces. Specifically, when the size of the training set is decreased to 30% of the original set, mixup can significantly reduce acquired attacking traces. We test three mixup parameter values and conclude that generally all of them can bring about improvements. Besides, we compare three leakage models and unexpectedly find that least significant bit model, which is less frequently used in previous works, actually surpasses prevalent identity model and hamming weight model in terms of attack results

    Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring

    No full text
    The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq<N3/2 when given the CRT-RSA key information (N,e,dp,dq). We apply Coppersmith’s lattice-based method as a basic mathematical tool for finding the small root solutions of modular polynomial equations. Furthermore, we provide validation experiments to illustrate the correctness of the CRT-RSA modulus factorization algorithm, and show that computing the CRT-RSA secret key and factoring its modulus is polynomial-time equivalent by using concrete numerical examples
    corecore