11 research outputs found
Notes on Small Private Key Attacks on Common Prime RSA
We point out critical deficiencies in lattice-based cryptanalysis of common
prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for
IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68].
To rectify these flaws, we carefully scrutinize the relevant parameters
involved in the analysis during solving a specific trivariate integer
polynomial equation. Additionally, we offer a synthesized attack illustration
of small private key attacks on common prime RSA.Comment: 15 pages, 1 figur
Notes on Small Private Key Attacks on Common Prime RSA
We point out critical deficiencies in lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices\u27\u27 [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis during solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA
Improved Results on Factoring General RSA Moduli with Known Bits
We revisit the factoring with known bits problem on general RSA moduli in the forms of for , where two primes and are of the same bit-size. The relevant moduli are inclusive of , for , and for , which are used in the standard RSA scheme and other RSA-type variants. Previous works acquired the results mainly by solving univariate modular equations.
In contrast, we investigate how to efficiently factor with given leakage of the primes by the integer method using the lattice-based technique in this paper. More precisely, factoring general RSA moduli with known most significant bits (MSBs) of the primes can be reduced to solving bivariate integer equations, which was first proposed by Coppersmith to factor with known high bits. Our results provide a unifying solution to the factoring with known bits problem on general RSA moduli. Furthermore, we reveal that there exists an improved factoring attack via the integer method for particular RSA moduli like and
Partial Key Exposure Attack on Common Prime RSA
In this paper, we focus on the common prime RSA variant and introduces a novel investigation into the partial key exposure attack targeting it. We explore the vulnerability of this RSA variant, which employs two common primes and defined as and for a large prime . Previous cryptanalysis of common prime RSA has primarily focused on the small private key attack. In our work, we delve deeper into the realm of partial key exposure attacks by categorizing them into three distinct cases. We are able to identify weak private keys that are susceptible to partial key exposure by using the lattice-based method for solving simultaneous modular univariate linear equations. To validate the effectiveness and soundness of our proposed attacks, we conduct experimental evaluations. Through these examinations, we demonstrate the validity and practicality of the proposed partial key exposure attacks on common prime RSA
Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference
In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is to combine all the equations and solve one multivariate equation by generic lattice approaches. Since the equation form is similar to multi-prime Phi-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments
Enhancing the Performance of Practical Profiling Side-Channel Attacks Using Conditional Generative Adversarial Networks
Recently, many profiling side-channel attacks based on Machine Learning and
Deep Learning have been proposed. Most of them focus on reducing the number of
traces required for successful attacks by optimizing the modeling algorithms.
In previous work, relatively sufficient traces need to be used for training a
model. However, in the practical profiling phase, it is difficult or impossible
to collect sufficient traces due to the constraint of various resources. In
this case, the performance of profiling attacks is inefficient even if proper
modeling algorithms are used. In this paper, the main problem we consider is
how to conduct more efficient profiling attacks when sufficient profiling
traces cannot be obtained. To deal with this problem, we first introduce the
Conditional Generative Adversarial Network (CGAN) in the context of
side-channel attacks. We show that CGAN can generate new traces to enlarge the
size of the profiling set, which improves the performance of profiling attacks.
For both unprotected and protected cryptographic algorithms, we find that CGAN
can effectively learn the leakage of traces collected in their implementations.
We also apply it to different modeling algorithms. In our experiments, the
model constructed with the augmented profiling set can reduce the required
attack traces by more than half, which means the generated traces can provide
useful information as the real traces
Towards Strengthening Deep Learning-based Side Channel Attacks with Mixup
In recent years, various deep learning techniques have been exploited in side
channel attacks, with the anticipation of obtaining more appreciable attack
results. Most of them concentrate on improving network architectures or putting
forward novel algorithms, assuming that there are adequate profiling traces
available to train an appropriate neural network. However, in practical
scenarios, profiling traces are probably insufficient, which makes the network
learn deficiently and compromises attack performance.
In this paper, we investigate a kind of data augmentation technique, called
mixup, and first propose to exploit it in deep-learning based side channel
attacks, for the purpose of expanding the profiling set and facilitating the
chances of mounting a successful attack. We perform Correlation Power Analysis
for generated traces and original traces, and discover that there exists
consistency between them regarding leakage information. Our experiments show
that mixup is truly capable of enhancing attack performance especially for
insufficient profiling traces. Specifically, when the size of the training set
is decreased to 30% of the original set, mixup can significantly reduce
acquired attacking traces. We test three mixup parameter values and conclude
that generally all of them can bring about improvements. Besides, we compare
three leakage models and unexpectedly find that least significant bit model,
which is less frequently used in previous works, actually surpasses prevalent
identity model and hamming weight model in terms of attack results
Revisiting the Polynomial-Time Equivalence of Computing the CRT-RSA Secret Key and Factoring
The Rivest–Shamir–Adleman (RSA) cryptosystem is currently the most influential and commonly used algorithm in public-key cryptography. Whether the security of RSA is equivalent to the intractability of the integer factorization problem is an interesting issue in mathematics and cryptography. Coron and May solved the above most fundamental problem and proved the polynomial-time equivalence of computing the RSA secret key and factoring. They demonstrated that the RSA modulus N=pq can be factored in polynomial time when given RSA key information (N,e,d). The CRT-RSA variant is a fast technical implementation of RSA using the Chinese Remainder Theorem (CRT), which aims to speed up the decryption process. We focus on the polynomial-time equivalence of computing the CRT-RSA secret key and factoring in this paper. With the help of the latest partial key exposure attack on CRT-RSA, we demonstrate that there exists a polynomial-time algorithm outputting the factorization of N=pq for edp,edq<N3/2 when given the CRT-RSA key information (N,e,dp,dq). We apply Coppersmith’s lattice-based method as a basic mathematical tool for finding the small root solutions of modular polynomial equations. Furthermore, we provide validation experiments to illustrate the correctness of the CRT-RSA modulus factorization algorithm, and show that computing the CRT-RSA secret key and factoring its modulus is polynomial-time equivalent by using concrete numerical examples