Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 5

Reconstruction of Primes given few of its Bits

An extensive amount of research has been done in RSA factorization and we refer the reader to the survey papers by Boneh [11] and May [84] for a complete account. One major class of RSA attacks exploits partial knowledge of the RSA secret keys or the primes. Rivest and Shamir [109] pioneered these attacks using Integer Programming and factored an RSA modulus given two-thirds of the LSBs of a factor. Later, a seminal paper [24] by Coppersmith proved that factorization of the RSA modulus can be achieved given half of the MSBs of a factor. His method used the LLL [77] lattice reduction technique to solve for small solutions to modular equations. This method triggered a host of research in the field of lattice-based factorization, e.g., the works by Howgrave-Graham [59] and Jochemsz and May [65].

These results require knowledge of contiguous blocks of bits of the RSA secret keys or the primes. However, in an actual practical scenario of side-channel attacks, it is more likely that an adversary will gain knowledge of random bits of the RSA parameters instead of contiguous blocks. In fact, the cold-boot attack proposed by Halderman et al. [46] in 2009 was mounted to recover random bits of RSA secret parameters by exploiting data remanence in computer memory. Thus the motivation comes from side-channel attacks on RSA where some bits of p and q are revealed but not the entire key. In this model, the application of the earlier factorization methods proves insufficient, and one requires a way to extract more information out of the random bits obtained via the side-channel attacks. In [51], it has been shown how N can be factored with the knowledge of a random subset
75
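To make the contrast between contiguous and random known bits concrete, the following is an added example (not code from the thesis or from any of the cited papers). It assumes the random-subset setting the cut-off sentence refers to is the one where a random subset of the bits of p and q is known, and it implements the lattice-free branch-and-prune idea for that setting: reconstruct p and q from the least significant bit upward, using only the congruence N ≡ p·q (mod 2^(i+1)), and let the leaked bits prune the branches. The primes 65537 and 65521 and the leak pattern are constructed toy inputs, far smaller than real RSA, chosen so the search finishes instantly and the frontier sizes can be compared.

```python
import random

# Constructed toy key: 65537 and 65521 are well-known small primes.  Real RSA
# primes are hundreds of bits; the mechanism is identical, only the search is
# longer when few bits leak.
P_TOY, Q_TOY = 65537, 65521
N_TOY = P_TOY * Q_TOY
NBITS = 17  # bit-length bound for each prime (65537 needs 17 bits)


def sample_known_bits(value, nbits, fraction, rng):
    """Return {bit_index: bit} for a random subset of value's low nbits bits.
    This models the side-channel setting: each bit leaks independently, so the
    known positions are scattered rather than a contiguous block."""
    return {i: (value >> i) & 1 for i in range(nbits) if rng.random() < fraction}


def reconstruct(n, known_p, known_q, nbits):
    """Branch-and-prune reconstruction of odd p, q with p*q == n from random
    known bits of each.  Returns (solutions, max_frontier): solutions is the set
    of sorted factor pairs found, max_frontier the largest number of partial
    candidates kept at any bit position (a measure of the work done)."""
    # Both primes are odd, so bit 0 of each is 1; a leak saying otherwise is bogus.
    if known_p.get(0, 1) != 1 or known_q.get(0, 1) != 1:
        return set(), 0
    candidates = [(1, 1)]  # (low bits of p, low bits of q) with bit 0 fixed
    max_frontier = 1
    for i in range(1, nbits):
        # Invariant: n == p_low*q_low (mod 2^i) for every surviving candidate.
        # Expanding (p_low + a*2^i)(q_low + b*2^i) modulo 2^(i+1) gives
        # p_low*q_low + 2^i*(a*q_low + b*p_low), and since p_low, q_low are odd
        # a*q_low + b*p_low == a + b (mod 2).  So bit i of (n - p_low*q_low)
        # decides whether bit i of p and bit i of q must agree (0) or differ (1):
        # exactly two branches per candidate before the leaked bits prune them.
        nxt = []
        for p_low, q_low in candidates:
            parity = ((n - p_low * q_low) >> i) & 1
            for a in (0, 1):
                b = a ^ parity
                if i in known_p and known_p[i] != a:
                    continue
                if i in known_q and known_q[i] != b:
                    continue
                p2 = p_low | (a << i)
                q2 = q_low | (b << i)
                if p2 * q2 > n:  # higher bits can only increase p and q
                    continue
                nxt.append((p2, q2))
        candidates = nxt
        max_frontier = max(max_frontier, len(candidates))
    solutions = {tuple(sorted(c)) for c in candidates
                 if c[0] * c[1] == n and 1 < c[0] < n}
    return solutions, max_frontier


def demo(fraction=0.5, seed=2024):
    """Leak a random half of the bits of the toy primes and reconstruct them."""
    rng = random.Random(seed)
    known_p = sample_known_bits(P_TOY, NBITS, fraction, rng)
    known_q = sample_known_bits(Q_TOY, NBITS, fraction, rng)
    solutions, frontier = reconstruct(N_TOY, known_p, known_q, NBITS)
    return solutions, frontier, len(known_p) + len(known_q)


if __name__ == "__main__":
    sols, frontier, leaked = demo()
    _, frontier_no_leak = reconstruct(N_TOY, {}, {}, NBITS)
    print(f"leaked {leaked} of {2 * NBITS} bits -> widest frontier {frontier}, "
          f"solutions {sols}")
    print(f"with no leaked bits the frontier reaches {frontier_no_leak}: "
          "the congruence alone never rules candidates out, the leak does")
```

The point to take from running it is the frontier size: the modular constraint alone doubles the candidate set at almost every bit (a blind search), while scattered known bits, which are useless to a Coppersmith-style method that needs a contiguous block, cut the frontier at every position where one of them lands. For a defender, the same arithmetic says why key material left in DRAM after power-off is dangerous even when only a fraction of it is readable.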