Results 1  10
of
30
Least we remember: Cold boot attacks on encryption keys
 In USENIX Security Symposium
, 2008
"... For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit ..."
Abstract

Cited by 105 (3 self)
 Add to MetaCart
For the most recent version of this paper, answers to frequently asked questions, and videos of demonstration attacks, visit
The Two Faces of Lattices in Cryptology
, 2001
"... Lattices are regular arrangements of points in ndimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising ..."
Abstract

Cited by 69 (16 self)
 Add to MetaCart
Lattices are regular arrangements of points in ndimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist publickey cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Checking before Output May Not Be Enough against FaultBased Cryptanalysis
, 2000
"... In order to avoid faultbased attacks on cryptographic security modules (e.g., smartcards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential faultbased attack where key bits leak only through the informa ..."
Abstract

Cited by 37 (2 self)
 Add to MetaCart
In order to avoid faultbased attacks on cryptographic security modules (e.g., smartcards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential faultbased attack where key bits leak only through the information whether the device produces after a temporary fault a correct answer or not. This information is available to the adversary even if a check is performed before output.
Lattice Reduction in Cryptology: An Update
 Lect. Notes in Comp. Sci
, 2000
"... Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography. ..."
Abstract

Cited by 36 (7 self)
 Add to MetaCart
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
New partial key exposure attacks on rsa
 In CRYPTO
, 2003
"... Abstract. In 1998, Boneh, Durfee and Frankel [4] presented several attacks on RSA when an adversary knows a fraction of the secret key bits. The motivation for these socalled partial key exposure attacks mainly arises from the study of sidechannel attacks on RSA. With side channel attacks an adver ..."
Abstract

Cited by 23 (0 self)
 Add to MetaCart
Abstract. In 1998, Boneh, Durfee and Frankel [4] presented several attacks on RSA when an adversary knows a fraction of the secret key bits. The motivation for these socalled partial key exposure attacks mainly arises from the study of sidechannel attacks on RSA. With side channel attacks an adversary gets either most significant or least significant bits of the secret key. The polynomial time algorithms given in [4] only work provided that the public key e is smaller than N 1 2. It was raised as an open question whether there are polynomial time attacks beyond this bound. We answer this open question in the present work both in the case of most and least significant bits. Our algorithms make use of Coppersmith’s heuristic method for solving modular multivariate polynomial equations [8]. For known most significant bits, we provide an algorithm that works for public exponents e in the interval [N 1 2, N 0.725]. Surprisingly, we get an even stronger result for known least significant bits: An algorithm that works for all e < N 7 8. We also provide partial key exposure attacks on fast RSAvariants that use Chinese Remaindering in the decryption process (e.g. [20, 21]). These fast variants are interesting for timecritical applications like smartcards which in turn are highly vulnerable to sidechannel attacks. The new attacks are provable. We show that for small public exponent RSA half of the bits of dp = d mod p − 1 suffice to find the factorization of N in polynomial time. This amount is only a quarter of the bits of N and therefore the method belongs to the strongest known partial key exposure attacks.
Exposing an RSA Private Key Given a Small Fraction of its Bits
, 1998
"... We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N^(1/4), N^(1/2)], half the bits of the ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N^(1/4), N^(1/2)], half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the rsa public key system.
Approximate integer common divisors
 CaLC 2001, LNCS
, 2001
"... Abstract. We show that recent results of Coppersmith, Boneh, Durfee and HowgraveGraham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully ” approximate common divisors, i.e. where both integers are only known by ap ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
Abstract. We show that recent results of Coppersmith, Boneh, Durfee and HowgraveGraham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully ” approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same “proof of algebraic independence ” problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counter examples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continuedfraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis. Keywords: Greatest common divisor, approximations, Coppersmith’s method, continued fractions, lattice attacks.
Using LLLReduction for Solving RSA and Factorization Problems: A Survey
, 2007
"... 25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: They can either be interpreted as cryptanalytic results or as hardness/security results.
An attack on the proactive RSA signature scheme in the URSA ad hoc network access control protocol
 in the URSA Ad Hoc Network Access Control Protocol. In ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN
, 2004
"... ..."
Reconstructing rsa private keys from random key bits
 In CRYPTO
, 2009
"... We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algori ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the “cold boot ” attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments. 1