Cryptology ePrint Archive: Report 2004/147

Key Recovery Method for CRT Implementation of RSA

Matthew J. Campagna and Amit Sethi

Abstract: This paper analyzes a key recovery method for RSA signature generation or decryption implementations using the Chinese Remainder Theorem (CRT) speed up. The CRT-based RSA implementation is common in both low computing power devices and high speed cryptographic acceleration cards. This recovery method is designed to work in conjunction with a side-channel attack where the CRT exponents are discovered from a message decryption or signature generation operation, the public exponent is assumed small and the public modulus is unknown. Since many RSA implementations use the small, low hamming weight public exponent 65537 this turns out to be a realistic method. An algorithm for recovering the private key, modulus and prime factorization candidates is presented with a proof of correctness. Runtime estimates and sample source code is given.

Category / Keywords: public-key cryptography / key recovery

Date: received 23 Jun 2004

Contact author: matthew campagna at pb com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20040623:220316 (All versions of this report)

Short URL: ia.cr/2004/147

Discussion forum: Show discussion | Start new discussion