Cryptology ePrint Archive: Report 2008/510

Reconstructing RSA Private Keys from Random Key Bits

Nadia Heninger and Hovav Shacham

Abstract: We show that an RSA private key with small public exponent can be efficiently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the "cold boot" attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments.

Category / Keywords: public-key cryptography / RSA, cold boot, cryptanalysis, branching process

Publication Info: Extended abstract in the proceedings of Crypto 2009

Date: received 2 Dec 2008, last revised 25 Feb 2010

Contact author: hovav at cs ucsd edu

Available formats: PDF | BibTeX Citation

Version: 20100226:010534 (All versions of this report)

Discussion forum: Show discussion | Start new discussion