Improved CRT-RSA Secret Key Recovery Method from Sliding Window Leakage

Abstract

In this paper, we discuss side-channel attacks on the CRT-RSA scheme (RSA scheme with Chinese Remainder Theorem) implemented by the left-to-right sliding window method. This method calculates exponentiations by repeating squaring and multiplication. In CHES 2017, Bernstein et al. proposed side-channel attacks on the CRT-RSA signature scheme implemented by the left-to-right sliding window method. We can obtain square-and-multiply sequences by their side-channel attacks, but cannot calculate CRT-RSA secret keys because there are multiple candidates of multiplications. Then, Bernstein et al. calculated CRT-RSA secret keys by using two methods. First, they recovered CRT-RSA secret keys partially and calculated all secret key bits by using the Heninger–Shacham method. Second, they applied the Heninger–Shacham method to square-and-multiply sequences directly. They showed that we can calculate CRT-RSA secret keys more efficiently when we use square-and-multiply sequences directly. They also showed that we can recover CRT-RSA secret keys in polynomial time when \(w \le 4\). Moreover, they experimentally showed that we can recover secret keys of 2048-bit CRT-RSA scheme when \(w=5\). However, their latter method is simple and has room for improvement. Here, we study bit recovery more profoundly to improve their method. First, we calculate the exact rate of all knowable bits. Next, we propose a new method for calculating the proportion of each bit 0 or 1 in each nonrecovery bit. Finally, we propose a new method for calculating CRT-RSA secret key using this bit information. In our proposed algorithm, we extend Bernstein et al.’s method in combination with Kunihiro et al.’s method. We calculate more secret keys when \(w=5\) by our proposed method compared to Bernstein et al.’s method.