We discuss how to recover RSA secret keys from noisy key bits with erasures and errors. There are two known algorithms recovering original secret keys from noisy keys. At Crypto 2009, Heninger and Shacham proposed a method for the case where an erroneous version of secret keys contains only erasures. Subsequently, Henecka et al. proposed a method for an erroneous version containing only errors at Crypto 2010. For physical attacks such as side-channel and cold boot attacks, we need to study key recovery from a noisy secret key containing both erasures and errors. In this paper, we propose a method to recover a secret key from such an erroneous version and analyze the condition for error and erasure rates so that our algorithm succeeds in finding the correct secret key in polynomial time. We also evaluate a theoretical bound to recover the secret key and discuss to what extent our algorithm achieves this bound.

The XTR public key cryptosystem was introduced in 2000. XTR is suitable for a variety of environments including low-end smart cards, and is regarded as an excellent alternative to RSA and ECC. Moreover, it is remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as the timing attack and the differential power analysis (DPA). This paper investigates the security of side channel attack (SCA) on XTR. In this paper, we show the immunity of XTR-SE against the simple power analysis if the order of the computation of XTR-SE is carefully considered. In addition, we show that XTR-SE is vulnerable to the data-bit DPA, the address-bit DPA, the doubling attack, the modified refined power analysis, and the modified zero-value attack. Moreover, we propose some countermeasures against these attacks. We also show experimental results of the efficiency of the countermeasures. From our implementation results, if we compare XTR with ECC with countermeasures against "SCAs," we think XTR is as suitable to smart cards as ECC.

In 1999, Boneh et al. proposed the Lattice Factoring Method (LFM) for the integer factoring problem for a composite of the form N = prq by employing the LLL-algorithm. Time complexity of LFM is measured by the number of calls of the LLL-algorithm. In the worst case, the number is 2log p for a certain constant c. In 2001, Uchiyama and Kanayama introduced a novel criterion and provided an improved algorithm which runs (2k-p)/|p-Nr+1| times faster (for certain constants k, Nr+1). In this letter, we note another practical improvement applicable to the original and the improved LFM, which enables to provide about 2 times speed-up.

CRT-RSA is a variant of RSA, which uses integers dp = d mod (p-1) and dq = d mod (q-1) (CRT-exponents), where d, p, q are the secret keys of RSA. May proposed a method to obtain the secret key in polynomial time if a CRT-exponent is small, moreover Bleichenbacher and May improved this method. On the other hand, Takagi's RSA is a variant of CRT-RSA, whose public key N is of the form prq for a given positive integer r. In this paper, we extend the May's method and the Bleichenbacher-May's method to Takagi's RSA, and we show that we obtain p in polynomial time if by the extended May's method, and if by the extended Bleichenbacher-May's method, when dq is arbitrary small. If r=1, these upper bounds conform to May's and Bleichenbacher-May's results respectively. Moreover, we also show that the upper bound of pr increase with an increase in r. Since these attacks are heuristic algorithms, we provide several experiments which show that we can obtain the secret key in practice.

This paper proposes fast elliptic curve multiplication algorithms resistant against side channel attacks, based on the Montgomery-type scalar multiplication. The proposed scalar multiplications can be applied to all curves over prime fields, e.g., any standardized curves over finite fields with characteristic larger than 3. The method utilizes the addition formulas xECDBL and xECADD assembled by only x-coordinates of points, and is applicable for any types of curves over finite fields. Then, we encapsulate two addition formulas into one formula xECADDDBL, which accomplishes a faster computation because several auxiliary variables of two formulas can be shared. We also develop a novel addition chain for the new formula, with which we can compute scalar multiplications. The improvement of our scalar multiplications over previous Coron's dummy operation method is about 18% for a 160-bit scalar multiplication. Our method requires no table-up of precomputed points and it is suitable for the implementation on memory constraint computing architectures, e.g., smart cards. Moreover, we optimize the proposed algorithms for parallelized implementations with SIMD operations. Compared with the similar scheme proposed by Fischer et al., our scheme is about 16% faster.

The ηT pairing for supersingular elliptic curves over GF(3m) has been paid attention because of its computational efficiency. Since most computation parts of the ηT pairing are GF(3m) multiplications, it is important to improve the speed of the multiplication when implementing the ηT pairing. In this paper we investigate software implementation of GF(3m) multiplication and propose using irreducible trinomials xm+axk+b over GF(3) such that k is a multiple of w, where w is the bit length of the word of targeted CPU. We call the trinomials "reduction optimal trinomials (ROTs)." ROTs actually exist for several m's and for typical values of w = 16 and 32. We list them for extension degrees m = 97, 167, 193, 239, 317, and 487. These m's are derived from security considerations. Using ROTs, we are able to implement efficient modulo operations (reductions) for GF(3m) multiplication compared with cases in which other types of irreducible trinomials are used (e.g., trinomials with a minimum k for each m). The reason for this is that for cases using ROTs, the number of shift operations on multiple precision data is reduced to less than half compared with cases using other trinomials. Our implementation results show that programs of reduction specialized for ROTs are 20-30% faster on 32-bit CPU and approximately 40% faster on 16-bit CPU compared with programs using irreducible trinomials with general k.

The Single Instruction, Multiple Data (SIMD) architecture enables computation in parallel on a single processor. The SIMD operations are implemented on some processors such as Pentium 3/4, Athlon, SPARC, or even on smart cards. This paper proposes efficient algorithms for assembling an elliptic curve addition (ECADD), doubling (ECDBL), and k-iterated ECDBL (k-ECDBL) with SIMD operations. We optimize the number of auxiliary variables and the order of basic field operations used for these addition formulas. If an addition chain has k-bit zero run, we can replace k-time ECDBLs to the proposed faster k-ECDBL and the total efficiency of the scalar multiplication can be improved. Using the singed binary chain, we can compute a scalar multiplication about 10% faster than the previously fastest algorithm proposed by Aoki et al. Combined with the sliding window method or the width-w NAF window method, we also achieve about 10% faster parallelized scalar multiplication algorithms with SIMD operations. For the implementation on smart cards, we establish two fast parallelized scalar multiplication algorithms with SIMD resistant against side channel attacks.

This paper studies two types of documents in which an adversary can forge a signature on a chosen document. One type is that a nonce is padded on an input document. The time-stamp protocol is a good example of this type. Another is a structured document (such as PS or PDF) whose contents are described in a body part and information (such as generated time and a generator) are in a meta part. In fact, this paper shows how to forge a time-stamp, a signature on a PDF and an X.509 certificate by the extended forgery attack and numerical examples. Forged signature by the original or the extended attacks is only accepted by the clients whose length check of zero-field is loosely implemented. As a result, we found that the latest versions of Adobe's Acrobat and Acrobat Reader accept the forged time-stamp and the forged signature on a PDF document. Target of this attack is RSASSA-PKCS1-v1_5, which does not have provable security. We also show the expanded attack might forge the signature of RSASSA-PSS, which has provable security, when the length check of zero-field is omitted or loosely implemented.

EMV signature is one of specifications for authenticating credit and debit card data, which is based on ISO/IEC 9796-2 signature scheme. At CRYPTO 2009, Coron, Naccache, Tibouchi, and Weinmann proposed a new forgery attack against the signature ISO/IEC 9796-2 (CNTW attack) [2]. They also briefly discussed the possibility when the attack is applied to the EMV signatures. They showed that the forging cost is $45,000 and concluded that the attack could not forge them for operational reason. However their results are derived from not fully analysis under only one condition. The condition they adopt is typical case. For security evaluation, fully analysis and an estimation in worst case are needed. This paper shows cost-estimation of CNTW attack against EMV signature in detail. We constitute an evaluate model and show cost-estimations under all conditions that Coron et al. do not estimate. As results, this paper contribute on two points. One is that our detailed estimation reduced the forgery cost from $45,000 to $35,200 with same condition as [2]. Another is to clarify a fact that EMV signature can be forged with less than $2,000 according to a condition. This fact shows that CNTW attack might be a realistic threat.

In this paper, we present a lattice based method on small secret exponent attack on the RSA scheme. Boneh and Durfee reduced the attack to finding the small roots of the bivariate modular equation: x(N+1+y)+1 ≡ 0 (mod e), where N is an RSA modulus and e is the RSA public key and proposed a lattice based algorithm for solving the problem. When the secret exponent d is less than N0.292, their method breaks the RSA scheme. Since the lattice used in the analysis is not full-rank, the analysis is not easy. Blömer and May proposed an alternative algorithm that uses a full-rank lattice, even though it gives a bound (d≤N0.290) that is worse than Boneh-Durfee. However, the proof for their bound is still complicated. Herrmann and May, however, have given an elementary proof for the Boneh-Durfee's bound: d≤N0.292. In this paper, we first give an elementary proof for achieving Blömer-May's bound: d≤N0.290. Our proof employs the unravelled linearization technique introduced by Herrmann and May and is rather simpler than that of Blömer-May's proof. We then provide a unified framework — which subsumes the two previous methods, the Herrmann-May and the Blömer-May methods, as a special case — for constructing a lattice that can be are used to solve the problem. In addition, we prove that Boneh-Durfee's bound: d≤N0.292 is still optimal in our unified framework.