4

Assume that there is a smartcard or other hardware token that exposes the raw RSA private key operation (modular exponentiation, with or without CRT parameters). Is there any possibility that raw RSA leaks information about the private key that would not otherwise become available?

Please clearly distinguish between attacks on the algorithm itself and side channel attacks. This question is not about the security of unpadded RSA signatures themselves.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • I'm presuming that the RSA problem would disallow any information being leaked by the algorithm itself but presumptions are dangerous... – Maarten Bodewes Mar 24 '16 at 09:59
  • what do you mean by the "raw RSA private key operation"? – gusto2 Mar 24 '16 at 12:39
  • @GabrielVince Modular exponentiation or a CRT parameter. Everything except the padding basically. Edited question to make this clear, thanks. – Maarten Bodewes Mar 24 '16 at 12:41
  • Even in modern smart cards there are operations working with the private key (signing, decrypting, ..). Now disregarding obvious side-channel attacks (power consumption, failure state, ..) which modern cards should mitigate - exposing some direct private key operations could open options to other attacks, like using arbitrary / invalid group lengths, encrypt and sign with the same key, ... – gusto2 Mar 24 '16 at 13:04
  • Ok, so I am after those. I assume you meant decrypt and sign of course. Being able to sign and decrypt is not an attack in itself though. Note that I asked mainly about protection of the private key as using the private key for any other function at the time it is exposed is obviously possible. – Maarten Bodewes Mar 24 '16 at 13:06
  • I meant encrypt and sign - see http://crypto.stackexchange.com/questions/12090/using-the-same-rsa-keypair-to-sign-and-encrypt . – gusto2 Mar 24 '16 at 13:12
  • Here you may have an answer http://crypto.stackexchange.com/questions/1890/exposing-rsa-private-key-data-bad – gusto2 Mar 24 '16 at 13:13
  • 1
    As far as I know blind RSA signatures are secure (e.g. for untraceable money) and they expose the raw private key operation. – CodesInChaos Mar 24 '16 at 13:15

1 Answers1

2

As far as we know, no: from a mathematical standpoint, exposure of the raw RSA private key operation does not leak the private key, or anything allowing to perform the raw RSA private key operation (such as another private key, or a factorization of the public modulus). We have no proof; but this has been well studied, and any advance in that direction would make the headlines.

Things can be very different in practice, where you have to consider side channel and fault injection attacks. There are so many such attacks around, and they depend so much on the implementation (hardware, CRT or full modulus, Montgomery or straight arithmetic, blinding(s), randomized exponent scanning, other countermeasures..) that I pass on that part of the question.

fgrieu
  • 140,762
  • 12
  • 307
  • 587