New partial key exposure attacks on RSA with additive exponent blinding

Partial key exposure attacks present a significant threat to RSA-type cryptosystems. These attacks factorize the RSA modulus by utilizing partial knowledge of the decryption exponent, which is typically revealed by side-channel attacks, cold boot attacks, etc. In practice, the RSA implementations typically employ countermeasures to resist physical attacks, such as additive exponent blinding \(d' = d + r \varphi (N)\) with unknown random blinding factor r. Although there are a couple of partial key exposure attacks on blinding RSA, these attacks require a considerable amount of leakage and fail to work when e is up to full size. In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of \(d'\) are revealed. For the case where e is small, we first recover partial information of p by solving the quadratic congruence equation, and then find the small roots of the integer equation to recover entire private key. Our method relaxes the attack requirements, for instance, we reduce the amount of MSBs for a successful attack from 75 to 25% when \(e \approx N^{0.25}\) and \(r\approx N^{0}\). Furthermore, we propose new attacks using the unique algebraic relationship in blinding RSA, which extend the attack to the case where e is of full size.