New partial key exposure attacks on RSA with additive exponent blinding

Partial key exposure attacks present a significant threat to RSA-type cryptosystems. These attacks factorize the RSA modulus by utilizing partial knowledge of the decryption exponent, which is typically revealed by side-channel attacks, cold boot attacks, etc. In practice, RSA implementations typically employ countermeasures to resist physical attacks, such as additive exponent blinding $d' = d + r\phi(N)$ with an unknown random blinding factor $r$. Although there are a couple of partial key exposure attacks on blinding RSA, these attacks require a considerable amount of leakage and fail to work when $e$ is up to full size. In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of $d'$ are revealed. For the case where $e$ is small, we first recover partial information of $p$ by solving a quadratic congruence equation, and then find the small roots of an integer equation to recover the entire private key. Our method relaxes the attack requirements; for instance, we reduce the amount of MSBs required for a successful attack from 75% to 25% when $e \approx N^{0.25}$ and $r \approx N^{0}$. Furthermore, we propose new attacks using the unique algebraic relationship in blinding RSA, which extend the attack to the case where $e$ is of full size.


Introduction
RSA (Rivest-Shamir-Adleman) (Rivest et al. 1978) is a well-established public key cryptosystem widely employed in practical systems. Let $N = pq$ represent the RSA modulus, where $p$ and $q$ are prime numbers. The encryption and decryption exponents, denoted as $e$ and $d$ respectively, satisfy $ed \equiv 1 \bmod \phi(N)$, where $\phi(\cdot)$ represents Euler's totient function. In real-world cryptographic scenarios, confidential information may be exposed during device execution. For example, practical RSA implementations, often utilizing the Square-Multiply algorithm for exponentiation, may leak partial bits of $d$ through distinguishable operations, rendering them susceptible to side-channel attacks (Kocher 1996; Novak 2002).
In 1998, Boneh et al. (1998) introduced the flagship attack on RSA given either the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of $d$. Their approach is based on Coppersmith's method, which uses lattice-based algorithms to find small solutions to modular or integer equations (Coppersmith 1996) in polynomial time. Subsequent attacks (Aono 2009; Takayasu and Kunihiro 2014, 2019; Suzuki et al. 2020; Zhou et al. 2022) have adopted a lattice-based framework: formulate modular/integer equations whose roots reveal the private key, and then solve these equations using Coppersmith's method. These works have demonstrated the vulnerability of RSA to partial key exposure. This type of attack is commonly referred to as a partial key exposure attack.
Partial key exposure attacks typically focus on unprotected RSA implementations. However, practical RSA cryptosystems often adopt countermeasures to mitigate leakage-based attacks. Strategies like blinding are employed to minimize the correlation between exposed information and confidential data, thereby significantly increasing the difficulty of extracting partial bits of $d$. The adoption of blinding techniques is evident in open-source cryptographic libraries such as MbedTLS (2023), Libgcrypt (2021), and Botan (2023). Depending on the protection target, blinding countermeasures encompass message (base) blinding, modulus blinding, and exponent blinding.
In the case of RSA with exponent blinding, the decryption exponent $d$ is replaced by the blinded decryption exponent $d' = d + r\phi(N)$, where $r$ is an unknown random blinding factor. Partial key exposure attacks become challenging, as it is difficult to extract partial bits of $d$ through physical attacks. Notably, an appropriate $r$ can reduce the Hamming weight of $d'$ and enhance the efficiency of the Square-Multiply algorithm.
Presently, there are a couple of partial key exposure attacks on RSA with exponent blinding (Joye and Lepoint 2012; Cimato et al. 2015a, b). These attacks typically build upon established techniques for standard RSA (Boneh et al. 1998; Blömer and May 2003; Ernst et al. 2005). In 2012, Joye and Lepoint (2012) proposed partial key exposure attacks on blinding RSA with small $e$, formulating the MSBs attack as a trivial univariate modular equation for $re < N^{1/2}$, in line with the method of Boneh et al. (1998).
In summary, previous partial key exposure attacks on blinding RSA primarily address limited cases of $e$ and require a considerable amount of leakage. Two critical issues require attention: first, the feasibility of recovering the entire private key with less leakage; second, the possibility of mounting a partial key exposure attack on blinding RSA with full size $e$.
It is essential to note that, when $e$ is up to full size, a direct extension of attacks on standard RSA to blinding RSA is not feasible. Existing lattice-based partial key exposure attacks on RSA work only when $d < \phi(N)$. In the case of RSA with additive exponent blinding, where the blinded private exponent $d'$ is approximately $rN$ and thus larger than $\phi(N)$, it is of great significance to develop new methods.

Our contributions
In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the MSBs or LSBs of $d'$ are revealed, considering both the case where $e$ is small and the case where $e$ is of full size. Briefly, the results of our new attacks are shown in Table 1.
For the case where $e$ is small, our attacks reduce the amount of leakage by solving a quadratic congruence equation to recover a portion of $p$. And we extend the attack to the case where $e$ is of full size by utilizing the unique algebraic relationship $d' = d + r\phi(N)$ in blinding RSA. Specifically,

Table 1 Summary of results, previous work vs. this work (MSBs, small $e$, previous work: (a) Joye and Lepoint 2012; Cimato et al. 2015a, b)

• Given consecutive MSBs of $d'$:
– For blinding RSA with small $e$, we propose a new two-step attack that reduces the amount of leakage required for a successful attack. The first step recovers a sensitive parameter $k'$ from the MSBs of $d'$ through the equation $ed' = 1 + k'\phi(N)$. The second step uses the value of $k'$ to recover the entire private key by solving a quadratic congruence equation to get $p \bmod e$ and then finding small roots of a bivariate integer equation. Suppose $e$ is prime and approximately $N^{\alpha}$, $r \approx N^{\sigma}$, and the known part … The comparison between the theoretical bounds of our new attack and previous attacks is shown in Fig. 1, where the horizontal axis represents the size of $e$ and the vertical axis represents the proportion of leakage.
– For blinding RSA with full size $e$, we propose a new two-step attack that successfully recovers the entire private key, which was unachievable by previous attacks. We first recover the blinding factor $r$ and the MSBs of $p + q$ from the MSBs of $d'$ through the equation $d' = d + r\phi(N)$. Subsequently, we recover the entire private key by finding small roots of a bivariate integer equation. Suppose $d \approx N^{\beta}$, $r \approx N^{\sigma}$, and the known part $d'_{\mathrm{MSBs}} \approx N^{\delta}$, where $\sigma < 1/2$ and $\beta < \sigma + 1/4$; then we can factor $N$ if $\delta > \alpha + \sigma$.
• Given consecutive LSBs of $d'$:
– For blinding RSA with small $e$, we propose a new attack that reduces the amount of leakage required for a successful attack. We first recover the LSBs of $p$ by solving a quadratic congruence equation whose modulus is a power of 2, and then recover the entire private key by finding small roots of a bivariate integer equation. Suppose $e \approx N^{0}$, $r \approx N^{0}$, and the known part $d'$ …
… relationship $ed' = 1 + k'\phi(N)$. For blinding RSA with small $e$, we utilize an additional algebraic relationship $p^2 - p(p+q) + N \equiv 0$, which enhances our capability to recover the entire private key with less knowledge of $d'$. For blinding RSA with full size $e$, we exploit the unique algebraic relationship in blinding RSA, specifically $d' = d + r\phi(N)$. This exploitation allows us to recover the entire private key, which was unachievable before when $e$ is up to full size.

Related works
Since Boneh, Durfee, and Frankel's successful recovery of the entire private key using partial information on $d$ (Boneh et al. 1998), the partial key exposure attack has garnered considerable attention. Existing attacks on standard RSA primarily focus on specific scenarios related to the encryption/decryption exponents, broadly categorized into two classes: (1) RSA with a small encryption exponent $e$, where the decryption exponent $d$ is of full size (Boneh et al. 1998; Blömer and May 2003; Ernst et al. 2005). When given MSBs, most of the existing works calculate the approximate value of $k$ from the MSBs of $d$ through the relationship $k(N - p - q + 1) = ed - 1$. In particular, $k$ can be directly recovered when $e < N^{1/2}$; then secret information such as $d \bmod k$, $(p + q) \bmod e$, or the MSBs of $p + q$ can be calculated (Boneh et al. 1998). For a larger $e$, only the MSBs of $k$ can be recovered. A trivariate equation modulo $N$ (Blömer and May 2003) or a trivariate integer equation (Ernst et al. 2005) can be derived from the equation $ed = 1 + k\phi(N)$, and then lattice-based methods can be used to recover the private key. When given LSBs, a bivariate equation modulo $N$ or modulo $eM$ can be derived (Blömer and May 2003), where $M$ is a power of 2 representing the bound of the leaked bits. These attacks utilize elementary lattice-based methods and are applicable to $e < N$. The leakage amount is at least $N^{1/4}$ when $e < N^{1/2}$, and approaches $N$ as $e$ increases when $e \ge N^{1/2}$.
(2) RSA with a full size encryption exponent $e$, where the decryption exponent $d$ is small (Ernst et al. 2005; Aono 2009; Takayasu and Kunihiro 2014, 2019). Initial attacks, extending up to full size $e$, are carried out by solving trivariate integer equations (Ernst et al. 2005). These attacks are applicable to $d < N$ for MSBs and $d < N^{0.875}$ for LSBs. When given MSBs, subsequent works (Takayasu and Kunihiro 2014, 2019) show that the problem is equivalent to solving a bivariate equation modulo $e$, and reduce the amount of MSBs for $d \le N^{0.5625}$ by employing techniques such as unraveled linearization. When given LSBs, existing methods (Aono 2009; Takayasu and Kunihiro 2014, 2019) construct lattices using bivariate equations modulo $e$ and modulo $eM$, then reduce the amount of LSBs for $d \le N^{0.3681}$ through unraveled linearization. The required leakage amount for an attack approaches $N$ as $d$ increases.
In practical applications, the Chinese remainder theorem (CRT) is commonly utilized to accelerate the decryption process, employing the CRT-exponents $d_p \equiv d \bmod (p - 1)$ and $d_q \equiv d \bmod (q - 1)$. CRT-RSA integrates additive exponent blinding through $d'_p = d_p + r_p(p - 1)$ and $d'_q = d_q + r_q(q - 1)$, where $r_p$ and $r_q$ are blinding factors. Currently, several works have investigated the security of CRT-RSA with additive exponent blinding when given MSBs/LSBs of the blinded CRT-exponents (Cimato et al. 2015a, b; Zhou et al. 2022). For single MSBs/LSBs attacks where some bits of $d'_p$ are known, Cimato et al. (2015a, b) … These attacks are applicable to $e < N^{1/4}$.

Paper organization
The subsequent sections of this paper are organized as follows: "Preliminary" Section introduces the notations, followed by a recapitulation of the procedures for finding small roots of modular/integer equations using Coppersmith's method, and the procedures for solving a quadratic congruence equation. "Partial information on MSB of d′" and "Partial information on LSB of d′" Sections present our new partial key exposure attacks for the scenarios with known MSBs and LSBs. In "Practical experiments" Section, we provide experimental results obtained with our new methods. At last, we conclude our work in "Conclusion" Section.

Preliminary
In this section, we present the principal notations used throughout this paper, which are detailed in Table 2. We also recapitulate the process for finding small roots of a modular/integer equation using Coppersmith's method. Additionally, we recap how to find all roots of a quadratic congruence equation.

Lattice
A lattice can be viewed as a set of discrete points with periodic structure in the $n$-dimensional Euclidean space $\mathbb{R}^n$. Consider a positive integer $m$ such that $m \le n$, and let $b_1, \dots, b_m$ be linearly independent vectors in $\mathbb{R}^n$. The lattice … The dimension and rank of $L$ are denoted by $\dim(L)$ and $\mathrm{rank}(L)$, respectively. Throughout this paper, the lattice is assumed to be full-rank unless otherwise specified, i.e., $m = n$.
Let the basis vectors $b_1, \dots, b_m$ be row vectors; then the lattice $L$ can be represented by the matrix … The determinant of $L$ is defined as the volume of the fundamental parallelepiped … The Shortest Vector Problem (SVP) is a fundamental computational problem on lattices. In 1982, Lenstra et al. (1982) introduced an approximation algorithm for SVP, commonly known as the LLL algorithm. This algorithm finds short vectors in polynomial time, where the norm of the short vectors output by the LLL algorithm satisfies Lemma 1. The LLL algorithm has diverse applications in computer science, including finding small roots of modular/integer equations.
Lemma 1 (Lenstra et al. 1982) Let $L$ be an $n$-dimensional integer lattice. The LLL algorithm outputs reduced basis vectors $v_i$, $i = 1, 2, \dots, l$, in polynomial time. For $l \le n$, the basis vectors satisfy …

Finding small roots of a bivariate modular equation
In this section, we consider the problem of finding small roots of a given bivariate linear modular equation in restricted polynomial time. Let $N$ be a large positive integer with unknown factorization, and let $p$ be a factor of $N$ such that $p > N^{\gamma_p}$, where $0 < \gamma_p \le 1$. We are given a polynomial $f(x, y) = a_x x + a_y y + a_0$ with $a_0, a_x, a_y \in \mathbb{Z}$. The objective is to find all small integer solutions $(x_0, y_0)$ of the equation $f(x, y) \equiv 0 \bmod p$, where $|x_0| < X$ and $|y_0| < Y$. We aim to maximize the upper bounds $X$ and $Y$ while ensuring polynomial running time in the input size $\log N$.
In 1996, Coppersmith introduced a lattice-based method for finding small roots of univariate modular equations (Coppersmith 1996). Subsequent works, including those by Jochemsz and May (2006) and Herrmann and May (2008), extended this method to more variables, albeit heuristically. Herrmann and May (2008) developed a general technique applicable to linear modular equations with any number of variables. Theoretically, small roots can be found in polynomial time if $XY < N^{3\gamma_p - 2 + 2(1-\gamma_p)^{3/2}}$ under a heuristic assumption, as shown in Lemma 2.
Assumption 1 The polynomials derived from lattice basis reduction algorithms, such as the LLL algorithm, are algebraically independent.
Lemma 2 (Herrmann and May 2008) Let $N$ be a large integer (of unknown factorization) with a divisor $p \ge N^{\gamma_p}$. Let $f(x, y) \in \mathbb{Z}[x, y]$ be a bivariate linear polynomial. Under Assumption 1, we can find all solutions $(x_0, y_0)$ of the equation $f(x, y) \equiv 0 \bmod p$ with $|x_0| \le N^{\gamma_x}$ and $|y_0| \le N^{\gamma_y}$ if … The algorithm's time and space complexity is polynomial in $\log N$.
Coppersmith's method essentially reduces solving modular equations to solving equation systems over the integers. One constructs a set of equations $g_i(x, y) \equiv 0 \bmod p^m$, $i = 1, 2, \dots, n$, that share all the small roots under the larger modulus, and then converts the $g_i$ into integer equations $h_i$ with $h_i(x_0, y_0) \equiv 0 \bmod p^m$ and $\|h_i(x_0, y_0)\| < p^m$, thereby removing the modulus. Specifically,
Step 1 For a fixed integer $m \ge \lceil 3\gamma_p (1 + \sqrt{1 - \gamma_p})/\varepsilon \rceil$ and $t = \lfloor (1 - \sqrt{1 - \gamma_p})\, m \rfloor$, construct the shift polynomials $g_{[i,j]}(x, y) = y^j f^i(x, y) N^{\max\{t - i, 0\}}$ for $i = 0, \dots, m$; $j = 0, \dots, m - i$, where we suppose $X > Y$ without loss of generality.
Step 2 Construct the lattice $L$ whose basis vectors are the coefficient vectors of $g_{[i,j]}(xX, yY)$.
Step 3 Apply the LLL algorithm and obtain the reduced basis vectors $v_1$ and $v_2$. Construct the polynomials $h_1(x, y)$ and $h_2(x, y)$ such that the coefficient vector of $h_j(xX, yY)$ is $v_j$ for $j = 1, 2$.
Step 4 Find all roots of $h_1(x, y)$ and $h_2(x, y)$ using algebraic methods, such as the resultant method or Gröbner bases. Verify all roots using $\gcd(f(x_0, y_0), N) \ge N^{\gamma_p}$ to obtain the solutions.
In fact, each polynomial $h_j$ obtained as a linear combination of the $g_{[i,j]}$ satisfies $h_j(x_0, y_0) \equiv 0 \bmod p^m$. If the roots and the coefficients of $h_j$ are suitably small, the equation $h_j(x_0, y_0) = 0$ holds over the integers, as detailed in Lemma 3. Here, the norm $\|f(x_1, \dots, x_k)\| := \sqrt{\sum_i a_i^2}$ is the Euclidean norm of the coefficient vector. The norm of $h_j(xX, yY)$ is exactly $\|v_j\|$, and its upper bound is provided by Lemma 1. Based on the above conditions, the result of Lemma 2 can be derived by neglecting terms of lower asymptotic order.
Lemma 3 (Howgrave-Graham 1997) Let $h(x_1, \dots, x_k) \in \mathbb{Z}[x_1, \dots, x_k]$ be an integer polynomial with at most $\omega$ monomials. Let $b, m, X_1, \dots, X_k$ be positive integers. Suppose that … Then $h(r_1, \dots, r_k) = 0$ holds over the integers.
It is evident that at least $k$ independent integer equations are needed to solve a $k$-variate equation. However, there is no guarantee that the new polynomials generated by the LLL algorithm are algebraically independent. In most cases where $k > 1$, Coppersmith's method is a heuristic approach (Herrmann and May 2008; Suzuki et al. 2020; Ernst et al. 2005; Takayasu and Kunihiro 2014, 2019). The validity of this assumption requires experimental confirmation.

Table 2 Notations
Parameter   Bound     Description
$N$                   $N = pq$ represents the RSA modulus, where $p$ and $q$ are prime numbers
$p, q$      $1/2$     $p$ and $q$ are prime numbers, and $p \approx N^{1/2}$, $q \approx N^{1/2}$
$e$         $\alpha$  $e$ represents the encryption exponent, and $e \approx N^{\alpha}$

Finding small roots of a bivariate integer equation
In this section, we consider the problem of finding small roots of a given bivariate integer equation in restricted polynomial time. Specifically, let $f(x, y) = a + bx + cy + dxy$ be an irreducible polynomial. The objective is to find all small integer solutions $(x_0, y_0)$ of the equation $f(x, y) = 0$, where $|x_0| \le X$ and $|y_0| \le Y$.
Coppersmith introduced a lattice-based method for finding small roots of bivariate integer equations (Coppersmith 1996), and subsequent works (Jochemsz and May 2006; Coron 2004) improved the lattice construction and extended the method to more variables. For the case of two variables, this method is rigorous, as shown in Lemma 4.
Lemma 4 (Coppersmith 1996; Coron 2004; Jochemsz and May 2006) Let $f(x, y) \in \mathbb{Z}[x, y]$ be a bivariate polynomial of maximum degree $D$ in each variable separately, whose coefficients are relatively prime as a set. Let $W = \|f(xX, yY)\|_\infty$, where $\|f(x, y)\|_\infty$ denotes the infinity norm of $f(x, y)$. We can find all solutions $(x_0, y_0)$ of the equation $f(x, y) = 0$ with $|x_0| \le X$ and $|y_0| \le Y$ if … The algorithm's time and space complexity is polynomial in $(\log W, 2^D)$.
For the bivariate case, this method essentially reduces solving bivariate integer equations to solving equation systems. One chooses an appropriate integer $R$ and constructs a set of equations $g_i(x, y) \equiv 0 \bmod R$, $i = 1, 2, \dots, n$, that contain all the small roots under the larger modulus. By linearly combining the $g_i$, one expects to obtain a new integer equation $h(x, y)$ that is independent of $f(x, y)$; at the same time, the norm of $h(xX, yY)$ needs to be small enough. One obtains $h$ by the LLL algorithm, as in the previous subsection. Let $W = \|f(xX, yY)\|_\infty$ as above. The enabling conditions are: (1) $h(x_0, y_0) = 0$ holds over the integers; from Lemma 3, … (2) $h(x, y)$ is independent of $f(x, y)$; since $f$ is an irreducible polynomial, it is required that $h$ is not a multiple of $f$. From Lemma 5, … where $h(x, y)$ is divisible by the integer $c$.
Lemma 5 (Coron 2004) Let $f(x, y), h(x, y) \in \mathbb{Z}[x, y]$ be two non-zero integer polynomials of maximum degree $D$ separately in $x$ and $y$, with $f(0, 0) \neq 0$. Assume that $h$ is a multiple of $f$ in $\mathbb{Z}[x, y]$, that $h$ is divisible by an integer $c \neq 0$, and that $\gcd(c, f(0, 0)) …$
One can use the Jochemsz-May strategy (Jochemsz and May 2006) to construct a full-rank lattice. Specifically, for a fixed integer $m$, define $R = W(XY)^{m-1}$. Then let $f' = f^{-1}(0, 0) \cdot f \bmod R$, which yields a polynomial with constant term 1 and roots $(x_0, y_0) \bmod R$. Define the shift polynomials … where $S$ and $M$ are the sets of monomials of $f^{m-1}$ and $f^{m}$, respectively. We have $g(x_0, y_0) \equiv g'(x_0, y_0) \equiv 0 \bmod R$, and both $g$ and $g'$ are divisible by $(XY)^{m-1}$. Then one can follow Steps 2-4 in the "Finding small roots of a bivariate modular equation" Section to find the roots.

Finding roots of a quadratic congruence equation
In this section, we recap how to find the roots of a quadratic congruence equation. Let … be an integer polynomial, where the integer $m = p_1^{i_1} \cdots p_t^{i_t}$ and $p_1, \dots, p_t$ are $t$ distinct prime numbers. Briefly, the steps to solve the general congruence equation $f(x) \equiv 0 \bmod m$ are: (1) for all $j \in [1, t]$, solve the congruence equation $f(x) \equiv 0 \bmod p_j$; (2) find the solutions modulo the prime powers $p_j^2, \dots, p_j^{i_j}$, which can be achieved by solving linear congruence equations once the solutions modulo $p_j$ are known; (3) from the solutions of all equations $f(x) \equiv 0 \bmod p_j^{i_j}$, $1 \le j \le t$, apply the Chinese remainder theorem to obtain the solutions modulo $m$.
Hence, this section focuses on equations modulo prime numbers.
The quadratic congruence equation is represented as $a_2 x^2 + a_1 x + a_0 \equiv 0 \bmod p$. If $\gcd(a_2, p) = 1$, the quadratic congruence can be reduced to the standard form $x^2 \equiv a \bmod p$, where $a \in \mathbb{Z}_p^{*}$. One method for finding a square root $x_0$ is to choose a quadratic non-residue $b \in \mathbb{Z}_p^{*}$ and compute the discrete logarithm $\omega$ of $a^{p_o}$ to the base $b^{p_o}$, that is, $b^{p_o \omega} = a^{p_o}$, where $p - 1 = 2^c p_o$ and $p_o$ is odd. The square root $x_0$ is then obtained as $x_0 = b^{p_o \omega/2} a^{-(p_o - 1)/2}$. The total runtime of this procedure is $O(\log^3 p + c \log c \log^2 p)$ (Shoup 2005). One can also use the Cipolla algorithm with complexity $O(\log p)$. Notably, finding square roots modulo $m$ is at least as hard as factoring $m$. If the factorization of $m$ is unknown, it is hard to find square roots modulo $m$.
If the modulus is $2^{\gamma}$, there may be multiple solutions. Denoting by $t_x$ the largest integer such that $2^{t_x} \mid x$, Steinfeld and Zheng (2001) completely characterize the solutions.
Lemma 6 (Steinfeld and Zheng 2001; Hinek 2009) Let $N = pq$ be an $n$-bit integer, where $p$ and $q$ are primes. Let $S_l$ be the set of solutions of the quadratic equation …, where the integer $0 \le l < n/4$. Denote $\Delta = n/4 - 2(t_{p-q} - 1)$; then the size of $S_l$ is …, where $\omega = 1, 0, -1$ for $l \le \Delta - 3$, $l = \Delta - 2$, $l = \Delta - 1$, respectively. Further, all of the solutions have the form …, where $R$ is any integer.

Partial information on MSB of d′
In this section, we propose new partial key exposure attacks on RSA with additive exponent blinding, specifically focusing on scenarios where the MSBs of $d'$ are available. This partial information may be acquired through side-channel attacks or other means. Our contributions are demonstrated in Theorem 1 for small $e$ and Theorem 2 for full size $e$.
Theorem 1 (MSBs with small $e$) Let $N = pq$ be a large integer, where $p$ and $q$ are primes of the same bit-size. Let $e$ and $d$ satisfy $ed \equiv 1 \bmod \phi(N)$, and …, where $\sigma < 1/2$ and $\beta < \sigma + 1/4$. Given the public key $(N, e)$ and partial information $(d'_{\mathrm{MSBs}}, M)$, $N$ can be factored in polynomial time if …

Attacks on blinding RSA with small e
For the MSB case where $e$ is small, we present two methods for factoring $N$. The first method corresponds to Theorem 1. The second method, based on an alternative approach, yields a bound equivalent to the result of Joye and Lepoint (2012). Both methods involve two steps, and they share a common first step.
Specifically, the first step uses the known MSBs of $d'$ to recover $k'$ through the relationship $k'(N - p - q + 1) = ed' - 1$ (1). The second step uses the value of $k'$ to recover the entire private key by (I) solving a quadratic congruence equation and a bivariate integer equation, or (II) solving a bivariate linear integer equation. We first give the proof of Theorem 1, which corresponds to Method I.
One can recover $k'$ when $\alpha$ and $\sigma$ are suitably small. Define $k'_1 = \lfloor e\, d'_{\mathrm{MSBs}} M / N \rfloor$, which serves as an approximate value of $k'$ …

we have …
Then for $\alpha + \sigma < 1/2$ and $\delta > \alpha + \sigma$ as stated in Theorem 1, we have …
Step 2-(I): Recover $p$ by solving a quadratic congruence equation and a bivariate integer equation.
Denote $s = p + q$; we can compute $s_e = (p + q) \bmod e = (N + 1 + k'^{-1}) \bmod e$ from Equation (1) as long as $k'$ is known. Then $p \bmod e$ can be recovered by solving a quadratic congruence equation, similar to the method of Boneh et al. (1998). Specifically, we can formulate the equation … where $z_0 = p \bmod e$ or $z_0 = q \bmod e$; we assume $z_0 = p \bmod e$ without loss of generality. The roots can be found in probabilistic polynomial time since $e$ is prime, as stated in Theorem 1. Notice that the method for finding square roots runs in polynomial time when $e$ is prime or the factorization of $e$ is known.
Denote $p_e = z_0$ and $q_e = N/p_e \bmod e$; then we can construct the integer equation … with the small solutions … It is crucial to divide by $e$ to obtain the irreducible polynomial $f(x, y) = F(x, y)/e$. Then $W = \|f(xX, yY)\|_\infty = eXY$. We can find the roots $(x_0, y_0)$ satisfying $f(x_0, y_0) = 0$ by applying Lemma 4 when $XY < W^{2/3}$, that is, $\alpha > 1/4$ as stated in Theorem 1.
Once $x_0$ is found, $N$ can be factored by calculating $p = ex_0 + p_e$. Thus far, the proof of Theorem 1 is complete.
In fact, Method I does not require $e$ to be prime. For a composite $e$, the factorization of $e$ must be provided to solve the quadratic congruence equation. Suppose $e$ has $t$ distinct prime factors; then there exist $2^t$ solutions to the quadratic equation $x^2 - sx + N \equiv 0 \bmod e$, and each solution must be tried to recover $p \bmod e$.
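As an added worked example (not the paper's code), the following Python script carries out Step 1 and the quadratic-congruence half of Step 2-(I) on a constructed toy key. The 31-bit primes, $e = 65537$, $r = 53$ and the choice to withhold the low 28 bits of $d'$ are all assumptions made for illustration, and the lattice step of Lemma 4 is not implemented: the script only builds the integer equation $f(x, y) = F(x, y)/e$ that Lemma 4 would receive and checks it against the true root. The point for an implementer is that additive blinding alone does not hide $k'$ once the top bits of $d'$ leak: $\lfloor e\, d'_{\mathrm{MSBs}} M / N \rfloor$ is never more than one below $k'$.

```python
"""Added worked example (not the paper's own code): Step 1 (recover k') and
the quadratic-congruence half of Step 2-(I) of the MSB attack with small
prime e, run on a constructed toy key.  The lattice step (Lemma 4) is not
implemented; only the equation it would be fed is built and checked."""

# Constructed toy key: 31-bit primes of the same bit-size, a small prime e
# and a small blinding factor r.  All values are chosen for illustration.
P_TOY, Q_TOY = 2147483647, 2147483629
E_TOY, R_TOY = 65537, 53
M_TOY = 1 << 28            # the low 28 bits of d' are treated as unknown


def toy_key():
    """Return (N, phi, d, d') with additive blinding d' = d + r*phi(N)."""
    N = P_TOY * Q_TOY
    phi = (P_TOY - 1) * (Q_TOY - 1)
    d = pow(E_TOY, -1, phi)
    return N, phi, d, d + R_TOY * phi


def tonelli_shanks(a, p):
    """Square root of a modulo the odd prime p (None if a is a non-residue).
    This is the usual form of the 'discrete logarithm to a non-residue base'
    method recapped in the paper: write p - 1 = 2^c * p_o with p_o odd."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    c, p_o = 0, p - 1
    while p_o % 2 == 0:
        c, p_o = c + 1, p_o // 2
    b = 2                                  # find a quadratic non-residue b
    while pow(b, (p - 1) // 2, p) != p - 1:
        b += 1
    z = pow(b, p_o, p)                     # element of order 2^c
    x = pow(a, (p_o + 1) // 2, p)
    t = pow(a, p_o, p)
    m = c
    while t != 1:
        i, tt = 0, t                       # least i with t^(2^i) == 1
        while tt != 1:
            tt, i = tt * tt % p, i + 1
        bb = pow(z, 1 << (m - i - 1), p)
        x, z = x * bb % p, bb * bb % p
        t, m = t * z % p, i
    return x


def kprime_candidates(N, e, d_msbs, M):
    """Step 1: k'_1 = floor(e * d'_MSBs * M / N) never exceeds k' and lies
    less than 2e(r+1)/sqrt(N) below it, so k' is k'_1 or k'_1 + 1 when
    alpha + sigma < 1/2 and delta > alpha + sigma."""
    k1 = e * d_msbs * M // N
    return [k1, k1 + 1]


def p_mod_e_candidates(N, e, kprime):
    """Step 2-(I), first half.  From e d' = 1 + k'(N + 1 - s), s = p + q:
    s = N + 1 + k'^{-1} (mod e), and p mod e, q mod e are the two roots of
    z^2 - s z + N = (z - p)(z - q) = 0 (mod e)."""
    if kprime % e == 0:
        return []
    s_e = (N + 1 + pow(kprime, -1, e)) % e
    root = tonelli_shanks((s_e * s_e - 4 * N) % e, e)
    if root is None:
        return []                          # a wrong k' may yield no roots
    inv2 = pow(2, -1, e)
    return sorted({(s_e + root) * inv2 % e, (s_e - root) * inv2 % e})


def blinded_integer_equation(N, e, p_e):
    """Step 2-(I), second half.  With p = e x + p_e and q = e y + q_e the
    relation (e x + p_e)(e y + q_e) = N, divided by e, gives the irreducible
    f(x, y) = (p_e q_e - N)/e + q_e x + p_e y + e x y with root
    (x0, y0) = ((p - p_e)/e, (q - q_e)/e).  Returns (a, b, c, d) for
    f = a + b x + c y + d x y, the shape Lemma 4 takes as input."""
    q_e = N * pow(p_e, -1, e) % e
    return ((p_e * q_e - N) // e, q_e, p_e, e)


def eval_f(coeffs, x, y):
    a, b, c, d = coeffs
    return a + b * x + c * y + d * x * y


if __name__ == "__main__":
    N, phi, d, d_blind = toy_key()
    k_true = (E_TOY * d_blind - 1) // phi
    print("k' candidates:", kprime_candidates(N, E_TOY, d_blind // M_TOY, M_TOY), "true:", k_true)
    print("p, q mod e:", p_mod_e_candidates(N, E_TOY, k_true), "true:", P_TOY % E_TOY, Q_TOY % E_TOY)
```

A wrong $k'$ candidate is not detected at this stage; as in the paper, it is eliminated only when the integer equation built from it has no small root. The same code handles a composite $e$ of known factorization by running the square-root step modulo each prime factor and combining the results by CRT, which is Corollary 1's $2^t$ candidates.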

Corollary 1 Let the parameters be the same as in Theorem 1, and let $e$ have $t$ distinct prime factors. Given the public key $(N, e)$, the factorization of $e$, and partial information $(d'_{\mathrm{MSBs}}, M)$, $N$ can be factored if … The time and space complexity of the algorithm is polynomial in $(\log N, 2^t)$.
Alternatively, we can recover the private key by solving a linear integer equation and then factor $N$, corresponding to Method II. The result of this method is presented in Proposition 3, which aligns with the result obtained by Joye and Lepoint (2012). Although Method II does not reduce the amount of leakage, it introduces a novel approach for the partial key exposure attack.
Proposition 3 Let the parameters be the same as in Theorem 1. Given the public key $(N, e)$ and partial information $(d'_{\mathrm{MSBs}}, M)$, $N$ can be factored in polynomial time if $\delta > 1 - \alpha$ and $\sigma + \alpha < 1/2$.
Step 2-(II): Recover $p$ by solving a bivariate linear integer equation.
Denote $s = p + q$; we can calculate an approximate value $\tilde{s}$ of $s$ as …, where $\tilde{s} > s$ and $k'$ has been recovered in Step 1. Let $s_0 = \tilde{s} - s$; then we have … Notice that $p$ and $q$ are primes of the same bit-size, implying $p + q < 4N^{1/2}$, so the MSBs of $p + q$ can be recovered only when $\delta > 1/2$. Substituting $p + q = s = \tilde{s} - s_0$ into Equation (1), we get the equation … and then derive an integer equation … with the small solutions … Then we have $W = \|f(xX, yY)\|_\infty = N^{\alpha + \sigma + 1 - \delta}$. Using Lemma 7, we can find the small roots of $f(x, y)$ if … The proof of Lemma 7 can be found in the Appendix.
Lemma 7 Let $f(x, y) \in \mathbb{Z}[x, y]$ be a linear polynomial. We can find all solutions $(x_0, y_0)$ of the bivariate integer equation …
Suppose $p > q$ without loss of generality; we can factor $N$ by calculating …, where $s = \tilde{s} + y_0 + 1$. Thus, the proof of Proposition 3 is complete.

Attacks on blinding RSA with full size e
For the MSB case where $e$ is up to full size, we focus on the algebraic relationship $d' = d + r\phi(N)$ and present three methods to recover the private key, with Method I corresponding to Theorem 2. The results of Method II and Method III are covered by Method I. Our new methods involve two steps, and they share the same first step.
Specifically, the first step uses the known MSBs of $d'$ to recover the blinding factor $r$, and the second step uses the value of $r$ to recover the entire private key by (I) solving a bivariate integer equation, (II) solving a linear integer equation, or (III) solving a trivial univariate modular equation. We first present the proof of Theorem 2, which corresponds to Method I.

Proof of Theorem 2
The proof mainly consists of two steps.
Step 2-(I): Recover $p$ by solving a bivariate integer equation.
Denote $s = p + q$; we can calculate an approximate value $\tilde{s}$ of $s$ as …, where the value of $r$ has been recovered in Step 1, and … Notably, $p$ and $q$ are primes of the same bit-size, implying $p + q < 4N^{1/2}$. The MSBs of $p + q$ can be recovered only when $\max\{1 - \delta, \beta - \sigma\} < 1/2$. Then we calculate an approximate value $\tilde{p}$ of $p$ as …, where $\tilde{p} > p$ holds if $\tilde{s} > s$. Denoting $p_0 = \tilde{p} - p$, we have …, where we use $|p - q| > \frac{1}{4} N^{1/2}$ as stated in Theorem 2. We can also compute an approximate value of $q$ as $\tilde{q} = \lfloor N/\tilde{p} \rfloor$, where $\tilde{q} < q$ holds if $\tilde{p} > p$. Denoting $q = \tilde{q} + q_0$, we have … Then we can derive an integer equation … with the small solutions … We can find $(x_0, y_0)$ by applying Lemma 4 when $XY < W^{2/3}$, that is, $\delta > 3/4$ and $\beta < \sigma + 1/4$ as stated in Theorem 2. We can factor $N$ by calculating $p = \tilde{p} + x_0$. Thus far, the proof of Theorem 2 is complete.
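As an added worked example (not the paper's code), the following Python script runs Step 1 (recover $r$) and the approximation half of Step 2-(I) for full-size $e$ on a constructed toy key. The 31-bit primes with $|p - q| > N^{1/2}/4$, the small $d$, $r = 1000$ and the withheld low 16 bits of $d'$ are assumptions made for illustration; $e = d^{-1} \bmod \phi(N)$ is then of full size. As in the small-$e$ example, the lattice step of Lemma 4 is not implemented; the script builds the equation $f(x, y) = (\tilde{p} + x)(\tilde{q} + y) - N$ that Lemma 4 would receive and checks that its root $(p - \tilde{p}, q - \tilde{q})$ is as small as the proof predicts.

```python
"""Added worked example (not the paper's own code): Step 1 (recover r) and
the approximation half of Step 2-(I) of the MSB attack with full-size e, on
a constructed toy key with a small d.  The lattice step (Lemma 4) is not
implemented; the bivariate equation it would be fed is built and checked."""
from math import isqrt

# Constructed toy key: 31-bit primes with |p - q| > sqrt(N)/4, a small d,
# the full-size e = d^{-1} mod phi(N), and a blinding factor r.
P_TOY, Q_TOY = 2147483647, 1073741827
D_TOY, R_TOY = 1048583, 1000
M_TOY = 1 << 16            # the low 16 bits of d' are treated as unknown


def toy_key():
    """Return (N, phi, e, d') with d' = d + r*phi(N) and e of full size."""
    N = P_TOY * Q_TOY
    phi = (P_TOY - 1) * (Q_TOY - 1)
    e = pow(D_TOY, -1, phi)
    return N, phi, e, D_TOY + R_TOY * phi


def r_candidates(N, d_msbs, M):
    """Step 1: d' = d + r*phi(N) differs from r*N by r(p+q-1) - d, which is
    far below N, so floor(d'_MSBs * M / N) is r or r - 1 whenever
    sigma < min{delta, 1/2}."""
    r1 = d_msbs * M // N
    return [r1, r1 + 1]


def approximate_s_p_q(N, r, d_msbs, M):
    """Step 2-(I): d' = d + r(N + 1 - s) gives s = p + q = N + 1 - (d' - d)/r.
    Dropping the unknown d and the unknown low bits of d' yields s~ with
    s - s~ about (d - d'_LSBs)/r, i.e. of size N^{max(beta-sigma, 1-delta)}.
    p~ is the larger root of z^2 - s~ z + N and q~ = floor(N / p~); both are
    off by a small multiple of s - s~ because |p - q| > sqrt(N)/4.
    Returns None when a wrong r makes the discriminant negative."""
    s_approx = N + 1 - d_msbs * M // r
    disc = s_approx * s_approx - 4 * N
    if disc < 0:
        return None
    p_approx = (s_approx + isqrt(disc)) // 2
    return s_approx, p_approx, N // p_approx


def integer_equation(N, p_approx, q_approx):
    """f(x, y) = (p~ + x)(q~ + y) - N with root (p - p~, q - q~), returned as
    (a, b, c, d) with f = a + b x + c y + d x y, the input shape of Lemma 4."""
    return (p_approx * q_approx - N, q_approx, p_approx, 1)


def eval_f(coeffs, x, y):
    a, b, c, d = coeffs
    return a + b * x + c * y + d * x * y


if __name__ == "__main__":
    N, phi, e, d_blind = toy_key()
    print("r candidates:", r_candidates(N, d_blind // M_TOY, M_TOY), "true:", R_TOY)
    s_approx, p_approx, q_approx = approximate_s_p_q(N, R_TOY, d_blind // M_TOY, M_TOY)
    print("p - p~ =", P_TOY - p_approx, " q - q~ =", Q_TOY - q_approx)
```

With $X \approx Y \approx N^{\max\{1 - \delta,\, \beta - \sigma\}}$ and $W = \|f(xX, yY)\|_\infty \approx N^{1/2} X$, the condition $XY < W^{2/3}$ of Lemma 4 becomes $X < N^{1/4}$, which is exactly the pair of conditions $\delta > 3/4$ and $\beta < \sigma + 1/4$ in Theorem 2. On the toy key $s - \tilde{s}$ lies between 983 and 1048 and $p - \tilde{p}$ is about twice that, far below $N^{1/4} \approx 2^{15.5}$.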
We can also recover the private key by solving a linear integer equation or a trivial univariate modular equation, corresponding to Method II and Method III, respectively. The results of these two methods are identical, as demonstrated in Proposition 4. It should be noted that the result of Method I is superior to those of Method II and Method III.
Proposition 4 Let the parameters be the same as in Theorem 2. Given the public key $(N, e)$ and partial information $(d'_{\mathrm{MSBs}}, M)$, $N$ can be factored in polynomial time if $\delta > 1$ and $\beta < \sigma < 1/2$.

Proof of Proposition 4
The blinding factor $r$ can be recovered in Step 1 when $\sigma < \min\{\delta, 1/2\}$, as stated in Proposition 4. Now our proof starts from Step 2.
Step 2-(II): Recover $p$ by solving a bivariate linear integer equation.
Define $s = p + q = \tilde{s} - s_0$ as in Step 2-(I), where … and then derive an integer equation …

Partial information on LSB of d′
… where $n = \lceil \log N \rceil$, and $z_0 = p \bmod 2^{n/4 - t_{k'}}$ (or $z_0 = q \bmod 2^{n/4 - t_{k'}}$) is one of the solutions.
According to Lemma 6, the number of solutions to Equation (2) depends on $l = t_{k'}$ and $t_{p-q}$. For $e, r \approx O(N^0)$ as stated in Theorem 5, $t_{k'} \le \log_2 k' \le \log_2 er + 1$ is a small integer. On the other hand, $t_{p-q}$ is the number of LSBs that $p$ and $q$ have in common. Assuming that $p$ and $q$ are randomly selected, $\Pr[t_{p-q} \ge b] \le 2^{1-b}$ (notice that $p \equiv q \equiv 1 \bmod 2$). Thus, $t_{k'} < \Delta = n/4 - 2(t_{p-q} - 1)$ with probability approximately $1 - 2^{1 - n/8}$. Given that in practice the typical bit length of the RSA modulus is $n = 512, 1024, 2048$, we have $\Pr[l < \Delta] \approx 1$.
For $l < \Delta$, Lemma 6 assures that there are at most $2^{t_{p-q} + 1}$ solutions to Equation (2). The expected value $E[t_{p-q}] \le 2$, and the distribution of $t_{p-q}$ for random primes $p$ and $q$ observed in experiments is illustrated in Fig. 2. We assume that there are at most $2^4$ solutions in practice when $t_{k'}$ is small; each solution is a candidate for $x_0 = p \bmod 2^{n/4 - t_{k'}}$.
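As an added worked example (not the paper's code), the following Python script enumerates the solutions of $z^2 - sz + N \equiv 0 \bmod 2^{\gamma}$ by lifting roots from modulus 2 up to $2^{\gamma}$, and compares their number with the $2^{t_{p-q}+1}$ bound of Lemma 6 that the paragraph above relies on. It assumes that $s = (p + q) \bmod 2^{\gamma}$ is already known (in the attack it comes from Equation (2)); the primes and $\gamma = 16$, standing in for $n/4 - t_{k'}$, are constructed for illustration.

```python
"""Added worked example (not the paper's own code): count the solutions of
z^2 - s z + N == 0 (mod 2^gamma) by lifting from modulus 2 up to 2^gamma and
compare with Lemma 6's bound 2^(t_{p-q}+1).  s = p + q mod 2^gamma is
assumed known (in the attack it comes from Equation (2)); gamma = 16 is a
constructed stand-in for n/4 - t_{k'}."""

# Constructed toy primes; p - q = 4 * (odd number), so t_{p-q} = 2.
P_TOY, Q_TOY = 2147483647, 1073741827
GAMMA_TOY = 16


def two_adic_valuation(x):
    """t_x: the largest t with 2^t | x (x != 0)."""
    return (x & -x).bit_length() - 1


def roots_mod_2power(s, N, gamma):
    """All z in [0, 2^gamma) with z^2 - s z + N == 0 (mod 2^gamma).
    A root modulo 2^k lifts to 0, 1 or 2 roots modulo 2^(k+1): the
    derivative 2z - s is even (s = p + q is even), so Hensel's unique
    lifting does not apply and both candidates r and r + 2^k are tested."""
    f = lambda z: z * z - s * z + N
    roots = [z for z in range(2) if f(z) % 2 == 0]
    for k in range(1, gamma):
        mod = 1 << (k + 1)
        roots = [c for r in roots for c in (r, r + (1 << k)) if f(c) % mod == 0]
    return sorted(roots)


def expected_count(p, q, gamma):
    """Lemma 6 for l well below Delta: 2^(t_{p-q}+1) solutions.  The count
    is exact while gamma > 2 t_{p-q}, since then the two families
    z == p and z == q (mod 2^(gamma - t_{p-q})) are disjoint."""
    t = two_adic_valuation(p - q)
    if gamma <= 2 * t:
        raise ValueError("gamma must exceed 2 * t_{p-q} for the exact count")
    return 1 << (t + 1)


def demo(p=P_TOY, q=Q_TOY, gamma=GAMMA_TOY):
    """Return (roots, Lemma 6 count, p mod 2^gamma, q mod 2^gamma)."""
    mask = (1 << gamma) - 1
    s = (p + q) & mask                   # assumed known from the LSB phase
    roots = roots_mod_2power(s, p * q, gamma)
    return roots, expected_count(p, q, gamma), p & mask, q & mask


if __name__ == "__main__":
    roots, count, p_low, q_low = demo()
    print(len(roots), "solutions, Lemma 6 predicts", count)
    print("p mod 2^gamma in solutions:", p_low in roots, " q:", q_low in roots)
```

Every element of the returned list is a candidate for $p \bmod 2^{\gamma}$, which is why the attack must try each one; for random primes $t_{p-q}$ is small with overwhelming probability, which is the paper's justification for assuming at most $2^4$ candidates.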

Attacks on blinding RSA with full size e
For the case where $e$ is of full size, we propose a new attack on blinding RSA given the LSBs of $d'$. Unlike the situation with known MSBs, it is difficult to recover other sensitive parameters from the LSBs of $d'$. Our new method focuses on the unique algebraic relationship $d' = d + r\phi(N)$ in blinding RSA and recovers the private key by solving a bivariate modular equation. We now give the proof of Theorem 6.

Proof of Theorem 6 Suppose … LSBs, which can be expressed as … we derive a modular equation with the small solutions … Note that we can also choose $M$ as the modulus, which would yield the same result as choosing $N$. By employing Lemma 2, we can find the small solutions of … We can recover $d' = M \cdot y_0 + d'_{\mathrm{LSBs}}$ …

Practical experiments
We perform practical experiments using SageMath 9.1 on an Intel(R) Xeon(R) Bronze 3106 CPU @ 1.70GHz running Windows Server 2012 R2. The experimental results of our new attacks are basically consistent with the theoretical bounds.
For the MSB case with small e, the experimental results are shown in Table 3. Apart from some auxiliary calculations, this attack mainly consists of two parts. The first part finds a root of the quadratic congruence equation, which is equivalent to finding a square root modulo e. The implementation of this part adopts the Cipolla algorithm, which is highly efficient in practice, as shown in Table 3 (Find SR). The second part finds small roots of the integer equation. The implementation of this part adopts the Jochemsz-May basic strategy (Jochemsz and May 2006), with the running time mainly determined by the LLL algorithm. To keep the LLL algorithm efficient, we choose a small m to constrain the lattice dimension. One can make the size of e closer to the theoretical bound N^{1/4} by increasing m, at the cost of a longer LLL running time.
For the MSB case with full size e, the experimental results are shown in Table 4. The implementation of finding small roots of the integer equation employs the Jochemsz-May basic strategy (Jochemsz and May 2006), and we take a small m to keep the LLL algorithm efficient. One can take a larger m to bring δ and β closer to the theoretical bound, that is δ → 3/4 and β → (σ + 1/4).

Table 3 Implementation results of Theorem 1-MSB case with small e
Where prime factors p, q are of the same bit-size, e is prime, and δ/(1 + σ) represents the proportion of leakage. Our attack requires fewer leaked bits Len(d′_MSBs) than previous attacks, which need the leaked bits to exceed either 3

For the LSB case with small e, the experimental results are shown in Table 5. Similar to the MSB case, finding roots of the quadratic congruence equation is efficient in practice. Since there is more than one square root, we must try all possible values; the average number of candidates is given in Table 5 (Candidates). For finding small roots of the integer equation, we adopt the Jochemsz-May basic strategy (Jochemsz and May 2006), again choosing a small m to constrain the lattice dimension. One can make δ closer to the theoretical bound, that is δ → 1/4, by increasing m.
For the LSB case with full size e, the experimental results are shown in Table 6. The implementation of finding small roots of the modular equation adopts the Herrmann-May method (Herrmann and May 2008), and we also take a small m. One can take a larger m to make δ closer to the theoretical bound, that is δ → max{2σ + 1/2, β + σ}.

Conclusion
In this paper, we propose new partial key exposure attacks on RSA with additive exponent blinding, focusing on leakage scenarios where the MSBs or LSBs of d′ are revealed, considering both cases where e is small and e is of full size. For the case where e is small, we reduce the amount of leakage by solving the quadratic congruence equation to recover a portion of p. For the case where e is of full size, we introduce novel attacks utilizing the specific algebraic relationship d′ = d + rϕ(N) in blinding RSA. Our attacks confirm that blinding RSA is vulnerable to partial key exposure if either e · r or d · r is significantly smaller than N. This emphasizes the importance of users selecting both private and public exponents randomly, setting a blinding factor with a longer bit length, or implementing other countermeasures to prevent the leakage of the blinded private exponent d′. In practice, smaller values for e, d, r are often chosen for efficiency. Based on the results of this paper, we suggest that e · r and d · r should be greater than N to increase the resilience against such attacks.
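To make the closing recommendation concrete, here is an added Python example (not the paper's code) that blinds a toy decryption exponent as d′ = d + rϕ(N), checks that the blinded exponent still decrypts, and flags blinding factors for which e · r or d · r stays below N; the Mersenne-prime toy key, e = 65537 and the sample r values are constructed for the example.

```python
# Added example (not from the paper): additive exponent blinding d' = d + r*phi(N) on a
# constructed toy key, plus the size check the conclusion recommends (e*r > N and d*r > N).
from math import gcd

# Constructed toy primes (Mersenne primes 2^61-1 and 2^89-1): about 150-bit N, far too
# small for real use, chosen only so the example runs instantly and deterministically.
TOY_P = 2**61 - 1
TOY_Q = 2**89 - 1

def keygen(p: int = TOY_P, q: int = TOY_Q, e: int = 65537) -> tuple:
    """Return (N, phi(N), e, d) with e*d = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    return n, phi, e, pow(e, -1, phi)

def blind_exponent(d: int, phi: int, r: int) -> int:
    """d' = d + r*phi(N); since x^phi(N) = 1 mod N for gcd(x, N) = 1, d' decrypts like d."""
    return d + r * phi

def size_exponents(n: int, e: int, d: int, r: int) -> dict:
    """alpha, beta, sigma with e ~ N^alpha, d ~ N^beta, r ~ N^sigma, as bit-length ratios."""
    ln = n.bit_length()
    return {"alpha": e.bit_length() / ln, "beta": d.bit_length() / ln, "sigma": r.bit_length() / ln}

def meets_recommendation(n: int, e: int, d: int, r: int) -> dict:
    """The paper's closing suggestion: both e*r and d*r should exceed N."""
    return {"e_r_gt_N": e * r > n, "d_r_gt_N": d * r > n}

def demo() -> dict:
    """Blind with a 32-bit and a 160-bit constructed r and report the checks for each."""
    n, phi, e, d = keygen()
    msg = 0x1234_5678_9ABC_DEF0                      # constructed plaintext, < N
    out = {}
    for label, r in (("r_32bit", 0xDEADBEEF), ("r_160bit", (1 << 160) | 0xBEEF)):
        dp = blind_exponent(d, phi, r)
        out[label] = {
            "decrypts": pow(pow(msg, e, n), dp, n) == msg,  # blinded exponent still works
            "blinded_bits": dp.bit_length(),               # ~ log2(N) + log2(r): d' ~ N^(1+sigma)
            **size_exponents(n, e, d, r),
            **meets_recommendation(n, e, d, r),
        }
    return out
```

With e = 65537 the 32-bit r fails the e · r > N check while the 160-bit r passes both, matching the paper's advice to lengthen the blinding factor when e is small.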
While our attack can handle the situation where e is of full size, it requires sufficient leakage and succeeds only when d is small. The potential for further reducing the amount of leakage, and strategies for executing an attack in scenarios where both e and d are of full size, still need to be explored.

Where prime factors p, q are of the same bit-size, e is prime, and δ/(1 + σ) represents the proportion of leakage. We take m = 6 in the LLL algorithm, corresponding to dimension dim = 49. Our attack requires fewer leaked bits Len(d′_LSBs) than previous attacks (Joye and Lepoint 2012; Cimato et al. 2015a, 2015b), which need the leaked bits to exceed (1/2) Size(N) when e ≈ N^0 and r ≈ N^0. Here, Len(x) denotes the bit length of x.

Fig. 1
Fig. 1 Comparison of partial key exposure attacks given MSBs when e is small

Notation (symbol, its size as a power of N, meaning):
d (≈ N^β): the decryption exponent
r (≈ N^σ): the blinding factor
d′ (≈ N^{1+σ}): the blinded decryption exponent
d′_MSBs (≈ N^δ): the given MSBs of d′
d′_LSBs (≈ N^δ): the given LSBs of d′
and e is a prime number.

Denote d′ = d′_MSBs · M + d′_0, where d′_MSBs ≈ N^δ and M is a power of 2. Suppose e ≈ N^α, r ≈ N^σ. Given public key (N, e) and partial information (d′_MSBs, M), then N can be factored in polynomial time if

Theorem 2 (MSBs with full size e) Let parameters be the same as in Theorem 1

Fig. 2
Fig. 2 Distribution of t_{p−q} when p and q are random prime integers

Table 1
Overview: the theoretical bounds of our new attacks. e is prime, e ≈ N^α, d ≈ N^β, r ≈ N^σ, and the known part of d′ is approximately N^δ

Table 4
Implementation results of Theorem 2-MSB case with full size e. Where prime factors p, q are of the same bit-size, e is prime, and δ/(1 + σ) represents the proportion of leakage

Table 5
Implementation results of Theorem 5-LSB case with small e. Len(x) denotes the bit length of x

Table 6
Implementation results of Theorem 6-LSB case with full size e. Where prime factors p, q are of the same bit-size, e is prime, and δ/(1 + σ) represents the proportion of leakage