2024-03-05 | Gabrielle De Micheli and Nadia Heninger
This paper by Gabrielle De Micheli and Nadia Heninger from the University of California, San Diego, surveys techniques for recovering cryptographic keys from partial or indirect information in side-channel attacks. The authors focus on RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the most commonly used public-key cryptosystems. They categorize the known techniques based on the structure of the information learned by the attacker and provide simplified examples to illustrate each method.
The introduction highlights the nature of side-channel attacks, which exploit physical effects such as timing, power consumption, electromagnetic radiation, and temperature to leak information about secret keys. The paper emphasizes that side-channel attacks often reveal incomplete or indirect information, necessitating additional cryptanalytic techniques to recover the full key.
The authors provide a detailed overview of modular exponentiation and its vulnerabilities, including cache attacks, power analysis, and other side-channel attacks. They also discuss cold boot and memory attacks, which can leak partial information about keys stored in memory.
The mathematical background covers lattice theory, including lattice reduction algorithms like LLL and BKZ, which are crucial for solving key recovery problems. The paper then delves into specific key recovery methods for RSA, including techniques for recovering private keys when large contiguous portions of the secret keys are known. These methods often involve lattice basis reduction to find roots of polynomials modulo an integer.
The paper concludes with detailed examples and explanations of how to construct lattices and extract polynomials to find roots, demonstrating the effectiveness of these techniques in practical scenarios.