Attacking (EC)DSA Given Only an Implicit Hint

We describe a lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known. Inspired by the implicit oracle of May and Ritzenhofen presented in the context of RSA (PKC 2009), we assume that the ephemeral keys share a certain number of bits without knowing the value of the shared bits. This work also extends results of Leadbitter, Page and Smart (CHES 2004), which use a very similar type of partial information leakage. By eliminating the shared blocks of bits between the ephemeral keys, we obtain lattices of small dimension (e.g. equal to the number of signatures) and thus an efficient attack. More precisely, by using the LLL algorithm, the complexity of the attack is polynomial. We show that this method works when the ephemeral keys share a certain number of MSBs and/or LSBs, as well as contiguous blocks of shared bits in the middle. Under the Gaussian heuristic assumption, theoretical bounds on the number of shared bits as a function of the number of signed messages are proven. Experimental results show that we are often able to go a few bits beyond the theoretical bound. For instance, if only 2 LSBs are shared among the ephemeral keys of 200 signed messages (with no knowledge about the secret key), then the attack reveals the secret key. The success rate of this attack is about 90% when only 1 LSB is shared among the ephemeral keys of about 400 signed messages.
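As an added example (not code from the paper), the shared-LSB case of the attack the abstract describes, at toy scale so that a pure-Python LLL finishes in seconds: a 61-bit group order, 8 signatures whose nonces share 22 unknown low bits, r drawn at random rather than computed as g^k (only the relation s·k ≡ h + r·x (mod q) is used), and a textbook LLL in place of a floating-point implementation; all of these are assumptions of the example. Eliminating the shared block through nonce differences and then eliminating x yields a lattice whose dimension equals the number of signatures, as the abstract states; the paper's few-shared-bits regime (1 or 2 LSBs over hundreds of signatures) needs the larger lattices and faster reduction it describes.

```python
# Added example (not the paper's code): key recovery from nonces sharing T unknown low bits.
from fractions import Fraction
import random

Q, T, M = 2**61 - 1, 22, 8           # group order (a Mersenne prime), shared LSBs, #signatures
BOUND = 2 ** (Q.bit_length() - T)    # every nonce quotient k >> T lies below this

def lll(rows, delta=Fraction(3, 4)):  # textbook LLL, exact arithmetic; fine for dimension <= 10
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    B, k = [[Fraction(x) for x in r] for r in rows], 1
    def gs():  # Gram-Schmidt orthogonalisation of the current basis B
        Bs = []
        for b in B:
            cs = [dot(b, g) / dot(g, g) for g in Bs]
            Bs.append([bi - sum(c * g[i] for c, g in zip(cs, Bs)) for i, bi in enumerate(b)])
        return Bs
    while k < len(B):
        Bs = gs()
        for j in range(k - 1, -1, -1):          # size-reduce row k against rows j < k
            c = round(dot(B[k], Bs[j]) / dot(Bs[j], Bs[j]))
            B[k] = [a - c * b for a, b in zip(B[k], B[j])]
        mu = dot(B[k], Bs[k - 1]) / dot(Bs[k - 1], Bs[k - 1])
        if dot(Bs[k], Bs[k]) >= (delta - mu * mu) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                              # Lovasz condition holds
        else:
            B[k], B[k - 1], k = B[k - 1], B[k], max(k - 1, 1)
    return [[int(x) for x in r] for r in B]

def make_signatures(seed):
    # Constructed data: a random key x and M signatures (h, r, s) whose nonces share T LSBs.
    # r is drawn at random because the attack only uses s*k = h + r*x (mod Q), not r = g^k.
    rng = random.Random(seed)
    x, shared = rng.randrange(1, Q), rng.randrange(2 ** T)
    ks = [(rng.randrange(1, BOUND - 1) << T) | shared for _ in range(M)]
    hr = [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in range(M)]
    return x, [(h, r, (h + r * x) * pow(k, -1, Q) % Q) for k, (h, r) in zip(ks, hr)]

def recover_key(sigs):
    # k_i - k_0 = 2^T*u_i, |u_i| < BOUND, so u_i = al_i + be_i*x (mod Q); eliminating x too gives
    # u_j - g_j*u_1 = d_j (mod Q): a dimension-M lattice in which (u_2..u_m, u_1, BOUND) is short.
    inv = lambda v: pow(v, -1, Q)
    h0, r0, s0 = sigs[0]
    al = [(h * inv(s) - h0 * inv(s0)) * inv(2 ** T) % Q for h, r, s in sigs[1:]]
    be = [(r * inv(s) - r0 * inv(s0)) * inv(2 ** T) % Q for h, r, s in sigs[1:]]
    g = [b * inv(be[0]) % Q for b in be[1:]]
    d = [(a - gj * al[0]) % Q for a, gj in zip(al[1:], g)]
    rows = [[Q * (i == j) for j in range(len(g))] + [0, 0] for i in range(len(g))]
    rows += [g + [1, 0], d + [0, BOUND]]
    v = next(v for v in lll(rows) if abs(v[-1]) == BOUND == max(map(abs, v)))
    return (v[-2] * (1 if v[-1] > 0 else -1) - al[0]) * inv(be[0]) % Q
```

`recover_key(make_signatures(1)[1])` returns the key `make_signatures(1)[0]` without ever learning the shared bits themselves.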

[1] H. W. Lenstra et al. Factoring integers with elliptic curves, 1987.

[2] Michael E. Pohst et al. A Modification of the LLL Reduction Algorithm, 1987, J. Symb. Comput.

[3] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems, 1997, EUROCRYPT.

[4] Igor E. Shparlinski et al. The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces, 2001, CaLC.

[5] D. Shanks. Class number, a theory of factorization, and genera, 1971.

[6] Leonard M. Adleman et al. A subexponential algorithm for discrete logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves over finite fields, 1994, ANTS.

[7] Mihir Bellare et al. "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case, 1997, CRYPTO.

[8] Daniel J. Bernstein et al. A general number field sieve implementation, 1993.

[9] John J. Cannon et al. The Magma Algebra System I: The User Language, 1997, J. Symb. Comput.

[10] Marc Joye et al. Cautionary note for protocol designers: Security proof is not enough, 2002.

[11] Carl Pomerance et al. The Development of the Number Field Sieve, 1994.

[12] Dimitrios Poulakis et al. Some lattice attacks on DSA and ECDSA, 2011, Applicable Algebra in Engineering, Communication and Computing.

[13] Katsuyuki Takashima et al. Practical Modifications of Leadbitter et al.'s Repeated-Bits Side-Channel Analysis on (EC)DSA, 2005, WISA.

[14] Marc Joye et al. Cryptographic Hardware and Embedded Systems - CHES 2004, 2004, Lecture Notes in Computer Science.

[15] Nigel P. Smart et al. Attacking DSA Under a Repeated Bits Assumption, 2004, CHES.

[16] Ronald Cramer et al. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, 2005, EUROCRYPT.

[17] C. P. Schnorr et al. Efficient Identification and Signatures for Smart Cards (Abstract), 1989, EUROCRYPT.

[18] Damien Stehlé et al. Floating-Point LLL Revisited, 2005, EUROCRYPT.

[19] A. K. Lenstra et al. The Development of the Number Field Sieve, 1993.

[20] J. Pollard et al. Monte Carlo methods for index computation (), 1978.

[21] Sergei Skorobogatov et al. Semi-invasive attacks: a new approach to hardware security analysis, 2005.

[22] Serge Vaudenay. Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005, Proceedings, 2005, Public Key Cryptography.

[23] Igor E. Shparlinski et al. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces, 2003, Des. Codes Cryptogr.

[24] Franz Pichler et al. Advances in Cryptology - EUROCRYPT '85, 2000, Lecture Notes in Computer Science.

[25] Adi Shamir et al. Efficient Factoring Based on Partial Information, 1985, EUROCRYPT.

[26] Don Coppersmith et al. Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known, 1996, EUROCRYPT.

[27] William M. Daley et al. Digital Signature Standard (DSS), 2000.

[28] Stanislaw Jarecki et al. Public Key Cryptography - PKC 2009, 2009, Lecture Notes in Computer Science.

[29] Jeffrey Shallit et al. Algorithmic Number Theory, 1996, Lecture Notes in Computer Science.

[30] Aggelos Kiayias et al. BiTR: Built-in Tamper Resilience, 2011, IACR Cryptol. ePrint Arch.

[31] Taher ElGamal et al. A public key cryptosystem and signature scheme based on discrete logarithms, 1985.

[32] Shirley M. Radack. Updated Digital Signature Standard Approved as Federal Information Processing Standard (FIPS) 186-3, NIST, 2009.

[33] Aggelos Kiayias et al. Multi-query Computationally-Private Information Retrieval with Constant Communication Rate, 2010, Public Key Cryptography.

[34] Miklós Ajtai et al. The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract), 1998, STOC '98.

[35] Joseph H. Silverman et al. Cryptography and Lattices, 2001, Lecture Notes in Computer Science.

[36] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.

[37] Nigel P. Smart et al. Lattice Attacks on Digital Signature Schemes, 2001, Des. Codes Cryptogr.

[38] Edlyn Teske. Square-root algorithms for the discrete logarithm problem (a survey), 2001.

[39] Jean-Charles Faugère et al. Implicit Factoring with Shared Most Significant and Middle Bits, 2010, Public Key Cryptography.

[40] Elaine B. Barker et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, 2000.

[41] Alfred Menezes et al. The Elliptic Curve Digital Signature Algorithm (ECDSA), 2001, International Journal of Information Security.

[42] László Lovász et al. Factoring polynomials with rational coefficients, 1982.

[43] Ueli Maurer et al. Advances in Cryptology - EUROCRYPT '96, 2001, Lecture Notes in Computer Science.

[44] Douglas R. Stinson et al. Advances in Cryptology - CRYPTO '93, 2001, Lecture Notes in Computer Science.

[45] Carl Pomerance et al. The Quadratic Sieve Factoring Algorithm, 1985, EUROCRYPT.

[46] Katsuyuki Takashima. Practical Application of Lattice Basis Reduction Algorithm to Side-Channel Analysis on (EC)DSA, 2006, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[47] Santanu Sarkar et al. Further results on implicit factoring in polynomial time, 2009, Adv. Math. Commun.

[48] Michael Wiener et al. Advances in Cryptology - CRYPTO '99, 1999.

[49] Phong Q. Nguyen. Hermite's Constant and Lattice Algorithms, 2010, The LLL Algorithm.

[50] Leonard M. Adleman et al. A Subexponential Algorithm for Discrete Logarithms over All Finite Fields, 1993, CRYPTO.

[51] David Naccache et al. Experimenting with Faults, Lattices and the DSA, 2005, Public Key Cryptography.

[52] Walter Fumy et al. Advances in Cryptology - EUROCRYPT '97, 2001, Lecture Notes in Computer Science.

[53] Leonard M. Adleman et al. A Subexponential Algorithm for Discrete Logarithms over Hyperelliptic Curves of Large Genus over GF(q), 1999, Theor. Comput. Sci.

[54] Alexander May et al. Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint, 2009, Public Key Cryptography.

[55] Igor E. Shparlinski et al. The Insecurity of the Digital Signature Algorithm with Partially Known Nonces, 2002, Journal of Cryptology.