# The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

@article{Nguyen2002TheIO, title={The Insecurity of the Digital Signature Algorithm with Partially Known Nonces }, author={Phong Q. Nguyen and Igor E. Shparlinski}, journal={Journal of Cryptology}, year={2002}, volume={15}, pages={151-176} }

Abstract. We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. For most significant or least significant bits, the number of required bits is about log1/2 q , but can be decreased to log log q with a…

## 242 Citations

### The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

- Computer Science, Mathematics
- 2001

The hidden number problem is an idealized version of the problem which HowgraveGraham and Smart recently tried to solve heuristically in their (lattice-based) attacks on DSA and related signature schemes: given a few bits of the random nonces k used in sufficiently many DSA signatures, recover the secret key.

### Analysis of the Insecurity of ECMQV with Partially Known Nonces

- Computer Science, MathematicsISC
- 2003

This paper presents the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, and reduces the security from O(q 1/2 ) down to O( q 1/4 ) when partial knowledge of the nonces is given.

### Cryptanalysis of Mqv with Partially Known

- Computer Science, Mathematics
- 2002

The rst lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, is presented, in which one party may recover the other party's static private key from partial knowledge of the nonces from several runs of the protocol.

### Attacking (EC)DSA Given Only an Implicit Hint

- Computer Science, MathematicsSelected Areas in Cryptography
- 2012

A lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known to provide lattices of small dimension and theoretical bounds on the number of shared bits in function of thenumber of signed messages are proven.

### On the Security of the Digital Signature Algorithm

- Computer Science, MathematicsDes. Codes Cryptogr.
- 2002

A key-recovery attack against the Digital Signature Algorithm shows that if about half of the total number of bits in two ephemeral keys are known, again assumed contiguous unknown bits in each key, the system can be shown to be insecure.

### A Study on Attacks against Nonces in Schnorr-like Signatures

- Computer Science, Mathematics
- 2018

This Master’s dissertation investigates the (in)security of real-world implementations of Schnorr-like signatures, one of the most widely-used class of digital signature schemes, which includes in particular the standardized Digital Signature Algorithm (DSA).

### Guessing Bits: Improved Lattice Attacks on (EC)DSA

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

A new idea to improve the attack based on the same data in exchange for additional computation: carry out an exhaustive search on some bits of the secret key to turn the problem from a single bounded distance decoding (BDD) instance in a certain lattice to multiple BDD instances in a fixed lattice of larger volume.

### Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

- Computer Science, MathematicsCHES
- 2015

Analysis of discrete-logarithm based authentication schemes such as Schnorr identification scheme or Girault-Poupard-Stern identification and signature schemes shows that the GPS scheme with 128-bit security can be broken using only 710 signatures assuming that the adversary knows (on average) one bit per nonce.

### On Security of Fiat-Shamir Signatures over Lattice in the Presence of Randomness Leakage

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2019

The results indicate that the secret key of Dilithium and qTESLA can be recovered within seconds by running the method on an ordinary PC desktop, and it is shown that FS-ILWE can also be solved in polynomial time.

## References

SHOWING 1-10 OF 49 REFERENCES

### The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

- Computer Science, Mathematics
- 2001

The hidden number problem is an idealized version of the problem which HowgraveGraham and Smart recently tried to solve heuristically in their (lattice-based) attacks on DSA and related signature schemes: given a few bits of the random nonces k used in sufficiently many DSA signatures, recover the secret key.

### On the Security of Diffie-Hellman Bits

- Mathematics, Computer ScienceElectron. Colloquium Comput. Complex.
- 2000

Some recent bounds of exponential sums are used to generalize the algorithm for recovering a “hidden” element α of a finite field of p elements from rather short strings and improve one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.

### Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

- Computer Science, MathematicsCRYPTO
- 1996

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.…

### Design Validations for Discrete Logarithm Based Signature Schemes

- Computer Science, MathematicsPublic Key Cryptography
- 2000

This paper considers several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes, and shows that the following holds: if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithM problem can be solved, or some hash function can be distinguished from an ideal one, or multi-collisions can be found.

### The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces

- Computer Science, MathematicsCaLC
- 2001

This work extends the attack to the Nyberg-Rueppel variants of DSA and uses a connection with the hidden number problem introduced by Boneh and Venkatesan and new bounds of exponential sums which might be of independent interest.

### Efficient signature generation by smart cards

- Computer Science, MathematicsJournal of Cryptology
- 2004

An efficient algorithm that preprocesses the exponentiation of a random residue modulo p is presented, which improves the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures.

### Security of the most significant bits of the Shamir message passing scheme

- Computer Science, MathematicsMath. Comput.
- 2000

For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

### Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem

- Computer Science, MathematicsDes. Codes Cryptogr.
- 1994

The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery, and that with DLP-based schemes the same functionality as with RSA can be obtained.

### "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case

- Computer Science, MathematicsCRYPTO
- 1997

It is shown that if random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG) then the secret key can be quickly recovered after seeing a few signatures, illustrating the high vulnerability of the DSS to weaknesses in the underlying random number generation process.

### On the Distribution of Diffie-Hellman Triples with Sparse Exponents

- Mathematics, Computer ScienceSIAM J. Discret. Math.
- 2001

This paper proves the uniformity of distribution of the Diffie--Hellman triples (gx, gy, gxy) as the exponents x and y run through the set of n-bit integers with precisely k nonzero bits in their bit representation provided that k \ge 0.35 n.