The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

@article{Nguyen2002TheIO,
  title={The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
},
  author={Phong Q. Nguyen and I. Shparlinski},
  journal={Journal of Cryptology},
  year={2002},
  volume={15},
  pages={151-176}
}
Abstract. We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. For most significant or least significant bits, the number of required bits is about log1/2 q , but can be decreased to log log q with a… Expand
226 Citations
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
  • 177
  • PDF
Analysis of the Insecurity of ECMQV with Partially Known Nonces
  • 10
  • Highly Influenced
Attacking (EC)DSA Given Only an Implicit Hint
  • 17
  • PDF
Security of most significant bits of gx2
  • 15
On the Security of the Digital Signature Algorithm
  • 12
On Security of Fiat-Shamir Signatures over Lattice in the Presence of Randomness Leakage
  • Highly Influenced
  • PDF
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 55 REFERENCES
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
  • 177
  • PDF
On the Security of Diffie-Hellman Bits
  • 54
Design Validations for Discrete Logarithm Based Signature Schemes
  • 95
  • PDF
Efficient signature generation by smart cards
  • C. Schnorr
  • Mathematics, Computer Science
  • Journal of Cryptology
  • 2004
  • 2,173
  • PDF
Security of the most significant bits of the Shamir message passing scheme
  • 28
  • PDF
On the Distribution of Diffie-Hellman Triples with Sparse Exponents
  • 23
...
1
2
3
4
5
...