The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces

@article{Nguyen2003TheIO,
  title={The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces},
  author={Phong Q. Nguyen and Igor E. Shparlinski},
  journal={Designs, Codes and Cryptography},
  year={2003},
  volume={30},
  pages={201-217}
}
Nguyen and Shparlinski have recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, but can be decreased to log log q with a running time q^{O(1/log…
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

Analysis of the Insecurity of ECMQV with Partially Known Nonces
This paper presents the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, and reduces the security from O(q^{1/2}) down to O(q^{1/4}) when partial knowledge of the nonces is given.

A hidden number problem in small subgroups
A new modification in the scheme which amplifies the uniformity of distribution of the multipliers t is introduced, and this result is extended to subgroups of order at least (log p)/(log log p)^{1-ε} for all primes p, giving applications to the bit security of the Diffie-Hellman secret key.

A Study on Attacks against Nonces in Schnorr-like Signatures
As cryptography these days is increasingly closely tied to not only personal computers, but also to all other devices around us that hold sensitive information, it is essential to actively analyze

Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys
We show that the least significant bits (LSB) of the elliptic curve Diffie-Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible

Security of most significant bits of g^{x^2}
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p = {0, ..., p-1} of p elements from rather short strings of the most

Batch Verification of Elliptic Curve Digital Signatures
This thesis investigates the efficiency of batching the verification of elliptic curve signatures. The first signature scheme considered is a modification of ECDSA proposed by Antipa et al. along

Attacking (EC)DSA Given Only an Implicit Hint
A lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known, providing lattices of small dimension; theoretical bounds on the number of shared bits as a function of the number of signed messages are proven.

On the Bits of Elliptic Curve Diffie-Hellman Keys
A small multiplier version of the hidden number problem is introduced, and its properties are used to analyze the security of certain Diffie-Hellman bits and suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem.

On Security of Fiat-Shamir Signatures over Lattice in the Presence of Randomness Leakage
The results indicate that the secret key of Dilithium and qTESLA can be recovered within seconds by running the method on an ordinary PC desktop, and it is shown that FS-ILWE can also be solved in polynomial time.

References (showing 10 of 42)
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA
At Crypto '86, Boneh and Venkatesan introduced the so-called hidden number problem: in a prime field Z_q, recover a number α such that for many known random t, the most significant bits of tα are

On the Security of Diffie-Hellman Bits
Some recent bounds of exponential sums are used to generalize the algorithm for recovering a "hidden" element α of a finite field of p elements from rather short strings, and to improve one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.

The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces
This work extends the attack to the Nyberg-Rueppel variants of DSA and uses a connection with the hidden number problem introduced by Boneh and Venkatesan and new bounds of exponential sums which might be of independent interest.

Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes
We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.

The State of Elliptic Curve Cryptography
This paper surveys the development of elliptic curve cryptosystems from their inception in 1985 by Koblitz and Miller to present day implementations.

Security of the most significant bits of the Shamir message passing scheme
For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized, and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case
It is shown that if random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG) then the secret key can be quickly recovered after seeing a few signatures, illustrating the high vulnerability of the DSS to weaknesses in the underlying random number generation process.

The Elliptic Curve Digital Signature Algorithm (ECDSA)
The ANSI X9.62 ECDSA is described and related security, implementation, and interoperability issues are discussed; the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves.

An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm
A supersingular implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) is constructed that is essentially equivalent to a finite field implemented version of the DSA, and the efficiency of the two systems is compared.