# The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces

@article{Nguyen2003TheIO, title={The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces}, author={Phong Q. Nguyen and Igor E. Shparlinski}, journal={Designs, Codes and Cryptography}, year={2003}, volume={30}, pages={201-217} }

Nguyen and Shparlinski have recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about (log q)^{1/2}, but can be decreased to log log q with a running time q^{O(1/log…

#### 186 Citations

The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

- Mathematics, Computer Science
- Journal of Cryptology
- 2002

A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

Analysis of the Insecurity of ECMQV with Partially Known Nonces

- Computer Science
- ISC
- 2003

This paper presents the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, and reduces the security from O(q^{1/2}) down to O(q^{1/4}) when partial knowledge of the nonces is given.

A hidden number problem in small subgroups

- Computer Science, Mathematics
- Math. Comput.
- 2003

A new modification in the scheme which amplifies the uniformity of distribution of the multipliers t is introduced, and this result is extended to subgroups of order at least (log p)/(log log p)^{1-ε} for all primes p, giving applications to the bit security of the Diffie-Hellman secret key.

A Study on Attacks against Nonces in Schnorr-like Signatures

- 2018

As cryptography these days is increasingly closely tied to not only personal computers, but also to all other devices around us that hold sensitive information, it is essential to actively analyze…

Bits Security of the Elliptic Curve Diffie-Hellman Secret Keys

- Mathematics, Computer Science
- CRYPTO
- 2008

We show that the least significant bits (LSB) of the elliptic curve Diffie-Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible…

Security of most significant bits of g^{x^2}

- Mathematics, Computer Science
- Inf. Process. Lett.
- 2002

Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p = {0, ..., p-1} of p elements from rather short strings of the most…

Batch Verification of Elliptic Curve Digital Signatures

- Mathematics
- 2015

This thesis investigates the efficiency of batching the verification of elliptic curve signatures. The first signature scheme considered is a modification of ECDSA proposed by Antipa et al. along…

Attacking (EC)DSA Given Only an Implicit Hint

- Mathematics, Computer Science
- Selected Areas in Cryptography
- 2012

A lattice attack on DSA-like signature schemes under the assumption that implicit information on the ephemeral keys is known, providing lattices of small dimension; theoretical bounds on the number of shared bits as a function of the number of signed messages are proven.

On the Bits of Elliptic Curve Diffie-Hellman Keys

- Mathematics, Computer Science
- INDOCRYPT
- 2007

A small multiplier version of the hidden number problem is introduced, and its properties are used to analyze the security of certain Diffie-Hellman bits and to suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem.

On Security of Fiat-Shamir Signatures over Lattice in the Presence of Randomness Leakage

- Physics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

The results indicate that the secret key of Dilithium and qTESLA can be recovered within seconds by running the method on an ordinary desktop PC, and it is shown that FS-ILWE can also be solved in polynomial time.

#### References

Showing 1-10 of 42 references.

The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

- Mathematics, Computer Science
- Journal of Cryptology
- 2002

A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

- Physics
- 2001

At Crypto '86, Boneh and Venkatesan introduced the so-called hidden number problem: in a prime field Z_q, recover a number α such that for many known random t, the most significant bits of tα are…

On the Security of Diffie-Hellman Bits

- Computer Science, Mathematics
- Electron. Colloquium Comput. Complex.
- 2000

Some recent bounds of exponential sums are used to generalize the algorithm for recovering a "hidden" element α of a finite field of p elements from rather short strings, and to improve one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.

The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces

- Computer Science
- CaLC
- 2001

This work extends the attack to the Nyberg-Rueppel variants of DSA and uses a connection with the hidden number problem introduced by Boneh and Venkatesan and new bounds of exponential sums which might be of independent interest.

Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

- Mathematics, Computer Science
- CRYPTO
- 1996

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself. …

The State of Elliptic Curve Cryptography

- Mathematics, Computer Science
- Des. Codes Cryptogr.
- 2000

This paper surveys the development of elliptic curve cryptosystems from their inception in 1985 by Koblitz and Miller to present day implementations.

Security of the most significant bits of the Shamir message passing scheme

- Computer Science, Mathematics
- Math. Comput.
- 2000

For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized, and a similar analysis is given for the Shamir message passing scheme, where the results depend on some bounds of exponential sums.

"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case

- Mathematics, Computer Science
- CRYPTO
- 1997

It is shown that if random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG) then the secret key can be quickly recovered after seeing a few signatures, illustrating the high vulnerability of the DSS to weaknesses in the underlying random number generation process.

The Elliptic Curve Digital Signature Algorithm (ECDSA)

- Computer Science
- International Journal of Information Security
- 2001

The ANSI X9.62 ECDSA is described and related security, implementation, and interoperability issues are discussed; the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves.

An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm

- Computer Science, Mathematics
- CRYPTO
- 1998

A supersingular implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) is constructed that is essentially equivalent to a finite field implemented version of the DSA, and the efficiency of the two systems is compared.