(EC)DSA lattice attacks based on Coppersmith's method

doi:10.1016/j.ipl.2016.04.001

Information Processing Letters

Volume 116, Issue 8, August 2016, Pages 541-545

https://doi.org/10.1016/j.ipl.2016.04.001 Get rights and content

Highlights

•
We apply a variant of Coppersmith's method to the Digital Signature Algorithm.
•
We use a Boneh–Durfee type lattice attack.
•
Our attack is feasible if the product of the keys $k^{- 1} \cdot a$ is small.

Abstract

We provide an attack to (EC)DSA digital signature built upon Coppersmith's method. We prove that, if $a, k$ are the private and ephemeral key, respectively, of the (EC)DSA scheme and ${(k^{- 1} \mod q)}^{2} a < 0.262 \cdot q^{1.157}$ , then we can efficiently find a.

Section snippets

Introduction—statement of results

In the present paper we study Digital Signature Algorithm, DSA, and its elliptic curve variant, ECDSA [7]. Both are based on ElGamal signatures [8]. In these schemes Alice, the signer, randomly chooses a private key a from a public finite group G, with $| G | = p$ , for some large prime p. Usually G is the finite group of integers modulo p or the group defined by the points of an elliptic curve over a finite field. Then, she publishes an element $g \in G$ and $R = g^{a}$ , for some a randomly chosen from the set ${1,$

Auxiliary results

The main purpose of this section is to present some basic results necessary for the proof of Theorem 1.2. For some details of the computations in Lemma 2.4, Lemma 2.5 see [6, Chapter 6].

Lemma 2.1

Let $h (x, y) \in R [x, y]$ is a sum of w monomials. Let $X, Y$ in $R_{> 0}$ and integers $x_{0}, y_{0}$ such that $| x_{0} | < X, | y_{0} | < Y$ . Suppose that

i. $h (x_{0}, y_{0}) \in Z$ , $i i .$ $‖ h (x X, y Y) ‖ = \sqrt{\sum_{i, j} {(h_{i, j} X^{i} Y^{j})}^{2}} < \frac{1}{\sqrt{w}}$ ,

then $h (x_{0}, y_{0}) = 0$ .

Proof

[6, FACT 2.4.1, p.17]. □

Lemma 2.2

Let L be a lattice and $b_{1}, b_{2}, \dots, b_{w}$ is an LLL-reduced basis of L. Then $\begin{matrix} ‖ b_{1} ‖ < 2^{(w - 1) / 4} {(\det L)}^{1 / w}, \\ ‖ b_{2} ‖ \leq 2^{w / 4} (\det L \end{matrix}$

Proof of the theorem

Multiplying both sides of equation (1) by $- {(k r)}^{- 1} (\mod q)$ , we get $k^{- 1} (a + h (m) r^{- 1}) + (- s r^{- 1}) \equiv 0 (\mod q) .$ If we set $f (x, y) = \frac{x (y + A) + B}{q},$ where $A = {[h (m) r^{- 1}]}_{q}$ and $B = {[- s r^{- 1}]}_{q}$ , then we get $f ({[k^{- 1}]}_{q}, a) \in Z$ . We consider the lattice L generated by the rows of the matrix $A_{t, m}$ (of Corollary 2.6) with $f (x, y)$ be the polynomial defined by equation (4). We apply LLL algorithm to L and say $b_{1}$ is the first LLL-reduced vector. Let $H_{1} (x, y)$ be the polynomial which corresponds to $b_{1}$ , that is $\begin{matrix} H_{1} (x, y) \\ = b_{1} \cdot (1, x / X, x y / X Y, \dots, y / Y, . ., x^{m} y^{m + t} / X \end{matrix}$

The improvement: proof of Proposition 1.1

If the dimension w of the lattice L is ≤35, then LLL algorithm will return, in practice, a shortest vector of the lattice. So the constant $ζ (w)$ of relation (5) (it is a constant if we fix the dimension), can be replaced by another one which is much greater. If $w \leq 35$ , then we shall replace the bound of the first LLL-reduced vector by $\sqrt{\frac{w}{2 π e}} \det {(L)}^{1 / w}$ .

A shortest lattice vector has length $‖ L ‖ \approx \sqrt{\frac{w}{2 π e}} \det {(L)}^{1 / w}$ (the Gaussian heuristic holds in our lattices). To see this, we compute the first minimum $‖ L ‖$

An example

For the computations we used Sagemath [14]. Let $\begin{matrix} q = 1420781990420358144729370324145404355374905166249, \end{matrix}$ be a 160-bits prime number, the secret key $a = 24251561979536311495125 (75-bits)$ and the ephemeral key $\begin{matrix} k = 913551645485465300451420923974053878879771609110 (160 -bits) \end{matrix}$ Let $(r, s)$ be the signature of the message m and let $x (A + y) + B \equiv 0 (\mod q)$ the signing equation with $\begin{matrix} A = 269366230512225345569353296119811290445931088756, \end{matrix}$ $\begin{matrix} B = 542189824416770300914626882856872739739223238744 . \end{matrix}$ We set $f (x, y) = \frac{x (y + A) + B}{q}$ . Note that ${[k^{- 1}]}_{q} \cdot a >$

Conclusions

In this paper we improved the result of [13]. We applied Coppersmith's method to a lattice of Boneh–Durfee type [6]. The execution time of our attack is dominated by the running time of the LLL-algorithm in lattices of dimension 35. Our attack is valid when the private key and the inverse of one ephemeral key ${[k^{- 1}]}_{q}$ satisfy a suitable inequality (k can be large). Equivalently, the attack holds if some bits of the keys are known. Note that, we do not address here how the bits of a and ${[k^{- 1}]}_{q}$ are

Acknowledgements

The author is indebted to the anonymous referees for their helpful suggestions.

References (14)

L. Adleman et al.
A subexponential algorithm for discrete logarithms over all finite fields
A. Becker et al.
Solving shortest and closest vector problems: the decomposition approach
LMS J. Com. Math.
(2014)
I.F. Blake et al.
On the security of the digital signature algorithm
Des. Codes Cryptogr.
(2002)
D. Boneh et al.
Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes
Don Coppersmith
Small solutions to polynomial equations, and low exponent RSA vulnerabilities
J. Cryptology
(1997)
Glenn Durfee
Cryptanalysis of RSA using algebraic and lattice methods
(2002)
FIPS PUB 186-4, Digital Signature Standard...

There are more references available in the full text version of this article.

Cited by (6)

Lattice-based weak-key analysis on single-server outsourcing protocols of modular exponentiations and basic countermeasures
2021, Journal of Computer and System Sciences
We investigate the problem of securely outsourcing the modular exponentiations in cryptography to an untrusted server, and analyze the security and the efficiency of three privacy-preserving outsourcing protocols for exponentiations proposed in Ding et al. (2017) [18]. Based on Coppersmith's lattice-based method, we present heuristic polynomial-time and ciphertext-only weak-key attacks on these protocols, which shows that the recommended size of the secret keys in their protocols can not assure the input privacy of the exponents. Correspondingly, we explicitly estimate the size of the secure secret keys to circumvent our attacks, and analyze the efficiency of the revised protocols with security settings. Our theoretical analysis and experimental results demonstrate that the protocol of single modular exponentiation is unavailable, the protocol of simultaneous modular exponentiations is not so efficient as claimed but still available, and the protocol of multiple modular exponentiations becomes more efficient as the number of exponentiations increases.
ATTACKING (EC)DSA SCHEME WITH EPHEMERAL KEYS SHARING SPECIFIC BITS
2023, arXiv
MESSAGE RECOVERY ATTACK TO NTRU USING A LATTICE INDEPENDENT FROM THE PUBLIC KEY
2022, arXiv
Applications and developments of the lattice attack in side channel attacks
2020, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Enhancing an attack to DSA schemes
2019, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A Survey of Lattice Attack on Digital Signature Algorithm
2018, SSRN

View full text

Miniaturized array antenna with reduced beam squinting
AEU - International Journal of Electronics and Communications, Volume 117, 2020, Article 153110
Omid Niksan, …, Maryam SamadpourHendevari
Isogeny graphs with maximal real multiplication
Journal of Number Theory, Volume 207, 2020, pp. 385-422
Sorina Ionica, Emmanuel Thomé
Centre-fed dual band omnidirectional array antenna with electrical down tilt
AEU - International Journal of Electronics and Communications, Volume 69, Issue 3, 2015, pp. 622-628
Majid Sharifi, Somayyeh Chamaani
Optimal sequential fusion for multibiometric cryptosystems
Information Fusion, Volume 32, Part B, 2016, pp. 93-108
Takao Murakami, …, Kenta Takahashi
The k-subset sum problem over finite fields of characteristic 2
Finite Fields and Their Applications, Volume 59, 2019, pp. 175-184
Hyok Choe, Chunghyok Choe
Slicing techniques for temporal aggregation in spanning event streams
Information and Computation, Volume 281, 2021, Article 104807
Aurélie Suzanne, …, Damien Tassetti

(EC)DSA lattice attacks based on Coppersmith's method

Highlights

Abstract

Section snippets

Introduction—statement of results

Auxiliary results

Proof of the theorem

The improvement: proof of Proposition 1.1

An example

Conclusions

Acknowledgements

A subexponential algorithm for discrete logarithms over all finite fields

Solving shortest and closest vector problems: the decomposition approach

LMS J. Com. Math.

On the security of the digital signature algorithm

Des. Codes Cryptogr.

Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes

Small solutions to polynomial equations, and low exponent RSA vulnerabilities

J. Cryptology

Cryptanalysis of RSA using algebraic and lattice methods