(EC)DSA lattice attacks based on Coppersmith's method
Introduction—statement of results
In the present paper we study the Digital Signature Algorithm (DSA) and its elliptic curve variant, ECDSA [7]. Both are based on ElGamal signatures [8]. In these schemes Alice, the signer, randomly chooses a private key a from a public finite group G, with , for some large prime p. Usually G is the finite group of integers modulo p or the group defined by the points of an elliptic curve over a finite field. Then, she publishes an element and , for some a randomly chosen from the set
Auxiliary results
The main purpose of this section is to present some basic results necessary for the proof of Theorem 1.2. For some details of the computations in Lemma 2.4, Lemma 2.5 see [6, Chapter 6].
Lemma 2.1 Let is a sum of w monomials. Let in and integers such that . Suppose that i. , , then .
Proof [6, FACT 2.4.1, p.17]. □
Lemma 2.2 Let L be a lattice and is an LLL-reduced basis of L. Then
Proof of the theorem
Multiplying both sides of equation (1) by , we get If we set where and , then we get . We consider the lattice L generated by the rows of the matrix (of Corollary 2.6) with be the polynomial defined by equation (4). We apply the LLL algorithm to L and say is the first LLL-reduced vector. Let be the polynomial which corresponds to , that is
The improvement: proof of Proposition 1.1
If the dimension w of the lattice L is ≤35, then the LLL algorithm will, in practice, return a shortest vector of the lattice. So the constant of relation (5) (it is a constant if we fix the dimension) can be replaced by another one which is much greater. If , then we shall replace the bound of the first LLL-reduced vector by .
A shortest lattice vector has length (the Gaussian heuristic holds in our lattices). To see this, we compute the first minimum
An example
For the computations we used Sagemath [14]. Let be a 160-bit prime number, the secret key and the ephemeral key. Let be the signature of the message m and let the signing equation with We set . Note that
Conclusions
In this paper we improved the result of [13]. We applied Coppersmith's method to a lattice of Boneh–Durfee type [6]. The execution time of our attack is dominated by the running time of the LLL algorithm in lattices of dimension 35. Our attack is valid when the private key and the inverse of one ephemeral key satisfy a suitable inequality (k can be large). Equivalently, the attack holds if some bits of the keys are known. Note that we do not address here how the bits of a and are
Acknowledgements
The author is indebted to the anonymous referees for their helpful suggestions.
References (14)
- et al., A subexponential algorithm for discrete logarithms over all finite fields
- et al., Solving shortest and closest vector problems: the decomposition approach, LMS J. Com. Math. (2014)
- et al., On the security of the digital signature algorithm, Des. Codes Cryptogr. (2002)
- et al., Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes
- Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology (1997)
- Cryptanalysis of RSA using algebraic and lattice methods (2002)
- FIPS PUB 186-4, Digital Signature Standard...