Abstract
Nguyen and Shparlinski have recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about (log q)^(1/2), but can be decreased to log log q with a running time q^(O(1/log log q)) subexponential in log q, and even further to two in polynomial time if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
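The reduction behind the abstract, as an added illustration that is not code from the paper: each ECDSA signature (r, s) on hash h, together with the top ell bits a of its nonce k, yields a hidden number problem sample (t, u) with (t*d - u) mod q smaller than 2^(n - ell), where d is the secret key. The parameters below are constructed toys (a 16-bit q, and r derived from k by modular exponentiation as a stand-in for the x-coordinate of kG), chosen so that the hidden number instance can be solved by exhaustive search in place of the paper's lattice step; the point is to show how little nonce leakage is needed to pin down d.

```python
import random

# Toy parameters (constructed): a 16-bit prime q so the hidden number
# problem instance can be solved by brute force. Real ECDSA uses q >= 160 bits.
Q = 65521
N_BITS = Q.bit_length()  # 16

def sign(d, h, k):
    """ECDSA signing reduced to its arithmetic modulo q.
    r is normally x(kG) mod q; the attack only uses r, s and h, so a
    constructed stand-in derived from k is enough for the demonstration."""
    r = pow(3, k, Q)
    s = pow(k, -1, Q) * (h + r * d) % Q
    return r, s

def hnp_sample(r, s, h, a, ell):
    """Map one signature plus the ell most significant nonce bits a to a
    hidden number problem sample (t, u): from s = k^-1 (h + r d) we get
    k = s^-1 h + s^-1 r d, and with k = a*2^shift + b this gives
    b = (t*d - u) mod q, which is small (b < 2^shift)."""
    shift = N_BITS - ell
    s_inv = pow(s, -1, Q)
    t = s_inv * r % Q
    u = ((a << shift) - s_inv * h) % Q
    return t, u

def solve_hnp(samples, ell):
    """Exhaustive search for the unique d consistent with every sample; this
    replaces the lattice reduction step, which is what makes the real attack
    polynomial time for large q."""
    bound = 1 << (N_BITS - ell)
    cands = [d for d in range(Q)
             if all((t * d - u) % Q < bound for t, u in samples)]
    return cands[0] if len(cands) == 1 else None

def demo(d, ell=4, n_sigs=12, seed=1):
    """Sign n_sigs random hashes with key d, leak the top ell bits of each
    nonce, and recover d from the resulting hidden number samples."""
    rng = random.Random(seed)
    samples = []
    while len(samples) < n_sigs:
        k = rng.randrange(1, Q)
        h = rng.randrange(1, Q)
        r, s = sign(d, h, k)
        if s == 0:          # degenerate signature, would be rejected anyway
            continue
        a = k >> (N_BITS - ell)   # the leaked most significant nonce bits
        samples.append(hnp_sample(r, s, h, a, ell))
    return solve_hnp(samples, ell)
```

With 4 leaked bits per nonce and a dozen signatures the key is already uniquely determined; the paper's contribution is showing that lattice reduction finds it provably and efficiently at cryptographic sizes of q.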
References
M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, In Proc. 33rd ACM Symp. on Theory of Computation (STOC'2001), Crete (2001) pp. 601–610.
L. Babai, On Lovász lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6 (1986) pp. 1–13.
M. Bellare, S. Goldwasser and D. Micciancio, “Pseudo-random” number generation within cryptographic algorithms: The DSS case, In Proc. of Crypto '97, volume 1294 of LNCS. IACR, Springer-Verlag (1997) pp. 277–291.
D. Bleichenbacher, On the generation of DSS one-time keys. Manuscript. The result was presented at the Monteverita workshop in March 2001, February 2001.
D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes, In Proc. of Crypto '96, volume 1109 of LNCS. IACR, Springer-Verlag (1996).
D. Boneh and R. Venkatesan, Rounding in lattices and its cryptographic applications, In Proc. of the 8th Symposium on Discrete Algorithms, ACM (1997) pp. 675–681.
D. R. L. Brown, The exact security of ECDSA. Technical report, Department of Combinatorics and Optimization, University of Waterloo (2000) CORR 2000–54.
M. Drmota and R. Tichy, Sequences, discrepancies and applications. Springer-Verlag, Berlin, 1997.
E. El Mahassni, P. Q. Nguyen and I. E. Shparlinski, The insecurity of Nyberg–Rueppel and other DSA-like signature schemes with partially known nonce, In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, Springer-Verlag (2001) pp. 97–109.
M. I. González Vasco and I. E. Shparlinski, On the security of Diffie–Hellman bits, In (K.-Y. Lam, I. E. Shparlinski, H. Wang and C. Xing eds.), Proc. Workshop on Cryptography and Computational Number Theory (CCNT'99), Singapore, Birkhäuser (2001) pp. 257–268.
M. I. González Vasco and I. E. Shparlinski, Security of the most significant bits of the Shamir message passing scheme, Math. Comp., Vol. 71 (2002) pp. 333–342.
N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, Vol. 23 (2001) pp. 283–290.
D. Johnson, A.J. Menezes and S.A. Vanstone, The elliptic curve digital signature algorithm (ECDSA), Intern. J. of Information Security, Vol. 1 (2001) pp. 36–63.
N. Koblitz, An elliptic curve implementation of the finite field digital signature algorithm, In Proc. of Crypto '98, volume 1462 of LNCS, IACR, Springer-Verlag (1998) pp. 327–337.
N. Koblitz, A.J. Menezes and S.A. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography, Vol. 19 (1994) pp. 173–193.
D. Kohel and I. E. Shparlinski, Exponential sums and group generators for elliptic curves over finite fields, In Algorithmic Number Theory—Proc. of ANTS-IV, volume 1838 of LNCS, Springer-Verlag (2000) pp. 395–404.
S. V. Konyagin and I. E. Shparlinski, Character sums with exponential functions and their applications, Cambridge University Press, Cambridge (1999).
R. Kuipers and H. Niederreiter, Uniform Distribution of Sequences, Wiley-Interscience, NY (1974).
A.K. Lenstra, H.W. Lenstra, Jr. and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Ann., Vol. 261 (1982) pp. 513–534.
A. Menezes, P. Van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press (1997).
C. J. Moreno and O. Moreno, Exponential sums and Goppa codes, I. Proc. Amer. Math. Soc., Vol. 111 (1991) pp. 523–531.
National Institute of Standards and Technology (NIST), FIPS Publication 186: Digital Signature Standard, May (1994).
P. Q. Nguyen, The dark side of the hidden number problem: Lattice attacks on DSA, In (K.-Y. Lam, I. E. Shparlinski, H. Wang and C. Xing, eds.), Proc. Workshop on Cryptography and Computational Number Theory (CCNT'99), Singapore, Birkhäuser (2001) pp. 321–330.
P. Q. Nguyen and I. E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, J. Cryptology, Vol. 15 (2002) pp. 151–176.
P. Q. Nguyen and J. Stern, Lattice reduction in cryptology: An update, In Algorithmic Number Theory—Proc. of ANTS-IV, volume 1838 of LNCS, Springer-Verlag (2000) pp. 85–112.
P. Q. Nguyen and J. Stern, The two faces of lattices in cryptology, In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, Springer-Verlag (2001) pp. 146–180.
H. Niederreiter, Quasi-Monte Carlo methods and pseudo-random numbers, Bull. Amer. Math. Soc., Vol. 84 (1978) pp. 957–1041.
H. Niederreiter, Random Number Generation and Quasi-Monte Carlo Methods, CBMS-NSF Regional Conference Series in Applied Mathematics, volume 63, SIAM, Philadelphia (1992).
J. H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag (1995).
D. R. Stinson, Cryptography: Theory and Practice, CRC Press (1995).
I. M. Vinogradov, Elements of Number Theory, Dover Publ., New York (1954).
Cite this article
Nguyen, P.Q., Shparlinski, I.E. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography 30, 201–217 (2003). https://doi.org/10.1023/A:1025436905711