
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces

Designs, Codes and Cryptography

Abstract

Nguyen and Shparlinski have recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, but can be decreased to log log q with a running time q^{O(1/log log q)} subexponential in log q, and even further to two in polynomial time if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
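The key-recovery result summarised above rests on the ECDSA signing equation s = k^{-1}(h + x·r) mod q: whoever learns a nonce k learns the private key x in one modular division, and the paper's lattice (hidden number problem) method extends this to the case where only a few bits of each k are known across many signatures. The Python example below is added here and is not code from the paper: it runs a working ECDSA on a constructed 19-point toy curve (y² = x³ + 2x + 2 over F_17, generator (5, 1)) with a constructed key and message, shows that exact-nonce identity, and shows the usual mitigation for nonce leakage through a weak or biased RNG, namely deriving k deterministically from the private key and message hash in the spirit of RFC 6979. The curve parameters, the function names and the simplified single-HMAC nonce derivation are assumptions of the example, not something the paper specifies.

```python
# Added example (not from the paper): toy ECDSA on the textbook curve
# y^2 = x^3 + 2x + 2 over F_17, whose 19 points form a group of prime order,
# so every point (here G = (5, 1)) generates it. Curve, key and messages are
# constructed for illustration only and are far too small for real use.
import hashlib
import hmac

P, A, B = 17, 2, 2   # field prime and curve coefficients (constructed toy curve)
G = (5, 1)           # generator
Q = 19               # prime order of G (and of the whole curve group)
INF = None           # point at infinity


def inv(v, m):
    return pow(v % m, -1, m)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 = -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign_with_nonce(x, h, k):
    """ECDSA with a caller-supplied nonce k. Returns (r, s), or None when k is
    degenerate (r = 0 or s = 0), in which case the signer must pick another k."""
    k %= Q
    if k == 0:
        return None
    r = ec_mul(k, G)[0] % Q
    if r == 0:
        return None
    s = inv(k, Q) * (h + x * r) % Q
    return (r, s) if s != 0 else None


def verify(pub, h, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inv(s, Q)
    pt = ec_add(ec_mul(h * w % Q, G), ec_mul(r * w % Q, pub))
    return pt is not INF and pt[0] % Q == r


def recover_key(sig, h, k):
    """The algebra behind every nonce-leak attack: from s = k^-1 (h + x r) mod Q,
    a known k gives x = r^-1 (s k - h) mod Q. The paper's lattice method extends
    this from a fully known k to a few known bits of k over many signatures;
    that extension is not implemented here."""
    r, s = sig
    return inv(r, Q) * (s * k - h) % Q


def deterministic_nonce(x, h, counter):
    """Nonce derived by HMAC from the private key and the message hash, in the
    spirit of RFC 6979 (simplified: one HMAC call plus a retry counter, not the
    RFC's full HMAC-DRBG procedure). Because k is a function of (x, h), biased
    or partially predictable RNG output can never enter the signature."""
    mac = hmac.new(x.to_bytes(4, "big"),
                   h.to_bytes(4, "big") + counter.to_bytes(4, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q


def sign(x, msg):
    """Deterministic ECDSA: the same key and message always give the same signature."""
    h = msg_hash(msg)
    for counter in range(256):
        sig = sign_with_nonce(x, h, deterministic_nonce(x, h, counter))
        if sig is not None:
            return sig
    raise RuntimeError("no usable nonce found")  # practically unreachable


if __name__ == "__main__":
    priv = 7                                   # constructed private key
    pub = ec_mul(priv, G)
    msg = b"constructed sample message"
    sig = sign(priv, msg)
    print("signature", sig, "verifies:", verify(pub, msg_hash(msg), sig))
```

Running the block signs the constructed message with a deterministic nonce and checks that it verifies; recover_key is the one-line identity that makes any nonce disclosure fatal, and deterministic nonce derivation closes the RNG-bias route by which partial nonce knowledge usually arises in practice.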


References

  1. M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, In Proc. 33rd ACM Symp. on Theory of Computation (STOC'2001), Crete (2001) pp. 601–610.

  2. L. Babai, On Lovász lattice reduction and the nearest lattice point problem, Combinatorica, Vol. 6 (1986) pp. 1–13.

  3. M. Bellare, S. Goldwasser and D. Micciancio, “Pseudo-random” number generation within cryptographic algorithms: The DSS case, In Proc. of Crypto '97, volume 1294 of LNCS, IACR, Springer-Verlag (1997) pp. 277–291.

  4. D. Bleichenbacher, On the generation of DSS one-time keys. Manuscript, February 2001. The result was presented at the Monteverita workshop in March 2001.

  5. D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes, In Proc. of Crypto '96, volume 1109 of LNCS, IACR, Springer-Verlag (1996).

  6. D. Boneh and R. Venkatesan, Rounding in lattices and its cryptographic applications, In Proc. of the 8th Symposium on Discrete Algorithms, ACM (1997) pp. 675–681.

  7. D. R. L. Brown, The exact security of ECDSA. Technical report, Department of Combinatorics and Optimization, University of Waterloo (2000) CORR 2000–54.

  8. M. Drmota and R. Tichy, Sequences, Discrepancies and Applications, Springer-Verlag, Berlin (1997).

  9. E. El Mahassni, P. Q. Nguyen and I. E. Shparlinski, The insecurity of Nyberg–Rueppel and other DSA-like signature schemes with partially known nonce, In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, Springer-Verlag (2001) pp. 97–109.

  10. M. I. González Vasco and I. E. Shparlinski, On the security of Diffie–Hellman bits, In (K.-Y. Lam, I. E. Shparlinski, H. Wang and C. Xing, eds.), Proc. Workshop on Cryptography and Computational Number Theory (CCNT'99), Singapore, Birkhäuser (2001) pp. 257–268.

  11. M. I. González Vasco and I. E. Shparlinski, Security of the most significant bits of the Shamir message passing scheme, Math. Comp., Vol. 71 (2002) pp. 333–342.

  12. N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, Vol. 23 (2001) pp. 283–290.

  13. D. Johnson, A. J. Menezes and S. A. Vanstone, The elliptic curve digital signature algorithm (ECDSA), Intern. J. of Information Security, Vol. 1 (2001) pp. 36–63.

  14. N. Koblitz, An elliptic curve implementation of the finite field digital signature algorithm, In Proc. of Crypto '98, volume 1462 of LNCS, IACR, Springer-Verlag (1998) pp. 327–337.

  15. N. Koblitz, A. J. Menezes and S. A. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography, Vol. 19 (1994) pp. 173–193.

  16. D. Kohel and I. E. Shparlinski, Exponential sums and group generators for elliptic curves over finite fields, In Algorithmic Number Theory—Proc. of ANTS-IV, volume 1838 of LNCS, Springer-Verlag (2000) pp. 395–404.

  17. S. V. Konyagin and I. E. Shparlinski, Character Sums with Exponential Functions and Their Applications, Cambridge University Press, Cambridge (1999).

  18. R. Kuipers and H. Niederreiter, Uniform Distribution of Sequences, Wiley-Interscience, NY (1974).

  19. A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Ann., Vol. 261 (1982) pp. 513–534.

  20. A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press (1997).

  21. C. J. Moreno and O. Moreno, Exponential sums and Goppa codes, I. Proc. Amer. Math. Soc., Vol. 111 (1991) pp. 523–531.

  22. National Institute of Standards and Technology (NIST), FIPS Publication 186: Digital Signature Standard, May (1994).

  23. P. Q. Nguyen, The dark side of the hidden number problem: Lattice attacks on DSA, In (K.-Y. Lam, I. E. Shparlinski, H. Wang and C. Xing, eds.), Proc. Workshop on Cryptography and Computational Number Theory (CCNT'99), Singapore, Birkhäuser (2001) pp. 321–330.

  24. P. Q. Nguyen and I. E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, J. Cryptology, Vol. 15 (2002) pp. 151–176.

  25. P. Q. Nguyen and J. Stern, Lattice reduction in cryptology: An update, In Algorithmic Number Theory—Proc. of ANTS-IV, volume 1838 of LNCS, Springer-Verlag (2000) pp. 85–112.

  26. P. Q. Nguyen and J. Stern, The two faces of lattices in cryptology, In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, Springer-Verlag (2001) pp. 146–180.

  27. H. Niederreiter, Quasi-Monte Carlo methods and pseudo-random numbers, Bull. Amer. Math. Soc., Vol. 84 (1978) pp. 957–1041.

  28. H. Niederreiter, Random Number Generation and Quasi-Monte Carlo Methods, CBMS-NSF Regional Conference Series in Applied Mathematics, volume 63, SIAM, Philadelphia (1992).

  29. J. H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag (1995).

  30. D. R. Stinson, Cryptography: Theory and Practice, CRC Press (1995).

  31. I. M. Vinogradov, Elements of Number Theory, Dover Publ., New York (1954).


About this article

Cite this article

Nguyen, P.Q., Shparlinski, I.E. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography 30, 201–217 (2003). https://doi.org/10.1023/A:1025436905711
