The security of the main public-key cryptosystems is based on the difficulty of solving certain mathematical problems. In this context, the most commonly used problems come from number theory, most notably the integer factorization problem and the discrete logarithm problem in finite cyclic groups. DSA and RSA are two of the most widely used cryptosystems and their security relies on these problems. Many software products, such as SSH, OpenPGP, S/MIME and SSL, use RSA for encryption and signing and DSA for signing. The National Institute of Standards and Technology has also promoted the use of elliptic curve cryptography, whose security is based on the discrete logarithm problem in special groups. Although the National Security Agency has recently advocated starting to replace these cryptosystems NSA because of potential developments in quantum computing, the expectation is that they will remain widely used in the short term.
In this paper, we study a cryptosystem based on the discrete logarithm problem. Apart from the advances in quantum computing and some recent results on quasi-polynomial algorithms for the discrete logarithm problem in multiplicative groups of small-characteristic fields Jouxetal ; Grangeretal1 ; Grangeretal2 ; Joux13 and for certain abelian groups sutherland2011structure , the discrete logarithm problem in finite fields of large characteristic is still only known to be solvable in subexponential time, the best known algorithm being that of Adleman and DeMarrais DLPAdlemanD93 .
The discrete logarithm problem on elliptic curves seems to be even harder. Although there are results for anomalous curves cohen2005handbook and for curves defined over extension fields diem2013discrete , the known general approaches run in exponential time (see the survey by Galbraith and Gaudry galbraith2015 ).
However, this does not mean that attacking these cryptosystems is hopeless. Many practical attacks are possible because additional information is available from the implementation. For example, Genkin, Shamir and Tromer accustic showed that it is possible to recover the private key of a 4096-bit RSA key from the sound pattern generated during the decryption of chosen ciphertexts.
These advances raise a natural research question: which additional information is needed in order to solve these problems in polynomial time? This question has been studied for a long time. Indeed, Rivest and Shamir RSAfactoring86 introduced the notion of an oracle to formalize this approach in the context of factoring RSA moduli.
In this article, we focus on the Digital Signature Algorithm (DSA) DSS94 , whose security is based on the difficulty of the DLP in multiplicative groups of finite fields (see Section 2 for details). The first use of an oracle against DSA is due to Howgrave-Graham and Smart Howgrave-GrahamS01 , who used the LLL lattice reduction algorithm LLLfactoring to exploit the knowledge of a small number of bits of many ephemeral keys. Their results were heuristic, although confirmed by experiments. Nguyen and Shparlinski NguyenShparlinski02 ; NguyenShparlinski03 presented the first polynomial time algorithm that provably recovers the secret DSA key when about LSB (or MSB) of each ephemeral key are known ( denoting the order of the chosen group, see Section 2) for a polynomially bounded number of signed messages. Other attacks exploit bits of the ephemeral key using the Fast Fourier Transform de2013using ; de2014 . We remark that, although these attacks normally need fewer bits, their computational cost is higher. All these attacks share a common feature: they need explicit information about the bits of the ephemeral keys, and they bypass the problem of computing discrete logarithms.
At SAC 2012, Faugère, Goyet and Renault Faugere12 restricted the power of the oracle by introducing an implicit attack on DSA. More precisely, they do not assume that the oracle explicitly outputs bits of the ephemeral keys; it provides only implicit information. In this implicit scenario the oracle is stated as follows: the attacker knows some signatures that were computed with ephemeral keys sharing some bits. Instead of explicit information about the value of these shared bits, the implicit information consists only of the positions of the shared bits. From an applied point of view, this oracle can be instantiated by an invasive attack in which some registers used by a pseudorandom generator are destroyed by a laser and keep the same unknown value during the computation of many signatures. Implicit information given by an oracle was first considered by May and Ritzenhofen MayR09 in the context of the RSA cryptosystem and has been well studied since then (e.g. FMR10 ; sarkar2009further ). The attack proposed in Faugere12 is heuristic. The contribution of this article is to provide a rigorous proof and to analyze the applicability of this attack. We present results for DSA over a finite field, but we remark that the techniques can be adapted to the elliptic curve version (ECDSA) as well.
Section 3 presents the background in uniform distribution theory necessary to understand the probabilistic approach. Section 4 presents the proofs of our main results, and Section 5 shows the performance of the attack in experiments and discusses the relation with the theoretical results.
2 Implicit attack on DSA
We follow the notation of Faugere12 and go through the technique proposed there. The next diagram represents the protocol for generating a public key and signing a message with DSA over a finite field. For readers not familiar with DSA, we provide the explicit details.
Let be a positive integer, be a -bit prime and be a prime divisor of satisfying . The integers and are recommended to be chosen such that ; see FIPS:2013:DSS .
The finite field with elements is denoted by , and each of its elements is uniquely represented by an integer in the range . This also implies that, in the sequel, any number modulo gives a number in that range. For the DSA signature scheme, the user selects a random element , which must be kept private, and then publishes , , an element of multiplicative order , and .
For efficiency and security reasons, the bit size of the messages signed with DSA has to be the same as that of (e.g. or ). Thus, for a general message it is necessary to consider its hash and sign only this hash. In the sequel, we denote by this hash function and by the hash of the message , whose bit size is assumed to match the chosen . The particular hash function is not important for our results, provided it satisfies the standard security requirements.
To sign , the user generates a random number (called the ephemeral key) and calculates
The user requires that and are not zero; in this case is a valid signature. Otherwise, the user generates another and calculates again.
2.1 Scenario of the attack
We suppose that the user wants to sign messages whose hashes are , so he generates and publishes the signatures . We also suppose that, due to some malicious action of the attacker, the corresponding ephemeral keys differ only in a block of bits of known length , so the attacker knows that
where have the following property,
with , two unknown fixed -bit and -bit integers respectively. Thus there are shared bits in total. Notice that we can substitute Equation (3) into Equation (2) and eliminate the variables and , which results in the following set of equations,
where come from (3) and are public values defined as,
Next, we can build a lattice using the rows of the following matrix,
and find a short vector in it using an appropriate algorithm, for example schnorr . The attacker hopes to recover the following vector,
which has a rather short norm. This is the algorithm proposed in Faugere12 , with some discussion depending on the parameters.
Our first contribution is a variant of this proposal: we still relate the recovery of the ephemeral keys in DSA to a lattice problem, but we give rigorous results on the performance of the resulting algorithm.
To give this new attack, we follow the presentation in Nguyen02 . First, we define the lattice by the rows of the following matrix,
and two vectors ,
where for .
The lattice and the vector are known to the attacker, and his goal is to recover from this information. It is straightforward that and . Thus is a vector of this lattice which is close to , and we hope that the solution of the closest vector problem is .
If we call the solution to the closest vector problem, then verifies and .
The so-called Gaussian heuristic (see (nguyen2010lll, , page 27, Definition 8)) provides a way of analyzing the performance of this method, describing the cases where is expected to be . The shortest vector of the lattice is expected to have norm
so, as soon as
we hope to recover .
Applying the Gaussian heuristic to the lattice defined in Equation (5) is equivalent to this situation, because a short vector defines the short vector , which is in the lattice defined in (5). This argument is heuristic in nature, so an attacker who finds the closest vector in to has no theoretical guarantee of recovering . We extend this argument to a probabilistic one, which lets us measure the success probability of the attack.
Assumption and Statement of the Main Result.
In order to state our main result, we need the hash function used in DSA to satisfy the following property (which is the case in practice):
Let and be two different messages. The probability of a collision
is assumed to be less than , where is a positive constant that will be defined later.
Under this assumption, we can now state our main result.
Under the notation used above and Assumption 1, there exists such that the probability that is the solution of the closest vector problem with target vector in is greater than .
This is equivalent to saying that when , the attack has a non-negligible probability of success.
We remark that this assumption is not a strong restriction, because the expected collision probability of a good hash function is of order .
Also, although is difficult to evaluate exactly, if for some positive , then when is sufficiently big. This gives a lower bound for the success probability of the algorithm.
Moreover, we conjecture that the value of is close to , so if and the probability of success is greater than .
This theorem can be generalized to the case where each ephemeral key has blocks of fixed bits sharing a total of bits. This case was also considered in Faugere12 with a heuristic approach. Again, in order to obtain a probability of success for the attack, the hash function has to satisfy Assumption 1.
Under the notation used above, and generalizing the attack above to blocks of bits sharing a total of bits, there exist and a probabilistic algorithm, running in polynomial time in the size of the input, that recovers with success probability greater than .
For practical purposes the most interesting case is , so we focus on this case; the proof of the general case follows the same ideas with more technicalities.
3 Short vectors and Discrepancy measures
Coming back to our original problem, we want to prove that the solution of the CVP is in some sense unique, which is related to the norm of the shortest vector in the lattice . This lattice has a vector of norm at most if and only if there exist such that
If were taken uniformly and independently at random in , then the probability of this event would be approximately . More precisely, we have the following result from Nguyen02 .
Lemma 1 (Nguyen02 )
Let be different from zero. Choose integers uniformly and independently at random in . Then with probability all vectors such that are of the form
where and is the maximum of the absolute values of the entries of the vector .
Notice that this requires to be realizations of independent random variables in and, unfortunately, as mentioned in Nguyen02 , this is not necessarily the case. However, if are sufficiently well distributed, then the situation remains the same.
In order to keep the paper self-contained, we recall a way to measure well-distribution through the concept of discrepancy.
Let be a multiset of points contained in the real interval . The discrepancy of the set is defined as
where is the number of points of inside the interval
of volume , and the supremum is taken over all such intervals.
From the definition, it is easy to see that the discrepancy is a number between and . The closer the value is to , the more uniformly is distributed in the unit interval. For more information about discrepancy, see DrTi . We also need the following definition.
A set of integers is -homogeneously distributed modulo if, for any integer coprime with , the discrepancy of the set
is at most .
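The following added Python example (ours, not part of the article) makes the two definitions above concrete. It computes the discrepancy of a finite multiset in the unit interval exactly, via the classical one-dimensional formula over the sorted points, and then evaluates the homogeneity condition by scanning every multiplier coprime with a toy modulus. The prime q = 257 and the sets tested are constructed for the demonstration; one of them, a set of residues whose low bits vary while the higher bits are fixed, has the shape of the ephemeral keys in Section 2 and is used only to show how badly a single multiplier can fail the "for any coprime multiplier" requirement. All names are ours.

```python
from fractions import Fraction
from math import gcd

def discrepancy(points):
    """Exact discrepancy of a finite multiset of points in [0, 1): the supremum over
    intervals [a, b) of |#(points in [a, b)) / N - (b - a)|.  For sorted points
    x_1 <= ... <= x_N this equals 1/N + max_i (i/N - x_i) - min_i (i/N - x_i)
    (the classical one-dimensional formula, see Niederreiter's monograph)."""
    xs = sorted(Fraction(x) for x in points)
    n = len(xs)
    gaps = [Fraction(i, n) - x for i, x in enumerate(xs, start=1)]
    return Fraction(1, n) + max(gaps) - min(gaps)

def scaled_discrepancy(residues, q, lam):
    """Discrepancy in the unit interval of { (lam * s mod q) / q : s in residues }."""
    return discrepancy(Fraction(lam * s % q, q) for s in residues)

def coprime_multipliers(q):
    return [lam for lam in range(1, q) if gcd(lam, q) == 1]

def homogeneity(residues, q):
    """Smallest Delta for which the set is Delta-homogeneously distributed modulo q:
    the largest discrepancy over every multiplier lam coprime with q.  Returns the
    pair (Delta, worst lam); exhaustive, so only sensible for a toy modulus."""
    worst = max(coprime_multipliers(q), key=lambda lam: scaled_discrepancy(residues, q, lam))
    return scaled_discrepancy(residues, q, worst), worst

def mean_scaled_discrepancy(residues, q):
    """Average discrepancy over the same multipliers, for contrast with the worst case."""
    lams = coprime_multipliers(q)
    return sum(scaled_discrepancy(residues, q, lam) for lam in lams) / len(lams)

def fixed_bits_set(high, t):
    """Integers whose t low bits vary freely while all higher bits are fixed to `high`,
    the shape of the ephemeral keys in the implicit-hint scenario of Section 2."""
    return [(high << t) | v for v in range(1 << t)]

# Constructed toy modulus: 257 is prime, so every lam in [1, 256] is coprime with it.
TOY_Q = 257
```

homogeneity(range(1, TOY_Q), TOY_Q) returns (2/257, 1): the set of all nonzero residues is as evenly spread as 256 points can be, and multiplying by any unit only permutes it. homogeneity(fixed_bits_set(3, 4), TOY_Q) returns (1 - 15/257, 1): the sixteen residues 48, ..., 63 lie in an interval of length 15/257, so the multiplier 1 alone already gives a discrepancy close to 1, although mean_scaled_discrepancy over all multipliers is well below 1/2. A fixed-bits set is therefore not Delta-homogeneously distributed for any small Delta; the quantifier over every coprime multiplier in the definition cannot be weakened to "typical" multipliers, which is why the lemmas below need a genuine exponential-sum bound rather than an averaging argument.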
We now state the following lemma from Nguyen02 .
Lemma 2 (Nguyen02 )
Let be different from zero. Choose integers uniformly and independently at random from , which is -homogeneously distributed modulo . Then with probability all vectors such that are of the form
where and is the maximum of the absolute values of the entries of the vector .
To show the limits of the attack, it is necessary to show that the defined in Equation (4) are taken from a homogeneously distributed set. For this reason, we improve (Nguyen02, , lemma 10), which could be of independent interest, and show that the following set,
is -homogeneously distributed.
Fix a real number . Then for any sufficiently big there exists such that, for any of multiplicative order , the set is -homogeneously distributed, provided that the hash function satisfies Assumption 1.
The resulting discrepancy bound, valid for any coprime with , gives a bound for the probability of having a sufficiently short vector. Lemma 3 alone is not sufficient to measure the limits of the attack. It is also important to note that finding the closest vector of a lattice to a given target is an NP-hard problem when the dimension of the lattice is a parameter, so the attacker has to rely on algorithms that only approximate the closest vector when the dimension is large. In particular, he can use a combination of Schnorr's modification schnorr of the LLL algorithm with the result of Kannan kannan to approximate the CVP. We thus have the following result.
There exists a polynomial time algorithm which, given an -dimensional full rank lattice and a vector , finds a vector satisfying the inequality,
where the implied constants are absolute.
This lemma shows that we must also consider the cases where the vector found is not so short, and this is why proving results for small is difficult.
There is also an added difficulty, coming from . Not all the bits of the ephemeral key are taken randomly and independently; indeed, only are taken at random and the rest are fixed. The case of many blocks of shared bits is harder because several blocks of bits are fixed. However, in this case one can still prove a bound for the discrepancy of the set (we note that the are elements of the set plus , reduced modulo , but this does not change the value of the discrepancy). We cite the following lemma without proof because of its independent interest, and mention that it follows the same lines as the previous result.
Fix a real number . Then for any sufficiently big there exists such that, for any of multiplicative order , the set is -homogeneously distributed when is taken with blocks of fixed bits, provided that the hash function satisfies Assumption 1.
As explained above, we focus on the case , and thus we prove this lemma in the next section for .
This result gives useful information whenever the discrepancy of the set is smaller than . We see that if is fixed and and are big enough, then the attack has a high probability of success.
4 Main results
4.1 Exponential Sums and Discrepancy
In this section we study the discrepancy in the unit interval of the set (see the definition in Section 3). Typically, bounds on the discrepancy of a sequence are derived from bounds on exponential sums over the elements of the set. The relation is made explicit by the celebrated Koksma–Szüsz inequality, which we present in the following form.
Lemma 6 (Corollary 3.11, Nied2 )
Let be a set of points in the range such that there exists a real number with the property
for any integer with and . Then the discrepancy satisfies , where
where the implied constant is absolute.
For a positive integer we denote
Notice that for a prime , the function is an additive character of . Exponential sums are well studied and used extensively in number theory, uniform distribution theory and many other areas because of their applications. In the following lemmas we outline several known properties.
Lemma 7 (Exercise 11.a, Chapter 3, vinogradov )
For any set and , the formula
Lemma 8 (Exercise 11.c, Chapter 3, vinogradov )
For any and , , the following inequality
holds, where the implied constant is absolute.
We will need the following version of the Weil bound.
Lemma 9 (morenomoreno )
Let be a non-constant univariate rational function over and let be the number of distinct roots of the polynomial in the algebraic closure of . Then
where indicates that the poles of are excluded from the summation, and if , otherwise and .
In order to prove the main result of this paper, we need to study the number of solutions of the left-hand side of Eq. (1) when has some fixed bits. Nguyen and Shparlinski (Nguyen02, , lemma 8) proved a similar result, but we prove a stronger bound using the following result.
Lemma 10 (Theorem 4.1, garaev2010sums )
Let be a positive integer, and an arbitrary fixed constant. Suppose that are subsets of not containing and satisfying the condition
The following result is a particular case of the one given in (garaev2010sums, , Corollary 4.1), but we prove here an explicit version for this case.
Fix a real number . Then for any sufficiently big and of multiplicative order , the following bound holds,
The proof is just an application of Lemma 10. Fix the value of to and select an integer satisfying
where the inequality on the right has been obtained by substituting and taking logarithms in the equality on the right.
Now, considering and Lemma 10 gives
Now select the minimum integer satisfying . If satisfies , i.e. it is sufficiently big, substituting the minimum value of and gives the result.
The next result is a generalization of a result by Nguyen and Shparlinski (Nguyen02, , lemma 8). In it, we prove an asymptotic bound for the discrepancy of the elements of the multiplicative group generated by for sufficiently big .
Fix a real number . Then for any sufficiently big and of multiplicative order , the number of solutions of the following equation,
where , is , where the implied constant is absolute.
Now we give an upper bound for the following exponential sum
where is defined as,
and are defined in (1). The symbol indicates that the poles are excluded from the summation.
Fix a real number . Then for any sufficiently big and any of multiplicative order , the bound
holds, where the implied constant is absolute.
Taking any integer coprime with and calling the value of the exponential sum, we have
For we denote by the number of with . We also define the integer . Then,
where is the private key, the symbol indicates that the poles are excluded from summation and
Now we apply the Cauchy-Schwarz inequality,
We remark that,
We now bound the other term on the right-hand side of Equation (8).
We write the inner sum in the following way:
Notice that is a rational function in when and are fixed. The function is not constant if , because then has two different poles. If , the sum is constant only in two cases: either or . By Lemma 12, the number of such pairs is . Otherwise, it is easy to see that is not a constant function, so Lemma 9 applies. This gives,
Substituting this estimate in Equation (8) with Equation (9), we get the result.
4.2 Proof of lemma 5 for
Lemma 6 shows the relationship between bounds on exponential sums and bounds on the discrepancy. So our goal is to bound the following exponential sum:
where is the set of integers defined by Equation (3).
Notice that if does not meet the requirements, i.e. it does not have the correct bits fixed, the inner sum is equal to zero. Otherwise, the inner sum is equal to one. Applying the following transformations,
By Lemma 13, we have that
Recalling Lemma 8,
The above bound for the exponential sum and Lemma 6 show that is -homogeneously distributed modulo provided that
4.3 Proof of Theorem 2.1 and some comments
Now we are ready to prove the main result.
Suppose that the attacker has obtained the following messages with their corresponding signatures,
Using this information, the attacker builds the lattice using the rows of the matrix defined in (6) and also the vector defined in (7). The attacker can find a closest vector in to ; suppose that the second component of this vector is . Let be the solution found for the closest vector problem, so the norm of satisfies,
The attack succeeds if every vector in the lattice with norm less than has a zero in its second coordinate. By Lemma 2, the probability of success is greater than if is -homogeneously distributed. Lemma 5 implies that it is possible to take , and this finishes the proof.
5 Experimental results
We have empirically tested the performance of the attack with two parameter sets.
In the first parameter set, the bit size of is and the bit size of is . In the second set, the bit size of is and the bit size of is . For the hash function we have chosen SHA-1, because it was widely used with DSA.
We note that the experimental results are better than what Theorem 2.2 predicts.
The reason is that the lower bound is very pessimistic. Indeed, for we have made the calculations shown in Table 1. The theoretical value of is computed as the minimum value such that
From the empirical results, we make the following conjecture.
Assuming that , then given messages with , the probability of success is greater than .
Table 1:

| Known bits | Mean value of in simulations | Value of by Theorem 2.2 |
|---|---|---|
Figure 1 shows on the abscissa and, on the ordinate, the minimum number of signatures required to recover the ephemeral keys. For each experiment we selected random values of and for , and repeated each experiment times.
We want to thank Igor Shparlinski for his time, ideas and comments during the development of the paper. The research of the first author was supported by the Ministerio de Economia y Competitividad research project MTM2014-55421-P.
- (1) Leonard M. Adleman and Jonathan DeMarrais. A Subexponential Algorithm for Discrete Logarithms over All Finite Fields. In Advances in Cryptology - CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, California, USA, August 22-26, 1993, Proceedings, Lecture Notes in Computer Science, pages 147–158, 1993.
- (2) National Security Agency. Cryptography today.
- (3) Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 1–16, 2014.
- (4) Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange, Kim Nguyen, and Frederik Vercauteren. Handbook of elliptic and hyperelliptic curve cryptography. CRC press, 2005.
- (5) Elke De Mulder, Michael Hutter, Mark E. Marson, and Peter Pearson. Using Bleichenbacher's solution to the Hidden Number Problem to attack nonce leaks in 384-bit ECDSA. In Cryptographic Hardware and Embedded Systems - CHES 2013, pages 435–452. Springer, 2013.
- (6) Elke De Mulder, Michael Hutter, Mark E. Marson, and Peter Pearson. Using Bleichenbacher's solution to the Hidden Number Problem to attack nonce leaks in 384-bit ECDSA: extended version. Journal of Cryptographic Engineering, 4(1):33–45, 2014.
- (7) Claus Diem. On the discrete logarithm problem in elliptic curves II. Algebra and Number Theory, 7(6):1281–1323, 2013.
- (8) Michael Drmota and Robert F. Tichy. Sequences, discrepancies, and applications. Lecture notes in mathematics. Springer, 1997.
- (9) Jean-Charles Faugère, Christopher Goyet, and Guénaël Renault. Attacking (EC)DSA given only an implicit hint. In Selected Areas in Cryptography, 19th International Conference, SAC 2012, Windsor, ON, Canada, August 15-16, 2012, Revised Selected Papers, pages 252–274, 2012.
- (10) Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault. Implicit Factoring with Shared Most Significant and Middle Bits. In Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 70–87. Springer, 2010.
- (11) FIPS. Digital Signature Standard (DSS). National Institute of Standards and Technology (NIST), 1994.
- (12) FIPS. Digital Signature Standard (DSS). National Institute of Standards and Technology (NIST), 2013.
- (13) Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Cryptology ePrint Archive, Report 2015/1022, 2015.
- (14) Mubaris Z. Garaev. Sums and products of sets and estimates of rational trigonometric sums in fields of prime order. Russian Mathematical Surveys, 65(4):599, 2010.
- (15) Daniel Genkin, Adi Shamir, and Eran Tromer. RSA key extraction via low-bandwidth acoustic cryptanalysis. In International Cryptology Conference, pages 444–461. Springer, 2014.
- (16) Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel. On the function field sieve and the impact of higher splitting probabilities - application to discrete logarithms in and. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 109–128, 2013.
- (17) Faruk Göloglu, Robert Granger, Gary McGuire, and Jens Zumbrägel. Solving a 6120-bit DLP on a desktop computer. In Selected Areas in Cryptography - SAC 2013 - 20th International Conference, Burnaby, BC, Canada, August 14-16, 2013, Revised Selected Papers, pages 136–152, 2013.
- (18) Nick Howgrave-Graham and Nigel P. Smart. Lattice Attacks on Digital Signature Schemes. Des. Codes Cryptography, 23(3):283–290, 2001.
- (19) Antoine Joux. Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, pages 177–193, 2013.
- (20) Ravindran Kannan. Algorithmic geometry of numbers. Annual Review of Computer Science, 2(1):231–267, 1987.
- (21) Arjen K. Lenstra, Hendrik W. Lenstra, and László Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261(4):515–534, 1982.
- (22) Alexander May and Maike Ritzenhofen. Implicit factoring: On polynomial time factoring given only an implicit hint. In Public Key Cryptography, volume 5443 of Lecture Notes in Computer Science, pages 1–14. Springer, 2009.
- (23) Carlos Moreno and Oscar Moreno. Exponential sums and Goppa codes: I. Proceedings of the American Mathematical Society, 111:523–531, 1991.
- (24) Phong Q. Nguyen and Igor Shparlinski. The insecurity of the digital signature algorithm with partially known nonces. Journal of Cryptology, 15(3):151–176, 2002.
- (26) Phong Q. Nguyen and Igor Shparlinski. The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography, 30(2):201–217, 2003.
- (27) Phong Q. Nguyen and Brigitte Vallée. The LLL Algorithm. Springer, 2010.
- (28) Harald Niederreiter. Random Number Generation and Quasi-Monte Carlo Methods. CBMS-NSF Regional Conference Series in Applied Mathematics. Society for Industrial and Applied Mathematics, 1987.
- (29) Ronald L. Rivest and Adi Shamir. Efficient factoring based on partial information. In Advances in Cryptology - EUROCRYPT '85, pages 31–34. Springer-Verlag, New York, NY, USA, 1986.
- (30) Santanu Sarkar and Subhamoy Maitra. Further Results on Implicit Factoring in Polynomial Time. Advances in Mathematics of Communications, 3(2):205–217, 2009.
- (31) Claus-Peter Schnorr. Efficient Identification and Signatures for Smart Cards. In Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’89, pages 239–252. Springer-Verlag, 1990.
- (32) Andrew Sutherland. Structure computation and discrete logarithms in finite abelian -groups. Mathematics of Computation, 80(273):477–500, 2011.
- (33) Ivan M. Vinogradov. Elements of Number Theory. Dover Phoenix Editions. Dover, 2003.