Analysis of the Insecurity of ECMQV with Partially Known Nonces

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2851)

Abstract

In this paper we present the first lattice attack on an authenticated key agreement protocol that does not use a digital signature algorithm to provide the authentication. We present a two-stage attack on the elliptic curve variant of MQV in which one party may recover the other party's static private key from partial knowledge of the nonces used in several runs of the protocol. The first stage reduces the attack to a hidden number problem, which is partially solved by considering a closest vector problem and using Babai's algorithm. This stage is closely related to the attack of Howgrave-Graham, Smart, Nguyen and Shparlinski on DSA, but is complicated by a non-uniform distribution of the multipliers. The second stage recovers the rest of the key using the baby-step/giant-step algorithm or Pollard's Lambda algorithm and runs in time O(q^{1/4}). The attack has been proven to work with high probability and validated experimentally. We have thus reduced the security from O(q^{1/2}) down to O(q^{1/4}) when partial knowledge of the nonces is given.
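The second stage described above, as an added example that is not the paper's code: once the lattice stage has fixed the top half of the bits of the static private key x, the remaining half is an interval of width about q^{1/2}, which baby-step/giant-step searches in about 2·q^{1/4} group operations. A prime-order subgroup of Z_p^* for a constructed safe prime stands in for the elliptic curve group (an assumption; the step count depends only on the group law, not on the group).

```python
import math
import random

# Constructed stand-in for the paper's elliptic curve group: the order-q
# subgroup of Z_p^* for a safe prime p = 2q+1 (BSGS only uses the group law).

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for n > 37, with a fixed seed so the example is deterministic."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(1)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits):
    """Smallest q >= 2^bits with q and 2q+1 prime; returns (p, q, g)."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a square mod p, hence has order q

def bsgs_interval(p, g, h, lo, width):
    """Return (x, ops) with g^x = h mod p and lo <= x < lo + width."""
    m = math.isqrt(width) + 1
    baby = {pow(g, j, p): j for j in range(m)}    # g^j for 0 <= j < m
    giant = pow(g, -m, p)                           # g^{-m}
    gamma = h * pow(g, -lo, p) % p                  # h * g^{-lo}
    for i in range(m + 1):
        if gamma in baby:                           # h*g^{-lo-im} = g^j
            return lo + i * m + baby[gamma], 2 * m
        gamma = gamma * giant % p
    return None, 2 * m

def recover_with_known_top_bits(p, q, g, h, top, known_bits):
    """Stage two: search only the low bits the lattice stage left unknown."""
    shift = q.bit_length() - known_bits
    return bsgs_interval(p, g, h, top << shift, 1 << shift)
```

With a 41-bit q and the top 21 bits known, the search interval has width 2^20 and the recovery costs 2·(2^10 + 1) = 2050 group operations, against roughly 2^20 for a generic square-root attack on the full key.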


References

  1. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)

  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)

  3. Boneh, D., Halevi, S., Howgrave-Graham, N.: The Modular Inversion Hidden Number Problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001)

  4. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)

  5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10, 233–260 (1997)

  6. Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Designs, Codes and Cryptography 23, 283–290 (2001)

  7. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography (to appear)

  8. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)

  9. Merkle, R., Hellman, M.: Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory IT-24, 525–530 (1978)

  10. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the Digital Signature Algorithm with partially known nonces. J. Cryptology 15, 151–176 (2002)

  11. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces. Designs, Codes and Cryptography (to appear)

  12. Nguyen, P.Q., Stern, J.: Lattice reduction in cryptology: An update. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 85–112. Springer, Heidelberg (2000)

  13. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp. 32, 918–924 (1978)

  14. Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)

  15. Shamir, A.: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In: Proc. of 23rd FOCS, pp. 145–152. IEEE, Los Alamitos (1982)

  16. de Weger, B.M.M.: Solving exponential diophantine equations using lattice basis reduction algorithms. J. Number Theory 26, 325–367 (1987)

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Leadbitter, P.J., Smart, N.P. (2003). Analysis of the Insecurity of ECMQV with Partially Known Nonces. In: Boyd, C., Mao, W. (eds) Information Security. ISC 2003. Lecture Notes in Computer Science, vol 2851. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10958513_19

  • DOI: https://doi.org/10.1007/10958513_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20176-2

  • Online ISBN: 978-3-540-39981-0

  • eBook Packages: Springer Book Archive