Journal of Cryptographic Engineering

, Volume 4, Issue 1, pp 33–45 | Cite as

Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version

  • Elke De MulderEmail author
  • Michael Hutter
  • Mark E. Marson
  • Peter Pearson
CHES 2013


In this paper, we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4,000 signatures.


Side channel analysis ECDSA Modular inversion  Hidden number problem Bleichenbacher FFT LLL  BKZ 



We would like to thank Pankaj Rohatgi and Mike Hamburg for many fruitful discussions and valuable suggestions.


  1. 1.
    Minutes from the IEEE P1363 Working Group for Public-Key Cryptography Standards, November 15 (2000)Google Scholar
  2. 2.
    ANSI X9.62:2005: Public key cryptography for the Financial Services Industry, The elliptic curve digital signature algorithm (ECDSA) (2005)Google Scholar
  3. 3.
    Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)CrossRefzbMATHMathSciNetGoogle Scholar
  4. 4.
    Bleichenbacher, D.: On the generation of one-time keys in DL signature schemes. Presentation at IEEE P1363 Working Group meeting, November (2000)Google Scholar
  5. 5.
    Bleichenbacher, D.: On the generation of DSA one-time keys. Presentation at cryptography research Inc., San Francisco, CA (2007)Google Scholar
  6. 6.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie–Hellman and related schemes. In Koblitz, N. (ed.) CRYPTO 1996, volume 1109 of LNCS, pp. 129–142 (1996)Google Scholar
  7. 7.
    D. Cadé, Pujol, X., Stehlé, D.: fplll-4.0.1 Lattice Reduction Library (2012)Google Scholar
  8. 8.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski B.S. Jr., Koç, Ç.K., Paar, C. (eds.) CHES 2002, volume 2523 of LNCS, pp 13–28. Springer, New York (2002)Google Scholar
  9. 9.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: ASIACRYPT, volume 7073 of Lecture Notes in Computer Science, pp 1–20. Springer (2011)Google Scholar
  10. 10.
    Hachez, G., Quisquater, J.-J.: Montgomery exponentiation with no final subtractions: improved results. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000, volume 1965 of LNCS, pp. 91–100. Springer (2000)Google Scholar
  11. 11.
    Hamburg M.: Fast and compact elliptic-curve cryptography. IACR Cryptology ePrint Archive 309 (2012)Google Scholar
  12. 12.
    Hedabou, M., Pinel, P., Beneteau, L.: A comb method to render ECC resistant against side channel attacks. IACR Cryptology ePrint Archive 342 (2004)Google Scholar
  13. 13.
    Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (August 2001)Google Scholar
  14. 14.
    Hutter, M., Medwed, M., Hein, D., Wolkerstorfer, J.: Attacking ECDSA-enabled RFID devices. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds) ACNS 2009, volume 5536 of LNCS, pp 519–534. Springer (2009)Google Scholar
  15. 15.
    Joye, M., Tunstall, M.: Exponent recoding and regular exponentiation algorithms. In: Preneel B. (ed.) AFRICACRYPT 2009, volume 5580 of LNCS, pp 334–349 (2009)Google Scholar
  16. 16.
    Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed) CRYPTO 1996, volume 1109 of LNCS, pp 104–113. Springer (1996)Google Scholar
  17. 17.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed) CRYPTO 1999, volume 1666 of LNCS, pp 388–397 (1999) Google Scholar
  18. 18.
    Lenstra, A.K., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed) Topics in cryptology-CT-RSA 2013, volume 7779 of LNCS, pp 293–309. Springer (2013)Google Scholar
  20. 20.
    Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) brainpool standard curves and curve generation. RFC 5639 (Informational), March (2010)Google Scholar
  21. 21.
    Naccache, D., Nguyen, P.Q., Tunstall, M., Whelan, C.: Experimenting with faults, lattices and the DSA. In: Vaudenay, S. (ed) PKC 2005, volume 3386 of LNCS, pp 16–28. Springer, New York (2005)Google Scholar
  22. 22.
    National Institute of Standards and Technology (NIST). FIPS-186-2 (+Change Notice): Digital Signature Standard (DSS), January 2000. Available online at
  23. 23.
    Nguyen, P.Q., Shparlinski, I.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002)CrossRefzbMATHMathSciNetGoogle Scholar
  24. 24.
    Nguyen, P.Q., Shparlinski, I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30(2), 201–217 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  25. 25.
    Quisquater, J.-J., Koene, F.: DSA security evaluation of the signature scheme and primitive. Technical report, Math RiZK, K2Crypt, February (2002)Google Scholar
  26. 26.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)CrossRefzbMATHMathSciNetGoogle Scholar
  27. 27.
    Shoup, V.: NTL: a library for doing number theory (2012)Google Scholar
  28. 28.
    Vaudenay, S.: Evaluation report on DSA. IPA work delivery 1002 (2001)Google Scholar
  29. 29.
    Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electron. Lett. 35, 1831–1832 (1999)CrossRefGoogle Scholar
  30. 30.
    Walter, C.D., Thompson, S.: Distinguishing exponent digits by observing modular subtractions. In: Naccache, D. (ed) CT-RSA 2001, volume 2020 of LNCS, pp 192–207. Springer, New York (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Elke De Mulder
    • 1
    Email author
  • Michael Hutter
    • 2
  • Mark E. Marson
    • 1
  • Peter Pearson
    • 1
  1. 1.Cryptography Research, Inc.San FranciscoUSA
  2. 2.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations