Generalized attack on ECDSA: known bits in arbitrary positions

Published in: Designs, Codes and Cryptography

Abstract

This work focuses on the generalized model of known bits in ECDSA nonces. We start by recovering the secret key from the middle bits of the nonce, extend the attack to the situation in which multiple bit chunks are known in arbitrary positions, and then translate this information into the extended hidden number problem. The new attack generalizes the lattice-based side-channel attacks on ECDSA and enables an attacker to recover the key from bit-leakage scenarios that conventional models cannot process. We perform simulations and experiments to verify the theoretical estimates of the attack's effectiveness.


Data availability

All data generated or analyzed during this study are included in this published article. Any supporting data is available from the corresponding author on reasonable request.


Funding

The work of Qingfeng Cheng was supported by the National Natural Science Foundation of China under Grant No. 61872449; The work of Jian Weng was supported by National Key Research and Development Plan of China under Grant No. 2020YFB1005600, Major Program of Guangdong Basic and Applied Research Project under Grant No. 2019B030302008, National Natural Science Foundation of China under Grant No. 61825203, Guangdong Provincial Science and Technology Project under Grant Nos. 2017B010111005 and 2021A0505030033, National Joint Engineering Research Center of Network Security Detection and Protection Technology, and Guangdong Key Laboratory of Data Security and Privacy Preserving.

Author information

Corresponding author

Correspondence to Qingfeng Cheng.

Ethics declarations

Competing interest

The authors declare that they have no conflicts of interest regarding this work.

Additional information

Communicated by M. Albrecht.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Cao, J., Weng, J., Pan, Y. et al. Generalized attack on ECDSA: known bits in arbitrary positions. Des. Codes Cryptogr. 91, 3803–3823 (2023). https://doi.org/10.1007/s10623-023-01269-7
