Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies

  • Joachim Breitner
  • Nadia HeningerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)


In this paper, we compute hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH, and HTTPS private keys by carrying out cryptanalytic attacks against digital signatures contained in public blockchains and Internet-wide scans. The ECDSA signature algorithm requires the generation of a per-message secret nonce. If this nonce is not generated uniformly at random, an attacker can potentially exploit this bias to compute the long-term signing key. We use a lattice-based algorithm for solving the hidden number problem to efficiently compute private ECDSA keys that were used with biased signature nonces due to multiple apparent implementation vulnerabilities.


Hidden number problem ECDSA Lattices Bitcoin Crypto 



We thank Luke Valenta and Zakir Durumeric for help in updating ZGrab and Censys to collect HTTPS and SSH signature hashes, Tanja Lange for the reference on the surprisingly small binary representation of \(k = 1/2\) in secp256k1, and Greg Maxwell and Dan Brown for insightful comments on the preprint. Much of the work for this paper was done while the authors were at the University of Pennsylvania. This work was supported by the National Science Foundation under grants no. CNS-1651344 and CNS-1513671. We are grateful to Cisco for donating much of the computing cluster used to carry out our computations.


  1. 1.
    The most repeated r value on the blockchain (2015).
  2. 2.
    Bitcoin wiki: Address reuse (2018).
  3. 3.
    Akavia, A.: Solving hidden number problem with one bit oracle and advice. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 337–354. Springer, Heidelberg (2009). Scholar
  4. 4.
    Bartoletti, M., Lande, S., Pompianu, L., Bracciali, A.: A general framework for blockchain analytics. In: Proceedings of the 1st Workshop on Scalable and Resilient Infrastructures for Distributed Ledgers, SERIAL 2017, pp. 7:1–7:6. ACM, New York (2017).
  5. 5.
    Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh aah... just a little bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014). Scholar
  6. 6.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). Scholar
  7. 7.
    Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic curve cryptography in practice. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 157–175. Springer, Heidelberg (2014). Scholar
  8. 8.
    Brengel, M., Rossow, C.: Identifying key leakage of bitcoin users. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 623–643. Springer, Cham (2018). Scholar
  9. 9.
    Brown, D.R.L.: SEC 2: Recommended elliptic curve domain parameters (2010).
  10. 10.
    Buterin, V.: Ethereum: a next-generation smart contract and decentralized application platform (2013).
  11. 11.
    Castellucci, R., Valsorda, F.: Stealing bitcoin with math (2016).
  12. 12.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). Scholar
  13. 13.
    Courtois, N.T., Emirdag, P., Valsorda, F.: Private key recovery combination attacks: on extreme fragility of popular bitcoin key management, wallet and cold storage solutions in presence of poor RNG events. Cryptology ePrint Archive, Report 2014/848 (2014).
  14. 14.
    Dall, F., et al.: Cachequote: efficiently recovering long-term secrets of SGX EPID via cache attacks. IACR Trans. Cryptogr. Hardware Embed. Syst. 2018(2), 171–191 (2018).
  15. 15.
    De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 435–452. Springer, Heidelberg (2013). Scholar
  16. 16.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol. IETF RFC RFC5246 (2008)Google Scholar
  17. 17.
    Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: A search engine backed by internet-wide scanning. In: 22nd ACM Conference on Computer and Communications Security, October 2015Google Scholar
  18. 18.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium, August 2012Google Scholar
  19. 19.
    Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signatureschemes. Des. Codes Crypt. 23(3), 283–290 (2001). Scholar
  20. 20.
    Klyubin, A.: Some SecureRandom thoughts, August 2013.
  21. 21.
    Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Michaelis, K., Meyer, C., Schwenk, J.: Randomly failed! The state of randomness in current Java implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 129–144. Springer, Heidelberg (2013). Scholar
  23. 23.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2009).
  24. 24.
    National Institute of Standards and Technology: FIPS PUB 180-2: Secure Hash Standard, August 2002Google Scholar
  25. 25.
    National Institute of Standards and Technology: FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013Google Scholar
  26. 26.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003). Scholar
  27. 27.
    Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006). Scholar
  28. 28.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). In: Mathematics of Computation, vol. 32 (1978)Google Scholar
  29. 29.
    Pornin, T.: Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA) (2013).
  30. 30.
    rico666: Large bitcoin collider.
  31. 31.
    Schnorr, C.P.: A hierarchy of polynomial time lattice basis reductionalgorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987). Scholar
  32. 32.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994). Scholar
  33. 33.
    Schwartz, D., Youngs, N., Britto, A.: The Ripple protocol consensus algorithm (2014). Accessed 08 Aug 2016
  34. 34.
    Shanks, D.: Class number, a theory of factorization, and genera. In: Proceedings of Symposia in Pure Mathematics, vol. 20, pp. 41–440 (1971)Google Scholar
  35. 35.
    Blockchain Team: Android wallet security update.
  36. 36.
    The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.1) (2017).
  37. 37.
    Valsorda, F.: Exploiting ECDSA failures in the bitcoin blockchain. Hack In The Box (HITB) (2014)Google Scholar
  38. 38.
    Ylonen, T., Lonvick, C.: The Secure Shell (SSH) transport layer protocol.IETF RFC 4253 (2006)Google Scholar

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.DFINITY FoundationZugSwitzerland
  2. 2.University of CaliforniaSan DiegoUSA

Personalised recommendations