The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

  • Phong Q. Nguyen
Part of the Progress in Computer Science and Applied Logic book series (PCS, volume 20)


At Crypto '96, Boneh and Venkatesan introduced the so-called hidden number problem: in a prime field ℤ_q, recover a number α such that, for many known random t, the most significant bits of tα are known. They showed that Babai's LLL-based polynomial-time nearest plane algorithm for approximating the lattice closest vector problem solves the problem with probability at least \(\frac{1}{2}\), provided that the number of bits known (for each tα) is greater than \(\sqrt {\log q} + \log \log q\). That result is often cited as the only positive application of the LLL algorithm known in cryptology, because it makes it possible to prove the hardness of the most significant bits of secret keys in Diffie-Hellman and related schemes. The purpose of this short and elementary note is to highlight the fact that the result also has a dark side. Indeed, we remark that the hidden number problem is an idealized version of the problem which Howgrave-Graham and Smart recently tried to solve heuristically in their (lattice-based) attacks on DSA and related signature schemes: given a few bits of the random nonces k used in sufficiently many DSA signatures, recover the secret key. This suggests determining what can be achieved in practice, rather than in theory. Since lattice reduction algorithms are known to behave much better than their proved worst-case bounds, we give the number of bits that enables the Boneh-Venkatesan technique to succeed, provided an oracle for the lattice closest vector problem in the Euclidean norm or the infinity norm. An analogous assumption is used in the well-known lattice-based attacks against low-density subset sums. Interestingly, our experiments support our theoretical bounds and improve on the experimental bounds of Howgrave-Graham and Smart.
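The remark at the heart of the note is that a DSA signature whose nonce has a few leaked most significant bits is literally a hidden number problem sample. The following Python code is an added illustration, not code from the paper: it uses constructed toy DSA parameters (a 31-bit q, far too small for real use), signs with a known secret key, models a leak of the top ℓ bits of each nonce k, and rewrites the signature equation s = k⁻¹(h + xr) mod q as t·x − u ≡ b (mod q) with t = r/s, u = a·2^m − h/s and 0 ≤ b < 2^m, which is exactly "the top bits of t·x mod q are known". It only builds and checks the HNP samples; it does not run a lattice solver. The helper names (`toy_dsa_params`, `leak_msbs`, `hnp_sample`, `build_hnp_instance`) are my own.

```python
"""Rewriting DSA signatures with leaked nonce MSBs as hidden number problem samples.
Added example with constructed toy parameters; not the paper's own code."""
import math
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test; adequate for the toy sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params(q=2**31 - 1):
    """Constructed toy DSA group: prime q (2^31-1 is prime), prime p = 2iq+1, g of order q."""
    i = 1
    while not is_probable_prime(2 * i * q + 1):
        i += 1
    p = 2 * i * q + 1
    for h in range(2, 1000):
        g = pow(h, (p - 1) // q, p)  # order divides q; order is exactly q when g != 1
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def dsa_sign(x, h, k, p, q, g):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    return r, s


def dsa_verify(y, h, r, s, p, q, g):
    w = pow(s, -1, q)
    v = (pow(g, (h * w) % q, p) * pow(y, (r * w) % q, p) % p) % q
    return v == r


def leak_msbs(k, n, ell):
    """Model a leak of the ell most significant of k's n bits: k = a*2^m + b, 0 <= b < 2^m."""
    m = n - ell
    return k >> m, m


def hnp_sample(r, s, h, a, m, q):
    """From k = s^-1 (h + x r) and k = a*2^m + b:  t*x - u = b (mod q), with
    t = r/s and u = a*2^m - h/s. Since 0 <= b < 2^m, the top bits of t*x mod q are known."""
    s_inv = pow(s, -1, q)
    t = (r * s_inv) % q
    u = (a * (1 << m) - h * s_inv) % q
    return t, u


def bv_bits_needed(q):
    """The abstract's threshold sqrt(log q) + log log q, with logarithms base 2."""
    n = math.log2(q)
    return math.sqrt(n) + math.log2(n)


def build_hnp_instance(num_sigs, ell):
    """Sign num_sigs constructed message hashes, leak ell nonce bits each, return (x, q, samples)."""
    p, q, g = toy_dsa_params()
    n = q.bit_length()
    x = secrets.randbelow(q - 1) + 1  # the hidden number: the DSA secret key
    y = pow(g, x, p)
    samples = []
    while len(samples) < num_sigs:
        h = secrets.randbelow(q)          # constructed "message hash"
        k = secrets.randbelow(q - 1) + 1  # per-signature nonce
        r, s = dsa_sign(x, h, k, p, q, g)
        if r == 0 or s == 0:
            continue
        assert dsa_verify(y, h, r, s, p, q, g)
        a, m = leak_msbs(k, n, ell)
        samples.append((t_u := hnp_sample(r, s, h, a, m, q))[0:1] + t_u[1:] + (m,))
    return x, q, samples


def samples_consistent(x, q, samples):
    """Every HNP sample must satisfy 0 <= (t*x - u) mod q < 2^m for the true key x."""
    return all((t * x - u) % q < (1 << m) for t, u, m in samples)


if __name__ == "__main__":
    x, q, samples = build_hnp_instance(num_sigs=10, ell=11)
    print("bits per sample the abstract's bound asks for:", round(bv_bits_needed(q), 2))
    print("all samples consistent with the true key:", samples_consistent(x, q, samples))
```

For this 31-bit q the abstract's threshold works out to about 10.5 known bits per sample, which is why the demo leaks 11; `samples_consistent` also fails for any wrong candidate key with overwhelming probability, which is what makes the lattice search meaningful. The defensive lesson is that the reduction costs nothing: any nonce bias a signer exposes becomes HNP samples immediately, so nonces must be generated uniformly and kept entirely secret.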




References

[1] L. Babai. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 6:1–13, 1986.
[2] D. Bleichenbacher, 1999. Private communication.
[3] M. Bellare, S. Goldwasser, and D. Micciancio. "Pseudo-random" number generation within cryptographic algorithms: The DSS case. In Proc. of Crypto '97, volume 1294 of LNCS. IACR, Springer-Verlag, 1997.
[4] D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc. of Crypto '96. IACR, Springer-Verlag, 1996.
[5] M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Comput. Complexity, 2:111–128, 1992.
[6] N.A. Howgrave-Graham and N.P. Smart. Lattice attacks on digital signature schemes. Technical report, HP Labs, 1999. Report HPL-1999-90. To appear in Designs, Codes and Cryptography.
[7] A.K. Lenstra, H.W. Lenstra Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Ann., 261:513–534, 1982.
[8] A. Menezes, P. Van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[9] P. Nguyen. Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto '97. In Proc. of Crypto '99, volume 1666 of LNCS, pages 288–304. IACR, Springer-Verlag, 1999.
[10] P.Q. Nguyen and I.E. Shparlinski. The insecurity of the Digital Signature Algorithm with partially known nonces. Manuscript in preparation, 2000.
[11] P.Q. Nguyen and J. Stern. Lattice reduction in cryptology: An update. In Algorithmic Number Theory - Proc. of ANTS-IV, LNCS. Springer-Verlag, 2000.
[12] H. Ritter. Breaking knapsack cryptosystems by max-norm enumeration. In Proc. of Pragocrypt '96, pages 480–492. CTU Publishing House, 1996.
[13] C.P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
[14] C.P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming, 66:181–199, 1994.
[15] V. Shoup. Number Theory C++ Library (NTL) version 3.7. Available at

Copyright information

© Springer Basel AG 2001

Authors and Affiliations

Phong Q. Nguyen, Département d'Informatique, École Normale Supérieure, Paris, France
