Cryptography and Computational Number Theory pp 321-330 | Cite as

# The Dark Side of the Hidden Number Problem: Lattice Attacks on DSA

## Abstract

At Crypto ‘86, Boneh and Venkatesan introduced the so-called hidden number problem: in a prime field ℤ _{ q }, recover a number α such that for many known random *t*, the most significant bits of *t*α are known. They showed that Babai’s LLL-based polynomial-time nearest plane algorithm for approximating the lattice closest vector problem solves the problem with probability at least \(\frac{1}{2}\), provided that the number of bits known (for each *t*α) is greater than \(\sqrt {\log q} + \log \log q\). That result is often cited as the only positive application known in cryptology of the LLL algorithm, because it enables to prove the hardness of the most significant bits of secret keys in Diffie-Hellman and related schemes. The purpose of this short and elementary note is to highlight the fact that the result also has a dark side. Indeed, we remark that the hidden number problem is an idealized version of the problem which HowgraveGraham and Smart recently tried to solve heuristically in their (lattice-based) attacks on DSA and related signature schemes: given a few bits of the random nonces *k* used in sufficiently many DSA signatures, recover the secret key. This suggests to determine what can be achieved in practice, rather than in theory. Since lattice reduction algorithms are known to behave much more nicely than their proved worst-case bounds, we give the number of bits that enables the Boneh-Venkatesan technique to succeed, provided an oracle for the lattice closest vector problem in the Euclidean norm or the infinity norm. An analogous assumption is used in the well-known lattice-based attacks against low-density subset sums. Interestingly, our experiments support our theoretical bounds and improve the experimental bounds of Howgrave-Graham and Smart.

## Keywords

Signature Scheme Plane Algorithm Target Vector Dark Side Lattice Reduction## Preview

Unable to display preview. Download preview PDF.

## References

- [1]L. Babai. On Lovasz lattice reduction and the nearest lattice point problem.
*Cornbinatorica*, 6:1–13, 1986.MathSciNetzbMATHCrossRefGoogle Scholar - [2]D. Bleichenbacher, 1999. Private communication.Google Scholar
- [3]M. Bellare, S. Goldwasser, and D. Micciancio. “Pseudo-random” number generation within cryptographic algorithms: The DSS case. In
*Proc. of Crypto ‘87*, volume 1294 of*LNCS*. IACR, Springer-Verlag, 1997.Google Scholar - [4]D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes. In
*Proc. of Crypto ‘86*. IACR, Springer-Verlag, 1996.Google Scholar - [5]M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms.
*Comput. Complexity*, 2:111–128, 1992.MathSciNetzbMATHCrossRefGoogle Scholar - [6]N.A. Howgrave-Graham and N.P. Smart. Lattice attacks on digital signature schemes. Technical report, HP Labs, 1999. Report HPL-1999–90. To appear in
*Designs, Codes and Cryptography*. Google Scholar - [7]A.K. Lenstra, H.W. Lenstra Jr., and L. Lovész. Factoring polynomials with rational coefficients.
*Mathematische Ann*., 261:513–534, 1982.Google Scholar - [8]A. Menezes, P. Van Oorschot, and S. Vanstone
*. Handbook of Applied Cryptography*. CRC Press, 1997.zbMATHGoogle Scholar - [9]P. Nguyen. Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto ‘87. In
*Proc. of Crypto ‘89*, volume 1666 of*LNCS*, pages 288–304. IACR, Springer-Verlag, 1999.Google Scholar - [10]P.Q. Nguyen and I.E. Shparlinski. The insecurity of the Digital Signature Algorithm with partially known nonces. Manuscript in preparation, 2000.Google Scholar
- [11]P.Q. Nguyen and J. Stern. Lattice reduction in cryptology: An update. In
*Algorithmic Number Theory - Proc. of ANTS-IV*, LNCS. Springer-Verlag, 2000.Google Scholar - [12]H. Ritter. Breaking knapsack cryptosystems by max-norm enumeration. In
*Proc. of Pragocrypt ‘86*, pages 480–492. CTU Publishing House, 1996.Google Scholar - [13]C.P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms.
*Theoretical Computer Science*, 53:201–224, 1987.MathSciNetzbMATHCrossRefGoogle Scholar - [14]C.P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems.
*Math. Programming*, 66:181–199, 1994.MathSciNetzbMATHCrossRefGoogle Scholar - [15]V. Shoup. Number Theory C++ Library (NTL) version 3.7. Available at http://www.shoup.net/nt1/.