Skip to main content
SpringerLink
Log in

DSA Signing Key Recovery with Noisy Side Channels and Variable Error Rates

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2017 (INDOCRYPT 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10698))

Included in the following conference series:

Abstract

The Digital Signature Algorithm (DSA) computes a modular exponentiation with a per-message ephemeral secret. This involves a sequence of modulo square and multiply operations which, if known, enables an adversary to obtain the DSA private key. Cache-based side channel attacks are able to recover only discontiguous blocks of the ephemeral key thanks to the sliding window optimization implemented in many crypto libraries. Further, noisy side channels, rarely addressed in the literature, greatly complicate key retrieval. Through extensive experiments, we obtain estimates of the error rate as a function of block position and size. We demonstrate key retrieval in the presence of noise and model the time complexity of key recovery as a function of error rate. Our model exposes the tradeoff between number of signature operations that need to be monitored and the computational requirements for the attack. By selectively using interior blocks in the ephemeral key, we are able to retrieve the DSA private key with less than half the number of signatures required by previous work that use only the rightmost block.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Typically an attacker obtains a large number of signatures. However only a fraction of these may actually be used in computing the DSA key.

References

  1. FIPS: 186–2. Digital Signature Standard (DSS). National Institute of Standards and Technology (NIST), vol. 20, p. 13 (2000)

    Google Scholar 

  2. Ashokkumar, C., Giri, R.P., Menezes, B.: Highly efficient algorithms for AES key retrieval in cache access attacks. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 261–275. IEEE (2016)

    Google Scholar 

  3. Durfee, G., Nguyen, P.Q.: Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt 1999. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_2

    Chapter  Google Scholar 

  4. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_3

    Chapter  Google Scholar 

  5. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  6. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  7. Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah... Just a Little Bit”: A small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_5

    Google Scholar 

  8. van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 3–21. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_1

    Google Scholar 

  9. Fan, S., Wang, W., Cheng, Q.: Attacking openSSL implementation of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1505–1515. ACM (2016)

    Google Scholar 

  10. Gullasch, D., Bangerter, E., Krenn, S.: Cache games-bringing access-based cache attacks on AES to practice. In: 2011 IEEE Symposium on Security and Privacy (SP), pp. 490–505. IEEE (2011)

    Google Scholar 

  11. Yarom, Y., Falkner, K.: Flush+reload: A high resolution, low noise, L3 cache side-channel attack. In: USENIX Security Symposium, pp. 719–732 (2014)

    Google Scholar 

  12. Pereida García, C., Brumley, B.B., Yarom, Y.: Make sure DSA signing exponentiations really are constant-time. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1639–1650. ACM (2016)

    Google Scholar 

  13. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003)

    Article  MathSciNet  MATH  Google Scholar 

  14. Babai, L.: On lovaszlattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

    Article  MathSciNet  MATH  Google Scholar 

  15. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)

    Article  MathSciNet  MATH  Google Scholar 

  16. Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)

    Article  MathSciNet  MATH  Google Scholar 

  17. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

    Chapter  Google Scholar 

  18. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_11

    Google Scholar 

  19. Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_19

    Chapter  Google Scholar 

  20. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

    Chapter  Google Scholar 

  21. Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! a fast, cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11379-1_15

    Google Scholar 

  22. Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: Armageddon: Cache attacks on mobile devices. In: USENIX Security Symposium, pp. 549–564 (2016)

    Google Scholar 

  23. Lindner, R., Peikert, C.: Better key sizes (and Attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Indian Institute of Technology Bombay, Mumbai, India

    Jiji Angel, R. Rahul, C. Ashokkumar & Bernard Menezes

Authors
  1. Jiji Angel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. R. Rahul
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. C. Ashokkumar
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Bernard Menezes
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jiji Angel .

Editor information

Editors and Affiliations

  1. Indian Institute of Science (IISc), Bengaluru, India

    Arpita Patra

  2. Department of Computer Science, University of Bristol, Bristol, United Kingdom

    Nigel P. Smart

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Angel, J., Rahul, R., Ashokkumar, C., Menezes, B. (2017). DSA Signing Key Recovery with Noisy Side Channels and Variable Error Rates. In: Patra, A., Smart, N. (eds) Progress in Cryptology – INDOCRYPT 2017. INDOCRYPT 2017. Lecture Notes in Computer Science(), vol 10698. Springer, Cham. https://doi.org/10.1007/978-3-319-71667-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-71667-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71666-4

  • Online ISBN: 978-3-319-71667-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation