Keywords

1 Introduction

Since the introduction of the ElGamal signature scheme [6], many works have been devoted to design digital signatures and identification schemes, based on the discrete logarithm problem in a finite cyclic group \(\mathbb {G}\) of order q (e.g. [14]). After Schnorr’s proof of knowledge for discrete logarithms in groups of known prime order [22] (that can be used as an interactive identification scheme or be converted into a digital signature scheme using the Fiat-Shamir paradigm [8]), many other signature schemes have been designed, including the standard DSA [17]. Another variant, proposed by Girault [9] and further analysed by Poupard and Stern [10, 21] – called GPS – allows to use groups of unknown order.

All these signature and identification schemes perform randomized authentication: they use a nonce (or ephemeral key) r in \(\{0,1,\ldots ,q - 1\}\) for each message (or identification session) and compute \(g^r\) with g some generator of \(\mathbb {G}\). These random nonces can be generated using either a (true) random number generator or a pseudo-random one. Obviously extreme care is required in sampling such nonces since a predictable (or reused) output of the (pseudo)random generator may lead to a total break of the scheme. As an example, Bellare, Goldwasser and Micciancio mounted [2] a polynomial time key-recovery attack against the DSA signature scheme when the random nonces are generated using a (truncated) linear congruential generator. In [5], Bleichenbacher found a bias in the original DSA pseudorandom number generator specification, that could reveal the signer’s private key and this attack was made practical recently [16].

Using side-channel attacks, partial information can be obtained on the nonce r from the run of the algorithm that computes \(g^r\). In [15], Kuwakado and Tanaka proposed a polynomial-time algorithm that recovers the signer’s private key given only two signatures with nonces smaller than \(\sqrt{q}\) or where half of the nonces’ bits are known to the adversary. Nguyen and Shparlinski [18] presented a polynomial-time algorithm that recovers the secret key of the signer when a few consecutive bits of the nonces are known for several signatures. Their algorithm runs in polynomial time when approximately \(\sqrt{\log q}\) bits are known for a number of signatures in \(O(\log q)\). Note that in practice, side-channel attacks will not generally reveal consecutive bits of the nonces used. Moreover, if countermeasures are used, only noisy information on the secrets may leak through power consumption (or other side-channel attacks) and an adversary may obtain partial information on the nonces (but not with perfect certainty).

In [11], it was reported that memory persistence times can be increased with simple cooling techniques and that an attacker with physical access to a machine may be able to recover some random part of cryptographic key information. Motivated by this work, Heninger and Shacham presented in [13] a new method for recovering RSA private keys given a fraction of private data (see also [20]). Their method succeeds with good probability in quadratic time if a fraction of at least 0.27 of the private key bits are known with certainty. In [12], Henecka, May and Meurer addressed the situation where no RSA private key bits are known with certainty but where a candidate for each secret key bit is known to the adversary in such a way that most bits are correct but some of them (unknown to the adversary) are flipped (in a symmetric way). In [19], Paterson, Polychroniadou and Sibborn brought a coding-theoretic viewpoint to bear on this problem. In particular, they highlighted the fact that the papers [12, 13] considered the problem of error-correcting noisy RSA private keys in the binary erasure channel and the binary symmetric channel (respectively). This coding-theoretic viewpoint enabled them to design a new algorithm in another channel model more relevant for the so-called “cold-boot attacks” from [11] and to derive bounds on the performance of the proposed algorithms.

Contributions of the Paper. We propose attacks on discrete-logarithm based authentication schemes where an adversary has some information on the nonces used in the signature generation or in some identification sessions. This information may come from the use of a biased (pseudo)random generator, a side-channel attack or a cold-boot attack. Using the coding-theoretic viewpoint from [19], we consider the following two scenarios:

  • erasure correction scenario: we assume that some bits of the nonces are known exactly by the adversary, while no information at all is known about the other bits. This is defined in terms of a parameter \(\delta \) representing the fraction of erasures. In standard coding terminology, this corresponds to an erasure model for errors, and an erasure channel.

  • error correction scenario: we assume that all bits of the nonces are obtained from the correct ones by independent bit flipping with probability defined by a parameter also denoted \(\delta \). In coding-theoretic terms, this corresponds to a (memoryless) binary symmetric channel with crossover probability \(\delta \).

Our attacks apply to discrete-logarithm based authentication schemes where the “authentication relation” holds over the integers (instead of modulo the group order q). In particular, they can be applied readily to the GPS identification and the GPS signature schemes. However, they can also be mounted against Schnorr identification protocol if the adversary is first allowed to interact with the prover in a “dishonest” way before trying to impersonate her. In this active attack model [4, 7], which is the standard de facto security notion, an adversary can simply choose small challenges in the identification session in order to obtain an authentication relation that holds over the integers (after a small brute force search of the size of the chosen challenge).

In the erasure correction scenario, we provide an algorithm that, given t signatures or identification sessions (with \(t \ge 2\)) and partial information on the corresponding nonces with a fraction of erasures \(\delta \simeq \ln (2)/t\), recovers the corresponding secret key in (heuristic) quadratic time. The algorithm recovers the nonces bit-by-bit, starting from the least significant bit to the most significant one, by growing a search tree and pruning it to remove partial solutions which do not match the known key bits. The algorithm is similar to the one proposed in [13] but works for any \(t \ge 2\) and requires a more complex analysis. We implemented it and performed extensive experiments; in particular, we attack a 128-bit security level instantiation of GPS signature scheme that uses 512-bit nonces [10, 21] with \(\delta \simeq 1/512\) (i.e. with on average only one nonce bit known for each signature). Our analysis guarantees that the private key can be recovered given only 710 signatures and a very naive implementation actually gives the secret key in a few minutes. In the error correction scenario, we provide an algorithm that, given t signatures or identification sessions (with \(t \ge 2\)) and partial information on the corresponding nonces with a fraction of errors \(\delta \simeq 1/2 - \sqrt{{\ln (2)}/{2t}}\), recovers the corresponding secret key in (heuristic) quadratic time. We implemented our algorithm and performed extensive experiments using it. The attack analysis is simpler and follows closely the one presented in [12].

2 Preliminaries

Schnorr Identification. Let \(\mathbb {G} = \langle g \rangle \) be a group of (known) prime order q and P and V denote a prover and a verifier. By engaging in the protocol, P proves to V that she knows the discrete logarithm x of a public group element \(y = g^x\). The protocol has three simple moves:

  • Commitment. P selects a random \(r \in \{0,1, \ldots ,q-1\}\) and sends \(k = g^r\) to V.

  • Challenge. V picks a random \(c \in \{0,1, \ldots ,q-1\}\) and sends c to P.

  • Response. P computes and sends \(s = r+c x\hbox { mod }q\) to V.

Eventually, V checks that \(g^s\cdot y^{-c} = k\) and recognizes that P knows x if the equality holds. Schnorr’s scheme is one of the most important ingredients in the design of cryptographic protocols and proofs of knowledge. It readily gives rise to an identification scheme where P proves her knowledge of the discrete logarithm of her public key.

The strongest form of attack against an identification scheme is an active attack, where the adversary (that wants to impersonate P) interacts with P, posing as V, but not necessarily following V’s protocol. Since active attacks are quite feasible in practice, this model has become the standard de facto security notion for identification scheme. In [4], Bellare and Palacio proved that Schnorr identification scheme is secure against active attacks assuming the one-more discrete logarithm assumption in \(\mathbb {G}\) (see [3]).

GPS Identification and Signature Scheme. The GPS schemes were proposed by Girault in [9] and further analysed by Poupard and Stern [10, 21]. The schemes are similar to Schnorr’s but allow to use groups of unknown order. Given a group \(\mathbb {G} = \langle g \rangle \) generated by g, of (possibly) unknown order and three parameters \(R,S,C \in \mathbb {N}\), the protocol has three simple moves to prove the knowledge of \(x \in \{0, \ldots ,S\}\) such that \(y = g^x\):

  • Commitment. P selects a random \(r \in \{0,1, \ldots ,R\}\) and sends \(k = g^r\) to V.

  • Challenge. V picks a random \(c \in \{0,1, \ldots ,C\}\) and sends c to P.

  • Response. P computes and sends \(s = r+c x\) to V.

Eventually, V checks that \(g^s = k y^{c}\) and recognizes that P knows x if the equality holds and \(s \in \{0,1, \ldots , R + CS \}\). GPS signature scheme is derived from the identification scheme using the Fiat-Shamir heuristic [8]: to sign a message \(m \in \{0,1\}^*\), the signer selects a random \(r \in \{0,1, \ldots ,R\}\), computes \(k = g^r\), computes \(c = \mathcal {H}(m,k)\) where \(\mathcal {H} : \{0,1\}^* \longrightarrow \{0,1, \ldots ,C\}\) is a cryptographic hash function and outputs the pair (sc) where \(s = r+c x\) as the signature of the message m. The security of the signature scheme against existential forgeries under chosen message attacks was proven (when \(\mathcal {H}\) is modelled as a random oracle) in [10] under the assumption that computing discrete logarithms in \(\mathbb {G}\) with exponents in \(\{0,1, \ldots ,S\}\) is hard. For a k-bit security level, the analysis requires to use \(S \simeq 2^{2k}\), \(C \simeq 2^k\) and \(R \simeq 2^{4k}\).

Authentication Relation. In the following, we call the authentication relation of a discrete-logarithm based authentication scheme, the relation used in the Response phase of the three-move identification scheme (or in the signature generation protocol). Our attacks apply to all discrete-logarithm based authentication scheme for which this authentication relation holds over the integers. This is obviously the case for GPS identification and signature schemes. However, our attack also applies to Schnorr identification if one considers an adversary allowed to mount an active attack and that has access to partial information on the nonce bits used in the different identification sessions. Such an adversary posing as V can indeed pick small challenges c (e.g. always \(c = 1\)). Since we have \(s = r + c x\,\hbox {mod}\, q\) in Schnorr identification scheme, we obtain \(s = r + c x + \alpha q\), where \(\alpha \in \mathbb {Z}_-\) and \(\vert \alpha \vert \le c\). By performing an exhaustive search on the small set of values for \(\alpha \) (e.g. \(\alpha \in \{-1,0\}\) when \(c = 1\)), the adversary obtains an authentication relation that holds over the integers.

Note that for all these discrete-logarithm based schemes, the knowledge of the random values generated during the signature process/identification session provides precious information on the signer’s secret key. In particular, if an adversary is given access to a valid signature/identification transcript \(\sigma =(s,c)\) (possibly for some message m), and to the nonce r such that \(g^s = g^r y^{c}\) then he can retrieve the value of the signer’s secret key x in polynomial time. Therefore, in the following, we will focus on attacks that aim to recover a complete nonce from partial information on nonces used in several signatures/identification sessions.

3 Erasure Correction Scenario

In this section, we focus on the erasure correction scenario described in the introduction where part of the bits of the random value r generated during the signature process are revealed to the attacker. To be more precise, we denote the binary decomposition of r as \(r_{0} + r_{1} 2^1 + \cdots + r_{n-1} 2^{n-1}\) and we introduce a parameter \(\delta \), with \(0 \le \delta \le 1\), to define the probability that, at a given position \(i \in \{0, \ldots ,n-1\}\), the bit \(r_i\) is known to the adversary (and probability \((1-\delta )\) that bit \(r_i\) is unknown).

Assuming that t signatures have been processed, we determine a lower-bound on \(\delta \) allowing the attacker to fully recover the secret key x in (heuristic) polynomial time. We focus on the particular case of the GPS signature scheme, but as explained previously any other signature or identification scheme using authentication relations defined over the integers can be attacked similarly. In the following we first focus on the simple case of two signatures, and then generalize the study for a higher number of signatures.

3.1 The Attack Knowing Two Signatures

We assume that the adversary is given access to two valid signatures \(\sigma _1=(s_1,c_1)\) and \(\sigma _2=(s_2,c_2)\), respectively related to the messages \(m_1\) and \(m_2\). According to the description of the GPS scheme, provided in Sect. 2, the following relations hold:

$$\begin{aligned} s_1 = r_1 + c_1 x \hbox { and } s_2 = r_2 + c_2 x \end{aligned}$$
(1)

where \(r_1\) and \(r_2\) are nonces generated during the signature process and \(c_i = \mathcal {H}(m_i,g^{r_i})\) (for \(i \in \{1,2\}\)). Eliminating the unknown x in (1), we get:

$$\begin{aligned} C= r_1 c_2 - r_2 c_1 \end{aligned}$$
(2)

where \(C = s_1 c_2 - s_2 c_1\). Our algorithm will construct all pairs \((\upvartheta _1,\upvartheta _2)\) that satisfy (2) and match the known partial information on \((r_1,r_2)\) - in the sequel we denote as \(\mathcal {L}\) the list of such elements - and eventually, select, among them, the one that verifies the relations (1).

General Idea. Following [13], our method to construct the set \(\mathcal {L}\) consists in performing an exhaustive search on all pairs \((\upvartheta _1,\upvartheta _2)\) satisfying Eq. (2), guessing each of their bits from the least significant one to the most significant, and detecting invalid candidates during the process. Given a pair \((\upvartheta _1,\upvartheta _2)\) for which the relation (2) holds, if we denote \(\upvartheta _{\alpha }^{(i)} = \upvartheta _{\alpha ,0} + 2 \upvartheta _{\alpha ,1} + \ldots + \upvartheta _{\alpha ,i} 2^i\) where \(\upvartheta _{\alpha }^{(i)} = \upvartheta _\alpha \hbox {mod }2^{i+1}\) and \(\upvartheta _{\alpha ,j} \in \{0,1\}\) for \(\alpha \in \{1,2\}\) and \(j \in \{0, \ldots ,i\}\), we get:

$$\begin{aligned} \left\{ \begin{array}{rcl} C &{}=&{} \upvartheta _{1,0} c_2 - \upvartheta _{2,0} c_1 \mod 2 \\ C &{}=&{} (\upvartheta _{1,0} + 2 \upvartheta _{1,1} ) c_2 - (\upvartheta _{2,0} + 2 \upvartheta _{2,1} ) c_1 \mod 2^2 \\ &{} \vdots &{} \\ C &{}=&{} (\sum \nolimits _{i=0}^{n-1} \upvartheta _{1,i} 2^{i}) c_2 - (\sum \nolimits _{i=0}^{n-1} \upvartheta _{2,i} 2^{i}) c_1 \mod 2^n \end{array} \right. \end{aligned}$$
(3)

Thus one can verify, at each step of the bit generations of \(\upvartheta _{1,i}\) and \(\upvartheta _{2,i}\), for i from 0 to \((n-1)\), whether the equation modulo \(2^{i+1}\) of System (3) holds for the pair. If not, the corresponding bit-values for \((\upvartheta _{1,i},\upvartheta _{2,i})\) are not kept as valid ones in the sequel of the bit-generations of \((\upvartheta _{1,j},\upvartheta _{2,j})\) for j going from \((i+1)\) to \((n-1)\). This technique allows to reduce the size of the list \(\mathcal {L}\) containing all final potential candidates \((\upvartheta _1,\upvartheta _2)\). In the following, we show that, in fact, this method leads to a polynomial time algorithm.

Description of the Technique. Let us now explain how to construct the list \(\mathcal {L}\). In the analysis that follows, we use the notation \(\mathcal {L}^{(k)}\) to refer to the state of list \(\mathcal {L}\) at step k of the algorithm. Such a list will be defined as containing elements \((\upvartheta _1,\upvartheta _2)\) that are reduced modulo \(2^{k+1}\).

The basic principle of the algorithm can be sum up that way: the list \(\mathcal {L}^{(0)}\) is first initialized with all pairs of bits \((\upvartheta _{1,0},\upvartheta _{2,0})\) that satisfy Eq. 1 of System (3) modulo 2 and that coincide with the bit-values preliminary known by the adversary on \(r_1\) and \(r_2\). All pairs \((\upvartheta _{1,0},\upvartheta _{2,0})\) in \(\mathcal {L}^{(0)}\) are then lifted to construct values modulo \(2^2\). To do so, one has to generate all possible values for pairs of bits \((\upvartheta _{1,1},\upvartheta _{2,1})\) (which again coincide with the bits known by the adversary on \(r_{1,1}\) and \(r_{2,1}\)) and to construct \(\upvartheta _1^{(1)}\) and \(\upvartheta _2^{(1)}\) respectively as \(\upvartheta _{1,0}+2\upvartheta _{1,1}\) and \(\upvartheta _{2,0}+2 \upvartheta _{2,1}\). From now the obtained values \((\upvartheta _1^{(1)},\upvartheta _2^{(1)})\) are checked to determine whether they satisfy Eq. 2 of System (3) modulo \(2^2\). In case of an invalid answer, the corresponding bit-values for \((\upvartheta _{1,1},\upvartheta _{2,1})\) are evicted and all remaining valid pairs \((\upvartheta _{1}^{(1)},\upvartheta _2^{(1)})\) are put in \(\mathcal {L}^{(1)}\). The process then continues from a bit-position i to the following one, taking all pairs \((\upvartheta _1^{(i)},\upvartheta _2^{(i)})\) belonging to \(\mathcal {L}^{(i)}\) at step i, lifting them by generating all possible bit-pairs \((\upvartheta _{1,i+1},\upvartheta _{2,i+1})\) that coincide with the known bits on \(r_{1,i+1}\) and \(r_{2,i+1}\) and by creating new values \(\upvartheta _1^{(i+1)}=\upvartheta _1^{(i)}+2^{i+1} \upvartheta _{1,i+1}\) and \(\upvartheta _2^{(i+1)}=\upvartheta _2^{(i)}+ 2^{i+1} \upvartheta _{2,i+1}\), and checking whether Equation \((i+2)\) of System (3) is satisfied modulo \(2^{i+2}\). Again, invalid solutions are evicted and the remaining pairs constitute the set \(\mathcal {L}^{(i+1)}\). The algorithm finally stops when i equals n. A description of the whole process is provided in Algorithm 1.

figure a

Complexity Analysis. Estimating the overall complexity of Algorithm 1 can be reduced to the cost of constructing the list \(\mathcal {L}^{(n-1)}\). Since this list has been built recursively from the previous ones \(\mathcal {L}^{(n-2)}, \mathcal {L}^{(n-3)}, \ldots , \mathcal {L}^{(0)}\), we have to evaluate the expected cardinal of all \(\mathcal {L}^{(i)}\) for i going from 0 to \((n-1)\) (denoted \(\mathcal {N}^{(i)}\)).

Let us first count the number of elements belonging to \(\mathcal {L}^{(0)}\). By definition, this list contains all bit pairs \((\upvartheta _{1,0},\upvartheta _{2,0})\) coinciding with the (possible) knowledge of \((r_{1,0},r_{2,0})\) and satisfying Eq. (1) of System (3). In fact, the number of solutions to that equation strongly relies on the parity of both \(c_1\) and \(c_2\). Indeed, two even values would give four pairs of solutions (in the general case) opposed to only two for odd values \(c_1\) and \(c_2\). For this reason, we have to split the analysis that follows in two scenarios, depending on the 2-adic valuationFootnote 1 of both \(c_1\) and \(c_2\). In the sequel, we denote as \(\ell _1\) (resp. \(\ell _2\)) the 2-adic valuation of \(c_1\) (resp. \(c_2\)).

  • First analysis when \(\varvec{\ell }_\mathbf{1} \varvec{=\ell }_\mathbf{2}\)

Before coming back to the evaluation of the cardinality of the list \(\mathcal {L}^{(0)}\), let us first see how the relation \(\ell _1=\ell _2\) impacts the shape of the equations belonging to System (3). When \(\ell _1\) and \(\ell _2\) are equal, Eq. (2) can be simplified by dividing both sides of the equality by \(2^{\ell _1}\). Indeed as this can be done for \(c_1\) and \(c_2\), this is obviously also the case for C. Thus, the shape of the relation does not change and the new obtained constants \(c_1/2^{\ell _1}\) and \(c_2/2^{\ell _1}\) are odd. In the following, for the sake of simplicity (and as this does not change the analysis, at the cost of renaming the variables), we still work with Eq. (2) (and thus with System (3)) but assuming that the constants \(c_1\) and \(c_2\) are odd.

From now on, one can easily describe the elements that belong to \(\mathcal {L}^{(0)}\) as bit-values of the form \((\upvartheta _{1,0},\upvartheta _{2,0})\) satisfying \( C=\upvartheta _{1,0} + \upvartheta _{2,0} \mod 2 \), and such that \((\upvartheta _{1,0},\upvartheta _{2,0})\) coincide with possible knowledge of \((r_{1,0},r_{2,0})\). This description allows to evaluate \(\mathcal {N}^{(0)}\), see Lemma 1 (a proof can be found in the full version of the paper [1]).

Lemma 1

We have \(\mathcal {N}^{(0)} = \delta ^2 - 2 \delta + 2\).

We now have to find, for a fixed i between 1 and \((n-1)\), an expression of \(\mathcal {N}^{(i)}\) in function of \(\mathcal {N}^{(i-1)}\). By definition \(\mathcal {L}^{(i)}\) can be described as the set of elements \((\upvartheta _{1}^{(i)},\upvartheta _{2}^{(i)})\) defined as \(\upvartheta _{1}^{(i)}=\upvartheta _{1}^{(i-1)} + 2^i \upvartheta _{1,i}\) and \(\upvartheta _{2}^{(i)}=\upvartheta _{2}^{(i-1)} + 2^i \upvartheta _{2,i}\) with \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)}) \in \mathcal {L}^{(i-1)}\), \((\upvartheta _{1,i},\upvartheta _{2,i}) \in \{0,1\}^2\) and satisfying Equation \((i+1)\) of System (3), namely:

(4)

Moreover, the pairs \((\upvartheta _{1,i},\upvartheta _{2,i})\) should coincide with possible information on \((r_{1,i},r_{2,i})\). Knowing that \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)})\) belong to \(\mathcal {L}^{(i-1)}\), the relation \(C=\upvartheta _{1}^{(i-1)} c_2 - \upvartheta _{2}^{(i-1)} c_1 \mod 2^i\) necessarily holds. As a consequence, there exists an integer \(k \in \mathbb {Z}\) such that \(C=\upvartheta _{1}^{(i-1)} c_2 - \upvartheta _{2}^{(i-1)} c_1 + k 2^i\). Putting this relation into Eq. (4) and simplifying the whole expression allows to reach the following new condition:

(5)

The choice of \((\upvartheta _{1,i},\upvartheta _{2,i})\) solutions to (5) and coinciding with possible information on \((r_{1,i},r_{2,i})\), strongly depends on whether \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)})\) equals \((r_1^{(i-1)},r_{2}^{(i-1)})\) or not. Indeed, if these values are equal, namely \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)})\) is the beginning of the right solution, then when \(r_{1,i}\) and \(r_{2,i}\) are known, Eq. (5) necessarily holds (obviously as this is the searched solution). In that case, one will choose \((\upvartheta _{1,i},\upvartheta _{2,i})=(r_{1,i},r_{2,i})\). To the contrary, when \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)}) \ne (r_{1}^{(i-1)},r_{2}^{(i-1)})\), a value is fixed for k and the knowledge of \((r_{1,i},r_{2,i})\) does not necessarily make Eq. (5) be satisfied. In that case, the choice \((r_{1,i},r_{2,i})\) will not be maintained. As we cannot determine whether Eq. (5) would be satisfied or not, we introduce a new parameter \(\gamma \in [0,1]\), which is only defined when \((\upvartheta _{1}^{(i-1)},\upvartheta _{2}^{(i-1)}) \ne (r_{1}^{(i-1)},r_{2}^{(i-1)})\), corresponding to the probability that Eq. (5) holds. A detailed discussion on the value of \(\gamma \) is given in Sect. 3.3 (see also the full version of the paper [1]).

We can finally express the number of elements belonging to \(\mathcal {L}^{(i)}\) in function of those of \(\mathcal {L}^{(i-1)}\), as claimed by the following lemma.

Lemma 2

Under our heuristic, we have \(\mathcal {N}^{(i)}=\mathcal {N}^{(i-1)} ( \gamma \delta ^2 - 2 \delta + 2 ) + \delta ^2 (1 - \gamma )\).

A proof of this lemma can be found in the full version of the paper, see [1]. Combining Lemmas 1 and 2, we obtain:

$$ \begin{array}{ccl} \mathcal {N}^{(n-1)} &{} = &{} \mathcal {N}^{(n-2)} (\gamma \delta ^2 - 2 \delta + 2) + \delta ^2 (1- \gamma ) \\ &{} \vdots &{} \\ &{}=&{} (\gamma \delta ^2 - 2 \delta + 2)^{n-1} (\delta ^2 - 2 \delta + 2) + \frac{\delta ^2 (1- \gamma )}{2 \delta -\gamma \delta ^2 - 1} ( 1 - (\gamma \delta ^2 - 2 \delta + 2)^{n-1}) \end{array} $$

The goal of the adversary being to construct the set \(\mathcal {L}^{(n-1)}\) in polynomial time, this attack will only be made practical if the quantity \((\gamma \delta ^2 - 2 \delta + 2)\) is strictly smaller than 1. In that case, the cardinality of the list \(\mathcal {L}^{(n-1)}\) will not grow too fast when n tends toward infinity. Since \(\gamma \) is unknown, we have to evaluate it in order to reach some necessary condition on \(\delta \). Setting \(\gamma \) to 1 / 2 seems to be a reasonable choice, see Sect. 3.3. We finally reach the condition \(\frac{1}{2} \delta ^2 - 2 \delta + 2 < 1\), which is satisfied for \(\delta > 2 - \sqrt{2} \simeq 0.59\). By taking this value as a lower bound on \(\delta \), we are able to determine the expected size of the set \(\mathcal {L}^{(n-1)}\), namely \((3-2 \sqrt{2})n+1\). Knowing that n refers to the bit-size of the random values generated during the signature process, we thus obtain a polynomial time complexity for our attack.

Theorem 1

(Two Signatures and \(\varvec{\ell }_\mathbf{1}\varvec{=\ell }_\mathbf{2}\) ). An adversary able to learn a proportion of \( \delta = (2 - \sqrt{2})\) bits of the random nonces used during the generation of two known signatures can (heuristically) break the scheme in polynomial time. In that case, the expected space required for performing the attack is \((3-2 \sqrt{2})n^2+1 \simeq 0.17n^2+1\).

  • Second analysis when \(\varvec{\ell }_\mathbf{1} \varvec{\ne } \varvec{\ell }_\mathbf{2}\)

The study is a bit more tedious here, but the analysis can be adapted to prove Theorem 2. The entire proof is provided in the full version of the paper [1].

Theorem 2

(Two Signatures and \(\varvec{\ell }_\mathbf{1} \varvec{< \ell }_\mathbf{2}\) ). An adversary, able to learn a proportion of \( \delta = (2 - \sqrt{2})\) bits of the random nonces used during the generation of two known signatures, can (heuristically) break the scheme in polynomial time. In that case, the expected space required for performing the attack is \((\sqrt{2}-1) n^2+1 \simeq 0.41n^2+1\).

When comparing Theorems 1 and 2, one notices that the lower bound on \(\delta \) is the same for both cases “\(\ell _1 = \ell _2\)” and “\(\ell _1 < \ell _2\)”. However the space required to construct the sets \(\mathcal {L}^{(i)}\) is higher when \(\ell _1 \ne \ell _2\) than in the other case. This actually impacts the efficiency of the attack since the number of constructed solutions is larger.

3.2 The Attack Knowing t Signatures

Let us now consider the case of an adversary that is given access to t signatures \(\sigma _1, \ldots ,\sigma _t\) corresponding to known messages \(m_1, \ldots ,m_t\). We denote \(\sigma _i = (s_i,c_i)\) the signatures and \(r_i\) the nonces used in their generation (s.t. \(c_i = \mathcal {H}(m_i,g^{r_i})\)) for i in \(\{1, \ldots ,t\}\). We denote \(r_{i,j}\) the j-th bit of \(r_i\) for each j in \(\{1, \ldots ,n \}\) and i in \(\{1, \ldots ,t\}\). We have \(s_i = r_i + c_i \cdot x\) for \(i \in \{1, \ldots ,t\}\) and we obtain:

$$\begin{aligned} \left\{ \begin{array}{ccl} C_{1,2} &{}=&{} r_1 c_2 - r_2 c_1 \\ &{} \vdots &{} \\ C_{1,t}&{}=&{} r_1 c_t - r_t c_1 \end{array} \right. \end{aligned}$$
(6)

where \(C_{1,j} = s_1 c_j - s_j c_1\) for \(j \in \{2, \ldots ,t\}\). As above, our algorithm retrieves the nonces \(r_1, \ldots ,r_t\) by collecting all tuples \((\upvartheta _{1}, \ldots ,\upvartheta _{t})\) satisfying System (6) and coinciding with possible knowledge on the bits \(r_{i,j}\). As previously, \(\mathcal {L}\) denotes the set containing such elementsFootnote 2. The complexity of the attack can thus be reduced to the cost of constructing \(\mathcal {L}\).

General Idea. As for the “two-signature case”, a way to retrieve \((r_1, \ldots ,r_t)\) would consist in performing an exhaustive search on all bit-values \(r_{i,j}\), for i going from 1 to t and j from 0 to \((n-1)\), using some possible additional information on the bits \(r_{i,j}\), and to detect the invalid candidates during the process. The technique consists in generating all tuples \((\upvartheta _{1}^{(k)}, \ldots ,\upvartheta _{t}^{(k)})\) satisfying System (6) modulo \(2^{k+1}\) and to select among them, the one that can be lifted to solutions modulo \(2^{k+2}\). Of course, these operations should be consistent with the possible knowledge on some bits of the \(r_{i}\)’s. In this algorithm, parameter k will vary from 0 to \((n-1)\). At the end of the procedure, the set \(\mathcal {L}^{(n-1)}\) containing all elements \((\upvartheta _{1}^{(n-1)}, \ldots ,\upvartheta _{t}^{(n-1)})\) satisfying System (6) modulo \(2^{n}\) and coinciding with known information on the bits \(r_{i,j}\), is in fact the desired one: \(\mathcal {L}\). A precise description of the whole method is provided in Algorithm 2.

figure b

Complexity Analysis. Let us now determine the number of elements belonging to \(\mathcal {L}\) by evaluating the expected cardinal of all \(\mathcal {L}^{(i)}\) for i going from 0 to \((n-1)\) (denoted \(\mathcal {N}^{(i)}\)). We start with \(\mathcal {L}^{(0)}\) which, by definition, contains all tuples \((\upvartheta _{1,0}, \ldots ,\upvartheta _{t,0})\) in \(\{0,1\}^t\) coinciding with possible knowledge on bits \((r_{1,0} \ldots ,r_{t,0})\) and verifying System (6) modulo 2. One notices that the number of such solutions strongly depends on the 2-adic valuations of \(c_1, \ldots ,c_t\). For this reason, and similarly to the “two signatures case”, we split the analysis in two configurations depending on whether the 2-adic valuations of \(c_1, \ldots , c_t\) are all equal or not. In the rest of the paper, we denote as \(\ell _i\) the 2-adic valuation of \(c_i\) (for \(i \in \{1, \ldots ,t\}\)).

  • First analysis with \(\varvec{\ell }_\mathbf{1}\varvec{= \ell }_\mathbf{2}\varvec{= \cdots =\ell }_{\varvec{t}}\)

When the 2-adic valuations are all equal, System (6) can be simplified by dividing each equation by \(2^{\ell _1}\). One thus reaches a new system involving simpler equations, say \(C'_{1,j}=r_1 d_j - r_j d_1\) where \(C'_{1,j}=C_{1,j}/2^{\ell _1}\) is known to the attacker. To simplify the analysis that follows - and since it does not change anything but renaming the variables - we assume that we keep working with System (6) but using odd values \(c_i\). Now if we come back to our analysis on the set \(\mathcal {L}^{(0)}\), namely considering System (6) modulo 2, we reach the following new system:

$$\begin{aligned} \left\{ \begin{array}{ccc} C_{1,2} &{}=&{} \upvartheta _{1,0} + \upvartheta _{2,0} \mod 2 \\ \vdots &{} &{} \vdots \\ C_{1,t}&{}=&{} \upvartheta _{1,0} + \upvartheta _{t,0} \mod 2 \end{array} \right. \end{aligned}$$
(7)

It now becomes easy to count the number of elements belonging to \(\mathcal {L}^{(0)}\). Indeed, either none of the \(r_{i,0}\) is known by the adversary, and in that case there are two possible values for \(\upvartheta _{1,0}\), say 0 or 1 and each of them fixes the rest for \(\upvartheta _{2,0}, \ldots ,\upvartheta _{t,0}\). In the second configuration, when there is at least one of the \(r_{i,0}\) which is known by the attacker (say \(r_{1,0}\) for instanceFootnote 3), the value \(\upvartheta _{1,0}\) is fixed to \(r_{1,0}\) and thus the other values \(\upvartheta _{2,0}, \ldots ,\upvartheta _{t,0}\) are fixed too (see System (7)). As a consequence, there is unique solution for the uple \((\upvartheta _{1,0}, \ldots ,\upvartheta _{t,0})\). The construction of the whole set \(\mathcal {L}^{(0)}\) is summed up in Algorithm 2a, which can be seen as an adaptation of the initialisation phase of Algorithm 2 when all \(\ell _i\) are equal (process to a replacement of lines 3–7 of Algorithm 2 by Algorithm 2a).

figure c

The expected cardinal \(\mathcal {N}^{(0)}\) of the list \(\mathcal {L}^{(0)}\) can thus be expressed easily:

  • when none of the \(r_{i,0}\)’s is known, which holds with probability \((1-\delta )^t\), there are two candidates for \((\upvartheta _{1,0}, \ldots ,\upvartheta _{1,t})\).

  • when at least one of the \(r_{i,0}\) is known, what happens with probability \(1-(1-\delta )^t\), there is a unique solution for \((\upvartheta _{1,0}, \ldots ,r_{t,0})\).

One can thus reach \(\mathcal {N}^{(0)} = 2 (1-\delta )^t + 1 - (1-\delta )^t =1+(1-\delta )^t\). We will now determine by induction the expected size \(\mathcal {N}^{(k)}\) from \(\mathcal {N}^{(k-1)}\) for \(k \in \{1, \ldots ,n-1\}\), knowing that it contains all elements of the form \((\upvartheta _{1}^{(k)}, \ldots ,\upvartheta _{t}^{(k)})\) coinciding with possible knowledge on \((r_{1,k}, \ldots ,r_{t,k})\) and satisfying:

$$\begin{aligned} \left\{ \begin{array}{ccc} C_{1,2} &{}=&{} (\upvartheta _{1,0} + \cdots + \upvartheta _{1,k} 2^k) \cdot c_2 + (\upvartheta _{2,0}+ \cdots +\upvartheta _{2,k} 2^k) \cdot c_1 \mod 2^{k+1} \\ \vdots &{} &{} \vdots \\ C_{1,t}&{}=&{} (\upvartheta _{1,0}+ \cdots +\upvartheta _{1,k}2^k) \cdot c_t + (\upvartheta _{t,0} + \cdots + \upvartheta _{t,k} 2^k) \cdot c_1 \mod 2^{k+1} \end{array} \right. \end{aligned}$$
(8)

Putting such expressions inside System (8) finally leads to the following new relations:

(9)

Now it is easier to determine the number of solutions \((\upvartheta _{1,k}, \ldots ,\upvartheta _{t,k})\) that will be chosen to lift elements \((\upvartheta _{1}^{(k-1)}, \ldots ,\upvartheta _{t}^{(k-1)})\) from \(\mathcal {L}^{(k-1)}\) to \(\mathcal {L}^{(k)}\). Nevertheless one should be careful during this analysis, since it strongly depends on whether the chosen element \((\upvartheta _{1}^{(k-1)}, \ldots ,\upvartheta _{t}^{(k-1)})\) equals \((r_1^{(k-1)}, \ldots ,r_{t}^{(k-1)})\) or not. Indeed when this condition is not satisfied, the choice of an element \((\upvartheta _{1}^{(k-1)}, \ldots , \upvartheta _{t}^{(k-1)})\) fixes all integers \(k_1, \ldots ,k_t\) implying some possible invalid restrictions on the values \(\upvartheta _{1,k}, \ldots ,\upvartheta _{t,k}\). As a consequence, when some of the \(r_{i,k}\)’s are known (precisely more than two), the corresponding equalities in (9) are not necessarily satisfied. Since we do not know in advance when it happens, we assume each equation in (9) holds independently with some fixed probability \(\gamma \in [0,1]\) during the whole run of our algorithmFootnote 4. In the other case, namely when the \(r_{i,k}\)’s are unknown or when the element \((\upvartheta _{1}^{(k-1)}, \ldots ,\upvartheta _{t}^{(k-1)})\) corresponds to the right solution, the lifting process behaves as usual, see the “two signatures case”. Taking all these considerations into account, one can finally determine the size of the set \(\mathcal {L}^{(k)}\), see Algorithm 2b for a precise description (this algorithm can be seen as an adaptation of the main loop of Algorithm 2, lines 10 –19).

From now on, we are able to deduce the size \(\mathcal {N}^{(k)}\) of the set \(\mathcal {L}^{(k)}\), knowing that:

  • when the adversary does not know any of the \(r_{i,k}\), what holds with probability \((1-\delta )^t\), there are \(2 \mathcal {N}^{(k-1)}\) solutions;

  • when exactly one of the \(r_{i,k}\) is known, which happens with probability \(t \delta (1-\delta )^{t-1}\), there are \(\mathcal {N}^{(k-1)}\) solutions;

  • in the other case, this number depends on the element \((\upvartheta _{1}^{(k-1)}, \ldots ,\upvartheta _{t}^{(k-1)})\). When this element is equal to \((r_{1}^{(k-1)}, \ldots ,r_t^{(k-1)})\) (this is the right candidate), there is a unique solution. In the other case, there are \(\gamma (\mathcal {N}^{(k-1)}-1)\) solutions when exactly two \(r_{i,k}\) are known, what holds with probability \({t \atopwithdelims ()2} \delta ^2 (1-\delta )^{(t-2)}\); there are \(\gamma ^2 (\mathcal {N}^{(k-1)}-1)\) solutions when exactly three \(r_{i,k}\) are known, which holds with probability \({t \atopwithdelims ()3} \delta ^3 (1-\delta )^{(t-3)}\); and so on; there are \(\gamma ^{t-1} (\mathcal {N}^{(k-1)}-1)\) solutions when all the \(r_{i,k}\) are known, what happens with probability \({t \atopwithdelims ()t} \delta ^{t}\).

figure d

By combining all these results, we obtain the following formula for \(\mathcal {N}^{(k)}\):

$$ 2 (1-\delta )^t \mathcal {N}^{(k-1)} + ( 1-(1- \delta )^t) + \frac{1}{\gamma } ( \mathcal {N}^{(k-1)}-1) \sum _{i=1, \ldots ,t} {t \atopwithdelims ()i} (\gamma \delta )^i (1-\delta )^{t-i} $$

Evaluating the quantity inside the summation leads to the following relation:

$$ \mathcal {N}^{(k)} = \mathcal {N}^{(k-1)} \left( \frac{1}{\gamma } (\gamma \delta + 1 - \delta )^t + (2-\frac{1}{\gamma }) (1-\delta )^t \right) + 1 - \frac{1}{\gamma }(\gamma \delta + 1 -\delta )^t + \left( \frac{1}{\gamma }-1\right) (1-\delta )^t $$

Denoting as \(\mathcal {A(\gamma , \delta )}\) the quantity \(\frac{1}{\gamma } (\gamma \delta + 1 - \delta )^t + (2-\frac{1}{\gamma }) (1-\delta )^t \) and using the formula obtained for \(\mathcal {N}^{(0)}\), we reach:

$$ \begin{array}{ccl} \mathcal {N}^{(n-1)} &{}=&{} (1 + (1-\delta )^t) \mathcal {A}(\gamma , \delta )^{n-1} \\ &{} + &{} \big ( 1 - \frac{1}{\gamma }(\gamma \delta + 1 -\delta )^t + (\frac{1}{\gamma }-1) (1-\delta )^t \big ) \sum \nolimits _{i=0 \ldots n-2} \mathcal {A}(\gamma , \delta ) ^i \end{array} $$

The goal of the adversary being to construct the set \(\mathcal {L}^{(n-1)}\) in polynomial time, this attack will only be made practical if the quantity \(\mathcal {A(\gamma , \delta )}\) is strictly smaller than 1. In that case, the size of the list \(\mathcal {L}^{(n-1)}\) will not grow too fast when n tends toward infinity. Setting \(\gamma \) to 1 / 2 (see Sect. 3.3 for experimental results on that point) leads to the condition \( 2 (1 -\frac{\delta }{2})^t < 1\), which is satisfied for \(\delta > 2 - 2^{1-1/t}\). By taking this value as a lower bound on \(\delta \), we are able to determine the expected maximum size of the set \(\mathcal {L}^{(n-1)}\), namely \((2^{1-\frac{1}{t}}-1)^{t}n+1\).

Theorem 3

( \(\mathbf{t}\) Signatures and \(\varvec{\ell }_\mathbf{1} \mathbf{= \cdots = \ell }_{\varvec{t}}\) ). An adversary able to learn a proportion of \(\delta = 2 - 2^{1-1/t}\) bits of the random nonces used in the generation of t known signatures can (heuristically) break the scheme in polynomial time. In that case, the expected space required for performing the attack is \((2^{1-\frac{1}{t}}-1)^t n^2 + 1\).

  • Second analysis when some of the \(\varvec{\ell }_{\varvec{i}}\) ’s are different

The analysis is more tedious here but can still be adapted to the case when some of the \(\mathbf {\ell _i}\)’s are different, see Theorem 4 below (the proof is provided in the full version of the paper [1]).

Theorem 4

( \(\mathbf {t}\) Signatures with \(\varvec{\ell }_{\varvec{i}}\) Different). An adversary able to learn a proportion of \(\delta = 2 - 2^{1-1/t}\) bits of the random nonces used in the generation of t known signatures can (heuristically) break the scheme in polynomial time. In that case, the expected space required for performing the attackFootnote 5 is \((2^{1-\frac{1}{t}}-1)^e n^2+1\).

Remark 1

Using the coding viewpoint from [19], one can obtain limits on the performance of any algorithm for selecting candidate nonces in the erasure correction scenario. Their argument is based on the converse to Shannon’s noisy-channel coding theoremFootnote 6. The underlying code is made of the \(2^n\) words on tn bits obtain by the naive algorithm without pruning (i.e. with code rate 1 / t) so simple variants of our algorithm cannot be efficient for \(\delta < 1/t\) and our algorithm is optimal up to the multiplicative constant \(\ln (2)\).

3.3 Experimental Results

To confirm the validity of the attack and of our heuristic, extensive experiments have been performed for various values of t and \(\delta \). For each pair \((t,\delta )\), the attack has been launched and its complexity has been measured by counting the sum of the cardinality of the sets \(\mathcal {L}^{(i)}\) for i in \(\{0, \ldots ,n\}\). The obtained results are analysed below.

With \(\varvec{32}\) and \(\varvec{64}\) Signatures. We performed experiments using 32 and 64 signatures (using a security parameter \(\kappa \) equal to 128). Since the experiments were time-consuming, we performed 1000 experiments for each pair \((t,\delta )\). The results for \(t=32\) are provided on Fig. 1, for values of \(\delta \) varying from 0.04 to 0.06 and the ones for \(t=64\) are illustrated on Fig. 2, for values of \(\delta \) between 0.02 and 0.04 (namely from \(2\,\%\) to \(4\,\%\)). These experiments show that it works better in practice than what was predicted. Indeed, the bounds below which the attack begins to become unpractical are approximately 0.04 for \(t=32\) signatures and 0.02 for \(t=64\). These values are better than the ones reached by the theoretical analysis, say \(2-2^{1-1/32} \simeq 0.043\) and \(2-2^{1-1/64} \simeq 0.022\).

Fig. 1.
figure 1

Total number of constructed \((\upvartheta _1, \ldots ,\upvartheta _{32})\) in function of \(\delta \) (\(t=32\) and \(\kappa =128\)).

Full size image
Fig. 2.
figure 2

Total number of constructed \((\upvartheta _1, \ldots ,\upvartheta _{64})\) in function of \(\delta \) (\(t=64\) and \(\kappa =128\)).

Full size image

With \(\mathbf 710 \) Signatures. We finally considered the case where the adversary knows (on average) only one bit per nonce \(r_i\) (i.e. \(\delta = 1/512\)). For a security parameter \(\kappa \) equals to 128, our theoretical analysis claims that an attacker will be able to break the scheme knowing 710 signatures. In this case, our attack succeeded in a few minutes (using a very naive implementation) with a total size of generated elements equal to 2437. To go further, we also tried to launch the attack for a smaller number of signatures, but still keeping \(\delta =1/512\). The cases \(t=650\) and \(t=600\) were also successful. The time required for the last case was approximately a few hours and the total sum of elements was 53770 (again using a very naive implementation).

Impact of \(\varvec{\gamma }\) . The formula obtained in Sects. 3.1 and 3.2 strongly depend on the value of the parameter \(\gamma \). In our theoretical analysis, we decided to take \(\gamma =1/2\). In practice, several tests have been launched to determine whether this assumption is correct. In every experiments we performed, the observed value for \(\gamma \) was very near from 1 / 2, what confirms our initial assumption.

4 Error Correction Scenario

In the erasure correction scenario (see previous sections), we compared each nonce candidate with its given fragmentary version in order to determine the nonce uniquely with overwhelming probability. In this section, the error correction scenario, we proceed similarly: we assume an adversary obtain some error-prone nonces in a discrete-logarithm based authentication scheme which are derived from the actual nonces by flipping each bit individually with some fixed probability \(\delta \in [0,1/2)\). Intuitively, if \(\delta \) is below 1 / 2, then among all nonce candidates, the Hamming distance between the least significant bits of the actual nonces and the nonces with noise should be minimal. The analysis is simpler than in the previous section and relies on the technique proposed by Henecka, May and Meurer in [12].

We consider the case of an adversary that is given access to t signatures (or authentication sessions) \(\sigma _1, \ldots ,\sigma _t\) corresponding to known messages \(m_1, \ldots ,m_t\). Again, each signature \(\sigma _i\) is defined as a pair \((s_i,c_i)\) where \(s_i = r_i + c_i x\) and x is the signers’ secret key. Moreover we assume that each bit of each nonce \(r_i\) is known with some error: to formalize this model we denote by \(\delta \) the probability that for each nonce \(r_i\), its j-th bit \(r_{i,j}\) is flipped (for j in \(\{1, \ldots ,n\}\)). By definition, the bit \(r_{i,j}\) is correct with probability \((1-\delta )\).

Making the quantity x disappear from all the expressions, one reaches the simple system of equations (6). The adversary can retrieve the nonces \(r_1, \ldots ,r_t\) by collecting all tuples \((\upvartheta _{1}, \ldots ,\upvartheta _{t})\) satisfying System (6) and minimizing the Hamming distance with the bits \(r_{i,j}\). The algorithm performs a clever exhaustive search, consisting in generating all tuples \((\upvartheta _{1}^{(k)}, \ldots ,\upvartheta _{t}^{(k)})\) satisfying System (6) modulo \(2^{k+1}\) and then selecting among them, those that can be lifted to solutions modulo \(2^{k+2}\). These operations should minimize the distance with the knowledge on some bits of the \(r_{i}\)’s.

Contrary to the erasure correction scenario, one cannot easily prune partial solutions that do not coincide with the known secret key bits. Indeed this process may discard the correct solution, since this solution does not fully agree with the noisy nonce material. Thus, in this scenario, we do no longer compare bit by bit but we compare larger blocks of bits. More precisely, we grow subtrees of depth T (for some parameter T) for each t-tuple of nonce candidate. We will see that this results in \(2^T\) new candidates which we all compare with our noisy nonce material. If the Hamming distance with this material in these T bits is above some threshold parameter d we keep the candidate, otherwise we discard it. The only difficulty here consists in estimating these parameters T and d:

  • the parameter T cannot be chosen too large since in each iteration the search tree grows by a factor \(2^T\);

  • the parameter T has to be sufficiently large in order to guarantee that the actual t-tuple of nonces has a small Hamming distance with the noisy nonce material (in each block of successive T bits) but incorrect t-tuples of nonces are separable by the threshold parameter d;

  • the threshold parameter d has to be large enough to guarantee that with probability close to 1 the actual t-tuple of nonces will never be discarded during the execution of the algorithm;

  • the parameter d cannot be chosen too large since otherwise we obtain too many faulty t-tuples candidates for the next iteration.

  • First analysis with \(\varvec{\ell }_\mathbf{1}\varvec{= \ell }_\mathbf{2}\varvec{= \cdots =\ell }_{\varvec{t}}\)

As above, one can assume we are using odd values \(c_i\). We have to determine the size \(\mathcal {N}^{(k)}\) of the sets \(\mathcal {L}^{(k)}\). For \(k=0\), since none of the \(r_{i,0}\) is known for sure by the adversary, there are two possible values for the bit \(\upvartheta _{1,0}\) and each of them fixes the other bits \(\upvartheta _{2,0}, \ldots ,\upvartheta _{t,0}\) (using System (7)). Therefore, we obtain \(\mathcal {N}^{(0)} = 2\). Similarly, using System (9), one can see that if there is no pruning at the depth k then \(\mathcal {N}^{(k)}\) is simply equal to \(2 \mathcal {N}^{(k-1)}\).

  • Second analysis when some of the \(\varvec{\ell }_{\varvec{i}}\) ’s are different

In this case, we can still show that \(\mathcal {N}^{(0)}=2\) and that we have, before pruningFootnote 7, \(\mathcal {N}^{(T-1)} = 2^T\) at iteration T (see [1] for a complete proof of this result).

We now consider the pruning phase. Let us define a random variable \(X_c\) for the number of matching bits between the actual t-tuple of nonces and the noisy nonce material in a block of T consecutive bits. Clearly \(X_c\) is the binomial distribution with parameters tT and probability \((1-\delta )\): \(\Pr [X_c = m] = {tT \atopwithdelims ()m} (1-\delta )^m \delta ^{tT-m}\) for m in \(\{0, \ldots ,tT\}.\)

Considering an incorrect partial solution for the t-tuple of nonces, we denote \(X_b\) for the number of matching bits between the expansion of this incorrect solution by T bits and the noisy nonce material in the corresponding block of T consecutive bits. We make use of the following heuristic assumption.

Heuristic 1

Every solution generated by applying the expansion phase to an incorrect partial solution is an ensemble of T randomly chosen bit slices.

Therefore every expansion of an incorrect candidate in the expansion phase results in tT uniformly random bits. We verified the validity of this heuristic experimentally. Under this assumption, we obtain \(\Pr [X_b = m] = {tT \atopwithdelims ()m} (2)^{-tT} \hbox { for } m \in \{0, \ldots ,tT\}.\)

Henecka, May and Meurer proved in [12, Main Theorem 7] that these conditions are sufficient to insure the existence of an expansion parameter T and a threshold parameter d such that the two distributions are sufficiently separated and the growing factor \(2^T\) in the expansion phase is polynomial.

Theorem 5

([12]). Under the previous heuristic, for every \(\epsilon > 0\), the following holds: let \(n,t \ge 2\) be two integers, let \( T = \left\lceil \frac{\ln (n)}{t \epsilon ^2} \right\rceil , \gamma = \sqrt{(1+1/T) \frac{\ln (2)}{2t}}, \hbox { and } d = tT\left( \frac{1}{2} + \gamma \right) . \) An adversary able to learn (in the error correction scenario) the individual bits of random nonces of t known signatures of length n with probability \(\delta < \frac{1}{2} - \gamma - \epsilon \) can recover the nonces (and therefore the secret key) in expected time \(O(n^{2+\ln (2)/t\epsilon ^2})\) with success probability at least \(1 - (m\epsilon ^2/\ln (n) + 1/n)\).

Remark 2

The following table gives the limit crossover probability \(\delta \) (i.e. with \(\epsilon \longrightarrow 0\) and \(T \longrightarrow + \infty \)) in the error correction scenario depending on the number of signatures/identification sessions available t known to the adversary:

t

2

3

4

5

6

7

8

9

t

\(\delta \quad \)

0.084

0.160

0.205

0.237

0.260

0.277

0.292

0.303

\(1/2 - \sqrt{\ln (2)/2t}\)

\(\delta ^*\)

0.110

0.174

0.214

0.243

0.264

0.281

0.295

0.306

\(H_2^{-1}(1-1/t)\)

The value \(\delta ^*\) corresponds to the optimal value of \(\delta \) one can derive from the converse to Shannon’s noisy-channel coding theorem as in Remark 1 using the fact that the channel capacity of (memoryless) binary symmetric channel with crossover probability \(\delta \) is \(1-H_2(\delta )\) where \(H_2(\delta ) = - \delta \log _2(\delta ) - (1-\delta ) \log _2(1-\delta )\) is the entropy function. For a 128-bit security level, with nonces of binary length 512, each signature provides only one bit of information for \(\delta \simeq 1/2 - 10^{-4}\) and one needs in theory around \(70 \cdot 10^6\) signatures in order to recover the secret key.

5 Conclusion

In this paper, we proposed attacks on discrete-logarithm based authentication schemes where an adversary has some information on the nonces used during the signature generation process or during some identification sessions, in the erasure correction scenario and the error correction scenario. The following table sums up the limit crossover probability \(\delta \) in the two scenarios depending on the number \(N_r\) of signatures/identification sessions known to the adversary:

\(N_r\)

2

3

4

5

6

7

t

\(\delta \) (erasure correction)

0.586

0.413

0.318

0.259

0.218

0.188

\(\simeq \ln (2)/t\)

\(\delta \) (error correction)

0.084

0.160

0.205

0.237

0.260

0.277

\(1/2 - \sqrt{\ln (2)/2t}\)

Our methods can be generalized to the Z-channel considered in [19].