Advertisement

A probabilistic analysis on a lattice attack against DSA

  • Ana I. Gomez
  • Domingo Gomez-PerezEmail author
  • Guénaël Renault
Article
  • 10 Downloads

Abstract

Analyzing the security of cryptosystems under attacks based on the malicious modification of memory registers is a research topic of high importance. This type of attack may affect the randomness of the secret parameters by forcing a limited number of bits to a certain value which can be unknown to the attacker. In this context, we revisit the attack on DSA presented by Faugère, Goyet and Renault during the conference SAC 2012: we modify their method and provide a probabilistic approach in opposition to the heuristic proposed therein to measure the limits of the attack. More precisely, the main problem is formulated as a closest vector problem in a lattice, then we study the distribution of vectors with bounded norm in the lattices involved and apply the result to predict the attack behavior. The benefits of this approach are several: The probability of success of this attack can be lower bounded under some conjecture, which is validated by computational experiments. Also, it finds applications to the FLUSH+RELOAD side-channel attack, studied by van de Pol et al. At the end of the article, there is a summary of findings.

Keywords

DSA Lattices Closest vector problem Exponential sums 

Mathematics Subject Classification

11T71 11T23 11H06 11Y16 

Notes

Acknowledgements

We thank Igor Shparlinski for his time, ideas, and comments during the development of the paper. We also thank the referees for their comments.

References

  1. 1.
    Adleman L., DeMarrais J.: A subexponential algorithm for discrete logarithms over all finite fields. In: Advances in Cryptology—CRYPTO ’93, 13th Annual International Cryptology Conference, Lecture Notes in Comput. Sci., pp. 147–158. Springer, Berlin (1993).Google Scholar
  2. 2.
    Barbulescu R., Gaudry P., Joux A., Thomé E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Advances in Cryptology—EUROCRYPT 2014, 33rd Annual International Conference, Lecture Notes in Comput. Sci., pp. 1–16. Springer, Berlin (2014).Google Scholar
  3. 3.
    Cohen H., Frey G., Avanzi R., Doche C., Lange T., Nguyen K., Vercauteren F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press, Boca Raton (2005).CrossRefzbMATHGoogle Scholar
  4. 4.
    De Mulder E., Hutter M., Marson M., Pearson P.: Using Bleichenbacher’s solution to the Hidden Number Problem to attack nonce leaks in 384-bit ECDSA. In: Cryptographic Hardware and Embedded Systems-CHES 2013, Lecture Notes in Comput. Sci., pp. 435–452. Springer, Berlin (2013).Google Scholar
  5. 5.
    De Mulder E., Hutter M., Marson M., Pearson P.: Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J. Cryptogr. Eng. 4(1), 33–45 (2014).CrossRefGoogle Scholar
  6. 6.
    Diem C.: On the discrete logarithm problem in elliptic curves II. Algebra Number Theory 7(6), 1281–1323 (2013).MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Drmota M., Tichy R.: Sequences, Discrepancies, and Applications. Springer, Berlin (1997).CrossRefzbMATHGoogle Scholar
  8. 8.
    Fan S., Wang W., Cheng Q.: Attacking OpenSSL implementation of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security—CCS’16, pp. 1505–1515. ACM, New York (2016).Google Scholar
  9. 9.
    Faugère J., Marinier R., Renault G.: Implicit factoring with shared most significant and middle bits. In: Public Key Cryptography, Lecture Notes in Comput. Sci., pp. 70–87. Springer, Berlin (2010).Google Scholar
  10. 10.
    Faugère J., Goyet C., Renault G.: Attacking (EC)DSA given only an implicit hint. In: Selected Areas in Cryptography, 19th International Conference, SAC 2012, Lecture Notes in Comput. Sci., pp. 252–274. Springer, Berlin (2012).Google Scholar
  11. 11.
    FIPS. Digital Signature Standard (DSS). National Institute of Standards and Technology (NIST) (1994).Google Scholar
  12. 12.
    FIPS. Digital Signature Standard (DSS). pub-NIST, pub-NIST:adr (2013).Google Scholar
  13. 13.
    Galbraith S., Gaudry P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78(1), 51–72 (2016).MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Garaev M.: Sums and products of sets and estimates of rational trigonometric sums in fields of prime order. Russ. Math. Surv. 65(4), 599 (2010).MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Genkin D., Shamir A., Tromer E.: RSA key extraction via low-bandwidth acoustic cryptanalysis. In: Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Lecture Notes in Comput. Sci., pp. 444–461. Springer, Berlin (2014).Google Scholar
  16. 16.
    Göloglu F., Granger R., McGuire G., Zumbrägel J.: On the function field sieve and the impact of higher splitting probabilities. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Lecture Notes in Comput. Sci., pp. 109–128. Springer, Berlin (2013).Google Scholar
  17. 17.
    Göloglu F., Granger R., McGuire G., Zumbrägel J.: Solving a 6120 -bit DLP on a desktop computer. In: Selected Areas in Cryptography - SAC 2013 - 20th International Conference, Lecture Notes in Comput. Sci., pp. 136–152. Springer, Berlin (2013).Google Scholar
  18. 18.
    Gómez-Pérez D., Shparlinski I.: Subgroups generated by rational functions in finite fields. Monatsh. Math. 176(2), 241–253 (2014).MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Howgrave-Graham N., Smart N.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (2001).MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Joux A.: Faster index calculus for the medium prime case application to 1175-bit and 1425-bit finite fields. In: Advances in Cryptology—EUROCRYPT 2013, 32nd Annual International Conference, Lecture Notes in Comput. Sci., pp. 177–193. Springer, Berlin (2013).Google Scholar
  21. 21.
    Kannan R.: Algorithmic geometry of numbers. Annu. Rev. Comput. Sci. 2(1), 231–267 (1987).MathSciNetCrossRefGoogle Scholar
  22. 22.
    Koblitz N., Menezes A.: A riddle wrapped in an enigma. IEEE Secur. Priv. 14(6), 34–42 (2016).CrossRefGoogle Scholar
  23. 23.
    Lenstra A., Lenstra H., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    May A., Ritzenhofen R.: Implicit factoring: on polynomial time factoring given only an implicit hint. In: Public Key Cryptography, Lecture Notes in Comput. Sci., pp. 1–14. Springer, Berlin (2009).Google Scholar
  25. 25.
    Moreno C., Moreno O.: Exponential sums and Goppa codes. Proc. Am. Math. Soc. 111(2), 523–531 (1991).MathSciNetzbMATHGoogle Scholar
  26. 26.
    National Security Agency. Cryptography today. http://tinyurl.com/SuiteB. Accessed 19 July 2018.
  27. 27.
    Nguyen P., Shparlinski I.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002).MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Nguyen P., Shparlinski I.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30(2), 201–217 (2003).MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    Nguyen P., Vallée B.: The LLL Algorithm. Springer, Berlin (2010).CrossRefzbMATHGoogle Scholar
  30. 30.
    Niederreiter H.: Random Number Generation and Quasi-Monte Carlo Methods. Society for Industrial and Applied Mathematics, Philadelphia (1987).zbMATHGoogle Scholar
  31. 31.
    Niederreiter H.: Random Number Generation and Quasi-Monte Carlo Methods. Society for Industrial and Applied Mathematics, Philadelphia (1992).CrossRefzbMATHGoogle Scholar
  32. 32.
    Rivest R., Shamir A.: Efficient factoring based on partial information. In: Advances in Cryptology—CRYPTO ’85, 5th Annual International Cryptology Conference, Lecture Notes in Comput. Sci., pp. 31–34. Springer, New York (1986).Google Scholar
  33. 33.
    Sarkar S., Maitra S.: Further results on implicit factoring in polynomial time. Adv. Math. Commun. 3(2), 205–217 (2009).MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Schnorr C.: Efficient identification and signatures for smart cards. In: Advances in Cryptology—CRYPTO ’89, 9th Annual International Cryptology Conference, Lecture Notes in Comput. Sci., pp. 239–252. Springer, New York (1990).Google Scholar
  35. 35.
    Sutherland A.: Structure computation and discrete logarithms in finite abelian p-groups. Math. Comput. 80(273), 477–500 (2011).MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    van de Pol J., Smart N., Yarom Y.: Just a little bit more. In: Cryptographer’s Track at RSA Conference, Lecture Notes in Comput. Sci., pp. 3–21. Springer, Berlin (2015).Google Scholar
  37. 37.
    Vinogradov I.: Elements of Number Theory (Dover Phoenix Editions). Dover, Dover Publications (2003).Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Facultad de CienciasUniversidad de CantabriaSantanderSpain
  2. 2.Agence Nationale de la Sécurité des Systèmes d’InformationParis 07France
  3. 3.Université Pierre et Marie Curie LIP6 - Équipe projet INRIA/UPMC POLSYSParis Cedex 5France

Personalised recommendations