The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces

  • Edwin El Mahassni
  • Phong Q. Nguyen
  • Igor E. Shparlinski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2146)


It has recently been proved by Nguyen and Shparlinski that the Digital Signature Algorithm (DSA) is insecure when a few consecutive bits of the random nonces k are known for a reasonably small number of DSA signatures. This result confirmed the efficiency of some heuristic lattice attacks designed and numerically verified by Howgrave-Graham and Smart. Here, we extend the attack to the Nyberg-Rueppel variants of DSA. We use a connection with the hidden number problem introduced by Boneh and Venkatesan and new bounds of exponential sums which might be of independent interest.
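The reduction the abstract relies on, shown as an added example rather than code from the paper: with constructed toy Nyberg-Rueppel parameters (q = 1019, p = 2q + 1 = 2039, g = 4 of order q), every signature whose nonce k has l known low bits becomes one hidden-number-problem pair (t, u) with x·t − u small modulo q, which is the input a closest-vector (lattice) solver would use to recover the private key x. The signature form s = x·e + k mod q follows the Nyberg-Rueppel scheme as given in the Handbook of Applied Cryptography; DSA reduces the same way through k = s⁻¹(h + x·r) mod q.

```python
# Constructed toy Nyberg-Rueppel parameters (not from the paper): q = 1019 and
# p = 2q + 1 = 2039 are prime, and g = 4 has order q in Z_p^*. Real deployments
# use q of at least 160 bits; the algebra below is independent of the size.
Q, P, G = 1019, 2039, 4

def nr_sign(x, m, k):
    """Nyberg-Rueppel message-recovery signature (HAC Alg. 11.81 form):
    e = m * g^-k mod p, s = x*e + k mod q, for a message m in [1, p)."""
    e = (m * pow(G, -k, P)) % P
    s = (x * e + k) % Q
    return e, s

def nr_recover(y, e, s):
    """Verification with message recovery: v = g^s * y^-e = g^k mod p,
    so v * e = m mod p (y = g^x is the public key)."""
    v = (pow(G, s, P) * pow(y, -e, P)) % P
    return (v * e) % P

def hnp_instance(e, s, a, l):
    """Turn one signature whose nonce has known low l bits a (k = a + 2^l * b)
    into an HNP pair (t, u). Since k = s - x*e mod q, multiplying by 2^-l gives
    x*e*2^-l = (s - a)*2^-l - b, i.e. x*t - u = -b mod q with 0 <= b < q/2^l."""
    inv = pow(2, -l, Q)
    return (e * inv) % Q, ((s - a) * inv) % Q

def centered(v):
    """Representative of v mod q in (-q/2, q/2], the distance used by the HNP."""
    v %= Q
    return v - Q if v > Q // 2 else v

def build_hnp(x, sigs, l):
    """For each (message, nonce): sign, leak the low l bits of the nonce, and
    emit (t, u, ok) where ok checks the HNP bound |x*t - u mod q| < q/2^l."""
    out = []
    for m, k in sigs:
        e, s = nr_sign(x, m, k)
        t, u = hnp_instance(e, s, k % (1 << l), l)
        out.append((t, u, abs(centered(x * t - u)) < Q / (1 << l)))
    return out
```

The bound holds for every signature regardless of the message, which is why a few leaked nonce bits per signature suffice once enough signatures are collected; deterministic nonce generation (RFC 6979) and constant-time nonce handling are the standard mitigations.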


Keywords: DSA, Closest Vector Problem, Hidden Number Problem, Exponential Sums




  1. M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, Proc. 33rd ACM Symp. on Theory of Comput., Crete, Greece, July 6–8, 2001, 601–610.
  2. L. Babai, On Lovász lattice reduction and the nearest lattice point problem, Combinatorica, 6 (1986), 1–13.
  3. D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129–142.
  4. D. Boneh and R. Venkatesan, Rounding in lattices and its cryptographic applications, Proc. 8th Annual ACM-SIAM Symp. on Discr. Algorithms, ACM, NY, 1997, 675–681.
  5. M. Drmota and R. Tichy, Sequences, discrepancies and applications, Springer-Verlag, Berlin, 1997.
  6. N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, (to appear).
  7. R. Kannan, Algorithmic geometry of numbers, Annual Review of Comp. Sci., 2 (1987), 231–267.
  8. S. V. Konyagin and I. E. Shparlinski, Character sums with exponential functions and their applications, Cambridge Univ. Press, Cambridge, 1999.
  9. R. Kuipers and H. Niederreiter, Uniform distribution of sequences, Wiley-Interscience, NY, 1974.
  10. A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), 515–534.
  11. R. Lidl and H. Niederreiter, Finite fields, Cambridge University Press, Cambridge, 1997.
  12. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996.
  13. C. J. Moreno and O. Moreno, Exponential sums and Goppa codes, I, Proc. Amer. Math. Soc., 111 (1991), 523–531.
  14. P. Q. Nguyen, The dark side of the hidden number problem: Lattice attacks on DSA, Proc. Workshop on Cryptography and Computational Number Theory, Singapore 1999, Birkhäuser, 2001, 321–330.
  15. P. Q. Nguyen and I. E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, J. of Cryptology, to appear.
  16. P. Q. Nguyen and J. Stern, The hardness of the hidden subset sum problem and its cryptographic implications, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1666 (1999), 31–46.
  17. H. Niederreiter, Random number generation and quasi-Monte Carlo methods, SIAM, Philadelphia, 1992.
  18. K. Nyberg and R. A. Rueppel, Message recovery for signature schemes based on the discrete logarithm problem, J. Cryptology, 8 (1995), 27–37.
  19. B. Schneier, Applied cryptography, J. Wiley, NY, 1996.
  20. C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201–224.
  21. C. P. Schnorr and M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems, Math. Programming, 66 (1994), 181–199.
  22. V. Shoup, Number Theory C++ Library (NTL), Available at
  23. I. M. Vinogradov, Elements of number theory, Dover Publ., New York, 1954.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Edwin El Mahassni (1)
  • Phong Q. Nguyen (2)
  • Igor E. Shparlinski (3)
  1. Department of Computing, Macquarie University, Australia
  2. Département d'Informatique, École Normale Supérieure, Paris, France
  3. Department of Computing, Macquarie University, Australia
