Abstract
Provable security usually assumes that a source of perfectly random and secret data is available. In practical applications, however, and especially on smart cards, random generators are often far from perfect, or they may be monitored by probing or electromagnetic analysis. Consequently, the actual security obtained when idealized random generators are implemented needs careful evaluation.
In this paper, we show that the Esign signature scheme, like many cryptosystems, is highly vulnerable to so-called partially known nonce attacks. With a 1152-bit modulus, generating an Esign signature requires drawing a 768-bit integer at random. We show that the exposure of only 8 of those 768 bits, for each of 57 signatures, is enough to recover the whole secret signature key in a few minutes.
It should be clear that we neither cryptanalyze a good implementation of Esign nor find a theoretical flaw. Our results do show, however, that the random data used to generate signatures must be very carefully produced and protected against any kind of exposure, even partial.
As an independent result, we show that the factorization problem is equivalent to the existence of an oracle returning the most or least significant bits of S mod p, on input S randomly chosen in ℤ_{pq}.
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fouque, PA., Howgrave-Graham, N., Martinet, G., Poupard, G. (2003). The Insecurity of Esign in Practical Implementations. In: Laih, CS. (eds) Advances in Cryptology - ASIACRYPT 2003. ASIACRYPT 2003. Lecture Notes in Computer Science, vol 2894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-40061-5_31
DOI: https://doi.org/10.1007/978-3-540-40061-5_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20592-0
Online ISBN: 978-3-540-40061-5