INDOCRYPT 2007: Progress in Cryptology – INDOCRYPT 2007 pp 224-237

# Solving Discrete Logarithms from Partial Knowledge of the Key

• K. Gopalakrishnan
• Nicolas Thériault
• Chui Zhi Yao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4859)

## Abstract

For elliptic curve based cryptosystems, the discrete logarithm problem must be hard to solve. But even when this is true from a mathematical point of view, side-channel attacks could be used to reveal information about the key if proper countermeasures are not used. In this paper, we study the difficulty of the discrete logarithm problem when partial information about the key is revealed by side channel attacks. We provide algorithms to solve the discrete logarithm problem for generic groups with partial knowledge of the key which are considerably better than using a square-root attack on the whole key or doing an exhaustive search using the extra information, under two different scenarios. In the first scenario, we assume that a sequence of contiguous bits of the key is revealed. In the second scenario, we assume that partial information on the “Square and Multiply Chain” is revealed.

## Keywords

Discrete Logarithm Problem Generic Groups Side Channel Attacks

## References

1. 1.
Brier, É., Déchène, I., Joye, M.: Unified point addition formulæ for elliptic curve cryptosystems. In: Embedded Cryptographic Hardware: Methodologies and Architectures, pp. 247–256. Nova Science Publishers (2004)Google Scholar
2. 2.
Brier, É., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002)
3. 3.
Cheng, Q.: On the bounded sum-of-digits discrete logarithm problem in finite fields. SIAM J. Comput. 34(6), 1432–1442 (2005)
4. 4.
Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)
5. 5.
Gordon, D.M.: A survey of fast exponentiation methods. Journal of Algorithms 27, 129–146 (1998)
6. 6.
Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (2001)
7. 7.
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
8. 8.
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
9. 9.
Leadbitter, P.J., Page, D., Smart, N.P.: Attacking DSA under a repeated bits assumption. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 428–440. Springer, Heidelberg (2004)Google Scholar
10. 10.
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Inc., Boca Raton (1996)Google Scholar
11. 11.
Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptology 15(3), 151–176 (2002)
12. 12.
Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30(2), 201–217 (2003)
13. 13.
Odlyzko, A.M.: Discrete logarithms: The past and the future. Designs, Codes and Cryptography 19, 129–145 (2000)
14. 14.
Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory 24, 106–110 (1978)
15. 15.
Pollard, J.M.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32(143), 918–924 (1978)
16. 16.
Pollard, J.M.: Kangaroos, Monopoly and discrete logarithms. Journal of Cryptology 13(4), 437–447 (2000)
17. 17.
Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (EMA): Measures and counter-measures for smart cards. In: Attali, S., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)
18. 18.
Schrijver, A.: Theory of Linear and Integer Programming. In: Wiley-Interscience Series in Discrete Mathematics, John Wiley & Sons, Chichester (1986)Google Scholar
19. 19.
Shanks, D.: Class number, a theory of factorization and genera. In: Proc. Symp. Pure Math., vol. 20, pp. 415–440 (1971)Google Scholar
20. 20.
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)Google Scholar
21. 21.
Stebila, D., Thériault, N.: Unified point addition formulae and side-channel attacks. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 354–368. Springer, Heidelberg (2006)
22. 22.
Stinson, D.: Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem. Math. Comp. 71(237), 379–391 (2002)
23. 23.
Teske, E.: Square-root algorithms for the discrete logarithm problem (a survey). In: Public-Key Cryptography and Computational Number Theory, pp. 283–301. Walter de Gruyter, Berlin (2001)Google Scholar
24. 24.
Walter, C.D.: Simple power analysis of unified code for ECC double and add. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 191–204. Springer, Heidelberg (2004)Google Scholar

## Authors and Affiliations

• K. Gopalakrishnan
• 1
• Nicolas Thériault
• 2
• Chui Zhi Yao
• 3
1. 1.Department of Computer Science, East Carolina University, Greenville, NC 27858
2. 2.Instituto de Matemática y Física, Universidad de Talca, Casilla 747, TalcaChile
3. 3.Department of Mathematics, University of California - Riverside, CA 92521