Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version

  • CHES 2013
  • Published in: Journal of Cryptographic Engineering

Abstract

In this paper, we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4,000 signatures.


Notes

  1. \(\Pr\{K_{j,hi} = \lfloor q_b\rfloor \}\) will be smaller than it is for all other values of \(K_{j,hi}\) in the interval.

  2. We wrote Eq. (4) as an equality because the \(k_j\) can take on negative values. With this understanding, for the remainder of the paper, we will simply write ‘\(\mathrm{mod}\ q\)’.

  3. We acknowledge the abuse of notation in writing \(B_q(w)\) instead of \(B_q(V_w)\), but this is consistent with Bleichenbacher’s notes and will simplify the exposition.

  4. Throughout the paper, we will refer to the size of \(B_q(w)\), by which we mean \(|B_q(w)|\). With this understanding, for the remainder of the paper, we will leave off the absolute value bars.

  5. Curiously, the coefficient distributions output by LLL were better modeled by geometric distributions.
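The abstract describes an attack that turns a few leaked low-order nonce bits into a statistical signal, and notes 3 and 4 refer to Bleichenbacher's bias function \(B_q(w)\). The following Python script is an added example, not code from the paper or its authors. It implements the standard Bleichenbacher bias statistic (the magnitude of the mean of \(e^{2\pi i w k_j / q}\) over the sample) and uses it the way an implementer would: as a self-test on nonces the implementation itself generated, flagging a generator whose output is biased, and showing why a low-order-bit leak matters even when the nonces themselves are uniform. The group order of NIST P-384 is used only as a stand-in 384-bit modulus; the function names, the flawed `short_nonce` generator and the `factor` threshold are this example's own choices, and `random.Random` with a fixed seed is used purely for reproducibility (a real implementation would draw nonces from `secrets`).

```python
"""Bleichenbacher-style nonce bias self-test (added example; not the paper's code)."""
import cmath
import math
import random

# Group order of NIST P-384, used here only as a realistic 384-bit modulus.
Q_P384 = int(
    "ffffffffffffffffffffffffffffffffffffffffffffffff"
    "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16)


def bias(values, q, w=1):
    """Bleichenbacher's bias B_q(w): magnitude of the mean of exp(2*pi*i*w*v/q).

    Uniform residues mod q give roughly 1/sqrt(n); residues confined to a
    short interval of [0, q) give a value close to 1.
    """
    n = len(values)
    acc = sum(cmath.exp(2j * math.pi * ((w * v) % q) / q) for v in values)
    return abs(acc) / n


def uniform_nonce(q, rng):
    """Correct nonce generation by rejection sampling: k uniform in [1, q)."""
    while True:
        k = rng.getrandbits(q.bit_length())
        if 1 <= k < q:
            return k


def short_nonce(q, rng, bits=379):
    """Constructed flawed generator: never sets the top bits of q, so k < q/32."""
    return rng.getrandbits(bits) | 1


def strip_leaked_bits(k, leaked_bits):
    """Model of what a low-order-bit leak yields: with k = 2^l * k' + known,
    the unknown part k' lies in [0, q/2^l) and is therefore strongly biased."""
    return k >> leaked_bits


def nonce_bias_check(generator, q, n=4000, w=1, factor=4.0, seed=1):
    """Self-test: sample n nonces from `generator` and compare their bias with
    factor/sqrt(n), the scale of the noise a uniform sample would show.
    `factor` is this example's own choice of safety margin."""
    rng = random.Random(seed)  # fixed seed for reproducibility only
    nonces = [generator(q, rng) for _ in range(n)]
    b = bias(nonces, q, w)
    threshold = factor / math.sqrt(n)
    return {"bias": b, "threshold": threshold, "ok": b < threshold}


def leak_demo(q, n=4000, leaked_bits=5, seed=1):
    """Return (bias of the raw uniform nonces, bias of the values an attacker
    is left with after stripping `leaked_bits` known low-order bits)."""
    rng = random.Random(seed)
    ks = [uniform_nonce(q, rng) for _ in range(n)]
    return bias(ks, q), bias([strip_leaked_bits(k, leaked_bits) for k in ks], q)


if __name__ == "__main__":
    for name, gen in (("uniform", uniform_nonce), ("short (379-bit)", short_nonce)):
        r = nonce_bias_check(gen, Q_P384)
        print(f"{name:16s} bias={r['bias']:.4f} threshold={r['threshold']:.4f} ok={r['ok']}")
    raw, stripped = leak_demo(Q_P384)
    print(f"uniform nonces: bias={raw:.4f}; after removing 5 leaked low bits: bias={stripped:.4f}")
```

The two numbers from `leak_demo` show the point of the attack from the defender's side: the nonces themselves pass the bias test, but once 5 low-order bits are known the remaining unknown part is confined to a \(1/32\) slice of \([0, q)\) and its bias jumps to nearly 1, which is exactly the signal the FFT search in the paper looks for. The threshold \(4/\sqrt{n}\) also makes the sample-size trade-off visible: with few signatures the noise floor is high and weak biases are invisible, which is why the paper needs thousands of signatures.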

Acknowledgments

We would like to thank Pankaj Rohatgi and Mike Hamburg for many fruitful discussions and valuable suggestions.

Corresponding author

Correspondence to Elke De Mulder.

Cite this article

De Mulder, E., Hutter, M., Marson, M.E. et al. Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version. J Cryptogr Eng 4, 33–45 (2014). https://doi.org/10.1007/s13389-014-0072-z
