Using bleichenbacher's solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA

Authors:
Elke De Mulder;Michael Hutter;Mark E. Marson;Peter Pearson
Affiliations:
Cryptography Research, Inc., San Francisco, CA;Cryptography Research, Inc., San Francisco, CA and Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria;Cryptography Research, Inc., San Francisco, CA;Cryptography Research, Inc., San Francisco, CA
Venue:
CHES'13 Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems
Year:
2013

Citing 15
Cited 0

On Lova´sz' lattice reduction and the nearest lattice point problem

Combinatorica
Lattice basis reduction: improved practical algorithms and solving subset sum problems

Mathematical Programming: Series A and B
Lattice Attacks on Digital Signature Schemes

Designs, Codes and Cryptography
Distinguishing Exponent Digits by Observing Modular Subtractions

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Differential Power Analysis

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Montgomery Exponentiation with no Final Subtractions: Improved Results

CHES '00 Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems
Template Attacks

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces

Designs, Codes and Cryptography
Attacking ECDSA-Enabled RFID Devices

ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Exponent Recoding and Regular Exponentiation Algorithms

AFRICACRYPT '09 Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology
Experimenting with faults, lattices and the DSA

PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
BKZ 2.0: better lattice security estimates

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Solving BDD by enumeration: an update

CT-RSA'13 Proceedings of the 13th international conference on Topics in Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4000 signatures.