A hierarchy of polynomial time lattice basis reduction algorithms
Theoretical Computer Science
Solving simultaneous modular equations of low degree
SIAM Journal on Computing - Special issue on cryptography
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Handbook of Applied Cryptography
Handbook of Applied Cryptography
How to Guess l-th Roots Modulo n by Reducing Lattice Bases
AAECC-6 Proceedings of the 6th International Conference, on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
The Complexity of Some Lattice Problems
ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Lattice Reduction in Cryptology: An Update
ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Finding a small root of a univariate modular equation
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
A variant of Digital Signature Algorithm
Designs, Codes and Cryptography
Hi-index | 0.00 |
We present a key-recovery attack against the Digital Signature Algorithm (DSA). Our method is based on the work of Coppersmith [7], and is similar in nature to the attacks of Boneh et al. [5,9] which use lattice reduction techniques to determine upper bounds on the size of an RSA decryption exponent under which it will be revealed by the attack. This work similarly determines provable upper bounds on the sizes of the two key parameters in the DSA for which the system can be broken. Specifically if about half of the total number of bits in the secret and ephemeral keys, assuming contiguous unknown bits in each key, are known, the system can be shown to be insecure. The same technique shows that if about half of the total number of bits in two ephemeral keys are known, again assumed contiguous unknown bits in each key, but with no knowledge of the secret key, the system can be shown to be insecure.