On the Security of the Digital Signature Algorithm

Authors:
Ian F. Blake;Theodoulos Garefalakis
Affiliations:
Department of Electrical and Computer Engineering, University of Toronto, Toronto, M5S 3G4, Canada ifblake@comm.toronto.edu;Department of Mathematics, Royal Hollaway College, Information Security Group, Egham, Surrey TW20 0EX, UK theo.garefalakis@rhul.ac.uk
Venue:
Designs, Codes and Cryptography
Year:
2002

Citing 11
Cited 1

A hierarchy of polynomial time lattice basis reduction algorithms

Theoretical Computer Science
Solving simultaneous modular equations of low degree

SIAM Journal on Computing - Special issue on cryptography
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)

STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Handbook of Applied Cryptography

Handbook of Applied Cryptography
How to Guess l-th Roots Modulo n by Reducing Lattice Bases

AAECC-6 Proceedings of the 6th International Conference, on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes
Finding Small Roots of Univariate Modular Equations Revisited

Proceedings of the 6th IMA International Conference on Cryptography and Coding
The Complexity of Some Lattice Problems

ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Lattice Reduction in Cryptology: An Update

ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Finding a small root of a univariate modular equation

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0:292

EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0.292

IEEE Transactions on Information Theory

A variant of Digital Signature Algorithm

Designs, Codes and Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a key-recovery attack against the Digital Signature Algorithm (DSA). Our method is based on the work of Coppersmith [7], and is similar in nature to the attacks of Boneh et al. [5,9] which use lattice reduction techniques to determine upper bounds on the size of an RSA decryption exponent under which it will be revealed by the attack. This work similarly determines provable upper bounds on the sizes of the two key parameters in the DSA for which the system can be broken. Specifically if about half of the total number of bits in the secret and ephemeral keys, assuming contiguous unknown bits in each key, are known, the system can be shown to be insecure. The same technique shows that if about half of the total number of bits in two ephemeral keys are known, again assumed contiguous unknown bits in each key, but with no knowledge of the secret key, the system can be shown to be insecure.