Reconstructing truncated integer variables satisfying linear congruences
SIAM Journal on Computing - Special issue on cryptography
Algebraic aspects of cryptography
Algebraic aspects of cryptography
Elliptic curves in cryptography
Elliptic curves in cryptography
Handbook of Applied Cryptography
Handbook of Applied Cryptography
Elliptic Curve Public Key Cryptosystems
Elliptic Curve Public Key Cryptosystems
Closest Vectors, Successive Minima, and Dual HKZ-Bases of Lattices
ICALP '00 Proceedings of the 27th International Colloquium on Automata, Languages and Programming
"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
FC '00 Proceedings of the 4th International Conference on Financial Cryptography
Design Validations for Discrete Logarithm Based Signature Schemes
PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Lattice Reduction in Cryptology: An Update
ANTS-IV Proceedings of the 4th International Symposium on Algorithmic Number Theory
Enhancing Simple Power-Analysis Attacks on Elliptic Curve Cryptosystems
CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Computers and Electrical Engineering
Practical modifications of leadbitter et al.'s repeated-bits side-channel analysis on (EC)DSA
WISA'05 Proceedings of the 6th international conference on Information Security Applications
| Hi-index | 0.04 |
In this article we will be concerned with a polynomial-time attack against the ECDSA, which computes the secret key of the ECDSA if a few bits of the ephemeral-key from several ECDSA-signatures are known. The number of needed bits per signature is 12, if one has access to an ideal lattice basis reduction algorithm computing the nth successive minimum of a lattice with rank n. The aforesaid bits of the ephemeral-key can be obtained from insecure ECDSA implementations by so called side-channel-attacks like Timing, Simple-Power-Analysis, Differential-Power-Analysis, Electromagnetic or Differential-Fault attacks. Our attack combines a recent idea of Howgrave-Graham and Smart with an old lattice attack against linear congruential pseudo-random number generators due to Frieze, Hastad, Kannan, Lagarias und Shamir. In contrast to Howgrave-Graham and Smart, our approach enables the exact determination of the number of needed (side-channel) bits and uses an easier lattice problem making the attack very practical.