Guessing Bits: Improved Lattice Attacks on (EC)DSA with Nonce Leakage

Authors

  • Chao Sun Kyoto University, Kyoto, Japan
  • Thomas Espitau NTT Corporation, Tokyo, Japan
  • Mehdi Tibouchi Kyoto University, Kyoto, Japan; NTT Corporation, Tokyo, Japan
  • Masayuki Abe Kyoto University, Kyoto, Japan; NTT Corporation, Tokyo, Japan

DOI:

https://doi.org/10.46586/tches.v2022.i1.391-413

Keywords:

ECDSA, Lattice Attacks, Hidden Number Problem, Success-Time Trade-Off, Cryptanalysis

Abstract

The lattice reduction attack on (EC)DSA (and other Schnorr-like signature schemes) with partially known nonces, originally due to Howgrave-Graham and Smart, has been at the core of many concrete cryptanalytic works, side-channel based or otherwise, in the past 20 years. The attack itself has seen limited development, however: improved analyses have been carried out, and the use of stronger lattice reduction algorithms has pushed the range of practically vulnerable parameters further, but the lattice construction based on the signatures and known nonce bits remain the same.
In this paper, we propose a new idea to improve the attack based on the same data in exchange for additional computation: carry out an exhaustive search on some bits of the secret key. This turns the problem from a single bounded distance decoding (BDD) instance in a certain lattice to multiple BDD instances in a fixed lattice of larger volume but with the same bound (making the BDD problem substantially easier). Furthermore, the fact that the lattice is fixed lets us use batch/preprocessing variants of BDD solvers that are far more efficient than repeated lattice reductions on non-preprocessed lattices of the same size. As a result, our analysis suggests that our technique is competitive or outperforms the state of the art for parameter ranges corresponding to the limit of what is achievable using lattice attacks so far (around 2-bit leakage on 160-bit groups, or 3-bit leakage on 256-bit groups).
We also show that variants of this idea can also be applied to bits of the nonces (leading to a similar improvement) or to filtering signature data (leading to a data-time trade-off for the lattice attack). Finally, we use our technique to obtain an improved exploitation of the TPM–FAIL dataset similar to what was achieved in the Minerva attack.

Downloads

Published

2021-11-19

Issue

Section

Articles

How to Cite

Guessing Bits: Improved Lattice Attacks on (EC)DSA with Nonce Leakage. (2021). IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022(1), 391-413. https://doi.org/10.46586/tches.v2022.i1.391-413