Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version

Mulder, Elke De; Hutter, Michael; Marson, Mark E.; Pearson, Peter K.

doi:10.1007/s13389-014-0072-z

Cited by 30 publications

(48 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have Λ * * = Λ. We borrow Bleichenbacher's definition of bias [42]. This definition extends the usual definition of the bias of a coin in Z/2Z: it preserves the fact that any distribution with bias b can be distinguished from uniform with constant probability using Ω(1/b 2 ) samples, as a consequence of Hoeffding's inequality; moreover the bias of the sum of two independent variable is still the product of their biases.…”

Section: Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Kirchner

Fouque

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving within half a day a LWE instance with dimension n = 128, modulus q = n 2 , Gaussian noise α = 1/( n/π log 2 n) and binary secret, using 2 28 samples, while the previous best result based on BKW claims a time complexity of 2 74 with 2 60 samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time 2(ln 2/2+o(1))n/ log log n . This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density o(1), which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010.

show abstract

Section: Preliminariesmentioning

confidence: 99%

“…The attack consists in using lattice reduction to find sums of samples which are equal to zero on most coordinates, and then use FindSecret to find the secret on the remaining coordinates. It has been described for instance in [42].…”

Section: B2 Dual Algorithmmentioning

confidence: 99%

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Kirchner

Fouque

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Most of the above attacks succeeded under the fact that the security of related schemes is guaranteed by the randomness of nounces chosen in the generation step. Different with this, statistical biases derived from partially information leakage have been exploited for key recovery as well [12][13][14][15]. This type of attacks are expected to succeed with knowledge of fewer bits at the cost of larger number of instances.…”

Section: Introductionmentioning

confidence: 99%

Partially known information attack on SM2 key exchange protocol

Wei

Chen

et al. 2019

Sci. China Inf. Sci.

View full text Add to dashboard Cite

“…We use the HNM [7,8] to solve the multivariate polynomials and give different lattice models. There exist many crypto schemes which are designed with the arithmetical operations and the truncate operations, such as IDEA, Salsa20, MD5, SHA0, SHA1, SPECK and so on.…”

Section: Introductionmentioning

confidence: 99%

Hidden Number Problem and Its Applications in Crypto Scheme

Chen¹,

Wang²,

Xu³

2017

dtetr

View full text Add to dashboard Cite

Abstract. This paper is based on the research result of Nguyen's attacking against DSA .We extent the Hidden Number Method (HNM) from the univariate modular polynomials with one order to the univariate modular polynomials with higher order. There are many crypto schemes using the arithmetical and truncate operations. If the constant terms are partly known, these schemes can be written as the modular equations. We analysis a scheme using the arithmetical and truncate operations so as to improve the lattice model. On the supposed condition, we can recover the basic key with the probability 99%.

show abstract

Using Bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA: extended version

Cited by 30 publications

References 19 publications

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Partially known information attack on SM2 key exchange protocol

Hidden Number Problem and Its Applications in Crypto Scheme

Contact Info

Product

Resources

About