Attacking DSA Under a Repeated Bits Assumption

Leadbitter, Peter James; Page, Daniel; Smart, Nigel P.

doi:10.1007/978-3-540-28632-5_31

Cited by 12 publications

(4 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At CHES 2004, three papers based on the idea of collision attack were published [9,10,11]. Additionally, at the same conference, Leadbitter et al [12] reported that they had expanded the attack exploiting internal collision to apply it on DSA style signature schemes. This section surveys the attacks exploiting internal collision published after the proposal of the original cache attack [2].…”

Section: Introductionmentioning

confidence: 98%

“…It also describes the results of experiment to determine how many messages said attack requires for recovering entire secret key for MISTY1 when implemented on a PC, and more importantly, when the key estimation method is improved and average method is embodied in it. [7] Analysis Not used 1 [12] Not used 2 [9,10,8,11,13] 2 Attacks exploiting internal collision…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Improving cache attacks by considering cipher structure

Tsunoo

Tsujihara²,

Shigeri

et al. 2005

Int. J. Inf. Secur.

View full text Add to dashboard Cite

A concrete attack using side channel information from cache memory behaviour was proposed for the first time at ISITA 2002. The attack uses the difference between execution times associated with S-box cache-hits and cachemisses to recover the intermediate key. Recently, a theoretical estimation of the number of messages needed for the attack was proposed and it was reported that the average method obtains key information with fewer messages than maximum threshold or intermediate threshold method. Taking the structure of cipher into account, this paper provided the cache attack in which the average method is embodied, and provides improved key estimation. This paper includes the study on the attack that exploits internal collision.

show abstract

Section: Introductionmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

Improving cache attacks by considering cipher structure

Tsunoo

Tsujihara²,

Shigeri

et al. 2005

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Very few results on the security of elliptic-curve signatures with noisy partial information on the nonces are known. In [LPS04], Leadbitter, Page and Smart considered adversaries that can determine some relation amongst the bits of the secret nonces rather than their specific values (but this relation is known with certainty). This work was recently extended by Faugère, Goyet and Renault in [FGR13].…”

Section: Introductionmentioning

confidence: 99%

Lattice Attacks Against Elliptic-Curve Signatures with Blinded Scalar Multiplication

Goudarzi

Rivain

Vergnaud

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Elliptic curve cryptography is today the prevailing approach to get efficient public-key cryptosystems and digital signatures. Most of elliptic curve signature schemes use a nonce in the computation of each signature and the knowledge of this nonce is sufficient to fully recover the secret key of the scheme. Even a few bits of the nonce over several signatures allow a complete break of the scheme by lattice-based attacks. Several works have investigated how to efficiently apply such attacks when partial information on the nonce can be recovered through side-channel attacks. However, these attacks usually target unprotected implementation and/or make ideal assumptions on the recovered information, and it is not clear how they would perform in a scenario where common countermeasures are included and where only noisy information leaks via side channels. In this paper, we close this gap by applying such attack techniques against elliptic-curve signature implementations based on a blinded scalar multiplication. Specifically, we extend the famous Howgrave-Graham and Smart lattice attack when the nonces are blinded by the addition of a random multiple of the elliptic-curve group order or by a random Euclidean splitting. We then assume that noisy information on the blinded nonce can be obtained through a template attack targeting the underlying scalar multiplication and we show how to characterize the obtained likelihood scores under a realistic leakage assumption. To deal with this scenario, we introduce a filtering method which given a set of signatures and associated likelihood scores maximizes the success probability of the lattice attack. Our approach is backed up with attack simulation results for several signal-to-noise ratio of the exploited leakage.

show abstract

“…A number of papers address the question when a large number of observations are available [6,11,12,9]. When only one observation is possible, probabilistic algorithms are known, but they usually assumed that the known bitstring is either in the most or the least significant bits of the key [15,16,23].…”

Section: Introductionmentioning

confidence: 99%

Solving Discrete Logarithms from Partial Knowledge of the Key

Gopalakrishnan

Thériault

Yao

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. For elliptic curve based cryptosystems, the discrete logarithm problem must be hard to solve. But even when this is true from a mathematical point of view, side-channel attacks could be used to reveal information about the key if proper countermeasures are not used. In this paper, we study the difficulty of the discrete logarithm problem when partial information about the key is revealed by side channel attacks. We provide algorithms to solve the discrete logarithm problem for generic groups with partial knowledge of the key which are considerably better than using a square-root attack on the whole key or doing an exhaustive search using the extra information, under two different scenarios. In the first scenario, we assume that a sequence of contiguous bits of the key is revealed. In the second scenario, we assume that partial information on the "Square and Multiply Chain" is revealed.

show abstract

Attacking DSA Under a Repeated Bits Assumption

Cited by 12 publications

References 16 publications

Improving cache attacks by considering cipher structure

Improving cache attacks by considering cipher structure

Lattice Attacks Against Elliptic-Curve Signatures with Blinded Scalar Multiplication

Solving Discrete Logarithms from Partial Knowledge of the Key

Contact Info

Product

Resources

About