2013
DOI: 10.1007/978-3-642-40349-1_25
|View full text |Cite
|
Sign up to set email alerts
|

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Abstract: Abstract. In this paper we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
1
1
1

Citation Types

0
13
0

Year Published

2015
2015
2023
2023

Publication Types

Select...
6
1

Relationship

0
7

Authors

Journals

citations
Cited by 31 publications
(13 citation statements)
references
References 19 publications
0
13
0
Order By: Relevance
“…Moreover, all these works only considered the setting where HNP samples come without any errors in the MSB information. In such an ideal case, our tradeoff formula actually allows to mount the attack given only 2 23 samples with almost the same time and space complexity. Appendix B describes how it can be achieved in detail.…”
Section: Concrete Parameters To Attack Opensslmentioning
confidence: 99%
See 3 more Smart Citations
“…Moreover, all these works only considered the setting where HNP samples come without any errors in the MSB information. In such an ideal case, our tradeoff formula actually allows to mount the attack given only 2 23 samples with almost the same time and space complexity. Appendix B describes how it can be achieved in detail.…”
Section: Concrete Parameters To Attack Opensslmentioning
confidence: 99%
“…The concrete attack parameters for the former are described in Appendix B and the ones for the latter were already described in Section 4.3. We first generated 2 23 and 2 24 ECDSA signatures like in the case of P-192, which took 1.8 and 3.6 CPU hours respectively. The measured experimental results are in Table 3.…”
Section: Attack Experimentsmentioning
confidence: 99%
See 2 more Smart Citations
“…Howgrave-Graham and Smart [19] noted that if a few bits of the ephemeral exponent are known for sufficiently many signatures, then the scheme can be broken, based on the so-called hidden number problem introduced by Boneh and Venkatesan [27]. Recently, De Mulder et al [28] demonstrated that, in practice, the lattice attack required as few as four bits of the ephemeral exponent assuming that some hundreds of such signatures could be obtained. However, this information would not be available to an adversary.…”
Section: Algorithm 7: Blinded Montgomery Powering Laddermentioning
confidence: 99%