Sciweavers

JOC
2002

The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

13 years 10 months ago
The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log1/2 q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie
Phong Q. Nguyen, Igor Shparlinski
Added 22 Dec 2010
Updated 22 Dec 2010
Type Journal
Year 2002
Where JOC
Authors Phong Q. Nguyen, Igor Shparlinski
Comments (0)