Lattice Attack Research Articles

Attacking OpenSSL ECDSA with a small amount of side-channel information

In this work, we mount a lattice attack on the ECDSA signatures implemented by the latest version of OpenSSL which uses the windowed non-adjacent form method to implement the scalar multiplication. We first develop a new way of extracting information from the side-channel results of the ECDSA signatures. Just given a small fraction of the information about a side-channel result denoted as double-and-add chain, we take advantage of the length of the chain together with positions of two non-zero digits to recover information about the ephemeral key. Combining the information of both the most significant digits and the least significant bits, we are able to gain more information about the ephemeral key. The problem of recovering ECDSA secret key is then translated to the hidden number problem which can be solved by lattice reduction algorithms. Our attack is mounted to the series secp256k1 curve, and the result shows that 85 signatures would be enough to recover the secret key, which is better than the result that previous attack gained only utilizing the information extracted from the least significant bits, using about 200 signatures to recover the secret key.

(EC)DSA lattice attacks based on Coppersmith's method

We provide an attack to (EC)DSA digital signature built upon Coppersmith's method. We prove that, if a,k are the private and ephemeral key, respectively, of the (EC)DSA scheme and (k−1modq)2a<0.262⋅q1.157, then we can efficiently find a.

ECDSA Passive Attacks, Leakage Sources, and Common Design Mistakes

Elliptic Curves Cryptography (ECC) tends to replace RSA for public key cryptographic services. ECC is involved in many secure schemes such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, Elliptic Curve Integrated Encryption Scheme (ECIES), and Elliptic Curve Digital Signature Algorithm (ECDSA). As for every cryptosystem, implementation of such schemes may jeopardize the inherent security provided by the mathematical properties of the ECC. Unfortunate implementation or algorithm choices may create serious vulnerabilities. The elliptic curve scalar operation is particularly sensitive among these schemes. This article surveys passive attacks against well-spread elliptic curve scalar multiplication algorithms highlighting leakage sources and common mistakes that can be used to attack the ECDSA scheme. Experimental results are provided to illustrate and demonstrate the effectiveness of each vulnerability. Finally, the article describes the link between partial leakage and lattice attack in order to understand and demonstrate the impact of small leakages on the security of ECDSA. An example of side channel and lattice attack combination on NIST P-256 is provided in the case where the elliptic curve scalar multiplication is not protected against DPA/CPA and a controllable device is not accessible.

New lattice attacks on DSA schemes

AbstractWe prove that a system of linear congruences of a particular form has at most a unique solution below a certain bound which can be computed efficiently. Using this result, we develop attacks against the DSA schemes which, under some assumptions, can provide the secret key in the case where one or several signed messages are available.

Fast key generation for Gentry-style homomorphic encryption

The key issue of original implementation for Gentry-style homomorphic encryption scheme is the so called slow key generation algorithm. Ogura proposed a key generation algorithm for Gentry-style somewhat homomorphic scheme that controlled the bound of the evaluation circuit depth by using the relation between the evaluation circuit depth and the eigenvalues of the primary matrix. However, their proposed key generation method seems to exclude practical application. In order to address this problem, a new key generation algorithm based on Gershgorin circle theorem was proposed. The authors choose the eigenvalues of the primary matrix from a desired interval instead of selecting the module. Compared with the Ogura's work, the proposed key generation algorithm enables one to create a more practical somewhat homomorphic encryption scheme. Furthermore, a more aggressive security analysis of the approximate shortest vector problem (SVP) against lattice attacks is given. Experiments indicate that the new key generation algorithm is roughly twice as efficient as the previous methods.

Attack on Fully Homomorphic Encryption over the Integers

This paper presents an attack on the fully homomorphic encryption over the integers by using lattice reduction algorithm. Our result shows that the FHE in [4] is not secure for some parameter settings. We also present an improvement FHE scheme to avoid this lattice attack. Keywords: Fully Homomorphic Encryption, Cryptanalysis, Lattice Reduction

Group key agreement for secure group communication in dynamic peer systems

Self-organizing group key agreement protocols without a centralized administrator are essential to secure group communication in dynamic peer systems. In this paper, we propose a generic construction of a one-round self-organizing group key agreement protocol based on the Chinese Remainder Theorem. In the proposed construction, all group members contribute their own public keys to negotiate a shared encryption public key, which corresponds to all different decryption keys. Using his/her own secret key, each group member is able to decrypt any ciphertext encrypted by the shared encryption key. Following the generic construction, we instantiate a one-round self-organizing group key agreement protocol using the efficient and computationally inexpensive public key cryptosystem NTRU. Both the public key and the message in this protocol are secure against the known lattice attacks. Furthermore, we also briefly describe another concrete scheme with our generic idea, based on the ElGamal public key cryptosystem.

Cryptanalysis of the Double-Moduli Cryptosystem

In this article we present a lattice attack done on a NTRU-like scheme introduced by Verkhovsky in [1]. We show how, based on the relation between the public and private key, we can construct an attack which allows any passive adversary to decrypt the encrypted messages. We explain, step by step, how an attacker can construct an equivalent private key and guess what the original plaintext was. Our attack is efficient and provides good experimental results.

Some lattice attacks on DSA and ECDSA

In this paper, using the LLL reduction method and computing the integral points of two classes of conics, we develop attacks on DSA and ECDSA in case where the secret and the ephemeral key of a signed message or theirs modular inverses are sufficiently small and in case where the ephemeral keys or theirs modular inverses of two signed messages are sufficiently small.

New Conditions for Secure Knapsack Schemes against Lattice Attack

Many knapsack cryptosystems have been proposed but almost all the schemes are vulnerable to lattice attack because of their low density. To prevent the lattice attack, Chor and Rivest proposed a low weight knapsack scheme, which made the density higher than critical density. In Asiacrypt2005, Nguyen and Stern introduced pseudo-density and proved that if the pseudo-density is low enough (even if the usual density is not low enough), the knapsack scheme can be broken by a single call to SVP/CVP oracle. However, the usual density and the pseudo-density are not sufficient to measure the resistance to the lattice attack individually. In this paper, we first introduce the new notion of density D, which naturally unifies the previous two density. Next, we derive conditions for our density so that a knapsack scheme is secure against lattice attack. We obtain a critical bound of density which depends only on the rate of the message length and its Hamming weight. Furthermore, we show that if D < 0.8677, the knapsack scheme is solved by lattice attack. Next, we show that the critical bound goes to 1 if the Hamming weight decreases, which means that it is (almost) impossible to construct a low weight knapsack scheme which is supported by an argument of density.

NTRU over rings beyond $${\mathbb{Z}}$$

The NTRU cryptosystem is constructed on the base ring $${\mathbb{Z}}$$ . We give suitability conditions on rings to serve as alternate base rings. We present an example of an NTRU-like cryptosystem based on the Eisenstein integers $${\mathbb{Z}[\zeta_3]}$$ , which has a denser lattice structure than $${\mathbb{Z}}$$ for the same dimension, and which furthermore presents a more difficult lattice problem for lattice attacks, for the same level of decryption failure security.

Quadratic compact knapsack public-key cryptosystem

Knapsack-type cryptosystems were among the first public-key cryptographic schemes to be invented. Their NP-completeness nature and the high speed in encryption/decryption made them very attractive. However, these cryptosystems were shown to be vulnerable to the low-density subset-sum attacks or some key-recovery attacks. In this paper, additive knapsack-type public-key cryptography is reconsidered. We propose a knapsack-type public-key cryptosystem by introducing an easy quadratic compact knapsack problem. The system uses the Chinese remainder theorem to disguise the easy knapsack sequence. The encryption function of the system is nonlinear about the message vector. Under the relinearization attack model, the system enjoys a high density. We show that the knapsack cryptosystem is secure against the low-density subset-sum attacks by observing that the underlying compact knapsack problem has exponentially many solutions. It is shown that the proposed cryptosystem is also secure against some brute-force attacks and some known key-recovery attacks including the simultaneous Diophantine approximation attack and the orthogonal lattice attack.

Fast public-key encryption scheme based on Chinese remainder theorem

Traditional public-key cryptosystems suffer from a relatively low encryption/decryption speed, which hampers their applications in resource-constrained environments. A fast public-key cryptosystem is proposed to remedy this drawback. The new algorithm uses Chinese remainder theorem to hide the trapdoor information. The encryption of the system only carries out several modular multiplication operations, and the decryption only needs a modular multiplication and a low-dimensional matrixvector multiplication, which makes the speed of the encryption and the decryption of the scheme very high. The security of the system is based on two difficult number-theoretic problems. The attacker has to solve the integer factorization problem and the simultaneous Diophantine approximation problem simultaneously to recover the secret key from the public key. The proposed cryptosystem is also shown to be secure against lattice attack. The analysis shows that the encryption algorithm is a secure, fast and efficient public-key cryptosystem.

Simple Backdoors on RSA Modulus by Using RSA Vulnerability

This investigation proposes two methods for embedding backdoors in the RSA modulus N=pq rather than in the public exponent e. This strategy not only permits manufacturers to embed backdoors in an RSA system, but also allows users to choose any desired public exponent, such as e=216+1, to ensure efficient encryption. This work utilizes lattice attack and exhaustive attack to embed backdoors in two proposed methods, called RSASBLT and RSASBES, respectively. Both approaches involve straightforward steps, making their running time roughly the same as that of normal RSA key-generation time, implying that no one can detect the backdoor by observing time imparity.

On the Linear Complexity of the Power Generator

We obtain a lower bound on the linear complexity of the power generator of pseudo-random numbers, which in some special cases is also known as the RSA generator and as the Blum–Blum–Shub generator. In some very important cases this bound is essentially the best possible. In particular, this implies that lattice reduction attacks on such generators are not feasible.

Lattice Attacks on Digital Signature Schemes

We describe a lattice attack on the Digital Signature Algorithm (DSA) when used to sign many messages, m_i, under the assumption that a proportion of the bits of each of the associated ephemeral keys, y_i, can be recovered by alternative techniques.

Sur les propriétés particulières de certains sites d'échanges dans la vermiculite

The acid character of the hydrogens supported by some OH groups, which should appear after irregular cationic substitutions in tetrahedral and octahedral layers, is responsible of the peculiar properties of some exchange sites. We distinguish : — sites I, which can be occupied by all the cations studied whatever their characteristics may be ; — sites II, subject to the repulsive influence of these hydrogens with acid characters and so, accessible only to hydrated cations. The study of these acid functions shows that their acid character is very weak. Their neutralization is complete only in a non aqueous medium, since they are submitted to a hydrolysis equilibrium. The peculiar role ofl K+ ion, a non hydrated cation, in the exchange processes, was introduced, especially in course of the phenomena of lattice attack by dilute acid solutions.