信息网络安全 ›› 2022, Vol. 22 ›› Issue (2): 11-20.doi: 10.3969/j.issn.1671-1122.2022.02.002

• 技术研究 • 上一篇    下一篇

对DSA和ECDSA的一种改进格攻击

余发江1,2, 贾耀民1,2()   

  1. 1.武汉大学国家网络安全学院,武汉 430072
    2.武汉大学空天信息安全与可信计算教育部重点实验室,武汉 430064
  • 收稿日期:2021-09-23 出版日期:2022-02-10 发布日期:2022-02-16
  • 通讯作者: 贾耀民 E-mail:649154808@qq.com
  • 作者简介:余发江(1980—),男,湖北,副教授,博士,主要研究方向为可信计算、系统安全、密码学|贾耀民(1995—),男,湖北,硕士研究生,主要研究方向为可信计算、系统安全、密码学
  • 基金资助:
    国家自然科学基金(61772384)

An Enhanced Lattice Attack to DSA and ECDSA Scheme

YU Fajiang1,2, JIA Yaomin1,2()   

  1. 1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
    2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430064, China
  • Received:2021-09-23 Online:2022-02-10 Published:2022-02-16
  • Contact: JIA Yaomin E-mail:649154808@qq.com

摘要:

利用格攻击DSA和ECDSA的方法,通过构造同余方程组可以将隐藏数字问题转化为格中最近向量问题,当同余方程组至多有一个解小于给定界限时,可通过求解格中最近向量获取签名私钥。给定界限越大,对解向量的大小要求越宽松,攻击的难度也越低。文章提出一种新的给定界限,其大小是原有界限的6.92倍,显著降低了格攻击的难度。利用从OpenSSL收集到的DSA和ECDSA的签名数据,设计验证新界限的格攻击实验。实验结果表明,新界限对已知解向量元素的要求由最高比特位6位降低到3 位。对于DSA,当格的维度为350时,攻击成功率达80%;对于ECDSA,当格的维度为260时,攻击成功率达97%。通过解向量减去一个基准向量,可将对已知解向量元素的要求降低至1位,从而降低格攻击的难度。

关键词: 格攻击, 隐藏数字问题, 最近向量问题, DSA, ECDSA

Abstract:

The basic idea behind one type of lattice attack to DSA and ECDSA scheme is to construct a system of congruences, and convert the hidden number problem into the nearest vector problem. if one of the solutions of the congruences is below a certain bound, the private key can be found by solving the closest vector. If the bound becomes larger, the size of solution within which the attack is effective can be broadened accordingly, thus reducing the level to construct such congruences. A new bound based on the oretical analysis and calculation was presented. The new bound was 6.92 times larger than the original one, reducing the level to launch an effective lattice attack significantly. This paper designed and implemented experiment to verify this new bound by collecting signatures from OpenSSL. The results show that under the new bound, the lattice attack only require solution vector’s elements’ 3 most significant bits to be known, compared with 6 most significant bits to be known before. For DSA, the success rate is about 80% with a lattice of size 350. For ECDSA, the success rate is about 97% with a lattice of size 260. Furthermore, by subtracting a base vector from the solution vector, the requirement of known bits can be reduced to just one, the difficulty to mount an attack can be reduced even further.

Key words: lattice attack, hidden number problem, closest vector problem, DSA, ECDSA

中图分类号: