Netinfo Security ›› 2022, Vol. 22 ›› Issue (2): 11-20.doi: 10.3969/j.issn.1671-1122.2022.02.002

Previous Articles     Next Articles

An Enhanced Lattice Attack to DSA and ECDSA Scheme

YU Fajiang1,2, JIA Yaomin1,2()   

  1. 1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
    2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430064, China
  • Received:2021-09-23 Online:2022-02-10 Published:2022-02-16
  • Contact: JIA Yaomin E-mail:649154808@qq.com

Abstract:

The basic idea behind one type of lattice attack to DSA and ECDSA scheme is to construct a system of congruences, and convert the hidden number problem into the nearest vector problem. if one of the solutions of the congruences is below a certain bound, the private key can be found by solving the closest vector. If the bound becomes larger, the size of solution within which the attack is effective can be broadened accordingly, thus reducing the level to construct such congruences. A new bound based on the oretical analysis and calculation was presented. The new bound was 6.92 times larger than the original one, reducing the level to launch an effective lattice attack significantly. This paper designed and implemented experiment to verify this new bound by collecting signatures from OpenSSL. The results show that under the new bound, the lattice attack only require solution vector’s elements’ 3 most significant bits to be known, compared with 6 most significant bits to be known before. For DSA, the success rate is about 80% with a lattice of size 350. For ECDSA, the success rate is about 97% with a lattice of size 260. Furthermore, by subtracting a base vector from the solution vector, the requirement of known bits can be reduced to just one, the difficulty to mount an attack can be reduced even further.

Key words: lattice attack, hidden number problem, closest vector problem, DSA, ECDSA

CLC Number: