Another Lattice Attack Against ECDSA with the wNAF to Recover More Bits per Signature | SpringerLink
Skip to main content
Springer Nature Link
Log in

Another Lattice Attack Against ECDSA with the wNAF to Recover More Bits per Signature

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2022)

  • 1829 Accesses

Abstract

In the resource-constrained environment such as the Internet of Things, the windowed Non-Adjacent-Form (wNAF) representation is usually used to improve the calculation speed of the scalar multiplication of ECDSA. This paper presents a practical cache side channel attack on ECDSA implementations which use wNAF representation. Compared with existing works, our method exploits more information from the cache side channels, which is then efficiently used to construct lattice attacks in the ECDSA private key recovery. First, we additionally monitor the invert function which is related to the sign of the wNAF digits, and obtain a Double-Add-Invert chain through the Flush+Flush cache side channel. Then, we develop effective methods extracting 154.2 bits information of the ephemeral key per signature for 256-bit ECDSA from this chain, much more than the best known result which extracts 105.8 bits per signature. Finally, to efficiently use the extracted information, we convert the problem of recovering the private key to the Hidden Number Problem (HNP) and the Extended Hidden Number Problem (EHNP) respectively, which are solved by lattice reduction algorithms. We applied the attack on ECDSA with the secp256k1 curve in OpenSSL 1.1.0h. The experimental results show that only 3 signatures are enough to recover the private key. To the best of our knowledge, this work exploits the signs of the wNAF representation, along with the Double-Add chain against ECDSA, to recover the private key with the least number of signatures.

This work was supported in part by the Open Subject of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences under Grant 2020-MS-08; in part by the Ningxia Natural Science Foundation of China under Grant 2021AAC03078; in part by the Key RD plan of Ningxia Hui Autonomous Region, China under Grant 2021BEB04047; in part by the National Key RD Plan of China under Grant 2020YFB1005803; in part by National Natural Science Foundation of China under Grant 62072398, by National Key Laboratory of Science and Technology on Information System Security, by State Key Laboratory of Mathematical Engineering and Advanced Computing, and by Key Laboratory of Cyberspace Situation Awareness of Henan Province.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 13727
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 17159
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Cryptlib Encryption Toolkit. https://www.cs.auckland.ac.nz/pgut001/cryptlib/ (2020)

  2. The Legion of the Bouncy Castle (2020). http://www.bouncycastle.org/

  3. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

    Chapter  MATH  Google Scholar 

  4. Allan, T., Brumley, B.B., Falkner, K., van de Pol, J., Yarom, Y.: Amplifying side channels through performance degradation. In: Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC), pp. 422–435 (2016)

    Google Scholar 

  5. American National Standards Institute: ANSI X9.62-2005, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (2005)

    Google Scholar 

  6. Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “ooh aah... just a little bit" : a small amount of side channel can go a long way. In: 16th International Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 75–92 (2014)

    Google Scholar 

  7. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in diffie-hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_11

    Chapter  MATH  Google Scholar 

  8. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

    Chapter  Google Scholar 

  9. Fan, S., Wang, W., Cheng, Q.: Attacking OpenSSL implementation of ECDSA with a few signatures. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1505–1515 (2016)

    Google Scholar 

  10. Gruss, D., Maurice, C., Wagner, K., Mangard, S.: Flush+ Flush: a fast and stealthy cache attack. In: 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 279–299 (2016)

    Google Scholar 

  11. Hai, H., Ning, N., Lin, X., Zhiwei, L., Bin, Y., Shilei, Z.: An improved wnaf scalar-multiplication algorithm with low computational complexity by using prime precomputation. IEEE Access 9, 31546–31552 (2021)

    Article  Google Scholar 

  12. Hlaváč, M., Rosa, T.: Extended hidden number problem and its cryptanalytic applications. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 114–133. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_9

    Chapter  Google Scholar 

  13. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptogr. 23(3), 283–290 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  14. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format (RFC 4880) (2007)

    Google Scholar 

  15. Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)

    Article  Google Scholar 

  16. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

    Article  MathSciNet  MATH  Google Scholar 

  17. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: IEEE Symposium on Security and Privacy, S &P 2015, pp. 605–622 (2015)

    Google Scholar 

  18. Liu, S., Qi, G., Wang, X.A.: Fast and secure elliptic curve scalar multiplication algorithm based on a kind of deformed fibonacci-type series. In: 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), pp. 398–402 (2015)

    Google Scholar 

  19. De Micheli, G., Piau, R., Pierrot, C.: A tale of three signatures: practical attack of ECDSA with wNAF. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 361–381. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_18

    Chapter  Google Scholar 

  20. Möller, B.: Algorithms for multi-exponentiation. In: International Workshop on Selected Areas in Cryptography, pp. 165–180 (2001)

    Google Scholar 

  21. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf

  22. Nguyen, P.Q.: The dark side of the hidden number problem: lattice attacks on DSA. In: Cryptography and Computational Number Theory, pp. 321–330 (2001)

    Google Scholar 

  23. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  24. Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptogr. 30(2), 201–217 (2003)

    Article  MathSciNet  MATH  Google Scholar 

  25. Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel. IACR Cryptol. ePrint Arch. 2002, 169 (2002)

    Google Scholar 

  26. van de Pol, J., Smart, N.P., Yarom, Y.: Just a little bit more. In: The Cryptographers’ Track at the RSA Conference (CT-RSA), pp. 3–21 (2015)

    Google Scholar 

  27. Rankl, W.: Smart card applications: design models for using and programming smart cards (2007)

    Google Scholar 

  28. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994)

    Article  MathSciNet  MATH  Google Scholar 

  29. Solinas, J.A.: Efficient arithmetic on koblitz curves. Des. Codes Cryptogr. 19(2), 195–249 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  30. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2 (RFC 5246) (2008)

    Google Scholar 

  31. The FPLLL development team: fplll, a lattice reduction library (2016). https://github.com/fplll/fplll

  32. Wang, W., Fan, S.: Attacking OpenSSL ECDSA with a small amount of side-channel information. Sci. China Inf. Sci. 61(3), 032105:1–032105:14 (2017)

    Google Scholar 

  33. Yarom, Y., Falkner, K.: Flush+Reload: a high resolution, low noise, L3 cache side-channel attack. In: Proceedings of the 23rd USENIX Conference on Security Symposium, pp. 719–732 (2014)

    Google Scholar 

  34. Zhao, S.l., Yang, X.Q., Liu, Z.W., Yu, B., Huang, H.: An improved wnaf scalar-multiplication algorithm with low computational complexity. Acta Electonica Sinica, 1–7 (2022)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Information Engineering, Ningxia University, Yinchuan, China

    Ziqiang Ma

  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Shuaigang Li & Quanwei Cai

  3. School of Cyber Security, University of Science and Technology of China, Hefei, China

    Jingqiang Lin

  4. State Key Laboratory of Cryptology, Beijing, China

    Shuqin Fan

  5. School of Cyber Science and Technology, College of Computer Science and Technology, Zhejiang University, Hangzhou, 310027, China

    Fan Zhang

  6. Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province, Hangzhou, 310027, China

    Fan Zhang

  7. Department of Electrical Engineering and Computer Science, University of Kansas, Lawrence, USA

    Bo Luo

Authors
  1. Ziqiang Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shuaigang Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jingqiang Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Quanwei Cai
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Shuqin Fan
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Fan Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Bo Luo
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jingqiang Lin .

Editor information

Editors and Affiliations

  1. University of Kansas, Lawrence, KS, USA

    Fengjun Li

  2. Delft University of Technology, Delft, The Netherlands

    Kaitai Liang

  3. The Ohio State University, Columbus, OH, USA

    Zhiqiang Lin

  4. Norwegian University of Science and Tech, Gjøvik, Norway

    Sokratis K. Katsikas

Rights and permissions

Reprints and permissions

Copyright information

© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ma, Z. et al. (2023). Another Lattice Attack Against ECDSA with the wNAF to Recover More Bits per Signature. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds) Security and Privacy in Communication Networks. SecureComm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 462. Springer, Cham. https://doi.org/10.1007/978-3-031-25538-0_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-25538-0_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25537-3

  • Online ISBN: 978-3-031-25538-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics