A Survey of Lattice Attack on Digital Signature Algorithm

Proceedings of Second International Workshop on Practice and Theory in Public Key Cryptography, PKC'99, H. Imai and Y. Zheng (Eds.), Volume 1560 of Lecture Notes in Computer Science , 1999

At Eurocrypt '96,
Coppersmith presented a novel applica tion of lattice reduction to nd small roots of a univariate modular polynomial equation This led to rigorous polynomial attacks against RSA with low public exponent
in some particular settings such as encryption of stereotyped messages
random padding
or broadcast applications
a la Hastad Theoretically
these are the most powerful known attacks against low exponent RSA However
the practical behaviour of Coppersmiths method was unclear On the one hand
the method requires reductions of high dimensional lattices with huge entries
which could be out of reach. On the other hand
it is well known that lattice reduction algorithms out put better results than theoretically expected
which might allow better bounds than those given by Coppersmiths theorems In this paper
we present extensive experiments with Coppersmiths method
and discuss various trade os together with practical improvements Overall
prac tice meets theory The warning is clear one should be very cautious when using the low exponent RSA encryption scheme
or one should use larger exponents

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

In this paper, we analyze the implementation level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks through exploitation of determinism in certain variants of Dilithium (Deterministic variant) and qTESLA signature scheme (originally submitted deterministic version), which are two leading candidates for the NIST standardization of post-quantum cryptography. We show that single targeted faults injected in the signing procedure allow to recover an important portion of the secret key. Though faults injected in the signing procedure do not recover all the secret key elements, we propose a novel forgery algorithm that allows the attacker to sign any given message with only the extracted portion of the secret key. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4 microcontroller. We also show that our attacks break two well known countermeasures known to protect against skip-addition fault attacks. We further propose an efficient mitigation strategy against our attack that exponentially increases the attacker's complexity at almost zero increase in computational complexity. CCS CONCEPTS • Security and privacy → Digital signatures; Hardware attacks and countermeasures; Side-channel analysis and countermeasures; Embedded systems security.

Designs, Codes and Cryptography, 2019

In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. The fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted norm, given the least significant bits. We show that this problem is equivalent to the short integer solution (SIS) problem over the corresponding lattice. In addition, we show that by replacing the uniform sampling in pqN-TRUSign with a bimodal Gaussian sampling, we can further reduce the size of a signature. An important new contribution, enabled by this Gaussian sampling version of pqNTRUSign, is that we can now perform batch verification of messages signed by the same public key, which allows the verifier to check approximately 24 signatures in a single verification process.

Lecture Notes in Computer Science, 2009

In 1988, Håstad proposed the classical broadcast attack against public key cryptosystems. The scenario of a broadcast attack is as follows. A single message is encrypted by the sender directed for several recipients who have different public keys. By observing the ciphertexts only, an attacker can derive the plaintext without requiring any knowledge of any recipient's secret key. Håstad's attack was demonstrated on the RSA algorithm, where low exponents are used. In this paper, we consider the broadcast attack in the lattice-based cryptography, which interestingly has never been studied in the literature. We present a general method to rewrite lattice problems that have the same solution in one unique easier problem. Our method is obtained by intersecting lattices to gather the required knowledge. These problems are used in lattice based cryptography and to model attack on knapsack cryptosystems. In this work, we are able to present some attacks against both lattice and knapsack cryptosystems. Our attacks are heuristics. Nonetheless, these attacks are practical and extremely efficient. Interestingly, the merit of our attacks is not achieved by exploring the weakness of the trapdoor as usually studied in the literature, but we merely concentrate on the problem itself. As a result, our attacks have many security implications on most of the lattice-based or knapsack cryptosystems.

International Journal of Network Security & Its Applications, 2012

Lattice reduction is a powerful concept for solving diverse problems involving point lattices. Lattice reduction has been successfully utilizing in Number Theory, Linear algebra and Cryptology. Not only the existence of lattice based cryptosystems of hard in nature, but also has vulnerabilities by lattice reduction techniques. In this survey paper, we are focusing on point lattices and then describing an introduction to the theoretical and practical aspects of lattice reduction. Finally, we describe the applications of lattice reduction in Number theory, Linear algebra.

International Journal of Applied Cryptography, 2008

In Crypto 1997, Goldreich, Goldwasser and Halevi (GGH) proposed a lattice analogue of McEliece public key cryptosystem, in which security is related to the hardness of approximating the Closest Vector Problem in a lattice. Furthermore, they also described how to use the same principle of their encryption scheme to provide a signature scheme. Practically, this cryptosystem uses the Euclidean norm, l 2 -norm, which has been used in many algorithms based on lattice theory. Nonetheless, many drawbacks have been studied and these could lead to cryptanalysis of the scheme. In this article, we present a novel method of reducing a vector under the l -norm and propose a digital signature scheme based on it. Our scheme takes advantage of the l -norm to increase the resistance of the GGH scheme and to decrease the signature length. Furthermore, after some other improvements, we obtain a very efficient signature scheme, that trades the security level, speed and space.

Int. Arab J. Inf. Technol., 2021

We use lattice basis reduction for ciphertext-only attack on RSA. Our attack is applicable in the conditions when known attacks are not applicable, and, contrary to known attacks, it does not require prior knowledge of a part of a message or key, small encryption key, e, or message broadcasting. Our attack is successful when a vector, comprised of a message and its exponent, is likely to be the shortest in the lattice, and meets Minkowski's Second Theorem bound. We have conducted experiments for message, keys, and encryption/decryption keys with sizes from 40 to 8193 bits, with dozens of thousands of successful RSA cracks. It took about 45 seconds for cracking 2001 messages of 2050 bits and for large public key values related with Euler’s totient function, and the same order private keys. Based on our findings, for RSA not to be susceptible to the proposed attack, it is recommended avoiding RSA public key form used in our experiments

Lecture Notes in Computer Science, 1997

We show that some RSA signature schemes using fixed or modular redundancy and dispersion of redundancy bits are insecure. Our attack is based on the multiplicative property of RSA signature function and extends old results of De Jonge and Chaum [DJC] as well as recent results of Girault and Misarsky [GM]. Our method uses the lattice basis reduction [LLL] and algorithms of IAszl6 Babai [B].

Designs, Codes and Cryptography

Analyzing the security of cryptosystems under attacks based on the malicious modification of memory registers is a research topic of high importance. This type of attacks may affect the randomness of the secret parameters by forcing a limited number of bits to a certain value which can be unknown to the attacker. In this context, we revisit the attack on DSA presented by Faugère, Goyet and Renault during the conference SAC 2012: we simplify their method and we provide a probabilistic approach in opposition to the heuristic proposed in the former to measure the limits of the attack. More precisely, the main problem is formulated as the search for a closest vector to a lattice, then we study the distribution of the vectors with bounded norms in a this family of lattices and we apply the result to predict the behavior of the attack. We validated this approach by computational experiments.

Lecture Notes in Computer Science, 2015

At CT-RSA 2014 Bai and Galbraith proposed a lattice-based signature scheme optimized for short signatures and with a security reduction to hard standard lattice problems. In this work we first refine the security analysis of the original work and propose a new 128-bit secure parameter set chosen for software efficiency. Moreover, we increase the acceptance probability of the signing algorithm through an improved rejection condition on the secret keys. Our software implementation targeting Intel CPUs with AVX/AVX2 and ARM CPUs with NEON vector instructions shows that even though we do not rely on ideal lattices, we are able to achieve high performance. For this we optimize the matrixvector operations and several other aspects of the scheme and finally compare our work with the state of the art.