Paper 2023/305

A Novel Related Nonce Attack for ECDSA

Marco Macchetti, Kudelski (Switzerland)
Abstract

We describe a new related nonce attack able to extract the original signing key from a small collection of ECDSA signatures generated with weak PRNGs. Under suitable conditions on the modulo order of the PRNG, we are able to attack linear, quadratic, cubic as well as arbitrary degree recurrence relations (with unknown coefficients) with few signatures and in negligible time. We also show that for any collection of randomly generated ECDSA nonces, there is one more nonce that can be added following the implicit recurrence relation, and that would allow retrieval of the private key; we exploit this fact to present a novel rogue nonce attack against ECDSA. To our knowledge, this is the first known attack exploiting generic and unknown high-degree algebraic relations between nonces that does not require assumptions on the value of single bits or bit sequences (e.g. prefixes and suffixes).

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
ECDSA, PRNG, nonce attack
Contact author(s)
marco macchetti @ kudelskisecurity com
History
2023-03-03: approved
2023-03-01: received
Short URL
https://ia.cr/2023/305
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2023/305,
      author = {Marco Macchetti},
      title = {A Novel Related Nonce Attack for ECDSA},
      howpublished = {Cryptology ePrint Archive, Paper 2023/305},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/305}},
      url = {https://eprint.iacr.org/2023/305}
}