Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
DCC
2003
IEEE
2003
IEEE
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
Nguyen and Shparlinski recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log1/2 q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
Real-time Traffic| Added | 25 Dec 2009 |
| Updated | 25 Dec 2009 |
| Type | Conference |
| Year | 2003 |
| Where | DCC |
| Authors | Phong Q. Nguyen, Igor Shparlinski |
Comments (0)
Researcher Info
|
