Abstract
In this paper we present the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication. We present a two stage attack on the elliptic curve variant of MQV in which one party may recover the other party’s static private key from partial knowledge of the nonces from several runs of the protocol. The first stage reduces the attack to a hidden number problem which is partially solved by considering a closest vector problem and using Babai’s algorithm. This stage is closely related to the attack of Howgrave-Graham, Smart, Nguyen and Shparlinski on DSA but is complicated by a non-uniform distribution of multipliers. The second stage recovers the rest of the key using the baby-step/giant-step algorithm or Pollard’s Lambda algorithm and runs in time O(q 1/4). The attack has been proven to work with high probability and validated experimentally. We have thus reduced the security from O(q 1/2) down to O(q 1/4) when partial knowledge of the nonces is given.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Babai, L.: On Lovàsz lattice reduction and the nearest lattice point problem. Combinatoria 6, 1–13 (1986)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
Boneh, D., Halevi, S., Howgrave-Graham, N.: The Modular Inversion Hidden Number Problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001)
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology 10, 233–260 (1997)
Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Designs, Codes and Cryptography 23, 283–290 (2001)
Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography (to appear)
Lenstra, A.L., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math Ann. 261, 515–534 (1982)
Merkle, R., Hellman, M.: Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory IT-24, 525–530 (1978)
Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the Digital Signature Algorithm with partially known nonces. J. Cryptology 15, 151–176 (2002)
Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces. Designs, Codes and Cryptography (to appear)
Nguyen, P.Q., Stern, J.: Lattice reduction in cryptology: An update. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 85–112. Springer, Heidelberg (2000)
Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp. 32, 918–924 (1978)
Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)
Shamir, A.: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In: Proc. of 23rd FOCS, pp. 145–152. IEEE, Los Alamitos (1982)
de Weger, B.M.M.: Solving exponential diophantine equations using lattice basis reduction algorithms. J. Number Theory 26, 325–367 (1987)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Leadbitter, P.J., Smart, N.P. (2003). Analysis of the Insecurity of ECMQV with Partially Known Nonces. In: Boyd, C., Mao, W. (eds) Information Security. ISC 2003. Lecture Notes in Computer Science, vol 2851. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10958513_19
Download citation
DOI: https://doi.org/10.1007/10958513_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20176-2
Online ISBN: 978-3-540-39981-0
eBook Packages: Springer Book Archive