Hello there!

Let’s introduce a couple of Lattice-based cryptanalyses

In both DSA and ECDSA (the elliptic-curve DSA) procedures, the signature output is a pair (r,s) of integer numbers such that

s × k ≡ ( h + α × r ) mod q,

where α, h, and k are the private key, the hash of the message to be signed, and the ephemeral key 1, respectively. In particular, r is either the output of the exponentiation (DSA case: gk) or the scalar point multiplication (ECDSA case: [k]P) procedure.

The following lattice descriptions are based on the results presented in [4], which is more focused on the practical Side-Channel Analysis. However, for a deep read, I suggest the paper by Gabrielle De Micheli and Nadia Heninger.

Timing attacks

Lattice-based cryptanalysis using timing attacks are commonly focused on determining a few bits from the ephemeral key, which can be easily correlated with the private key by using the above equation. For instance, if the exponentiation or scalar point multiplication procedures have been implemented in non-constant-time, then by a simple timing analysis it is possible to find a sample of d signatures (ri, si) with shorter-than-average ephemeral key ki < q / 2i for some positive integer ℓi. Moreover, the dimensional-(d+1) lattice



B =
 [ 2W1 × q
[ 0
[ ⋮
[ 0		 0
2W2 × q




0

0
2Wd × q		 0 ]
⋮ ]
⋮ ]
0 ]
[ 2W1 × t1 2W2 × t2 2Wd × td 1 ]

and the integer vectors u = ( 2W1 × û1 + q, …, 2W1 × û1 + q, 0 ), z = ( λ1, …, λd, α ), and y = ( 2W1 × ν1, …, 2Wd × νd, α ) satisfy zB - u = y with Wi = 2i, λi ∊ { -q, …, q }, and νi ∊ { -(q - 1)/2, …, (q - 1)/2 } the signed modular reduction of ûi + q/(2Wi) mod q.

wNAF trace approach

Let’s focus on scalar point multiplications using wNAF scalar codifications. Assuming a window width equals w, two kwnon consecutive non-zero coefficients κj and κj + ℓ leads to an equation with δ α-correlated bits. Each column of the lattice B (with same shape as given above), is determined by the pair (κj, κj + ℓ) along with the public values h and (r,s).

In particular, the entries of the integer vector t coincide with r × s-1 × 2m - j - ℓ - 1 mod q, W = 2δ where δ is equal to (ℓ - w) and (ℓ - w + 1) for the unsigned and signed approaches 2 3, respectively. In both cases, the integer vector has the same shape like in the timing attack but without the term q, and the entries of u are equal to

Solving the lattice

In summary, the private key recovery can be reduced to a Closest Vector Problem (CVP) instance of a given lattice. However, any CVP instance with input lattice B and vector u can be mapped into a Shortest Vector Problem (SVP) instance by looking for a short lattice basis vector in the dimensional-(d + 2) lattice B’

[ B 0 ]
[ u q ]

In both SVP and CVP instances, one proceeds by reducing the lattice with the LLL or BKZ procedures. But in practice, one proceeds by applying the method by Gama et al. [3], which can be summarized as follows:

References
[1] T. Allan, B. B. Brumley, K. Falkner, J. van de Pol, Y. Yarom, Amplifying side channels through performance degradation, Annual Computer Security Applications Conference - ACSAC 2016, ACM (2016), 422-435 🔗;
[2] G. De Micheli and N. Heninger, Recovering cryptographic keys from partial information, by example, IACR Cryptol. ePrint Arch. 2020: 1506 (2020) 🔗;
[3] N. Gama, P. Q. Nguyen, O. Regev, Lattice Enumeration Using Extreme Pruning, Advances in Cryptology - EUROCRYPT 2010, LNCS 6110, 257-278, 2010 🔗;
[4] S. ul Hassan, I. Gridin, I. M. Delgado-Lozano, C. Pereida-García, J.-J. Chi-Domínguez, A. Cabrera Aldaya, B. B. Brumley, Déjà Vu: Side-Channel Analysis of Mozilla’s NSS, Conference on Computer and Communications Security - CCS 2020, ACM (2020), 1887-1902 🔗;
[5] J. van de Pol, N. P. Smart, Y. Yarom, Just a Little Bit More, Topics in Cryptology - CT-RSA 2015, LNCS 9048, 3-21, 2015 🔗.

  1. In some papers, the integer k is named by nonce but in my opinion, I prefer the term ephemeral key. 

  2. The unsigned case refers when it is only possible to determine non-zero wNAF-coefficients, and thus the signed case allows to guess the sign of the wNAF-coefficients. 

  3. Here, m denotes the bitlength of q.