Attacking (EC)DSA scheme with ephemeral keys sharing specific bits
M. Adamoudis, K. A. Draziotis, D. Poulakis

TL;DR
This paper introduces a deterministic attack on (EC)DSA that exploits shared bits in ephemeral keys across multiple signatures, enabling private key recovery through lattice techniques.
Contribution
The paper presents a novel lattice-based attack on (EC)DSA leveraging shared bits in ephemeral keys, which was not previously known.
Findings
The attack can recover private keys efficiently with enough signatures sharing specific bits.
Shared bits in ephemeral keys can compromise (EC)DSA security.
The method uses lattice techniques and Kannan's enumeration algorithm for key recovery.
Abstract
In this paper, we present a deterministic attack on the (EC)DSA signature scheme, provided that several signatures are known such that the corresponding ephemeral keys share a certain number of bits, without knowing their value. By eliminating the shared blocks of bits between the ephemeral keys, we get a lattice of dimension equal to the number of signatures having a vector containing the private key. We compute an upper bound for the distance of this vector from a target vector, and next, using Kannan's enumeration algorithm, we determine it and hence the secret key. The attack can be made highly efficient by appropriately selecting the number of shared bits and the number of signatures.
Taxonomy
Topics: Coding theory and cryptography · graph theory and CDMA systems · Cryptography and Data Security
