针对wNAF实现ECDSA的格攻击研究OA
Research on Lattice Attack on ECDSA Implemented with wNAF
利用标量乘法的窗口非相邻形式(windowed non-adjacent form,wNAF)的实现攻击椭圆曲线数字签名算法(the elliptic curve digital signature algorithm,ECDSA)首先需要一些侧信道分析收集信息,然后使用基于格的方法恢复密钥.由于从侧信道分析收集的关于签名私钥等秘密参数的信息是部分的,因此通常需要几十个或几百个签名才能恢复出完整签名私钥.然而,在实际攻击中,签名的个数是有严格限制的,攻击者难以获取如此多的签名数据.为了更大程度上利用侧信道分析收集的信息并且仅用几个签名恢复出完整的私钥,提出一种基于扩展隐藏数问题(the extended hidden number problem,EHNP)的格攻击构造方法:首先,利用缓存侧信道攻击收集ECDSA算法实际运行过程中的"Double-Add-Invert链";然后将其转换为EHNP问题,利用EHNP构造1个格矩阵,使得其中存在1个带有私钥的目标格向量;最后通过BKZ(block Korkin-Zolotarev)格基约减算法找到这个目标格向量,进而恢复出私钥.实验结果显示,该方案仅需要2个签名就可以恢复出完整的签名私钥,达到了理论极限.
To mount an attack on the elliptic curve digital signature algorithm(ECDSA)using the windowed non-adjacent form(wNAF)for scalar multiplication,one first requires side-channel analysis to gather information,followed by lattice-based methods to recover the private key.Since the information collected from side-channel analysis about secret parameters such as the signing private key is partial,it typically necessitates scores or even hundreds of signatures to fully recover the private key.However,in practical attacks,there are stringent limitations on the number of signatures available,making it challenging for attackers to obtain such a large volume of signature data.To maximize the utilization of information gathered through side-channel analysis and recover the complete private key using only a few signatures,a lattice attack construction method based on the extended hidden number problem(EHNP)is proposed.Initially,cache side-channel attacks are employed to collect Double-Add-Invert chains during the actual execution of the ECDSA algorithm.Subsequently,these Double-Add-Invert chains are converted into EHNP instances.Next,EHNP is leveraged to construct a lattice matrix,within which exists a target lattice vector bearing the private key.Finally,the block Korkin-Zolotarev(BKZ)lattice basis reduction algorithm is applied to locate this target lattice vector,thereby recovering the private key.Experimental results demonstrate that the proposed attack scheme can recover the complete signing private key using only two signatures,achieving the theoretical limit.
马自强;孟誉卓;魏良根;王名宇;张娟洋
宁夏大学信息工程学院 银川 750021||宁夏"东数西算"人工智能与信息安全重点实验室(宁夏大学) 银川 750021||宁夏大数据与人工智能省部共建协同创新中心(宁夏大学) 银川 750021宁夏大学信息工程学院 银川 750021||宁夏"东数西算"人工智能与信息安全重点实验室(宁夏大学) 银川 750021||宁夏大数据与人工智能省部共建协同创新中心(宁夏大学) 银川 750021宁夏大学信息工程学院 银川 750021||宁夏"东数西算"人工智能与信息安全重点实验室(宁夏大学) 银川 750021||宁夏大数据与人工智能省部共建协同创新中心(宁夏大学) 银川 750021大连海事大学信息科学技术学院 辽宁大连 116026宁夏大学信息工程学院 银川 750021||宁夏"东数西算"人工智能与信息安全重点实验室(宁夏大学) 银川 750021||宁夏大数据与人工智能省部共建协同创新中心(宁夏大学) 银川 750021
信息技术与安全科学
椭圆曲线数字签名算法缓存侧信道攻击格攻击扩展隐藏数问题私钥
ECDSAcache side-channel attacklattice attackEHNPprivate key
《信息安全研究》 2026 (4)
319-329,11
宁夏自然科学基金青年项目B类(2025AAC050015)
评论