Comments on: The Debian PGP disaster that almost was http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/ Embedded security, crypto, software protection Thu, 09 Sep 2010 12:45:32 +0000 hourly 1 http://wordpress.com/ By: Jack Lloyd http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/#comment-5169 Jack Lloyd Wed, 15 Jul 2009 17:00:30 +0000 http://rdist.root.org/?p=336#comment-5169 Thanks! I had completely missed this paper as well as the earlier work by Boneh that they cite. I don't know much about lattice theory so it will probably take me a while to work through the whole paper, but their experimental result of recovering the full key from the lowest 3 bits of k for 100 messages is definitely impressive. Thanks! I had completely missed this paper as well as the earlier work by Boneh that they cite. I don’t know much about lattice theory so it will probably take me a while to work through the whole paper, but their experimental result of recovering the full key from the lowest 3 bits of k for 100 messages is definitely impressive.

]]> By: Nate Lawson http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/#comment-5167 Nate Lawson Wed, 15 Jul 2009 16:24:24 +0000 http://rdist.root.org/?p=336#comment-5167 Jack, you're right that knowing only a few bits of k and a single signature is not enough to recover the private key. However, with multiple signatures and partial knowledge of k, you can attack it. This is a very clever attack that I plan to write up soon. It was originated by Boneh and Venkatesan, improved most recently by <a href="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.35.1538" rel="nofollow">Nguyen and Shparlinski</a>. The paper is a bit dense, but I'm hoping to come up with a clearer explanation. The lesson is that in crypto, any partial knowledge you give an attacker can possibly result in a complete compromise. It is extremely fragile. Jack, you’re right that knowing only a few bits of k and a single signature is not enough to recover the private key. However, with multiple signatures and partial knowledge of k, you can attack it.

This is a very clever attack that I plan to write up soon. It was originated by Boneh and Venkatesan, improved most recently by Nguyen and Shparlinski. The paper is a bit dense, but I’m hoping to come up with a clearer explanation.

The lesson is that in crypto, any partial knowledge you give an attacker can possibly result in a complete compromise. It is extremely fragile.

]]> By: Jack Lloyd http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/#comment-5165 Jack Lloyd Wed, 15 Jul 2009 12:02:52 +0000 http://rdist.root.org/?p=336#comment-5165 "knowledge of only a few bits of k can reveal your entire private key to an attacker" You've lost me on this. Knowing the full value of k of course allows recovering the private key very easily (I used it to attack GNU Classpath's DSA implementation last winter), but if knowing only a few bits of k (let's say, 8 bits) for a particular signature allowed recovery of the private key, it would be trivial to convert this to a slightly less efficient attack on any DSA signature: just guess the 8 bits, attempt the attack, and if it doesn't work make another guess. If you knew many but not all bits of k, say, 120 bits, leaving 40 bits unknown, that would of course allow feasible brute force of the remaining k space. I could believe there is a number theory trick of some kind that allows recovering the private key with only partial/inperfect knowledge of k, but I have never seen or heard of it. If you are aware of such a trick, you should definitely explain or reference it! “knowledge of only a few bits of k can reveal your entire private key to an attacker”

You’ve lost me on this. Knowing the full value of k of course allows recovering the private key very easily (I used it to attack GNU Classpath’s DSA implementation last winter), but if knowing only a few bits of k (let’s say, 8 bits) for a particular signature allowed recovery of the private key, it would be trivial to convert this to a slightly less efficient attack on any DSA signature: just guess the 8 bits, attempt the attack, and if it doesn’t work make another guess.

If you knew many but not all bits of k, say, 120 bits, leaving 40 bits unknown, that would of course allow feasible brute force of the remaining k space.

I could believe there is a number theory trick of some kind that allows recovering the private key with only partial/inperfect knowledge of k, but I have never seen or heard of it. If you are aware of such a trick, you should definitely explain or reference it!

]]>