This is a very clever attack that I plan to write up soon. It was originated by Boneh and Venkatesan, improved most recently by Nguyen and Shparlinski. The paper is a bit dense, but I’m hoping to come up with a clearer explanation.

The lesson is that in crypto, any partial knowledge you give an attacker can possibly result in a complete compromise. It is extremely fragile.

You’ve lost me on this. Knowing the full value of k of course allows recovering the private key very easily (I used it to attack GNU Classpath’s DSA implementation last winter), but if knowing only a few bits of k (let’s say, 8 bits) for a particular signature allowed recovery of the private key, it would be trivial to convert this to a slightly less efficient attack on any DSA signature: just guess the 8 bits, attempt the attack, and if it doesn’t work make another guess.

If you knew many but not all bits of k, say, 120 bits, leaving 40 bits unknown, that would of course allow feasible brute force of the remaining k space.

I could believe there is a number theory trick of some kind that allows recovering the private key with only partial/imperfect knowledge of k, but I have never seen or heard of it. If you are aware of such a trick, you should definitely explain or reference it!

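As an added worked example (not part of either comment above), here is textbook DSA in Python on constructed toy parameters (q = 1019, p = 2039, g = 4, private key 777, nonce 532, message hash 305), showing the two cases the reply describes: a fully leaked per-signature nonce gives the private key in one modular step, and a nonce with only a few unknown low bits gives it after a small brute-force search checked against the public key.

```python
"""Toy DSA nonce-leak demo (added example; all parameters are constructed toys)."""

# Constructed toy group: q = 1019 and p = 2q + 1 = 2039 are prime, and g = 4
# is a quadratic residue mod p, so it generates the subgroup of order q.
Q, P, G = 1019, 2039, 4


def sign(x: int, k: int, h: int) -> tuple[int, int]:
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q.
    h stands for H(m) already reduced mod q; k is the per-signature nonce."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def recover_x(sig: tuple[int, int], k: int, h: int) -> int:
    """Full nonce known: solve s = k^-1 (h + x r) for x = r^-1 (s k - h) mod q."""
    r, s = sig
    return pow(r, -1, Q) * (s * k - h) % Q


def recover_x_partial(sig, k_top: int, unknown_bits: int, h: int, y: int):
    """Most of the nonce known (k = k_top << unknown_bits | low, low unknown):
    brute-force 'low' and keep the x whose public key g^x mod p equals y.
    Since x -> g^x is injective on Z_q, only the true x passes the check."""
    for low in range(1 << unknown_bits):
        k = (k_top << unknown_bits) | low
        if not 0 < k < Q:
            continue
        x = recover_x(sig, k, h)
        if pow(G, x, P) == y:
            return x
    return None


if __name__ == "__main__":
    x, k, h = 777, 532, 305      # constructed private key, nonce, message hash
    y = pow(G, x, P)             # public key
    sig = sign(x, k, h)
    assert recover_x(sig, k, h) == x
    # Only the top 4 of the nonce's 10 bits leaked: 64 guesses for the rest.
    assert recover_x_partial(sig, k >> 6, 6, h, y) == x
    print(f"private key x={x} recovered from signature {sig}")
```

With a real 160-bit or 256-bit q the same search only becomes infeasible once enough nonce bits are unknown, which is the point the reply makes; what it does not cover is the lattice technique from the cited papers, which combines a few known bits from many signatures instead of many bits from one.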