This repository includes the implementation of Lattice Attacks on (EC)DSA, described in the following research paper:
Chao Sun, Thomas Espitau, Mehdi Tibouchi, and Masayuki Abe, "Guessing Bits: Improved Lattice Attacks on (EC)DSA with Nonce Leakage", to appear in IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2022/1.
- For example, use the "load" command: load("example.sage")
- or use the "attach" command: attach("example.sage")
- or directly copy the code into the sage terminal.
- Note that in order to use the "load" and "attach" commands, check that you are in the right directory with "pwd".
This script implements the standard way to perform lattice attacks on (EC)DSA. Standard techniques such as recentering are already implemented.
This is the code for Section 4 of the paper. By enumerating some bits of the secret key, we are able to improve the success rate.
This is the code for Section 5 of the paper. By enumerating more bits of nonces of some signatures, we are able to improve the success rate.
This is the code for Section 6 of the paper. By filtering signatures to obtain a smaller t, we are able to improve the success rate.
This is the TPM-FAIL dataset. The first row of the dataset contains the public key and the message being signed. Each of the other rows contains (r, s) and t, where (r, s) is the signature and t is the signing time.
This is the code for Section 9.4 of the paper. By combining our technique of guessing bits of the secret key with the geometric assignment of leakage in Minerva, we are able to recover the secret key.
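The t column of the dataset is only useful to an attacker because signing time varies with the bit length of the nonce. The following Python script is an added illustration, not part of this repository or of the paper's code: it is the check a developer would run against their own signer before shipping. It simulates a leaky signer (one loop iteration per nonce bit, a constructed model of the kind of timing leak the dataset's t column records) next to a fixed-length one, regresses signing time on nonce bit length, and flags a leak when the slope is significantly non-zero. It also quantifies why selecting the rows with the smallest t concentrates nonces with many leading zero bits, which is what the filtering in Section 6 relies on. The curve size `Q_BITS = 256`, the timing models, the noise level and the sample counts are all assumptions.

```python
"""Timing-leak check for a signer: does signing time depend on the nonce's bit length?

Added example (not part of the repository). The timing models below are constructed:
a leaky scalar multiplication does one loop iteration per bit of the nonce k, so
nonces with leading zero bits finish earlier; a fixed-length one always does Q_BITS.
"""
import math
import random

Q_BITS = 256  # assumption: nonces for a 256-bit group order


def leaky_signing_time(k, rng):
    """Constructed model of a leaky signer: one time unit per nonce bit, plus noise."""
    return k.bit_length() + rng.gauss(0.0, 0.5)


def constant_time_signing_time(k, rng):
    """Constructed model of a fixed-length scalar multiplication, plus the same noise."""
    return Q_BITS + rng.gauss(0.0, 0.5)


def collect_samples(timing_fn, n=2000, seed=1):
    """Return (nonce_bit_length, signing_time) pairs for uniformly random nonces."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        k = rng.getrandbits(Q_BITS)
        if k == 0:            # k = 0 is not a valid nonce
            continue
        out.append((k.bit_length(), timing_fn(k, rng)))
    return out


def slope_and_corr(samples):
    """Least-squares slope of time against bit length, its standard error, and Pearson r."""
    n = len(samples)
    xs = [x for x, _ in samples]
    ts = [t for _, t in samples]
    mx = sum(xs) / n
    mt = sum(ts) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    stt = sum((t - mt) ** 2 for t in ts)
    sxt = sum((x - mx) * (t - mt) for x, t in samples)
    if sxx == 0 or stt == 0:
        return 0.0, float("inf"), 0.0   # no spread in one variable: nothing to regress on
    slope = sxt / sxx
    resid = sum((t - mt - slope * (x - mx)) ** 2 for x, t in samples)
    se = math.sqrt(resid / (n - 2) / sxx)
    r = sxt / math.sqrt(sxx * stt)
    return slope, se, r


def is_leaking(samples, z=4.0):
    """Flag a leak when the fitted slope is more than z standard errors away from zero."""
    slope, se, _ = slope_and_corr(samples)
    return abs(slope) > z * se


def selectivity(samples, t_threshold, zero_bits):
    """Among signatures with t below t_threshold, the fraction whose nonce has at
    least zero_bits leading zero bits. High values mean the leak is exploitable
    by keeping only the fastest signatures."""
    chosen = [(x, t) for x, t in samples if t < t_threshold]
    if not chosen:
        return 0.0
    hits = sum(1 for x, _ in chosen if Q_BITS - x >= zero_bits)
    return hits / len(chosen)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_signing_time), ("constant-time", constant_time_signing_time)):
        s = collect_samples(fn)
        slope, se, r = slope_and_corr(s)
        print(f"{name}: slope={slope:.3f} se={se:.4f} r={r:.3f} leaking={is_leaking(s)}")
    leaky = collect_samples(leaky_signing_time)
    print("fastest rows with >=4 leading zero bits:", selectivity(leaky, Q_BITS - 3.5, 4))
    print("all rows with >=4 leading zero bits:    ", selectivity(leaky, Q_BITS + 10, 4))
```

Run with a real signer by replacing the timing functions with measurements taken while the nonce is known (a test build that logs k); the decision rule is the same. For the leaky model the slope is about one time unit per bit and Pearson r is about 0.94, while the fixed-length model gives a slope indistinguishable from zero; restricting to the fastest rows raises the share of nonces with at least four leading zero bits from about 1/16 to well over half, which is exactly the improvement the dataset's t column offers an attacker.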