NR-DSA


7/30/2019 NR-DSA

    1/17

The Insecurity of Nyberg–Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces

Edwin El Mahassni¹, Phong Q. Nguyen² and Igor E. Shparlinski³

¹ Department of Computing, Macquarie University, NSW 2109, Australia; [email protected]

² École Normale Supérieure, Département d'Informatique, 45 rue d'Ulm, 75005 Paris, France; [email protected]; http://www.di.ens.fr/pnguyen/

³ Department of Computing, Macquarie University, NSW 2109, Australia; [email protected]; http://www.comp.mq.edu.au/igor/

Abstract. It has recently been proved by Nguyen and Shparlinski that the Digital Signature Algorithm (DSA) is insecure when a few consecutive bits of the random nonces k are known for a reasonably small number of DSA signatures. This result confirmed the efficiency of some heuristic lattice attacks designed and numerically verified by Howgrave-Graham and Smart. Here, we extend the attack to the Nyberg–Rueppel variants of DSA. We use a connection with the hidden number problem introduced by Boneh and Venkatesan and new bounds of exponential sums which might be of independent interest.

Keywords: DSA, Closest Vector Problem, Hidden Number Problem, Exponential Sums

    1 Introduction

    1.1 The Digital Signature Algorithm (DSA)

Recall the Digital Signature Algorithm (DSA) used in the American federal digital signature standard. Let $p$ and $q \ge 3$ be prime numbers with $q \mid p-1$. As usual $\mathbb{F}_p$ and $\mathbb{F}_q$ denote the fields of $p$ and $q$ elements

Part of this work is an output of the Turbo-signatures project, supported by the French Ministry of Research.

    Work supported in part by the Australian Research Council.


which we assume to be represented by the elements $\{0, \dots, p-1\}$ and $\{0, \dots, q-1\}$ respectively. For a rational $\gamma$ and an integer $m \ge 1$ we denote by $\lfloor \gamma \rfloor_m$ the smallest non-negative residue of $\gamma$ modulo $m$. Let $\mathcal{M}$ be the set of messages to be signed and let $h : \mathcal{M} \to \mathbb{F}_q$ be an arbitrary hash function. The signer selects a secret key $\alpha \in \mathbb{F}_q^*$ and computes the public key $A = \lfloor g^{\alpha} \rfloor_p$, where $g \in \mathbb{F}_p$ is a public element of multiplicative order $q$.

For an integer $k$ we define the function

$$ r(k) = \left\lfloor \lfloor g^{k} \rfloor_p \right\rfloor_q . \qquad (1) $$

Finally, for a random element $k \in \mathbb{F}_q^*$ called a nonce and a message $\mu \in \mathcal{M}$ we define the function

$$ s(k,\mu) = \left\lfloor k^{-1}\bigl(h(\mu) + \alpha\, r(k)\bigr) \right\rfloor_q \qquad (2) $$

and call the pair $(r(k), s(k,\mu))$ the DSA signature of the message $\mu$ with a nonce $k$.

    1.2 Lattice attacks on DSA

Howgrave-Graham and Smart [6] noticed that if some most significant bits of $k$ are known for a reasonably small number of signatures then one can apply the LLL lattice reduction algorithm [10] to heuristically recover the secret key $\alpha$. They also presented numerical results to confirm the efficiency of their attack. Nguyen [14] exhibits a close link between this problem and the hidden number problem (HNP) introduced by Boneh and Venkatesan [3, 4], together with improved numerical results. HNP can be stated as follows: recover a number $\alpha \in \mathbb{F}_q$ such that for many known random $t \in \mathbb{F}_q$ a certain number of the most significant bits of $\lfloor \alpha t \rfloor_q$ are known. Boneh and Venkatesan showed in [3, 4] how to solve HNP in polynomial time when the number of bits was roughly $\log^{1/2} q$ and the distribution of $t$ was uniform, using a reduction to the lattice closest vector problem.

The link between DSA and HNP is the following. Assume that we know the $\ell$ least significant bits of a nonce $k \in \mathbb{F}_q^*$. That is, we are given an integer $a$ such that $0 \le a \le 2^{\ell} - 1$ and $k - a = 2^{\ell} b$ for some integer $b \ge 0$. Given a message $\mu$ signed with the nonce $k$, the signing equation (2) can be rewritten for $s(k,\mu) \ne 0$ as:

$$ \alpha\, r(k)\, 2^{-\ell} s(k,\mu)^{-1} \equiv \bigl(a - s(k,\mu)^{-1} h(\mu)\bigr)\, 2^{-\ell} + b \pmod q . $$

Now define the following two elements

$$ t(k,\mu) = \left\lfloor 2^{-\ell}\, r(k)\, s(k,\mu)^{-1} \right\rfloor_q , \qquad u(k,\mu) = \left\lfloor 2^{-\ell}\bigl(a - s(k,\mu)^{-1} h(\mu)\bigr) \right\rfloor_q $$

and remark that both $t(k,\mu)$ and $u(k,\mu)$ can easily be computed by the attacker from the publicly known information. Recalling that $0 \le b \le q/2^{\ell}$, we obtain

$$ \left\lfloor \alpha\, t(k,\mu) - u(k,\mu) \right\rfloor_q < q/2^{\ell} . $$

Thus, the $\ell$ most significant bits of $\lfloor \alpha\, t(k,\mu) \rfloor_q$ are revealed.

Finally, Nguyen and Shparlinski [15] have proved that the heuristic attack of [6, 14] always succeeds. This has been done by generalizing the lattice-based proof of Boneh–Venkatesan to cases where the distribution of $t$ is not necessarily perfectly uniform, and more importantly, by proving some uniformity results on the distribution of $t$ in the case of DSA, using bounds of exponential sums.

    1.3 Our results

In this paper, we extend the results of Nguyen and Shparlinski [15] to several known modifications of DSA. Although our method is similar to that of [15], the exponential sums arising in this paper are different. In particular, we study the five following modifications of the signing equation (2) which are outlined in Section 20.4 of [19] (see also Section 11.5.2 in [12] and [18]):

DSA1: $s_1(k,\mu) = \left\lfloor k^{-1}\bigl(r(k) + \alpha\, h(\mu)\bigr) \right\rfloor_q$;

DSA2: $s_2(k,\mu) = \left\lfloor \alpha^{-1}\bigl(h(\mu) + k\, r(k)\bigr) \right\rfloor_q$;

DSA3: $s_3(k,\mu) = \left\lfloor \alpha\, r(k) + k\, h(\mu) \right\rfloor_q$;

DSA4: $s_4(k,\mu) = \left\lfloor \alpha\, h(\mu) + k\, r(k) \right\rfloor_q$;

DSA5: $s_5(k,\mu) = \left\lfloor \alpha^{-1}\bigl(r(k) + k\, h(\mu)\bigr) \right\rfloor_q$.


The DSA$i$ signature on a message $\mu$ is $(r(k), s_i(k,\mu))$, $i = 1, \dots, 5$. We remark that for these DSA variants, $\alpha$, $h(\mu)$ and $k$ have the same meaning as in the original DSA and $r(k)$ is defined by the same equation (1). By alternating signs in these equations, one obtains additional signature schemes which can be studied quite analogously.

We also show that the same method can be applied to yet another modification proposed by Nyberg and Rueppel [18] which provides message recovery, see also Section 11.5.4 in [12] and Section 20.4 of [19]. The initial settings of this scheme are the same except that instead of the hash function $h$ mapping $\mathcal{M}$ to $\mathbb{F}_q$, we are given a function $H$ whose values are elements of $\mathbb{F}_p$. In fact, the main idea of this scheme is to use an easily invertible (and thus one-to-one) function $H : \mathcal{M} \to \mathbb{F}_p$. Then the NR signature $(r(k,\mu), v(k,\mu))$ is defined by the signing equation

NR: $v(k,\mu) = \left\lfloor \alpha\, r(k,\mu) + k \right\rfloor_q$,

where

$$ r(k,\mu) = \left\lfloor H(\mu)\, g^{-k} \right\rfloor_p . $$

In this paper we do not discuss advantages and disadvantages of the above schemes (for example, some of them are inversion-free and thus the value $k = 0$ can be selected as well) but remark that for the NR signature scheme one derives

$$ H(\mu) \equiv g^{v(k,\mu)} A^{-r(k,\mu)}\, r(k,\mu) \pmod p , $$

where as before $A = \lfloor g^{\alpha} \rfloor_p$. So if the function $H$ is easy to invert, then the message can be recovered from the signature itself.

One can easily verify that if we are given an integer $a$ such that $0 \le a \le 2^{\ell} - 1$ and $k - a = 2^{\ell} b$ for some integer $b \ge 0$ then for each of the signature schemes DSA$i$, $i = 1, \dots, 5$, we have

$$ \left\lfloor \alpha\, t_i(k,\mu) - u_i(k,\mu) \right\rfloor_q < q/2^{\ell}, \qquad i = 1, \dots, 5, \qquad (3) $$

where

$$ t_1(k,\mu) = \left\lfloor \frac{h(\mu)}{2^{\ell} s_1(k,\mu)} \right\rfloor_q , \qquad u_1(k,\mu) = \left\lfloor 2^{-\ell}\Bigl(a - \frac{r(k)}{s_1(k,\mu)}\Bigr) \right\rfloor_q ; $$

$$ t_2(k,\mu) = \left\lfloor \frac{s_2(k,\mu)}{2^{\ell} r(k)} \right\rfloor_q , \qquad u_2(k,\mu) = \left\lfloor 2^{-\ell}\Bigl(\frac{h(\mu)}{r(k)} + a\Bigr) \right\rfloor_q ; $$

$$ t_3(k,\mu) = \left\lfloor -\frac{r(k)}{2^{\ell} h(\mu)} \right\rfloor_q , \qquad u_3(k,\mu) = \left\lfloor 2^{-\ell}\Bigl(a - \frac{s_3(k,\mu)}{h(\mu)}\Bigr) \right\rfloor_q ; $$

$$ t_4(k,\mu) = \left\lfloor -\frac{h(\mu)}{2^{\ell} r(k)} \right\rfloor_q , \qquad u_4(k,\mu) = \left\lfloor 2^{-\ell}\Bigl(a - \frac{s_4(k,\mu)}{r(k)}\Bigr) \right\rfloor_q ; $$

$$ t_5(k,\mu) = \left\lfloor \frac{s_5(k,\mu)}{2^{\ell} h(\mu)} \right\rfloor_q , \qquad u_5(k,\mu) = \left\lfloor 2^{-\ell}\Bigl(\frac{r(k)}{h(\mu)} + a\Bigr) \right\rfloor_q $$

(for the schemes DSA3 and DSA5 we assume that $h : \mathcal{M} \to \mathbb{F}_q^*$). For the signature scheme NR, we have

$$ \left\lfloor w(k,\mu) - \alpha\, 2^{-\ell} r(k,\mu) \right\rfloor_q < q/2^{\ell}, \qquad (4) $$

where

$$ w(k,\mu) = \left\lfloor 2^{-\ell}\bigl(v(k,\mu) - a\bigr) \right\rfloor_q , $$

so that, up to the sign of the multiplier, (4) has the same shape as (3) with multiplier $\lfloor 2^{-\ell} r(k,\mu) \rfloor_q$ and approximation $w(k,\mu)$.

It is important to remark that in the above inequalities the multipliers $t_i(k,\mu)$, $\lfloor 2^{-\ell} r(k,\mu) \rfloor_q$ and the approximations $u_i(k,\mu)$, $w(k,\mu)$, $i = 1, \dots, 5$, can be efficiently evaluated from publicly available data.

Thus to obtain analogues of the results of Nguyen and Shparlinski [15], one has to study the distribution of $t_i(k,\mu)$, $i = 1, \dots, 5$, and $r(k,\mu)$ for a randomly selected nonce $k$ and message $\mu \in \mathcal{M}$.
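The reductions (3) and (4) can be checked mechanically. The following Python script is an added example and not part of the paper: it implements the five signing equations and the Nyberg–Rueppel scheme in a toy group of my choice (p = 2039, q = 1019, so p = 2q + 1, and g = 4 of order q; the identity map on [1, p − 1] plays the role of the one-to-one function H), computes the public multipliers and approximations with the sign conventions written in (3) and (4) above, and confirms over random keys, nonces and messages that the residue ⌊α t_i − u_i⌋_q, respectively ⌊w − α 2^{-ℓ} r⌋_q, equals b = (k − a)/2^ℓ, and that the NR recovery formula returns the message.

```python
"""Check of the reductions (3) and (4) for DSA1..DSA5 and Nyberg-Rueppel.

Added example, not code from the paper.  Toy group (my choice): p = 2039,
q = 1019 (p = 2q + 1), g = 4 of order q; the NR function H is the identity
on [1, p-1].  Notation as in the paper: alpha secret key, k nonce,
a = k mod 2**ell the leaked low bits, b = (k - a) / 2**ell.
"""
import random

P, Q, G = 2039, 1019, 4

def inv(x):
    return pow(x, -1, Q)

def r_dsa(k):
    """r(k) of equation (1)."""
    return pow(G, k, P) % Q

def sign_variant(i, alpha, k, hmu):
    """s_i(k, mu) for the five signing equations of Section 1.3."""
    r = r_dsa(k)
    return {
        1: lambda: inv(k) * (r + alpha * hmu),
        2: lambda: inv(alpha) * (hmu + k * r),
        3: lambda: alpha * r + k * hmu,
        4: lambda: alpha * hmu + k * r,
        5: lambda: inv(alpha) * (r + k * hmu),
    }[i]() % Q

def multipliers(i, k, hmu, s, a, ell):
    """(t_i, u_i) from public data and the leaked bits a; None outside S_i."""
    r, c = r_dsa(k), pow(2, -ell, Q)            # c = 2^{-ell} mod q
    if i == 1 and s:
        return c * hmu * inv(s) % Q, c * (a - r * inv(s)) % Q
    if i == 2 and r:
        return c * s * inv(r) % Q, c * (hmu * inv(r) + a) % Q
    if i == 3 and hmu:                            # note the sign of t_3
        return -c * r * inv(hmu) % Q, c * (a - s * inv(hmu)) % Q
    if i == 4 and r:                              # note the sign of t_4
        return -c * hmu * inv(r) % Q, c * (a - s * inv(r)) % Q
    if i == 5 and hmu:
        return c * s * inv(hmu) % Q, c * (r * inv(hmu) + a) % Q
    return None

def nr_sign(alpha, k, mu):
    """NR signature (r(k, mu), v(k, mu)) with r = H(mu) g^{-k} mod p, H = identity."""
    r = mu * pow(G, -k, P) % P
    return r, (alpha * r + k) % Q

def nr_recover(pub, r, v):
    """Message recovery H(mu) = g^v A^{-r} r (mod p)."""
    return pow(G, v, P) * pow(pub, -r, P) * r % P

def check_all(alpha, k, hmu, mu, ell):
    """List of (scheme, ok): ok means the HNP residue equals b = (k - a) / 2^ell."""
    a = k % 2 ** ell
    b = (k - a) >> ell
    out = []
    for i in range(1, 6):
        tu = multipliers(i, k, hmu, sign_variant(i, alpha, k, hmu), a, ell)
        if tu is not None:
            t, u = tu
            out.append((f"DSA{i}", (alpha * t - u) % Q == b))       # inequality (3)
    r, v = nr_sign(alpha, k, mu)
    c = pow(2, -ell, Q)
    w = c * (v - a) % Q
    out.append(("NR", (w - alpha * c * r) % Q == b))                  # inequality (4)
    out.append(("NR-recovery", nr_recover(pow(G, alpha, P), r, v) == mu))
    return out

def run_trials(n=2000, ell=3, seed=7):
    """Schemes that failed the check over n random (k, h(mu), mu); expect []."""
    rng = random.Random(seed)
    alpha = rng.randrange(1, Q)
    fails = []
    for _ in range(n):
        k, hmu, mu = rng.randrange(1, Q), rng.randrange(Q), rng.randrange(1, P)
        fails += [name for name, ok in check_all(alpha, k, hmu, mu, ell) if not ok]
    return sorted(set(fails))
```

Pairs where a scheme would divide by zero (the complement of S_i: s_1 = 0, r(k) = 0 or h(μ) = 0) are skipped, exactly as the paper excludes them; with ℓ = 3 and q = 1019 every residue b lies below q/2^ℓ ≈ 127.4, which is the inequality being verified.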

    2 Preparations

    2.1 Preliminaries

    Let

$$ e_q(z) = \exp(2\pi i z/q) \qquad \text{and} \qquad e_p(z) = \exp(2\pi i z/p). $$

We recall a few results about exponential sums which we use to show that our attacks work. The first one is the well-known Weil bound on exponential sums with rational functions which is presented in the form given by C. J. Moreno and O. Moreno [13], see also [11].


Lemma 1. For any polynomials $g(X), f(X) \in \mathbb{F}_q[X]$ such that the rational function $F(X) = f(X)/g(X)$ is not constant on $\mathbb{F}_q$, the bound

$$ \Bigl| \sum^{*}_{\lambda \in \mathbb{F}_q} e_q\bigl(F(\lambda)\bigr) \Bigr| \le \bigl(\max\{\deg g, \deg f\} + u - 2\bigr)\, q^{1/2} + \eta $$

holds, where $\sum^{*}$ means that the summation is taken over all $\lambda \in \mathbb{F}_q$ which are not poles of $F(X)$ and

$$ (u, \eta) = \begin{cases} (v, 1), & \text{if } \deg f \le \deg g, \\ (v + 1, 0), & \text{if } \deg f > \deg g, \end{cases} $$

and $v$ is the number of distinct zeros of $g(X)$ in the algebraic closure of $\mathbb{F}_q$.

We also use the following well-known statement, see Exercise 11.a in Chapter 3 of [23].

Lemma 2. For any integers $u$ and $M \ge 1$,

$$ \sum_{\lambda = 0}^{M-1} \exp(2\pi i \lambda u/M) = \begin{cases} 0, & \text{if } u \not\equiv 0 \pmod M; \\ M, & \text{if } u \equiv 0 \pmod M. \end{cases} $$

We also need a result from [15] about the distribution of $r(k)$. For an integer $\rho \in \mathbb{F}_q$, let $N(\rho)$ be the number of solutions of the equation

$$ r(k) = \rho, \qquad k \in \mathbb{F}_q^* . $$

The following estimate has been obtained in [15] (using some bounds for exponential sums from [8]).

Lemma 3. Let $Q$ be a sufficiently large integer. The following statement holds with $\gamma = 1/3$ for all primes $p \in [Q, 2Q]$, and with $\gamma = 0$ for all primes $p \in [Q, 2Q]$ except at most $Q^{5/6 + \varepsilon}$ of them. For any $\varepsilon > 0$ there exists $\delta > 0$ such that for any element $g \in \mathbb{F}_p$ of multiplicative order $q \ge p^{\gamma + \varepsilon}$ the bound

$$ N(\rho) = O\bigl(q^{1 - \delta}\bigr), \qquad \rho \in [0, q-1], $$

holds.


We recall that the discrepancy $D(\Gamma)$ of a sequence $\Gamma = (\gamma_i)_{i=1}^{N}$ of $N$ elements of the interval $[0,1]$ is defined as

$$ D(\Gamma) = \sup_{I \subseteq [0,1]} \left| \frac{A(I,N)}{N} - |I| \right| , $$

where the supremum is extended over all subintervals $I$ of $[0,1]$, $|I|$ is the length of $I$, and $A(I,N)$ denotes the number of points $\gamma_n$ in $I$ for $1 \le n \le N$, see [5, 9, 17].

Following [15] we say that a finite sequence $T$ of integers is $\Delta$-homogeneously distributed modulo $q$ if for any integer $a$ coprime with $q$ the discrepancy of the sequence $\{\lfloor at \rfloor_q / q\}_{t \in T}$ is at most $\Delta$.

For an integer $x$, we denote by $\mathrm{MSB}_{\ell,q}(x)$ any integer $u$ with

$$ |x - u| \le q/2^{\ell + 1} . $$

Remark that in this inequality $\ell$ is not necessarily an integer.

The following generalization of Theorem 1 of [3], using $\Delta$-homogeneously distributed multipliers in the hidden number problem, has been obtained in [15].

Lemma 4. For a prime $q$, define

$$ \ell = \left\lceil \log^{1/2} q \right\rceil + \left\lceil \log\log q \right\rceil , $$

and $d = 2\left\lceil \log^{1/2} q \right\rceil$. Let $T$ be a $2^{-\log^{1/2} q}$-homogeneously distributed modulo $q$ sequence of integer numbers. There exists a deterministic polynomial time algorithm $\mathcal{A}$ such that for any fixed integer $\alpha$ in the interval $[0, q-1]$, given a prime $q$ and $2d$ integers $t_i$ and $u_i = \mathrm{MSB}_{\ell,q}\bigl(\lfloor \alpha t_i \rfloor_q\bigr)$ for $i = 1, \dots, d$, its output satisfies for sufficiently large $q$

$$ \Pr_{t_1, \dots, t_d \in T}\bigl[\mathcal{A}(q, t_1, \dots, t_d; u_1, \dots, u_d) = \alpha\bigr] \ge 1 - 2^{-(\log q)^{1/2} \log\log q} $$

if $t_1, \dots, t_d$ are chosen uniformly and independently at random from the elements of $T$.

This result and Theorem 1 of [3] rely heavily on the LLL lattice reduction algorithm [10], more precisely on Babai's approximation algorithm [2] for the closest vector problem in a lattice (see [16] for a brief exposition of the proof).

In fact, using a combination of the Schnorr modification [20] of the lattice basis reduction with a result of Kannan [7] about the reduction of the closest vector problem to the shortest vector problem, one can obtain an analogue of Lemma 4 with a slightly smaller value of $\ell$. This result can be improved even further if one uses a more recent result of [1]. All these improvements are of the order of some power of $\log\log q$.

    2.2 Distribution of Multipliers

Let us denote by $S_i$ the set of pairs $(k,\mu) \in [1, q-1] \times \mathcal{M}$ for which the corresponding equations for $t_i(k,\mu)$ and $u_i(k,\mu)$ do not contain division by zero. Then

$$ |S_i| = q\,|\mathcal{M}|\bigl(1 + O(q^{-\delta})\bigr), \qquad i = 1, \dots, 5, \qquad (5) $$

for all $p$ and $q$ satisfying the conditions of Lemma 3. Our results are based on the bounds of the exponential sums

$$ \Phi_i(c) = \sum_{(k,\mu) \in S_i} e_q\bigl(c\, t_i(k,\mu)\bigr), \qquad i = 1, \dots, 5, $$

and

$$ \Psi(c) = \sum_{\mu \in \mathcal{M}} \sum_{k \in \mathbb{F}_q} e_p\bigl(c\, r(k,\mu)\bigr) . $$

For a hash function $h : \mathcal{M} \to \mathbb{F}_q$ we also denote by $W$ the number of pairs $(\mu_1, \mu_2) \in \mathcal{M}^2$ with $h(\mu_1) = h(\mu_2)$. Thus $W/|\mathcal{M}|^2$ is the probability of a collision, and our results for the schemes DSA$i$, $i = 1, \dots, 5$, are nontrivial under the reasonable assumption that this probability is of order of magnitude close to $1/q$.

Lemma 5. Let $Q$ be a sufficiently large integer. The following statement holds with $\gamma = 1/3$ for all primes $p \in [Q, 2Q]$, and with $\gamma = 0$ for all primes $p \in [Q, 2Q]$ except at most $Q^{5/6 + \varepsilon}$ of them. For any $\varepsilon > 0$ there exists $\delta > 0$ such that for any element $g \in \mathbb{F}_p$ of multiplicative order $q \ge p^{\gamma + \varepsilon}$ the bound

$$ \max_{c \in \mathbb{F}_q^*} |\Phi_i(c)| = O\bigl(W^{1/2} q^{3/2 - \delta/2}\bigr) $$

holds.


Proof. Define $R(\lambda)$ to be the number of $\mu \in \mathcal{M}$ with $h(\mu) = \lambda$. Then

$$ \sum_{\lambda \in \mathbb{F}_q} R(\lambda)^2 = W . \qquad (6) $$

From the definition of $s_i(k,\mu)$ and $t_i(k,\mu)$ we see that

$$ \Phi_i(c) = \sum_{\lambda \in \mathbb{F}_q} R(\lambda) \sum^{*}_{k \in \mathbb{F}_q^*} e_q\bigl(c\, F^{(i)}_k(\lambda)\bigr), \qquad i = 1, \dots, 5, $$

where

$$ F^{(1)}_k(\lambda) = \frac{k\lambda}{r(k) + \alpha\lambda}, \qquad F^{(2)}_k(\lambda) = \frac{\lambda + k\, r(k)}{\alpha\, r(k)}, \qquad F^{(3)}_k(\lambda) = \frac{r(k)}{\lambda}, $$

$$ F^{(4)}_k(\lambda) = \frac{\lambda}{r(k)}, \qquad F^{(5)}_k(\lambda) = \frac{r(k) + k\lambda}{\alpha\lambda} $$

(the factor $2^{-\ell}$ and the signs of $t_3$, $t_4$ are absorbed into $c$, and $\sum^{*}$ runs over the $k$ for which the denominator does not vanish). Using the Cauchy inequality and the identity (6), we obtain

$$ |\Phi_i(c)|^2 \le W \sum_{\lambda \in \mathbb{F}_q} \Bigl| \sum^{*}_{k \in \mathbb{F}_q^*} e_q\bigl(c\, F^{(i)}_k(\lambda)\bigr) \Bigr|^2 = W \sum_{k, m \in \mathbb{F}_q^*} \sum^{*}_{\lambda \in \mathbb{F}_q} e_q\bigl(c\, F^{(i)}_{k,m}(\lambda)\bigr), $$

where $F^{(i)}_{k,m}(\lambda) = F^{(i)}_k(\lambda) - F^{(i)}_m(\lambda)$ and as before $\sum^{*}$ means that the summation is taken over all $\lambda \in \mathbb{F}_q$ which are not poles of $F^{(i)}_{k,m}$, $i = 1, \dots, 5$.

For $i = 1, \dots, 5$ we denote by $N_i$ the number of pairs $(k, m) \in (\mathbb{F}_q^*)^2$ for which the rational function $F^{(i)}_{k,m}(\lambda)$ is constant. For these $k$ and $m$ we estimate the inner sum over $\lambda$ trivially as $q$. For other $k$ and $m$, to estimate the inner sum over $\lambda$ we use Lemma 1 (for $i = 1, 5$), Lemma 2 (for $i = 2, 4$) and the identity

$$ \sum_{\lambda \in \mathbb{F}_q^*} e_q(a\lambda^{-1}) = \sum_{\lambda \in \mathbb{F}_q^*} e_q(\lambda) = -1, \qquad a \in \mathbb{F}_q^*, $$

(for $i = 3$). Thus we derive the bound

$$ \max_{c \in \mathbb{F}_q^*} |\Phi_i(c)|^2 = O\bigl(W(N_i q + q^2 B_i)\bigr), \qquad i = 1, \dots, 5, \qquad (7) $$

where $B_i$ is the bound on the corresponding exponential sums, that is

$$ B_i = \begin{cases} q^{1/2}, & \text{if } i = 1, 5; \\ 0, & \text{if } i = 2, 4; \\ 1, & \text{if } i = 3. \end{cases} $$

Now, we remark that

$$ F^{(1)}_{k,m}(\lambda) = \frac{k\lambda}{r(k) + \alpha\lambda} - \frac{m\lambda}{r(m) + \alpha\lambda} $$

is constant only when $k = m$ or $r(k) = r(m) = 0$, and that the functions

$$ F^{(2)}_{k,m}(\lambda) = \frac{\lambda + k\, r(k)}{\alpha\, r(k)} - \frac{\lambda + m\, r(m)}{\alpha\, r(m)}, \qquad F^{(3)}_{k,m}(\lambda) = \frac{r(k)}{\lambda} - \frac{r(m)}{\lambda}, $$

$$ F^{(4)}_{k,m}(\lambda) = \frac{\lambda}{r(k)} - \frac{\lambda}{r(m)}, \qquad F^{(5)}_{k,m}(\lambda) = \frac{r(k) + k\lambda}{\alpha\lambda} - \frac{r(m) + m\lambda}{\alpha\lambda} $$

are constant only when $r(k) = r(m)$. Using Lemma 3, we find that $N_i = O(q^{2 - \delta})$, $i = 1, \dots, 5$. Without loss of generality we may assume that $\delta < 1/4$. Substituting the bounds $B_i \le q^{1/2}$ and $N_i = O(q^{2 - \delta})$, $i = 1, \dots, 5$, in the inequality (7), we obtain $|\Phi_i(c)|^2 = O(W q^{3 - \delta})$, which is the desired result.

For a function $H : \mathcal{M} \to \mathbb{F}_p$ we also denote by $U$ the number of pairs $(\mu_1, \mu_2) \in \mathcal{M}^2$ with $H(\mu_1) = H(\mu_2)$. As we have mentioned, in practical applications of the NR scheme $H$ is a one-to-one function, thus $U = |\mathcal{M}|$ in this case (although our results remain nontrivial for $U$ of larger order).

The following statement is a variant of Exercise 14.a of Chapter 6 of [23] and can be proved quite similarly.

Lemma 6. The bound

$$ \max_{c \in \mathbb{F}_p^*} |\Psi(c)| \le U^{1/2} p^{1/2} q^{1/2} $$

holds.


Proof. Define $Q(\beta)$ to be the number of $\mu \in \mathcal{M}$ with $H(\mu) = \beta$. Then as in the proof of Lemma 5 we have

$$ \Psi(c) = \sum_{\beta \in \mathbb{F}_p} Q(\beta) \sum_{k \in \mathbb{F}_q} e_p\bigl(c\beta g^{-k}\bigr), \qquad c \in \mathbb{F}_p^* . $$

From the Cauchy inequality we derive

$$ |\Psi(c)|^2 \le \sum_{\beta \in \mathbb{F}_p} Q(\beta)^2 \sum_{\beta \in \mathbb{F}_p} \Bigl| \sum_{k \in \mathbb{F}_q} e_p\bigl(c\beta g^{-k}\bigr) \Bigr|^2 = U \sum_{k, m \in \mathbb{F}_q} \sum_{\beta \in \mathbb{F}_p} e_p\bigl(c\beta(g^{-k} - g^{-m})\bigr) . $$

Using Lemma 2, we see that if $\gcd(c, p) = 1$ the sum over $\beta$ is equal to $p$ if $g^{-k} \equiv g^{-m} \pmod p$, that is, if $k = m$, and vanishes otherwise, and the result follows.

Lemma 7. Let $Q$ be a sufficiently large integer. The following statement holds with $\gamma = 1/3$ for all primes $p \in [Q, 2Q]$, and with $\gamma = 0$ for all primes $p \in [Q, 2Q]$ except at most $Q^{5/6 + \varepsilon}$ of them. For any $\varepsilon > 0$, there exists $\delta > 0$ such that for any element $g \in \mathbb{F}_p$ of multiplicative order $q \ge p^{\gamma + \varepsilon}$ the sequences $t_i(k,\mu)$, $(k,\mu) \in S_i$, are $2^{-\log^{1/2} q}$-homogeneously distributed modulo $q$ for every $i = 1, \dots, 5$, provided that

$$ W \le |\mathcal{M}|^2 q^{-1 + \delta/2} . $$

Proof. Let us fix an integer $a$ coprime with $q$. According to a general discrepancy bound, given by [17, Corollary 3.11], for the discrepancy $D_i(a)$ of the set

$$ \left\{ \frac{\lfloor a\, t_i(k,\mu) \rfloor_q}{q} : (k,\mu) \in S_i \right\}, \qquad i = 1, \dots, 5, $$

we have

$$ \max_{a \in \mathbb{F}_q^*} D_i(a) \ll \frac{\log q}{|S_i|} \max_{c \in \mathbb{F}_q^*} |\Phi_i(c)| . $$

From Lemma 5 and (5) we obtain

$$ \max_{a \in \mathbb{F}_q^*} D_i(a) = O\bigl(W^{1/2} q^{1/2 - \delta/2} |\mathcal{M}|^{-1} \log q\bigr) = O\bigl(q^{-\delta/4} \log q\bigr) = O\bigl(2^{-\log^{1/2} q}\bigr), $$

provided that $q$ is sufficiently large, $i = 1, \dots, 5$.

Similarly, from Lemma 6 we obtain the corresponding result for the NR scheme.

Lemma 8. For any element $g \in \mathbb{F}_p$ of multiplicative order $q$ the sequence $\lfloor 2^{-\ell} r(k,\mu) \rfloor_q$, $(k,\mu) \in \mathbb{F}_q \times \mathcal{M}$, is $2^{-\log^{1/2} q}$-homogeneously distributed modulo $q$, provided that

$$ U \le |\mathcal{M}|^2 q^{3} p^{-3 - \varepsilon} $$

for some $\varepsilon > 0$.

Proof. Let $a$ be an integer with $\gcd(a, q) = 1$. Let $I \subseteq [0,1]$ be an interval. Then the condition

$$ \frac{\lfloor a\, 2^{-\ell} r(k,\mu) \rfloor_q}{q} \in I \qquad (8) $$

is equivalent to the congruence

$$ a\, 2^{-\ell} r(k,\mu) \equiv \lambda q + \rho \pmod p \qquad (9) $$

with some integer $\rho$ such that $\rho/q \in I$ and some integer $\lambda$ such that $0 \le \lambda q + \rho \le p - 1$.

Let $L = (p-1)/q$ and let the integer $\nu$ be the length of the largest interval of the form

$$ \left[ \frac{J + 1}{q}, \frac{J + \nu}{q} \right] \subseteq I $$

with integer $J$. Thus $\nu = q|I| + O(1)$. For each fixed $\lambda \in [0, L-1]$, as before, from Lemma 2 we conclude that the number of pairs $(k,\mu) \in \mathbb{F}_q \times \mathcal{M}$ satisfying (9) with $\rho/q \in I$ is

$$ \frac{1}{p} \sum_{c \in \mathbb{F}_p} \sum_{\mu \in \mathcal{M}} \sum_{k \in \mathbb{F}_q} \sum_{\rho = J+1}^{J+\nu} e_p\bigl(c\,(a\, 2^{-\ell} r(k,\mu) - \lambda q - \rho)\bigr) = \frac{|\mathcal{M}|\, q\, \nu}{p} + O\Biggl( \frac{1}{p} \sum_{c \in \mathbb{F}_p^*} \bigl| \Psi(c a 2^{-\ell}) \bigr| \Bigl| \sum_{\rho = J+1}^{J+\nu} e_p(c\rho) \Bigr| \Biggr) . $$

From Lemma 6 and the estimate

$$ \sum_{c \in \mathbb{F}_p^*} \Bigl| \sum_{\rho = J+1}^{J+\nu} e_p(c\rho) \Bigr| = O(p \log p), $$

see Exercise 11.c of Chapter 3 of [23], we conclude that there are

$$ \frac{|\mathcal{M}|\, q\, \nu}{p} + O\bigl(U^{1/2} p^{1/2} q^{1/2} \log p\bigr) = \frac{|\mathcal{M}|\, q^2 |I|}{p} + O\bigl(U^{1/2} p^{1/2} q^{1/2} \log p + |\mathcal{M}|\, q\, p^{-1}\bigr) $$

such pairs $(k,\mu) \in \mathbb{F}_q \times \mathcal{M}$. For $\lambda = L$ the only possible value of $\rho$ is $\rho = 0$. Obviously for each $\mu \in \mathcal{M}$ there is at most one value of $k$ which satisfies the congruence

$$ a\, 2^{-\ell} r(k,\mu) \equiv p - 1 \pmod p, $$

thus it holds for at most $|\mathcal{M}|$ pairs $(k,\mu) \in \mathbb{F}_q \times \mathcal{M}$. Putting everything together we see that (8) holds for

$$ \frac{|\mathcal{M}|\, q^2 |I|}{p}\, L + O\bigl(L\, U^{1/2} p^{1/2} q^{1/2} \log p + L\, |\mathcal{M}|\, q\, p^{-1} + |\mathcal{M}|\bigr) = |\mathcal{M}|\, q\, |I| + O\bigl(U^{1/2} p^{3/2} q^{-1/2} \log p + |\mathcal{M}|\bigr) $$

pairs $(k,\mu) \in \mathbb{F}_q \times \mathcal{M}$. One verifies that

$$ U^{1/2} p^{3/2} q^{-1/2} \log p \le |\mathcal{M}|\, q^{1 - \varepsilon/2} \log p $$

under the condition of the lemma (since $q \le p$), so the discrepancy is $O(q^{-\varepsilon/2} \log p)$, and the result follows.

    3 Lattice attacks on DSA-like algorithms

    3.1 Main results

For $i = 1, \dots, 5$ and an integer $\ell$ we define the oracle $\mathcal{O}_{\mathrm{DSA}i,\ell}$ which, for any given DSA$i$ signature $(r(k), s_i(k,\mu))$, $(k,\mu) \in S_i$, returns the $\ell$ least significant bits of $k$. Combining the inequality (3), Lemma 4 and Lemma 7, we obtain:


Theorem 1. Let $Q$ be a sufficiently large integer. The following statement holds with $\gamma = 1/3$ for all primes $p \in [Q, 2Q]$, and with $\gamma = 0$ for all primes $p \in [Q, 2Q]$ except at most $Q^{5/6 + \varepsilon}$ of them. For $i = 1, \dots, 5$ and any $\varepsilon > 0$ there exists $\delta > 0$ such that for any element $g \in \mathbb{F}_p$ of multiplicative order $q \ge p^{\gamma + \varepsilon}$, and any hash function $h$ with

$$ W \le |\mathcal{M}|^2 q^{-1 + \delta/2}, $$

given an oracle $\mathcal{O}_{\mathrm{DSA}i,\ell}$ with $\ell = \lceil \log^{1/2} q \rceil + \lceil \log\log q \rceil$, there exists a probabilistic polynomial time algorithm to recover the signer's DSA$i$ secret key $\alpha$ from $O(\log^{1/2} q)$ signatures $(r(k), s_i(k,\mu))$ with $k \in [1, q-1]$ and $\mu \in \mathcal{M}$ selected independently and uniformly at random. The probability of success is at least $1 - 2^{-(\log q)^{1/2} \log\log q}$.

For an integer $\ell$ we define the oracle $\mathcal{O}_{\mathrm{NR},\ell}$ which, for any given NR signature $(r(k,\mu), v(k,\mu))$, $k \in \mathbb{F}_q$, $\mu \in \mathcal{M}$, returns the $\ell$ least significant bits of $k$. Combining the inequality (4), Lemma 4 and Lemma 8, we obtain:

Theorem 2. For any element $g \in \mathbb{F}_p$ of multiplicative order $q \mid p - 1$, any fixed $\varepsilon > 0$ and any function $H$ with

$$ U \le |\mathcal{M}|^2 q^{3} p^{-3 - \varepsilon}, $$

given an oracle $\mathcal{O}_{\mathrm{NR},\ell}$ with $\ell = \lceil \log^{1/2} q \rceil + \lceil \log\log q \rceil$, there exists a probabilistic polynomial time algorithm to recover the signer's NR secret key $\alpha$ from $O(\log^{1/2} q)$ signatures $(r(k,\mu), v(k,\mu))$ with $k \in [0, q-1]$ and $\mu \in \mathcal{M}$ selected independently and uniformly at random. The probability of success is at least $1 - 2^{-(\log q)^{1/2} \log\log q}$.

As noticed previously, it is reasonable to expect that $W$ is close to $|\mathcal{M}|^2/q$, so that the corresponding condition of Theorem 1 is almost always satisfied.

Furthermore, for the function $H$ in the NR signature, in the most interesting case we have $U = |\mathcal{M}|$, thus the corresponding inequality of Theorem 2 takes the form $|\mathcal{M}| \ge p^{3 + \varepsilon} q^{-3}$. In particular, if the message set $\mathcal{M}$ is dense (that is, of order $p$) then Theorem 2 applies for $q \ge p^{2/3 + \varepsilon}$. On the other hand, in almost all practical applications $q$ is much smaller than this bound and it would be very interesting to extend Theorem 2 to smaller values of $q$. We remark that studying the NR scheme has turned out to be harder than studying the classical DSA scheme in [15] and its modifications DSA$i$, $i = 1, \dots, 5$, in this paper. The reason is that for the NR scheme the multiplier $\lfloor r(k,\mu) \rfloor_q$ is not a product of two distinct quantities taken modulo $q$ (although $r(k,\mu)$ is such a product taken modulo $p$, this property is lost after reducing modulo $q$). Accordingly the technique of estimation of double exponential sums which is used in [15] and in this paper for DSA$i$, $i = 1, \dots, 5$, cannot be applied to the study of $r(k,\mu)$.

Similar results can be obtained for other modifications of the DSA which are outlined in [12, 18, 19].

    3.2 Experimental results

We implemented the attack with the NTL library [22]. The running time is less than half an hour for a number of signatures $d$ less than a hundred, on a 500 MHz DEC Alpha. We used a 160-bit prime $q$ and a 512-bit prime $p$. For each choice of parameter sizes, we ran the attack several times on newly generated parameters (including the prime $q$ and the multipliers of the DSA-HNP). The results are exactly the same as those obtained in [15]. The proof of Lemma 4 relies on the ability to approximate the closest vector problem in a lattice. Due to the well-known experimental fact that lattice reduction algorithms behave better than theoretically expected, it is in practice possible to obtain much better bounds than those of Lemma 4. In [15], it is shown that $\ell = 2$ instead of roughly $\log^{1/2} q$ is sufficient for the attack to work, if ideal lattice reduction is assumed.

Using the Schnorr–Euchner improved lattice reduction [21] to solve the closest vector problem in a lattice, we were always able to solve the DSA-like problems with $\ell = 3$ and $d = 100$ (on more than 50 trials). We always failed with $\ell = 2$ and $d = 150$, perhaps because current lattice basis reduction algorithms are more suited to the Euclidean norm than to the infinity norm.
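The lattice step behind Lemma 4 and the experiments above, written out as an added example (this is not the authors' NTL code): a textbook LLL over exact rationals, the Boneh–Venkatesan embedding of the HNP instance obtained from standard DSA signatures (1)–(2) with the ℓ low nonce bits known, and recovery of α checked against the public key. The toy parameters are my choice, not the paper's: q = 2^31 − 1, p the first prime of the form mq + 1 found by search, ℓ = 16 leaked bits, d = 8 signatures, chosen so that the short vector (K b_1, …, K b_d, α, −q) is far below the Gaussian heuristic and pure-Python LLL finishes in seconds.

```python
"""Lattice attack on DSA with partially known nonces (added example, not the
paper's NTL code).  Toy parameters, my choice: q = 2**31 - 1, p the first
prime m*q + 1, ELL = 16 leaked low nonce bits, D = 8 signatures."""
from fractions import Fraction
import random

Q, ELL, D = 2**31 - 1, 16, 8    # group order (Mersenne prime), leaked bits, signatures

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.4e14 with these bases, enough here."""
    if n < 2 or any(n % b == 0 for b in (2, 3, 5, 7, 11, 13, 17)):
        return n in (2, 3, 5, 7, 11, 13, 17)
    r, s = n - 1, 0
    while r % 2 == 0:
        r, s = r // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_group(q):
    """(p, g) with p = m*q + 1 prime and g of multiplicative order q in F_p."""
    m = 2
    while not is_prime(m * q + 1):
        m += 1
    p, h = m * q + 1, 2
    while pow(h, m, p) == 1:
        h += 1
    return p, pow(h, m, p)

def sign(p, q, g, alpha, k, hmu):
    """DSA signature (r(k), s(k, mu)) of a message with hash value hmu."""
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (hmu + alpha * r) % q

def hnp_sample(q, r, s, hmu, a, ell):
    """Multiplier t and approximation u of Section 1.2; a = the ell low bits of k."""
    c, sinv = pow(2, -ell, q), pow(s, -1, q)
    return c * r * sinv % q, c * (a - sinv * hmu) % q

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v, mu[i][i] = b[i][:], Fraction(1)
            for j in range(i):
                mu[i][j] = sum(x * y for x, y in zip(b[i], bstar[j])) / sum(x * x for x in bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                      # size reduction of b_k
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= r * mu[j][i]
        if sum(x * x for x in bstar[k]) >= (delta - mu[k][k - 1] ** 2) * sum(x * x for x in bstar[k - 1]):
            k += 1                                          # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def recover_key(p, q, g, pub, samples, ell):
    """Boneh-Venkatesan embedding of the HNP instance; alpha sits in a short vector."""
    d, K = len(samples), 2 ** (ell + 1)                  # K makes all entries integers
    basis = [[K * q if i == j else 0 for j in range(d + 2)] for i in range(d)]
    basis.append([K * t for t, _ in samples] + [1, 0])
    basis.append([K * u for _, u in samples] + [0, q])
    # alpha*row_d - row_{d+1}, reduced by the q*e_i rows, is (K*b_i, ..., alpha, -q): all small
    for row in lll(basis):
        for cand in (row[d] % q, -row[d] % q):
            if pow(g, cand, p) == pub:                   # the public key settles the sign
                return cand

def demo(seed=1):
    rng = random.Random(seed)
    p, g = dsa_group(Q)
    alpha = rng.randrange(1, Q)
    samples = []
    for _ in range(D):
        k, hmu = rng.randrange(1, Q), rng.randrange(1, Q)
        r, s = sign(p, Q, g, alpha, k, hmu)
        samples.append(hnp_sample(Q, r, s, hmu, k % 2 ** ELL, ELL))
    return alpha, recover_key(p, Q, g, pow(g, alpha, p), samples, ELL)
```

`demo()` returns the secret key and the recovered value. Each sample satisfies ⌊α t_i − u_i⌋_q = b_i < q/2^ℓ, so the lattice vector α·row_d − row_{d+1} (reduced modulo the q e_i rows) has coordinates below 2q while the lattice determinant is (Kq)^d q, which is why LLL exposes it; checking every candidate against the public key is the practitioner's way to dispense with the probability statement of Lemma 4.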


Finally, as in [15] we remark that one of the possible ways to obtain several most significant bits of the nonce $k$ is to use timing or power attacks and select signatures corresponding to small values of $k$, that is, to values whose most significant bits are zeros.

    References

1. M. Ajtai, R. Kumar and D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, Proc. 33rd ACM Symp. on Theory of Comput., Crete, Greece, July 6-8, 2001 (to appear).

2. L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica, 6 (1986), 1-13.

3. D. Boneh and R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 129-142.

4. D. Boneh and R. Venkatesan, Rounding in lattices and its cryptographic applications, Proc. 8th Annual ACM-SIAM Symp. on Discr. Algorithms, ACM, NY, 1997, 675-681.

5. M. Drmota and R. Tichy, Sequences, discrepancies and applications, Springer-Verlag, Berlin, 1997.

6. N. A. Howgrave-Graham and N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography, (to appear).

7. R. Kannan, Algorithmic geometry of numbers, Annual Review of Comp. Sci., 2 (1987), 231-267.

8. S. V. Konyagin and I. E. Shparlinski, Character sums with exponential functions and their applications, Cambridge Univ. Press, Cambridge, 1999.

9. L. Kuipers and H. Niederreiter, Uniform distribution of sequences, Wiley-Interscience, NY, 1974.

10. A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), 515-534.

11. R. Lidl and H. Niederreiter, Finite fields, Cambridge University Press, Cambridge, 1997.

12. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996.

13. C. J. Moreno and O. Moreno, Exponential sums and Goppa codes, I, Proc. Amer. Math. Soc., 111 (1991), 523-531.

14. P. Q. Nguyen, The dark side of the hidden number problem: Lattice attacks on DSA, Proc. Workshop on Cryptography and Computational Number Theory, Singapore 1999, Birkhäuser, 2001, 321-330.

15. P. Q. Nguyen and I. E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, Preprint, 2000, 1-26. Available on the authors' web pages.

16. P. Q. Nguyen and J. Stern, The hardness of the hidden subset sum problem and its cryptographic implications, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1666 (1999), 31-46.

17. H. Niederreiter, Random number generation and quasi-Monte Carlo methods, SIAM, Philadelphia, 1992.

18. K. Nyberg and R. A. Rueppel, Message recovery for signature schemes based on the discrete logarithm problem, J. Cryptology, 8 (1995), 27-37.

19. B. Schneier, Applied cryptography, J. Wiley, NY, 1996.

20. C. P. Schnorr, A hierarchy of polynomial time basis reduction algorithms, Theor. Comp. Sci., 53 (1987), 201-224.

21. C. P. Schnorr and M. Euchner, Lattice basis reduction: improved practical algorithms and solving subset sum problems, Math. Programming, 66 (1994), 181-199.

22. V. Shoup, Number Theory C++ Library (NTL), Available at http://www.shoup.net/ntl/.

23. I. M. Vinogradov, Elements of number theory, Dover Publ., New York, 1954.