Sentinel ("trick") values for lattice attack on DSA with biased k (MSB)

Igor Matyuh

12/13/22, 7:09 PM

I'm studying lattice attack using this sage script. There are 2 options in script: LSB and MSB. The most interesting option for me is MSB. It recovers private key with less then 100 signatures provided with script. When I run it with my PQG generated by openssl and my own signatures with zeroed 8-bit MSB I was able to recover private key with 800 signatures in one case and unable to recover even with 1000 signatures in another case. It seems to me 800-1000 signatures is too much for 8 known bits. Sentinel value for this attack is 1. There is similar solution from mimoo for ECDSA. Sentinel value in this script is called "trick". As far as I understand this solution is for ECDSA only and I can't use it for DSA key recovery. Can anybody suggest sentinel values I can use to reduce the number of signatures?

0 + 0

dsa

randomness

lattice-crypto

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Sentinel ("trick") values for lattice attack on DSA with biased k (MSB)

TH: ค่า Sentinel ("trick") สำหรับการโจมตีขัดแตะบน DSA ด้วย biased k (MSB)

RO: Valori Sentinel ("trick") pentru atacul lattice pe DSA cu biased k (MSB)

RU: Значения Sentinel («трюк») для решетчатой атаки на DSA со смещенным k (MSB)

VI: Các giá trị Sentinel ("lừa") để tấn công mạng trên DSA với độ lệch k (MSB)

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.