Research on ECDSA Key Recovery Attacks Based on the Extended  Hidden Number Problem

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (2): 174-.

Previous Articles Next Articles

Research on ECDSA Key Recovery Attacks Based on the Extended Hidden Number Problem

Wang Zongxin and Hu Honggang

(School of Cyber Science, University of Science and Technology of China, Hefei 230027)

Online:2026-02-07 Published:2026-01-28

基于扩展隐藏数问题的ECDSA密钥恢复攻击研究

王宗昕胡红钢

(中国科学技术大学网络空间安全学院合肥230027)

通讯作者: 胡红钢博士，教授，博士生导师.主要研究方向为格密码学、网络安全. hghu2005@ustc.edu.cn
作者简介:王宗昕硕士.主要研究方向为格密码学及应用. wzx0322@mail.ustc.edu.cn 胡红钢博士，教授，博士生导师.主要研究方向为格密码学、网络安全. hghu2005@ustc.edu.cn
基金资助:
国家自然科学基金项目(62472397)

Abstract

Abstract: Elliptic curve digital signature algorithm (ECDSA) is one of the most widely used digital signature algorithms. During the signing process, it requires computing scalar multiplication on elliptic curves, which is typically the most timeconsuming component of the signature. In many present cryptographic libraries, the windowed nonadjacent form representation is commonly used to represent the ephemeral key in order to reduce time consumption. This exposes sidechannel vulnerability to malicious attackers, allowing them to extract partial information about the ephemeral key from sidechannel traces and subsequently recover the signing key. Leveraging the extended hidden number problem to extract information from sidechannel traces and applying latticebased attacks to recover keys constitutes one of the mainstream attack frameworks against ECDSA. Based on above, we propose three optimization methods. First, we introduce a neighboring dynamic constraint merge strategy. By dynamically adjusting the merging parameters, we reduce the dimension of the lattice and control the amount of known information lost during the attack, ensuring high success rates for key recovery across all signatures. Second, we analyze and optimize the embedding number in the lattice, reducing the Euclidean norm of the target vector by approximately 8%, thereby improving the success rate and reducing time consumption. Finally, we propose a linear predicate method which significantly reduces the time overhead of the lattice sieving. In this work, we achieve a success rate of 0.99 in recovering the private key using only two signatures.

Key words: elliptic curve digital signature algorithm, sidechannel attack, extended hidden number problem, lattice attack, lattice sieving

摘要： 椭圆曲线数字签名算法(elliptic curve digital signature algorithm, ECDSA)是应用最广的数字签名算法之一，在签名过程中需要计算椭圆曲线上的标量乘法，该操作通常是签名中最耗时的部分.在目前许多密码库的实现中都使用非相邻窗口形式表示临时密钥，从而减少标量乘法的计算时间，但是也使得攻击者能够通过侧信道攻击获取临时密钥的部分信息，恢复签名密钥.使用扩展隐藏数问题提取侧信道轨迹中的信息，并通过格攻击恢复密钥，是针对ECDSA的主流攻击框架之一.基于此，提出了3方面的优化方法：1)邻域动态约束合并策略.通过动态的合并参数可以降低格的维数，并控制攻击过程中已知信息的损失量，使得对于任意的签名均能够以很高成功率恢复密钥.2)对于格中嵌入数进行分析与优化，使得目标向量的欧几里得范数减少约8%，有效提高了攻击的成功率并减少了时间开销.3)提出了一种线性断言方法，能够显著降低格筛法的时间开销.在使用2个签名的情况下以0.99的成功率恢复签名密钥.

关键词: 椭圆曲线数字签名算法, 侧信道攻击, 扩展隐藏数问题, 格攻击, 格筛法

CLC Number:

TP309.2

王宗昕, 胡红钢, . 基于扩展隐藏数问题的ECDSA密钥恢复攻击研究[J]. 信息安全研究, 2026, 12(2): 174-.

References

［1］Fan Shuqin, Wang Wenbo, Cheng Qingfeng. Attacking OpenSSL implementation of ECDSA with a few signatures［C］ Proc of the 2016 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2016: 15051515［2］Yarom Y, Falkner K. FLUSH+RELOAD: A high resolution, low noise, L3 cache sidechannel attack［C］ Proc of the 23rd USENIX Security Symposium. Berkeley, CA: USENIX Association, 2014: 719732［3］Hlavac M, Rosa T. Extended hidden number problem and its cryptanalytic applications［C］ Proc of the 13th Int Workshop on Selected Areas in Cryptography (SAC 2006). Berlin: Springer, 2006: 114133［4］Allan T, Brumley B B, Falkner K, et al. Amplifying side channels through performance degradation［C］ Proc of the 32nd Annual Conf on Computer Security Applications (ACSAC 2016). New York: ACM, 2016: 422435［5］De Micheli G, Piau R, Pierrot C. A tale of three signatures: Practical attack of ECDSA with wNAF［C］ Proc of the 12th Int Conf on Cryptology in Africa (AFRICACRYPT 2020). Berlin: Springer, 2020: 361381［6］Cao Jinzheng, Cheng Qingfeng, Weng Jian. EHNP strikes back:Analyzing SM2 implementations［C］ Proc of the 13th Int Conf on Cryptology in Africa (AFRICACRYPT 2022). Berlin: Springer, 2022: 576600［7］Ma Ziqiang, Li Shuaigang, Lin Jingqiang,et al. Another lattice attack against ECDSA with the wNAF to recover more bits per signature［C］ Proc of the 18th EAI Int Conf on Security and Privacy in Communication Networks (SecureComm 2022). Berlin: Springer, 2022: 111129［8］Gruss D, Maurice C, Wagner K, et al. Flush+Flush: A fast and stealthy cache attack［C］ Proc of the 13th Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016). Berlin: Springer, 2016: 279299

[1]	. A Graphembedded Data Security Audit Scheme Based on Risk Elements [J]. Journal of Information Security Reserach, 2026, 12(2): 100-.
[2]	. Research on the Development Challenges and Governance Pathways of Network Data Labeling and Tagging Technology [J]. Journal of Information Security Reserach, 2026, 12(2): 118-.
[3]	. Research on Dynamic Risk Assessment and Security Supervision System of Enterprise Outbound Data Transfer [J]. Journal of Information Security Reserach, 2026, 12(2): 124-.
[4]	. Research on the Regulation of Crossborder Data Flow in China from the Perspective of Dynamic Systems Theory [J]. Journal of Information Security Reserach, 2026, 12(2): 181-.
[5]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[6]	. PUFbased Identity Authentication for Internet of Things Against Machine Learning Attacks in Zerotrust Architecture#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 33-.
[7]	. Object Removal Video Tampering Detection and Localization Based on Learnable Ptuning#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 61-.
[8]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 8-.
[9]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 12-.
[10]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 19-.
[11]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 25-.
[12]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 31-.
[13]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 35-.
[14]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 48-.
[15]	. [J]. Journal of Information Security Reserach, 2025, 11(E2): 58-.

Research on ECDSA Key Recovery Attacks Based on the Extended Hidden Number Problem

基于扩展隐藏数问题的ECDSA密钥恢复攻击研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics