Path: blob/master/Digital-Signatures/Elliptic-Curve-DSA/Attack-k-reuse/README.md
1402 views
Attack k-reuse
Prerequisites:
In this section, we will discuss an attack on Elliptic Curve Digital Signature and Authentication- attack due to improper implementation of ECDSA, leading to knowledge of the private key of the signer and forging of signatures.
Before we move onto the attack, it is important for the reader to know how signatures are generated using Elliptic Curves: Signature Generation using Elliptic Curves
Consider a scenario where the signer (Alice) generates two signatures corresponding to two different messages, using the same value of k. As we already know k is any integer between 1 and n-1, where n is the order of the subgroup generated. Let the signature pairs, that have been generated using the same k be (r1,s1) and (r2, s2).
We will first see that the values of r generated for signing the two messages using the same value k will also be the same ie. r1 = r2:
We know that
, 
and kis common for two signatures generated.Hence for
and 
we can write: 
.
We have signature pairs for two messages M1 and M2 equal to (r, s1) and (r, s2) respectively, generated using the same k. The next step is to retrieve the value of k and then use it to get the value of Alice's private key (Signer's private key). To retrieve the value of k, we can write:
, where z1 and z2 are Ln left-most bits of HASH(M1) and HASH(M2) respectively.Subtracting s1 from s2 we get:
Thus,
Now that we have the value of k, we can calculate Alice's private key. We can use any of the two signatures (the ones that are generated using the same k) to retrieve the value of dA (Alice's private key):
The attacker can use the private key dA to generate a valid signature of any message M.