
Suppose that we are given DSA parameters $p$, $q$, $g$, a public key $y = g^x$, and two signatures $(r_1,s_1)$ and $(r_2,s_2)$. We are told that $(r_1,s_1)$ and $(r_2,s_2)$ were produced by related nonces $k_1 = k$ and $k_2 = k+1$, but we do not know the value of $k$, and we do not know the messages.

(In practical terms: the PRNG is broken, but it's somehow well-seeded, and we can't submit any messages for signing. We cannot guess the contents of the messages, e.g. they're encrypted with a secret key.)

So we know $$ \begin{aligned} r_1 &= (g^k \bmod p) \bmod q, & s_1 &= k^{-1}(h_1 + x\,r_1) \bmod q, \\ r_2 &= (g \cdot g^k \bmod p) \bmod q, & s_2 &= k^{-1}(h_2 + x\,r_2 - s_2) \bmod q, \end{aligned} $$ but we don't know the $h_i$. Can we find the private key?

Does it help to have more (but $\ll q$) known signatures made with $k+2, k+3, \ldots$ (but with unknown messages)?

(Inspired by Attack on DSA with signatures made with k, k+1, k+2)

2 Answers


If the messages are unknown, there are no two messages $m_i, m_j$ such that $m_i = m_j$ and the messages have sufficiently high entropy (which might be shared across several messages, if the hash function is a CSOWF and the messages e.g. have low entropy unique sub strings or are made unique in some other way), and the underlying hash function is secure in a random oracle model and has an output bit length equal to or greater than $2n$ such that $q \lt 2^n$ (see below), then this scheme is secure in this hypothetical scenario.

Firstly, note that

$s_i \equiv h(m_i)/(k+i) + xr_i/(k+i) \pmod q$

Case #1 - large untruncated hashes (non-DSA compliant)

Suppose we give the adversary oracle access to the first term of the right hand expression

$h^\prime_i = h(m_i)(k+i)^{-1} \mod q$

Define the adversary $A_h$ such that $i$ is fixed, and that $A_h$ might submit any $j \ne i$ to the oracle and get the corresponding $h^\prime_j$ value. Then $A_h$ submits $i$ and gets either $h^\prime_i$ or $z \leftarrow_{uniform} \mathbb Z_q$. $A_h$ might continue to submit any queries to the oracle subject to the first constraint that $j \ne i $. If the function $h(m)$ and the $m_i$ messages have the assumed properties, $A_h$ will have but negligible probability of succeeding.

As noted, the assumption about the uniformity of $h(m)$ is problematic if the underlying implementation conforms to FIPS 186-3 with the only exception of the way the randomizer values are generated. Since FIPS 186-3 prescribes that the leftmost $n = |q|$ bits of $h(m)$ are used, we will get a clear bias, with $h(m) < 2^n-q$ being twice as probable as $2^n-q \le h(m) < q$. However, if the hash output is at least $cn$ bits and is not truncated before being reduced $\bmod q$, this bias will be at most $2^{-n(c-1)}$.

Secondly, note that we now have

$s_i = h^\prime_i + xr_i(k + i)^{-1} \mod q$

Define the adversary $A_s$ such that $A_s$ might adaptively submit any $j$ subject to the same conditions as above. When $A_s$ submits $j = i$, the oracle returns either $s_i$ or $w \leftarrow_{uniform} \mathbb Z_q$. $A_s$ might then continue to submit queries as above.

Now, note that for any $w$ and $i$ there exists a value $z_{w,i}$ such that

$w = z_{w,i} + xr_i(k + i)^{-1} \mod q$

Hence, if the adversary $A_s$ is able to tell if the $s$-oracle returned $w$ or $s_i$, we have a distinguisher for $A_h$ as well, by noting that $A_s$ is able to tell $z_{w,i}$ from $h^\prime_i$.


Case #2 - truncated or equisized hashes (DSA compliant)

If the hash output is exactly $n$ bits in length, there will be a significant bias in $h(m) \pmod q$, as noted above. Given the other assumptions regarding the messages and the hash function, we might assume this is the only bias we have to consider. However, presuming $q$ is a uniform prime in the range $2^{n-1} \lt q \lt 2^n$, multiplication by $(k+i)^{-1} \bmod q$ will mask this bias to some extent. Given that both terms of the right-hand expression share this factor, the above proof is not valid in this case. Intuitively, though, the combined (and theoretically detectable) bias of $h(m_i) + xr_i$ ought to be masked to some reasonable extent by the $(k+i)^{-1}$ factor sequence, as long as the total number of signatures is not large enough.

Henrick Hellström

Even if the messages are not known, if the messages are low-entropy, then this can be broken.

In particular, given a guess at message $m_1$, you can use the DSA signature verification algorithm to test your guess. So keep guessing until you find $m_1$; if $m_1$ is low-entropy, this shouldn't take too long. Similarly, find $m_2$. Then, once you know $m_1,m_2$, you know $h_1,h_2$, and you can solve the system of equations using Gaussian elimination. This reveals the private key $x$. (The latter part is the attack procedure described in the answer to the other question you linked to.) Therefore, the effectiveness of this attack method is determined by how easy it is to guess the messages used.

For example, if each message is a 4-digit PIN, and we have the corresponding DSA signatures, this will be easy to break: after $2 \times 10^4$ guesses (and applications of the DSA signature verification algorithm), you will know both messages, and then the private key falls out immediately.

Thanks to @poncho for this improved attack.

D.W.
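The two steps of this answer as a runnable added example (this is not code from the question or from either answer): toy-sized DSA parameters are generated (assumed here: $q = 2^{61}-1$, $p$ the first prime of the form $c \cdot q + 1$ found from $c = 2^{66}$ upward, $g = 2^c \bmod p$), two 4-digit PIN messages are signed with nonces $k$ and $k+1$, and the attacker then brute-forces each PIN through the verification equation and eliminates $k$ from the two signing equations to get $x$. The solver takes the nonce offset $d$ as a parameter, so it also covers a known offset other than 1; the PIN values and the parameter sizes are constructed for the demo and the algebra does not depend on them.

```python
"""Added example: DSA private-key recovery from two signatures with nonces k and
k+d on unknown but low-entropy (4-digit PIN) messages.  Toy parameters, not
production code."""
import hashlib
import secrets


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (deterministic below ~3.3e24, probabilistic above)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params():
    """Assumed toy parameters: q = 2^61-1 (Mersenne prime), p = c*q+1 prime, g of order q."""
    q = 2**61 - 1
    c = 2**66                      # even c keeps c*q+1 odd
    while not is_probable_prime(c * q + 1):
        c += 2
    p = c * q + 1
    g = pow(2, c, p)               # 2^((p-1)/q) has order q unless it equals 1
    assert g != 1
    return p, q, g


def dsa_hash(q, message):
    """DSA's z value: the leftmost min(N, outlen) bits of SHA-256 as an integer."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> max(0, 256 - q.bit_length())


def sign_with_nonce(p, q, g, x, message, k):
    """Textbook DSA signing with a caller-chosen nonce (the broken-PRNG scenario)."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (dsa_hash(q, message) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another nonce")
    return r, s


def verify(p, q, g, y, message_hash, sig):
    """Textbook DSA verification on an already-hashed message."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, message_hash * w % q, p) * pow(y, r * w % q, p) % p % q == r


def guess_message_hash(p, q, g, y, sig, candidates):
    """Step 1 of the answer: test each guessed message against the signature.
    Only the hash matters afterwards, so return it (None if no guess verifies)."""
    for m in candidates:
        h = dsa_hash(q, m)
        if verify(p, q, g, y, h, sig):
            return h
    return None


def recover_private_key(q, sig1, sig2, h1, h2, d=1):
    """Step 2: solve   s1*k = h1 + x*r1   and   s2*(k+d) = h2 + x*r2   (mod q).
    Multiplying by s2 and s1 and subtracting eliminates k:
        x*(s2*r1 - s1*r2) = s1*h2 - s2*h1 - d*s1*s2   (mod q).
    d = 1 is the question's k, k+1 case; any known offset d works the same way."""
    r1, s1 = sig1
    r2, s2 = sig2
    denom = (s2 * r1 - s1 * r2) % q
    if denom == 0:
        raise ValueError("degenerate pair: s2*r1 == s1*r2 (mod q)")
    x = (s1 * h2 - s2 * h1 - d * s1 * s2) * pow(denom, -1, q) % q
    k = pow(s1, -1, q) * (h1 + x * r1) % q    # the leaked nonce, for a consistency check
    return x, k


def demo(pin1=b"4821", pin2=b"0731"):
    """Constructed scenario: two PINs signed with nonces k and k+1; returns True if x is recovered."""
    p, q, g = toy_params()
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    k = secrets.randbelow(q - 2) + 1          # so that k + 1 < q as well
    sig1 = sign_with_nonce(p, q, g, x, pin1, k)
    sig2 = sign_with_nonce(p, q, g, x, pin2, k + 1)
    # Attacker's view: p, q, g, y, the two signatures, and "messages are 4-digit PINs".
    pins = [f"{i:04d}".encode() for i in range(10_000)]
    h1 = guess_message_hash(p, q, g, y, sig1, pins)
    h2 = guess_message_hash(p, q, g, y, sig2, pins)
    x_rec, k_rec = recover_private_key(q, sig1, sig2, h1, h2, d=1)
    return x_rec == x and k_rec == k and pow(g, x_rec, p) == y


if __name__ == "__main__":
    print("private key recovered:", demo())
```

The guessing loop costs at most $10^4$ verifications per signature, exactly the $2 \times 10^4$ in the answer, and the linear solve is independent of parameter size: swapping in real 2048/256-bit parameters changes nothing in `recover_private_key`.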