Practical Partial-Nonce-Exposure Attack on ECC Algorithm

2017 
Power analysis against the elliptic curve digital signature algorithm (ECDSA) has been researched for many years. Nowadays, traditional methods such as simple power analysis (SPA) and differential power analysis (DPA) are no longer effective against secure ECDSA implementations. In this situation, Howgrave-Graham and Smart introduced a lattice-based attack that recovers the secret key of the Digital Signature Algorithm (DSA) even if only a few bits of each nonce are revealed. Later, Nguyen and Shparlinski extended the attack to ECDSA. In this paper, we further extend the attack to the SM2 Digital Signature Algorithm (SM2-DSA), which is a Chinese variant of ECDSA. We implemented a secure SM2-DSA implementation on an Atmega128 microcontroller to evaluate its security under the lattice attack. We performed experiments with different parameter configurations to find optimal key-recovery strategies. We also performed the same experiments on ECDSA to show that, due to the differences between the two signature schemes, the lattice attack on SM2-DSA is harder than on ECDSA.
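The reduction the abstract relies on, as an added illustration (not code from the paper): each ECDSA or SM2-DSA signature rewrites the nonce as k = a + b·d mod n with a, b known, and the leaked top bits of k turn that into a hidden-number-problem sample whose residue is bounded, which is what a lattice solver exploits. The toy parameters (a 32-bit prime in place of the curve order, r drawn at random instead of from kG) are constructed assumptions.

```python
import random

# Constructed toy setup: a 32-bit prime stands in for the curve order n, and r is
# drawn at random instead of being the x-coordinate of kG. The reduction to the
# hidden number problem (HNP) only uses the signature equations, not the curve.
N = 4294967291          # 2^32 - 5, a prime
BITS = 32               # bit length of N
LEAK = 8                # nonce bits assumed recovered by power analysis

def inv(x):
    return pow(x, -1, N)

def ecdsa_sign(d, e, k, r):
    """ECDSA: s = k^-1 (e + r d) mod n."""
    return (inv(k) * (e + r * d)) % N

def sm2_sign(d, e, k, r):
    """SM2-DSA: s = (1 + d)^-1 (k - r d) mod n (real SM2 uses r = e + x1 mod n)."""
    return (inv(1 + d) * (k - r * d)) % N

def nonce_as_affine(scheme, e, r, s):
    """Rewrite the nonce as k = a + b*d mod n with a, b computable from (e, r, s)."""
    if scheme == "ecdsa":           # k = s^-1 e + (s^-1 r) d
        return (inv(s) * e) % N, (inv(s) * r) % N
    if scheme == "sm2":             # k = s + (s + r) d
        return s % N, (s + r) % N
    raise ValueError(scheme)

def hnp_sample(scheme, e, r, s, k_msb):
    """One signature plus the leaked top LEAK bits of k gives an HNP pair (t, u):
    t*d - u mod n equals the unknown low bits of k, so it lies in [0, 2^(BITS-LEAK))."""
    a, b = nonce_as_affine(scheme, e, r, s)
    return b, ((k_msb << (BITS - LEAK)) - a) % N

def build_instance(scheme, d, count, seed=1):
    """Constructed signing oracle: HNP pairs for `count` random messages and nonces."""
    rng, sign = random.Random(seed), (ecdsa_sign if scheme == "ecdsa" else sm2_sign)
    pairs = []
    for _ in range(count):
        e, k, r = (rng.randrange(1, N) for _ in range(3))
        pairs.append(hnp_sample(scheme, e, r, sign(d, e, k, r), k >> (BITS - LEAK)))
    return pairs

def hnp_consistent(pairs, d):
    """True if every residue t*d - u mod n fits in the unleaked bits, the bound a
    lattice solver (LLL/CVP) uses to single out the true d."""
    return all((t * d - u) % N < (1 << (BITS - LEAK)) for t, u in pairs)
```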