Attacks on EDCSA and the security of elliptic curves
This attack on ECDSA can recover the private key, [d]
, if the random key (ephemeral key), [k]
, is not completely random or it is used multiple times for signing the hash of the message (z
).
This attack, implemented to extract the signing key used for the PlayStation 3 gaming console in 2010, recovered the keys of more than 77 million accounts.
To better understand this disruptive attack (because it will recover not only the message but also the private key, [d]
), we will divide it into two steps. In this example, we consider the case when two messages, [M]
and [M1]
, are digitally signed using the same private keys, [k]
and [d]
.
Step 1 – Discovering the random key, [k]
The signature (S = 47
) generated at the time (t0
) from the hash of the message, [M]
, as we know, is given by the following mathematical passages:
S ≡ (z + r*d )/k (mod p)
Here it is presented in numbers:
S ≡ (17 + 62 * 2)/3...