The Insecurity of Esign in Practical Implementations

Provable security usually makes the assumption that a source of perfectly random and secret data is available. However, in practical applications, and especially when smart cards are used, random generators are often far from being perfect or may be monitored using probing or electromagnetic analysis. The consequence is the need of a careful evaluation of actual security when idealized random generators are implemented. In this paper, we show that Esign signature scheme, like many cryptosystems, is highly vulnerable to so called partially known nonces attacks. Using a 1152-bit modulus, the generation of an Esign signature requires to draw at random a 768-bit integer. We show that the exposure of only 8 bits out of those 768 bits, for 57 signatures, is enough to recover the whole secret signature key in a few minutes. It should be clear that we do not cryptanalyze a good implementation of Esign nor do we find a theoretical flaw. However, our results show that random data used to generate signatures must be very carefully produced and protected against any kind of exposure, even partial. As an independent result, we show that the factorization problem is equivalent to the existence of an oracle returning the most or least significant bits of S mod p, on input S randomly chosen in Zpq.