Extended Hidden Number Problem and Its

Cryptanalytic Applications

Martin Hlaváč1,⋆ and Tomáš Rosa1,2

1
Department of Algebra, Charles University in Prague,
Sokolovská 83, 186 75 Prague 8, Czech Republic
2
eBanka, a.s., Václavské Náměstı́ 43, 110 00 Prague 1, Czech Republic
hlavm1am@artax.karlin.mff.cuni.cz, trosa@ebanka.cz

Abstract. Since its formulation in 1996, the Hidden Number Problem

(HNP) plays an important role in both cryptography and cryptanalysis.
It has a strong connection with proving security of Diffie-Hellman and
related schemes as well as breaking certain implementations of DSA-like
signature schemes. We formulate an extended version of HNP (EHNP)
and present a polynomial time algorithm for solving its instances. Our
extension improves usability of HNP for solving real cryptanalytic prob-
lems significantly. The techniques elaborated here can be used for crypto-
graphic strength proving, as well. We then present a practically feasible
side channel attack on certain implementations of DSA (e.g. OpenSSL),
which emphasizes the security risk caused by a side channel hidden in
the design of Pentium 4 HTT processor for applications like SSH. During
experimental simulations, having observed as few as 6 authentications to
the server, an attacker was able to disclose the server’s private key.

Keywords: side channel analysis, cache analysis, DSA implementation,

hyper-threading, sliding window, lattice.

1 Introduction
In 1996, Boneh and Venkatesan studied the following problem: Fix p and n.
Having given (ki , MSBn (xg ki mod p)) for 1 ≤ i ≤ d, where g is a generator
p
of Z∗p , MSBn (y) satisfies |y − MSBn (y)| < 2n+1 and d is a polynomial function
of log p, find x mod p. The particular unknown value of x was called a hidden
number and the whole problem was named a Hidden Number Problem (HNP).
HNP plays an important role in proving security of most significant bits in
Diffie-Hellman key agreement and related schemes [7]. In 1999, Nguyen showed
a connection between solving HNP and breaking flawed implementations of DSA
[13] attacked sooner by Howgrave-Graham and Smart [10]. It was then extended
together with Shparlinski in [14]. Their formulation of HNP followed from [7]
with a modification allowing them to disclose the private DSA key provided that
they know a sufficiently long block of bits of each nonce for several signatures
(cf. DSA description in §5.1). The limitation of the method in [14] was that
⋆
The first author was partly supported by the institutional grant MSM 0021620839.

E. Biham and A.M. Youssef (Eds.): SAC 2006, LNCS 4356, pp. 114–133, 2007.
c Springer-Verlag Berlin Heidelberg 2007

 Extended Hidden Number Problem and Its Cryptanalytic Applications 115

these known bits had to be consecutively placed on the position of either most
or least significant bits or they had to occupy a block of bits somewhere in the
middle of each nonce. An idea was given on how to overcome this restriction,
based on a multidimensional diophantine approximation. Deeper investigation
of it then showed that it leads to an unnecessary information loss (cf. remark
on §3 below). Furthermore, the method was unaware of direct partial informa-
tion an attacker may have on the private key itself. A practical cryptanalytic
problem may arise, where these factors are limiting. Interestingly, the limiting
focus on most significant bits also persisted in other variants derived from the
original HNP [21], [6]. In this article, we show an extension of HNP (EHNP)
together with a probabilistic algorithm for solving its instances in polynomial
time, which relaxes the strict conditions on the form of partial information in
HNP significantly. It then allows us to develop, for instance, a successful real-
istic side channel attack on certain implementations of DSA presented in §5.
We consider the EHNP elaboration and the attack presented of independent
merit, since we believe that the method presented here can be used as a gen-
eral tool for solving many other cryptanalytic problems leading to instances
of EHNP. Besides (EC)DSA and its variants, we can mention Diffie-Hellman
and related schemes such as El Gamal public key encryption, Shamir message
passing scheme, and Okamoto conference key sharing studied originally in [7].
Using EHNP allows an analyst to exploit partial information in an “individual
bits”-like manner, which is very important with regard to popular side channel
attacks. EHNP also allows us to study cryptographic security of individual bits
of secrets in these schemes. One can, for instance, extend the results on most
significant bits given in [7] to other bits or blocks of bits, as well. It is also
possible to implant the ideas elaborated here into other variants of HNP, such
as [21], [6]. The practical attack presented, on the other hand, illustrates the
significant vulnerability that general widespread applications like SSH server
[19] can acquire when using the Pentium 4 HTT processor [11] as a hosting
platform.
The rest of the paper is organized as follows: In §2, we review elementary
properties of lattices that we use to solve EHNP. We note that instead of a
set of diophantine inequalities, we view HNP and its extensions as a special
kind of a set of linear congruences of truncated variables. In this way, we get
a particular case of the general one studied in [8] (cf. also [4]) which, however,
leads to a far easier solution. This idea itself is not new (cf. [16]). However, we
show how to exploit it to rigorously prove solvability of (E)HNP without relying
on the transforming approximation suggested in [14]. Especially, we exploit the
fact that there is a variable (the hidden number) that appears (with a nonzero
coefficient) in each congruence from the set.
In §3, we illustrate an evolution of EHNP starting from the approach of [14].
We recall the results of [14] being important for us here in a form of theorems.
To stay focused on algorithmic part of the connection in between EHNP and
lattices, we omit otherwise very interesting elaboration of distribution conditions
116 M. Hlaváč and T. Rosa

relaxation from the theorems. We slightly generalize the method used there to
exploit the partial information in the middle of each nonce. We define HNP-2H
problem and show how it reduces to HNP to demonstrate the idea of [14] on
how to use the information spread across individual bits. Informally speaking,
the authors suggested using certain kind of diophantine approximation to con-
vert these problems to HNP. With such an approach, however, the amount of
information needed per nonce grows with a multiple of the number of unknown
bit blocks (as already mentioned in [14] and [16]). Contrary to this approach, the
EHNP solving method presented here is compact, which means that it does not
rely on the conversion causing the unnecessary information loss. In this sense,
our method is similar to the one presented by Howgrave-Graham and Smart
in [10] which, however, contains a lot of heuristic assumptions in comparison
with the results presented here. We hope the whole elaboration in §3 is a useful
guideline for a cryptanalyst deciding which method to choose by the kind and
amount of information she has.
In §4, we define EHNP, present a lattice-based algorithm for searching can-
didate solution in polynomial time, and investigate correctness of that solution.
To give an illustrative presentation of our ideas, we use certain bounds for lat-
tice problems employed that are not very tight. Actually, we rely only on the
well known algorithms of Lenstra, Lenstra, Lovász [12], and Babai [3]. Even with
these conservative results, we are able to derive practically acceptable bounds for
the EHNP solving algorithm. As being widely understood in the area of lattice
problems [9], in practice, however, we may reasonably assume that the algo-
rithms (or their equivalents, cf. §2) will behave much better than what would be
guaranteed even by more strict bounds for more matured techniques. Therefore,
we suggest an experimental verification of the EHNP instance solvability for a
particular cryptanalytic problem, even when it seems to be beyond the estimates
guaranteed formally.
In §5, we present a practical side channel attack on certain implementations
of DSA (including the OpenSSL one) when running on the Pentium 4 HTT
platform [11]. Besides being of an independent merit, it serves as an example of
using EHNP approach in a real cryptanalytic case. Finally, we conclude in §6.

2 Preliminaries
The main tool of our approach is a lattice. We define a (full rank) lattice L in
Qd as the set of lattice vectors
 d 

αi bi | αi ∈ Z , (1)
i=1

where b1 , . . . , bd ∈ Qd are linearly independent and are called basis vectors of

lattice L. The matrix whose rows are the basis vectors is called basis matrix
of lattice L. There is an algorithmic problem connected with the lattices called
Approximate Closest Vector Problem (ACVP). Given d linearly independent
 Extended Hidden Number Problem and Its Cryptanalytic Applications 117

basis vectors b1 , . . . , bd ∈ Qd together with v ∈ Qd , the task is to find a lat-

tice vector W ∈ L satisfying v − W ≤ f (d) minA∈L v − A. The coefficient
f (d) is called the approximation factor. The problem is known to be NP-hard for
f (d) = 1 for any norm [9]. In practical cryptanalytic cases, however, a weaker ap-
proximation still suffices. In particular, we will expect there exists a polynomial
d
time algorithm solving ACVP with f (d) = 2 4 , which was the basic assumption
in [7], [14] (cf. Babai algorithm in [3]). We can get such an algorithm by using
various number-theoretic libraries such as NTL [20]. Furthermore, an attacker
will probably choose some of the most recent methods like [15]. Note that Al-
gorithm 1 adapts “automatically” for such modification and the estimates of
Theorem 5 can be adjusted very easily by a change of the parameter κD (cf. the
elaboration in §4 for its precise definition).
To simplify the notation later, it is useful to define symbol |a|N = mink∈Z |a −
kN | where N ∈ N and a ∈ Z. It is easy to see that
1. |a + b|N = 0 ⇔ a ≡ −b ( mod N )
2. |a + b|N ≤ |a|N + |b|N
3. |ab|N ≤ |a|N |b|N
4. |a|N = min{a mod N, N − (a mod N )}
5. |a|N ≤ |a|
for all a, b ∈ Z.
As N is a prime throughout the whole paper, ZN is regarded as the finite
field ZN (+, ·, 0, 1). Unless stated otherwise, the elements of ZN are represented
as integers from the set {0, . . . , N − 1}.

3 On the Way from HNP to EHNP

Definition 1 (Hidden Number Problem). Let N be a prime and let x,
x ∈ ZN be a particular unknown integer that satisfies d congruences

αi x + ρi ki ≡ βi ( mod N ), 1 ≤ i ≤ d,

where αi , αi ≡ 0 ( mod N ), ρi and βi , 1 ≤ i ≤ d are known values. The unknown

integers ki satisfy 0 ≤ ki < 2μ , 1 ≤ i ≤ d, where µ is a known rational constant.
The Hidden Number Problem (HNP) is to find x.

Theorem 1 (Solving HNP). There exists an algorithm running in polynomial

time that solves HNP instance, where αi and ρi , 1 ≤ i ≤ d are uniformly and
independently distributed on 1, N − 1 , with the probability of success

2dμ  d+1 1
d
P >1− 1 + 2 4 (1 + d) 2 .
(N − 1)d−1

Proof. Based on rephrasing the results from [14].

118 M. Hlaváč and T. Rosa

Definition 2 (HNP with Two Holes). Let N be a prime and let x, x ∈ ZN

be a particular unknown integer that satisfies d congruences

αi x + ρi,1 ki,1 + ρi,2 ki,2 ≡ βi ( mod N ), 1 ≤ i ≤ d, (2)

where αi , αi ≡ 0 ( mod N ), ρi,1 , ρi,2 and βi , 1 ≤ i ≤ d are known values.

The unknown integers ki,1 and ki,2 satisfy 0 ≤ ki,1 < 2μ1 and 0 ≤ ki,2 < 2μ2 ,
1 ≤ i ≤ d, where µ1 and µ2 are known rational constants. The Hidden Number
Problem with Two Holes (HNP-2H) is to find x.

Theorem 2 (Dirichlet, [9]). Let α ∈ R and 0 < ε ≤ 1 be given values. Then

there exist p, q ∈ Z such that
 
1  p  ε
1≤q≤ and α −  <
 .
ε q q
Corollary 1. Let us be given A, N ∈ Z and B ∈ R satisfying B ≥ 1 and N > 0.
Then there exists λ, λ ∈ Z such that
N
1≤λ≤B and |λA|N < .
B
 
− pq  < 1
A
Proof. Theorem 2 states there exist p, q ∈ Z such that  N and 1 ≤

Bq
N
q ≤ B. So |qA|N ≤ |qA − N p| < B. Setting λ = q finishes the proof. ⊓
⊔

Remark 1. Note that λ promised by Corollary 1 can be easily found in polyno-

mial time using a technique based on the continued fractions expansion (cf. [9],
[14]).

Theorem 3 (Solving HNP-2H using Dirichlet’s approximation). There

exists an algorithm running in polynomial time that solves HNP-2H, where αi , ρi,1 ,
and ρi,2 , 1 ≤ i ≤ d are uniformly and independently distributed on 1, N − 1 , with
the probability of success
d
(N 2μ1 +μ2 ) 2  d+9 1
d
P > 1− 4 + 2 4 (1 + d) 2 .
(N − 1)d−1

Proof. Let Ai = (ρi,1 )−1 ρi,2 mod N , γi = ki,1 + Ai ki,2 , α′i = (ρi,1 )−1 αi mod N
and βi′ = (ρi,1 )−1 βi mod N , 1 ≤ i ≤ d. The congruences (2) in Definition 2
become
α′i x + γi ≡ βi′ ( mod N ), 1 ≤ i ≤ d. (3)
Given any B ∈ R, B ≥ 1, we can find non-zero integers λi,B satisfying |λi,B Ai | <
N
B and 1 ≤ λi,B ≤ B for 1 ≤ i ≤ d. It holds

N μ2
|λi,B γi |N = |λi,B ki,1 +λi,B Ai ki,2 |N ≤ |λi,B |N ki,1 +|λi,B Ai |N ki,2 < B2μ1 + 2 .
B
1 µ2 −µ1
N μ2
The choice Bmin = N 2 2 2 minimizes the upper bound B2μ1 + B2 .
 Extended Hidden Number Problem and Its Cryptanalytic Applications 119
 1 µ1 +µ2 +2

We convert HNP-2H to HNP by setting ki′ = λi,Bmin γi + ⌊N 2 2 2 ⌋
1 µ1 +µ2 +4
mod N , ki′ < N 2 2 2 . After several modifications of (3), we obtain congru-
ences in one unknown variable ki′ per congruence, i.e.
(λi,Bmin α′i ) x + λi,Bmin γi ≡ λi,Bmin βi′ ( mod N ),
 1 µ1 +µ2 +2
(λi,Bmin α′i ) x + ki′ ≡ λi,Bmin βi′ + N 2 2 2 ( mod N ),
α′′i x + ki′ ≡ βi′′ ( mod N ), 1≤i≤d
′ 1 µ1 +µ2 +4
defining an instance of HNP. Let µ′ ∈ Q be such that ki′ < 2μ ≤ N 2 2 2 . By
Theorem 1, such a problem can be solved in polynomial time with the probability
′ d (µ1 +µ2 +4)d
2dμ  d+1 1
d N22 2
 d+1 1
d
P >1− d−1
1 + 2 4 (1 + d) 2 ≥ 1 − d−1
1 + 2 4 (1 + d) 2 =
(N − 1) (N − 1)
d d
(N 2μ1 +μ2 ) 2 2d  d+1 1
d (N 2μ1 +μ2 ) 2  d+9 1
d
=1− d−1
2 1 + 2 4 (1 + d) 2 = 1 − d−1
4 + 2 4 (1 + d) 2 .
(N − 1) (N − 1)
⊓
⊔
It is correct to interpret Theorem 3 as saying that we need roughly twice as many
information bits to solve HNP-2H compared to the plain HNP case [16]. This
is caused by the transforming approximation and it is generally independent
on the technique used to solve the transformed HNP. If we continue further
this way to define HNP with more ”holes” (HNP-xH), we will need to use a
multidimensional transforming approximation based e.g. on the scope of the
multidimensional Dirichlet’s theorem and lattice reduction techniques [9]. What
we obtain is then a conjecture stated in [16] that we need at least x-times as many
information bits to solve HNP-xH compared to the plain HNP case. However,
using the algorithmic and mainly the proving strategies described bellow, it
turns out that such a conjecture does not hold generally. We can see it, for
instance, by normalizing the probability estimations given above and bellow
under the assumption that we have an access to an oracle solving the Closest
Vector Problem with an arbitrary precision for the maximum norm. We omit
this demonstration here, since it is beyond the scope of the paper. Therefore, the
conjecture of [16] is not a property of HNP itself, it is a property of a particular
method for solving HNP instead. On the other hand, this is not the only one
selection criterion. As is demonstrated bellow, our method does not suffer from
the expensive transforming approximation, but, on the other hand, it is more
sensitive to the approximation factor of the particular algorithm used for solving
the Approximate Closest Vector Problem.
Theorem 4 (Solving HNP-2H as a special case of EHNP). There exists
an algorithm running in polynomial time that solves HNP-2H, where αi , ρi,1 ,
and ρi,2 , 1 ≤ i ≤ d are uniformly and independently distributed on 1, N − 1 ,
with the probability of success
2(μ1 +μ2 )d  3d+1 1
2d+1
P >1− 1 + 2 4 (1 + 2d) 2 .
N d−1
120 M. Hlaváč and T. Rosa
bits gained per congruence (160 − ⌈µ1 ⌉ − ⌈µ2 ⌉)

EHNP
d (number of congruences) Dirichlet’s approximation

Fig. 1. Dirichlet’s approximation vs. EHNP algorithm solving HNP-2H

Proof. The algorithm arises from the solution of EHNP defined and solved in
the following section, which HNP-2H is a special case of.

Figure 1 shows a comparison of HNP-2H solving using Dirichlet’s approximation

and EHNP for 160 bits long modulus N . The graph lines connect the boundary
points corresponding to probably solvable combinations of the number of bits
gained per congruence and the number of congruences (e.g. signatures of DSA).
The EHNP approach is provably preferable in cases with high amount of informa-
tion available for only few congruences. These are the cases arising, for instance,
in fault side channel attacks, where the device may get burnt soon, however,
revealing a huge amount of information before being irreversibly damaged. In
practice, we may expect a broader preference of EHNP, since the approximation
factor will be probably much better than the estimate we used.

4 Extended Hidden Number Problem

Definition 3 (Extended Hidden Number Problem). Let N be a prime
and let x, x ∈ ZN , be a particular unknown integer such that
m

x = x̄ + 2πj xj , (4)
j=1
 Extended Hidden Number Problem and Its Cryptanalytic Applications 121

where the integers x̄ and πj , 1 ≤ j ≤ m are known. The unknown integers

xj satisfy 0 ≤ xj < 2νj , where νj are known rational constants 1 ≤ j ≤ m.
Furthermore, let us be given d congruences
m
 li

αi 2πj xj + ρi,j ki,j ≡ βi − αi x̄ ( mod N ), 1 ≤ i ≤ d, (5)
j=1 j=1

where αi , αi ≡ 0 ( mod N ), 1 ≤ i ≤ d, πj , 1 ≤ j ≤ m, ρi,j , 1 ≤ i ≤ d,

1 ≤ j ≤ li and βi , 1 ≤ i ≤ d are known values. The unknown integers ki,j
satisfy 0 ≤ ki,j < 2μi,j , where µi,j are known, 1 ≤ i ≤ d, 1 ≤ j ≤ li . We define
m li d
τ = j=1 νj , ξi = j=1 µi,j , 1 ≤ i ≤ d and ξ = i=1 ξi .
The Extended Hidden Number Problem (EHNP) is to find (the hidden number)
x and its instance is represented by

d
m li
x̄, N, {πj , νj }j=1 , αi , {ρi,j , µi,j }j=1 , βi . (6)
i=1

Definition 4 (Lattice L(I, δ) and its basis matrix). For δ > 0 and a given
instance I = IEHN P of the EHNP we define L(I, δ) as the lattice spanned by
the rows of the matrix
⎛ ⎞
⎜ N · Id ∅ ∅ ⎟
⎜ ⎟
⎜ ⎟
⎜ ⎟
⎜ ⎟
⎜ ⎟
B = B(I, δ) = ⎜ A
⎜ X ∅ ⎟
⎟ ∈ QD×D ,
⎜ ⎟
⎜ T ⎟
⎜ ρ1 ⎟
⎜ ⎟
⎜ .. ⎟
⎝ . ∅ K ⎠
ρTd
d
where we define integers L = i=1 li and D = d + m + L, vectors

ρi = (ρi,1 , . . . , ρi,li ) ∈ Zli , 1≤i≤d

and matrices

A = (aj,i )1≤i≤d,1≤j≤m ∈ Zm×d , where aj,i = αi 2πj


δ δ
X = diag , . . . , ∈ Qm×m
2ν1 2νm

δ δ δ δ δ δ
K = diag , . . . , μ1,l , μ2,1 , . . . , μ2,l , . . . , μd,1 . . . , μd,l ∈ QL×L.
2μ1,1 2 1 2 2 2 2 2 d

Lemma 1 (Short vectors in L). Let I be an instance of the EHNP, where

αi , 1 ≤ i ≤ d and ρi,j , 1 ≤ i ≤ d, 1 ≤ j ≤ li are uniformly and independently
122 M. Hlaváč and T. Rosa

Algorithm 1. Finding a solution candidate for EHNP

Input: Instance I of EHNP
Output: Solution candidate z ∈ ZN
D 1
κD ← 2 (m+L) +1
4 2
1: 2
2: Choose  δ such that 0 < κD δ < 1
v ← (β1 − α1 x̄) mod N, . . . , (βd − αd x̄) mod N, δ2 , . . . , 2δ

3:
4: find W ∈ L = L(I, δ), W = (W1 , . . . , WD ) such that W − v ≤
D
2 4 minB∈L v − B //in polynomial time (§2)
5: for j = 1 to m do
ν
W 2 j
6: x′j ← d+j δ
//x′j ∈ Z
7: end for
8: z ← x̄ + m πj ′
j=1 2 xj mod N
9: return z

distributed on 1, N − 1 . Let δ, κD ∈ Q be such that 0 < δ, 0 < κD and κD δ < 1.

Then with the probability
L+m
(2κD ) 2τ +ξ
P >1− (7)
Nd
for each vector ∆ ∈ L = L(I, δ) with coordinates c = (e1 , . . . , ed , y1 , . . ., ym ,
t1,1 , . . . , t1,l1 , . . ., . . . , td,1 , . . . , td,ld ) w.r.t. basis B = B(I, δ) (i. e. ∆ = cB),
satisfying ∆∞ < κD δ

(i) there exists (a witness index) w, 1 ≤ w ≤ d such that

tw,j ≡ 0 ( mod N ), 1 ≤ j ≤ lw , (8)

m
(ii) j=1 2πj yj ≡ 0 ( mod N ) holds,
li
(iii) j=1 ρi,j ti,j ≡ 0 ( mod N ), 1 ≤ i ≤ d holds.

Proof. To be found in Appendix.

Theorem 5 (Correctness of the algorithm solving EHNP). Let x be the

solution of EHNP specified by the instance I = IEHN P where N is prime, αi ,
1 ≤ i ≤ d and ρi,j , 1 ≤ i ≤ d, 1 ≤ j ≤ li are uniformly and independently
distributed on 1, N − 1 . Then with the probability
L+m
(2κD ) 2τ +ξ
P >1− , (9)
Nd
D 1
2 4 (m+L) 2 +1
where κD = 2 , Algorithm 1 returns the correct particular solution of
instance I.
 Extended Hidden Number Problem and Its Cryptanalytic Applications 123

Proof. Let δ ∈ Q be such that 0 < κD δ < 1. By Definition 3 there exists vector
h = (c1 , . . . , cd , x1 , . . . , xm , k1,1 , . . . , k1,l1 , . . . , . . . , kd,1 , . . . , kd,ld ) ∈ ZD such
that
 m  li
ci N + αi 2πj xj + ρi,j ki,j = βi − αi x̄, 1 ≤ i ≤ d, (10)
j=1 j=1
0 ≤ xj < 2νj , 1 ≤ j ≤ m, (11)
0 ≤ ki,j < 2μi,j , 1 ≤ i ≤ d, 1 ≤ j ≤ li (12)
hold. Let B = B(I, δ) be the matrix defined in Definition 4 and let
H = hB ∈ L, L = L(I, δ),
δ δ
v = ((β1 − α1 x̄) mod N, . . . , (βd − αd x̄) mod N, , . . . , ) ∈ ZD .
2 2
Since the vector H − v is equal to

k k1,l1
0, . . . , 0, δ 2xν11 − 2δ , . . . , δ 2xνmm − 2δ , δ 2µ1,1 δ δ
1,1 − 2 , . . . , δ µ1,l1 − 2 , . . . ,
2

k δ kd,ld δ
d,1 − 2 , . . . , δ µd,ld − 2
. . . , δ 2µd,1 ,
2

and the bounds (11), (12) hold, we can write

δ
. v − H∞ <
2
A lattice vector W found in step 4 of the algorithm satisfies
D 1
D D 2 4 δ(m + L) 2
v − W ≤ 2 4 min v − A ≤ 2 4 v − H < . (13)
A∈L 2
Let ∆ = H − W ∈ L. Since a∞ ≤ a for all a ∈ ZD , by triangle inequality
we have
D 1
δ 2 4 δ(m + L) 2
∆∞ ≤ H − v∞ + v − W < + = κD δ. (14)
2 2
Let w, γ be the coordinate vectors of W, ∆, respectively, w.r.t. basis B and
w = (c′1 , . . . , c′d , x′1 , . . . , x′m , k1,1
′ ′
, . . . , k1,l 1
′
, . . . , . . . , kd,1 ′
, . . . , kd,l d
)
γ = (e1 , . . . , ed , y1 , . . . , ym , t1,1 , . . . , t1,l1 , . . . , . . . , td,1 , . . . , td,ld )
m
and z = x̄ + j=1 2πj x′j be the candidate returned by Algorithm 1. Since B is
L+m τ +ξ
nonsingular, γ = h−w. Then with the probability greater than 1− (2κD ) N d 2
,
guaranteed by Lemma 1, it holds
⎛ ⎞ ⎛ ⎞
m
 m

x − z ≡ ⎝x̄ + 2πj xj ⎠ − ⎝x̄ + 2πj x′j ⎠ ≡
j=1 j=1
m
 m

≡ 2πj (xj − x′j ) ≡ 2πj yj ≡ 0 ( mod N ).
j=1 j=1

Finally, since x, z ∈ ZN , we have x = z. ⊓

⊔
124 M. Hlaváč and T. Rosa

The distribution conditions in Theorem 5 can be, in a particular cryptanalytic

case, further relaxed using techniques like in [14]. For verification of the attack
in §5, however, we decided to use an experimental approach instead.

5 Real Scenario - Digital Signature Algorithm

5.1 DSA Key Disclosure Problem
Let us briefly recall the Digital Signature Algorithm (DSA) [1]. The public pa-
rameters are specified by triplet (p, q, g), where p and q are prime numbers
satisfying q|p − 1 and g ∈ Z∗p is a generator of the subgroup of order q in Z∗p . The
second revision of [1] requires 21023 < p < 21024 and 2159 < q < 2160 . The private
key x ∈ Zq is chosen uniformly at random from Zq and the corresponding public
key y ∈ Zp is computed as y = g x mod p. The couple (x, y) is called the DSA
key pair.
To create a signature (r, s) of a message m ∈ {0, 1}∗, the owner of the private
key x first generates a random number k ∈ Z∗q , which is usually referred to as
a nonce (number used once). Then she computes r = g k mod p mod q and
 

s = k −1 (h(m) + xr) mod q, where h is the hash function SHA-1 (see [2]) and
k −1 k ≡ 1 ( mod q).
To verify the signature pair (r, s) of a message m, having checked that 0 <
r < q and 0 < s < q, one computes w = s−1 mod q, u1 = h(m)w mod q, u2 =
rw mod q and v = (g u1 y u2 mod p) mod q. She accepts the message signature if
and only if v = r.
Definition 5 (DSA-KDP problem). Let (p, q, g) be public DSA parameters
and (x, y) DSA key pair. Let

ri = g ki mod p mod q, 1 ≤ i ≤ d
 
(15)
si = ki−1 (h(mi ) + xri ) mod q, 1≤i≤d (16)

be known signature pairs of known hashed messages h(mi ). Suppose an additional

information about the private key x and the nonces ki is known, as well, i.e.
m

x = x̄ + 2πj xj , 0 ≤ xj < 2νj , 1≤j≤m (17)
j=1
li

ki = k̄i + 2λi,j ki,j , 0 ≤ ki,j < 2μi,j , 1 ≤ i ≤ d, 1 ≤ j ≤ li , (18)
j=1

d
m l
where x̄, {πj , νj }j=1 , k̄i , {λi,j , µi,j }j=1
i
are known integers satisfying
i=1

x̄ ∈ Zq , k̄i ∈ Zq , 1≤i≤d
πj λi,j
2 ∈ Zq , 1 ≤ j ≤ m, 2 ∈ Zq , 1 ≤ i ≤ d, 1 ≤ j ≤ li
νj μi,j
2 ∈ Zq , 1 ≤ j ≤ m, 2 ∈ Zq , 1 ≤ i ≤ d, 1 ≤ j ≤ li
 Extended Hidden Number Problem and Its Cryptanalytic Applications 125

DSA key disclosure problem (DSA-KDP) is to find the private key x and its
instance IDSA is represented by

d
d m li
x̄, q, {ri , si , h(mi )}i=1 , {πj , νj }j=1 , k̄i , {λi,j , µi,j }j=1 .
i=1

Lemma 2 (Transition from DSA-KDP to EHNP). Let x be the particular

solution of the DSA-KDP problem specified by the instance IDSA . Let
N = q,
αi = ri , 1 ≤ i ≤ d
ρi,j = −si 2λi,j mod N, 1 ≤ i ≤ d, 1 ≤ j ≤ li ,
 
 
βi = si k̄i − h(mi ) mod N, 1 ≤ i ≤ d.
Then x can be found as the solution of EHNP specified by the instance

d
m li
x̄, N, {πj , νj }j=1 , αi , {ρi,j , µi,j }j=1 , βi . (19)
i=1

Proof. The lemma follows directly when (17) and (18) are substituted into (16)
in Definition 5. ⊓
⊔

5.2 Hyper-threading Technology

In [18], the author explores a side channel hidden in certain processors design
employing the Hyper-Threading Technology (HTT). The processors affected are
Intel Pentium 4, Mobile Pentium 4 and Xeon.
The size of L1 cache memory in hyper-threaded Pentium 4 is 8 KB (or 16
KB)1 . It is divided into 32 cache address classes consisting of 4 (or 8) cache lines
of 64 bytes. When a memory line is requested by a process, the processor first
checks whether the line is already loaded in L1 cache in the corresponding cache
class. In case it is, we say a cache hit occurs, contrary to a cache miss when the
line has to be loaded to L1 cache. Therefore, a cache miss takes a much longer
time than a cache hit and that can be recognized by the process.
A hyper-threaded Pentium 4 multiplexes two independent instruction streams
over one set of execution resources creating two virtual processing cores that
share certain physical resources, namely the L1 cache memory. This is an archi-
tectural design that leaves the Confinement Problem [5] unsolved leading to a
vital side channel. To the operating system, this platform appears as two logi-
cal CPUs, thus it can schedule two processes to be run at the same time. One
process cannot read the data of the other process, however, it can determine
whether the process running on the second virtual core used certain line of the
L1 cache or not by measuring the amount of time it takes to repeatedly read
several data blocks from the same cache address class.
In this way, we get a side information which can be used to discriminate
between two different operations performed by the process being spied [17], [18].
1
Depending on actual type.
126 M. Hlaváč and T. Rosa

When the two operations are different enough with respect to the memory access
they induce, we can easily identify them basing on a different “footprint” left in
the access time measurements (cf. Figure 2).
In [18], this side information was used to break an implementation of RSA
scheme. Here, we show that by using the EHNP approach described before, we
can break certain implementation of DSA algorithm, as well. In practice, this
attack threatens, for instance, applications like SSH [19], when the server runs on
an unsecured HTT platform and uses DSA for the server authentication. When
the attacker logs on the server, she can run the spy process on one processor
core, while she opens another SSH session with the server, hoping that it will
run on the second core. In this way, she gains the side information about DSA
signature computation when the server authenticates itself for the newly opened
connection. Collecting several such measurements, she can get enough informa-
tion to be able to solve the associated EHNP. From here, she gets the server’s
private key allowing her to impersonate the server.

5.3 Sliding Window Exponentiation

An OpenSSL-based SSH server uses the sliding window (SW) exponentiation al-
gorithm (cf. Algorithm 2)2 in the process of DSA authentication when computing
r = g k mod p. Two operations to be discriminated on the HTT platform by the
aforesaid technique are squaring (S) and multiplication (M ). Being able to iden-
tify the SW algorithm execution, the attacker obtains a sequence S ∈ {S, M }∗ .
To convert S to an information suitable for EHNP, one sets k ′ = 0 as the
first approximation of the nonce k. Then, she takes the next operation from S
and multiplies k ′ by 2 if the operation is S or adds 1 and adds a new “hole” for
M . Finally, the holes of zero length are filtered out from the output sequence.
This procedure, described by Algorithm 3, outputs the decomposition k = k ′ +
l λj μj
j=1 2 kj , 0 ≤ kj < 2 . On average case, the algorithm provides us with
78 known bits separated by 31 holes for the exponent size of 160 bits with the
sliding window length set to 4 (to match its definition in OpenSSL 0.9.7e).
In Figure 2, we can see the execution of SW algorithm from the spy process view-
point. The rows, each representing one of 32 memory classes in L1 cache, change
color from white standing for a very fast read operation, to black for slow data
reloads. To emphasize the different footprints, the extra top row displays the aver-
age gray level for the selected cache classes (in our case 24th, 25th and 26th class).
This row allows us to identify squaring and multiplication operations easily.

5.4 Practical Experiments

Algorithm 1 was implemented in C++ employing Shoup’s NTL library [20].
Several experiments were run for different number of signatures d. Each exper-
iment consisted of 10 instances of DSA-KDP with random public parameters,
2
Valid for the versions up to 0.9.7g. As from version 0.9.7h, OpenSSL uses fixed
window modular exponentiation by default for RSA, DSA, and DH private key
operations to prevent cache timing attacks.
 Extended Hidden Number Problem and Its Cryptanalytic Applications 127

Algorithm 2. Sliding window (SW) exponentiation; s is the SW length

Input: g, e = (et et−1 . . . e0 )2 , et = 1, s ≥ 1
Output: g e
1: g1 ← g, g2 ← g 2
2: for i = 1 to 2s−1 − 1 do
3: g2i+1 ← g2i−1 g2
4: end for
5: A ← 1, i ← t
6: while i ≥ 0 do
7: if ei = 0 then
8: A ← A2 //squaring
9: i ← i−1
10: else
11: find longest string (ei ei−1 . . . el ) such that i − l + 1 ≤ s and el = 1
i−l+1
12: A ← A2 g(ei ei−1 ...el )2 //i − l + 1 squarings, 1 multiplication
13: i←l−1
14: end if
15: end while
16: return A

31
L1 classes

0 ✲
Latency scans

Fig. 2. SW exponentiation observed through the side channel of L1 cache

random key pair and the signature pairs for d random messages. The results
of the experiments are displayed in Figures 3 and 4. The computing platform
employed was running GNU/Linux Debian on AMD Opteron 844. We used the
side channel emulation in these computations. Its real existence and usability
was successfully verified by technical experiments with an SSH server powered
by OpenSSL 0.9.7e on an unprotected Pentium 4 HTT platform, as well.
The bases were reduced by LLL reduction with delta = 0.99 (LLL XD(),
marked “LLL”). If such reduction did not lead to the key disclosure, stronger
Block Korkin-Zolotarev reduction with Givens rotations (G BKZ XD(), marked
“BKZ”) was employed with delta = 0.99, BlockSize = 40 and Prune = 15.
We ran several experiments with random DSA-KDP instances with the size
of DSA prime q set to 256 bits (which is the highest size allowed by the draft
128 M. Hlaváč and T. Rosa

Algorithm 3. Conversion of sequence from {S, M }∗ to the decomposition of k;

s is the SW length; (N is the upper bound on k)
Input: S ∈ {S, M }∗ , s ≥ 1, (N > 1)
Output: k̄, l, {λj , µj }lj=1
1: k̄ ← 0, L ← 0, Λ0 ← 1, w0 ← s − 1 //L, Λ, and w are internal only
2: A ← first(S)
3: repeat
4: if A = S then
5: k̄ ← 2k̄
6: for j = 0 to L do
7: Λj ← Λj + 1 //shift existing holes
8: end for
9: else
10: k̄ ← k̄ + 1
11: L ← L + 1, ΛL ← 1
12: wL ← min(s − 1, ΛL−1 + wL−1 − s − 1) //new, possibly empty, hole
13: end if
14: until A ← next(S)
15: if N is defined and Λ1 + w1 > ⌈log 2 N ⌉ then
16: w1 = ⌈log 2 N ⌉ − Λ1 //adjust the first hole
17: end if
18: l←0
19: for j = 1 to L do
20: if wj > 0 then
21: l ← l + 1, λl ← Λj , µl ← wj //keep the nonempty holes
22: end if
23: end for

10 16
LLL LLL
14
BKZ BKZ
8 12
time [103 s]

10
hit rate

6
8
4 6
4
2
2
0 0
0 5 10 15 20 25 0 5 10 15 20 25
d d

Fig. 3. The hit rate and the average duration of EHNP algorithm solving 10 random
instances of DSA-KDP, each derived from a simulated side channel leakages during the
signing operation with ⌈log2 q⌉ = 160
 Extended Hidden Number Problem and Its Cryptanalytic Applications 129

10 4.5
LLL 4 LLL

8 3.5

time [103 s]
3
hit rate

6 2.5
2
4
1.5
2 1
0.5
0 0
20 25 30 35 40 45 20 25 30 35 40 45
d d

Fig. 4. Hit rate and the average duration of EHNP algorithm solving 10 random in-
stances of DSA-KDP, each derived from a simulated side channel leakages during the
signing operation with ⌈log2 q⌉ = 256. Blocks of known bits shorter than 5 in length
are ignored (to reduce running time)

of Third revision of FIPS 186). The dimension of lattices associated is higher

resulting in longer running time, however, as shown in Figure 4, the private key
can be extracted for these instances, as well.

6 Conclusion
The Hidden Number Problem (HNP) was originally presented as a tool for prov-
ing cryptographic security of Diffie-Hellman and related schemes [7]. It was then
shown in [13] and [14] that HNP can be used for solving cryptanalytic problems
arising around DSA, as well. However, it still retained certain properties that
limited its suitability for real cryptanalytic attacks. In this article, we showed
how to overcome these limitations by formulation of the Extended Hidden Num-
ber Problem (EHNP) that covers significantly broader area of practical cases.
Algorithm for solving EHNP together with its formal analysis were presented.
We employed EHNP to develop a practically feasible side channel attack on
the OpenSSL implementation of DSA. This part of the paper is of independent
merit showing an inherent insecurity of the Pentium 4 HTT processor platform
for applications like SSH. For instance, having observed only 6 authentications to
the OpenSSL-powered SSH server, an attacker was able to disclose the server’s
private key.

Acknowledgment
The authors would like to thank Colin Percival for kindly providing them the
source code for his experiments and the anonymous referees for their valuable
130 M. Hlaváč and T. Rosa

comments. The first author thanks Jozef Jurı́ček for helpful discussions covering
several topics in probability theory. The second author appreciates eBanka a.s.
supporting these research activities.

References
1. Digital signature standard. National Institute of Standards and Technology, Wash-
ington (Note: Federal Information Processing Standard 186-2) (2000), URL:
http://csrc.nist.gov/publications/fips/
2. Secure hash standard. National Institute of Standards and Technology, Wash-
ington ( Note: Federal Information Processing Standard 180-2) (2002), URL:
http://csrc.nist.gov/publications/fips/
3. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. In:
Mehlhorn, K. (ed.) STACS 85. LNCS, vol. 182, pp. 13–20. Springer, Heidelberg
(1984)
4. Bellare, M., Goldwasser, S., Micciancio, D.: ”Pseudo-Random” number genera-
tion within cryptographic algorithms: The DDS case. In: Kaliski Jr., B.S. (ed.)
CRYPTO 1997. LNCS, vol. 1294, pp. 277–291. Springer, Heidelberg (1997)
5. Bishop, M.: Computer Security: Art and Science. Addison-Wesley, Reading (2003)
6. Boneh, D., Halevi, S., Howgrave-Graham, N.: The modular inversion hidden num-
ber problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51.
Springer, Heidelberg (2001)
7. Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of
secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO
1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996)
8. Frieze, A.M., Hastad, J., Kannan, R., Lagarias, J.C., Shamir, A.: Reconstructing
truncated integer variables satisfying linear congruences. SIAM Journal of Com-
puting 17(2), 262–280 (1988)
9. Groetschel, M., Lovász, L., Schrijver, A.: Geometric Algorithms and Combinatorial
Optimization, 2nd edn. Springer, Heidelberg (1993)
10. Howgrave-Graham, N.-A., Smart, N.P.: Lattice attacks on digital signature
schemes. Design, Codes and Cryptography 23, 283–290 (2001)
11. Intel Corporation. Intel(R) Pentium(R) 4 Processor supporting Hyper-Threading
Technology. URL:
http://www.intel.com/products/processor/pentium4/index.htm
12. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational
coefficients. Mathematische Ann. 261, 513–534 (1982)
13. Nguyen, P.Q.: The dark side of the hidden number problem: Lattice attacks on
DSA. In: Proc. of the Workshop on Cryptography and Computational Number
Theory (CCNT ’99), Basel, CH, pp. 321–330. Birkhäuser (2001)
14. Nguyen, P.Q., Shparlinski, I.: The insecurity of the digital signature algorithm with
partially known nonces. J. Cryptology 15(3), 151–176 (2002)
15. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R.J.F. (ed.)
EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
16. Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H.
(ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)
17. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: The
case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20.
Springer, Heidelberg (2006)
 Extended Hidden Number Problem and Its Cryptanalytic Applications 131

18. Percival, C.: Cache missing for fun and profit (2005), URL:
http://www.daemonology.net/papers/htt.pdf
19. OpenBSD project members. OpenSSH Suite. URL:
http://www.openssh.com/
20. Shoup, V.: NTL: A Library for doing Number Theory. URL:
http://www.shoup.net/ntl/
21. Shparlinski, I., Winterhof, A.: A hidden number problem in small subgroups. Math-
ematics of Computation 74(252), 2073–2080 (2005)

Appendix
Lemma 3 (Short solutions). Given prime N and s ∈ ZN , let ρ1 , . . . , ρl be
uniformly and independently distributed on ZN . Then the probability that the
congruence
l
ρj xj ≡ s ( mod N ) (20)
j=1

has a “short” non-trivial solution (t1 , . . . , tl ) ∈ (ZN )l satisfying |tj |N < Tj ,

1 ≤ j ≤ l is lower than
2l lj=1 Tj

. (21)
N
Proof. Let t = (t1 , . . . , tl ) be a non-zero l-tuple in (ZN )l with tk = 0. There
exist exactly N l−1 l-tuples
⎛ ⎛ ⎞ ⎞
l

(ρ1 , . . . , ρl ) = ⎝ρ1 , . . . , ρk−1 , (tk )−1 ⎝s − ρj tj ⎠ mod N, ρk+1 , . . . , ρl ⎠
j=1,j=k

such that t is a solution of (20). Consequently, there exist no more than

⎛⎛ ⎞ ⎞
l l
N l−1 ⎝⎝ (2Tj − 1)⎠ − 1⎠ < N l−1 2l Tj
j=1 j=1

l-tuples (ρ1 , . . . , ρl ) such that “short” non-trivial solution of (20) exists. Since
N l is total number of all l-tuples on ZN , the lemma follows. ⊓
⊔
Proof (of Lemma 1 on Short vectors in L). Let ∆ ∈ L be such that ∆∞ <
κD δ < 1. Then
 

d li 
πj
 
ei N + αi
 2 y j + ρ i,j i,j  =
t  |∆i | < 1, 1 ≤ i ≤ d (22)
 j=1 j=1 
 
 δ 
 2νj yj  =
  |∆d+j | < κD δ, 1 ≤ j ≤ m(23)
  
 δ   
1≤i≤d
 = ∆
t d+m+j+ u=1 lu  < κD δ, 1 ≤ j ≤ l(24)

 i,j i−1
 2μi,j  i
132 M. Hlaváč and T. Rosa

respectively implying
 
  d li 
πj
 
αi
 2 y j + ρ t
i,j i,j 
 = 0, 1≤i≤d (25)
 j=1 j=1 
N
|yj | < κD 2νj , 1≤j≤m (26)
|ti,j | < κD 2μi,j , 1 ≤ i ≤ d, 1 ≤ j ≤ li , (27)
since the expression on the left-hand side of (22) is an integer. Furthermore, (25)
is equivalent to the congruence
li
 d

ρi,j ti,j ≡ −αi 2πj yj ( mod N ), 1 ≤ i ≤ d. (28)
j=1 j=1

To prove (i), we have to show the probability PF that for all i, 1 ≤ i ≤ d

there exists j, 1 ≤ j ≤ li such that ti,j ≡ 0( mod N ) is bounded above as
L+m τ +ξ
PF < (2κD ) N d 2 . Regarding the algorithmic viewpoint of the whole paper,
it is worth emphasizing the following probability elaboration is focused on the
event that an “unwanted” vector does exist in the lattice at all, rather than
investigating the properties of a particular vector chosen. The algorithmic inter-
pretation is then that, obviously, the particular vector computed cannot have
the properties that no such vector in the lattice L(I, δ) has.
d
Fix an m-tuple (y1 , . . . , ym ) ∈ Zm and define Ri = −αi j=1 2πj yj mod N .
The substitution to congruence (28) gives
li

ρi,j ti,j ≡ Ri ( mod N ), 1 ≤ i ≤ d. (29)
j=1

Lemma 3 states non-trivial solution of (29) satisfying the bounds (27) exists
with the probability
 li
2li j=1 κD 2μi,j (2κD )li 2ξi
pi (y1 , . . . , ym ) < = . (30)
N N
For a fixed m-tuple (y1 , . . . , ym ), the probability that (29) and (27) can be
non-trivially satisfied for all i, 1 ≤ i ≤ d is
d d l L
  (2κD ) i 2ξi (2κD ) 2ξ
p(y1 , . . . , ym ) ≤ pi (y1 , . . . , ym ) < = . (31)
i=1 i=1
N Nd
m
There is no more than j=1 2κD 2νj = (2κD )m 2τ m-tuples (y1 , . . . , ym ) that
satisfy (26), therefore
L+m
 (2κD ) 2τ +ξ
PF ≤ p(y1 , . . . , ym ) < . (32)
Nd
y = (y1 , . . . , ym )
y satisfies (26)
 Extended Hidden Number Problem and Its Cryptanalytic Applications 133

To prove the congruence (ii) holds, it suffices to substitute tw,j ≡ 0 ( mod N ),

1 ≤ j ≤ lw from (i) to (28), i.e.
m
 lw

2πj yj ≡ −(αw )−1 ρw,j tw,j ≡ 0 ( mod N ), (33)
j=1 j=1

since (αw )−1 mod N exists, because αw ≡ 0 mod N and N is a prime.

Finally, substituting (ii) to the congruence (28), i.e.
li
 m

ρi,j ti,j ≡ −αi 2πj yj ≡ 0 ( mod N ), (34)
j=1 j=1

finishes the proof of (iii). ⊓

⊔