DSA Bias Vulnerability

Consequences

Compromise of private signing key

Access required for attack

The attacker needs only to obtain a small number of signatures

Explanation

This vulnerability affects DSA signature operations. Before April 2016, the standard Oracle Java crypto provider contained a flaw that allowed the private key to be calculated based only on the values of 3-5 signatures.

The attack method is well-known and has appeared in academic publications (see below).

References

• CVE-2016-0695 (Oracle Java)
• Google Wycheproof Bugs List
• Lattice Attacks on Digital Signature Schemes, N.A. Howgrave-Graham and N.P. Smart.