
Minerva: The curse of ECDSA nonces

Jan Jancar, Vladimir Sedlacek, Petr Svenda, Marek Sys


  1. Minerva: The curse of ECDSA nonces. Jan Jancar, Vladimir Sedlacek, Petr Svenda, Marek Sys

  3. Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces

  4. Discovery: EC Tester
     - Tool for testing black-box ECC implementations
       - JavaCards
       - Software libraries (15 supported)
     - Idea: Independently verify implementations are well-behaved and do not contain bugs
     - 12 test suites
     - crocs-muni/ECTester

     Jan Jancar, Minerva: The curse of ECDSA nonces, 2 / 17

  5. Discovery: ECDSA

     Sign(message $m$, private key $x$):
     1. $k \xleftarrow{\$} \mathbb{Z}_n$ (nonce)
     2. $r \equiv ([k]G)_x \bmod n$
     3. $s \equiv k^{-1}(H(m) + rx) \bmod n$
     4. Output $(r, s)$ as ASN.1 DER SEQUENCE

     Curve: $y^2 \equiv x^3 + ax + b$ over $\mathbb{F}_p$, $G \in E(\mathbb{F}_p)$, $|G| = n$ (prime)

     [Figure: elliptic-curve point addition with points $P$, $Q$, $-(P + Q)$ and $P + Q$]

  10. Discovery: ECDSA tests
      - ASN.1 parsing
      - Signature malleability
      - Test-vectors ~
      - Nonce randomness

      Let’s test timing as well!

  21. Discovery: ECDSA tests
      - ASN.1 parsing
      - Signature malleability
      - Test-vectors ~
      - Nonce randomness
      - Timing

      Beside the list: 1 Minerva, 1 Déjà Vu, 5, ..., 2 TPM-FAIL

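  22. Discovery: Tested

      | Type    | Name             | Version/Model          | Scalar multiplier  | Leakage |
      |---------|------------------|------------------------|--------------------|---------|
      | Library | OpenSSL          | 1.1.1d                 | Montgomery ladder  | no      |
      | Library | BouncyCastle     | 1.58                   | Comb method        | no      |
      | Library | SunEC            | JDK 7 - JDK 12         | Window-NAF         | no      |
      | Library | SunEC            | JDK 7 - JDK 12         | Lopez-Dahab ladder | yes*    |
      | Library | WolfSSL          | 4.0.0                  | Sliding window     | yes     |
      | Library | BoringSSL        | 974f4dddf              | Window method      | no      |
      | Library | libtomcrypt      | v1.18.2                | Sliding window     | no      |
      | Library | libgcrypt        | 1.8.4                  | Double-and-add     | yes*    |
      | Library | Botan            | 2.11.0                 | Window method      | no      |
      | Library | Microsoft CNG    | 10.0.17134.0           | Window method      | no      |
      | Library | mbedTLS          | 2.16.0                 | Comb method        | no      |
      | Library | MatrixSSL        | 4.2.1                  | Sliding window     | yes     |
      | Library | Intel PP Crypto  | 2020                   | Window-NAF         | no      |
      | Library | Crypto++         | 8.2                    | unknown            | yes     |
      | Card    | Athena IDProtect | 010b.0352.0005         | unknown            | yes*    |
      | Card    | NXP JCOP3        | J2A081, J2D081, J3H145 | unknown            | no      |
      | Card    | Infineon JTOP    | 52GLA080AL, SLE78      | unknown            | no      |
      | Card    | G+D SmartCafe    | v6, v7                 | unknown            | no      |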

  25. Discovery: Leak

      $[k]G$

      [Figure: signature time plotted against nonce bit-length (248 to 256)]

  26. Discovery: Leak

      $$L = \mathit{base} + \mathit{iter\_time} \cdot B + N$$

      // secp256r1 curve

      $$B \sim \mathrm{Geom}(p = 1/2, (256, 255, \ldots, 0))$$

      $$N \sim \mathrm{Norm}(0, \mathit{sdev}^2)$$

      [Figure: histogram of count against time (ns), for all signatures and per nonce bit-length (256b to 249b)]

  29. Exploitation: Hidden Number Problem
      - Average 1 LZB per signature
      - There is noise

      Hidden Number Problem (HNP) [1]: Given an oracle computing $O_{b,t}() = \mathrm{MSB}_l(at + b \bmod n)$ with $t$ u.i.d. in $\mathbb{Z}_n^*$, find $a$.

  30. Exploitation: Hidden Number Problem (HNP) [1]: Given an oracle computing $O_{r,s}() = \mathrm{MSB}_l(k \bmod n)$

  31. Exploitation: Hidden Number Problem (HNP) [1]: Given an oracle computing $O_{r,s}() = \mathrm{MSB}_l(x s^{-1} r + H(m) s^{-1} \bmod n)$, find $x$.

  36. Exploitation: Basic attack [2]
      - Collect $N$ signatures, take $d$ of the fastest
      - Assume some bounds $l_i$: $|k_i| = |x t_i - u_i| = |x s_i^{-1} r_i + H(m_i) s_i^{-1}| < n / 2^{l_i}$
      - Construct a lattice with basis $B$ and reduce it:

        $$B = \begin{pmatrix} 2^{l_1} n & 0 & 0 & \cdots & 0 & 0 \\ 0 & 2^{l_2} n & 0 & \cdots & 0 & 0 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & 2^{l_d} n & 0 \\ 2^{l_1} t_1 & 2^{l_2} t_2 & 2^{l_3} t_3 & \cdots & 2^{l_d} t_d & 1 \end{pmatrix}$$

      - Construct a target $u = (2^{l_1} u_1, \ldots, 2^{l_d} u_d, 0)$
      - Solve CVP($B$, $u$). The closest lattice point is often: $v = (2^{l_1} t_1 x, \ldots, 2^{l_d} t_d x, x)$
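The leakage model from the "Leak" slide, L = base + iter_time · B + N, can be used as a regression check on signing times in a test setup where the private key is known, so that each nonce and its bit-length can be recomputed from the signature. This is an added example, not code from the talk or from ECTester; the parameter values, the seed and the |t| > 4.5 decision threshold are assumptions chosen for illustration, and the timings are simulated rather than measured.

```python
import math
import random

def simulate(seed, samples, base, iter_time, sdev):
    """Draw (bit_length, duration_ns) pairs from L = base + iter_time * B + N."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(samples):
        bits = 256  # secp256r1 nonce, B ~ Geom(p = 1/2, (256, 255, ..., 0))
        while bits > 0 and rng.random() < 0.5:
            bits -= 1  # each further leading zero bit occurs with probability 1/2
        pairs.append((bits, base + iter_time * bits + rng.gauss(0, sdev)))
    return pairs

def slope_and_t(pairs):
    """Least-squares slope of duration on bit-length, and the slope's t-statistic."""
    n = len(pairs)
    mean_b = sum(b for b, _ in pairs) / n
    mean_t = sum(t for _, t in pairs) / n
    sxx = sum((b - mean_b) ** 2 for b, _ in pairs)
    sxy = sum((b - mean_b) * (t - mean_t) for b, t in pairs)
    slope = sxy / sxx
    resid = sum((t - mean_t - slope * (b - mean_b)) ** 2 for b, t in pairs)
    stderr = math.sqrt(resid / (n - 2) / sxx)
    return slope, slope / stderr

def leaks_bit_length(pairs, t_threshold=4.5):
    """Flag an implementation whose duration depends on the nonce bit-length."""
    return abs(slope_and_t(pairs)[1]) > t_threshold  # threshold is an assumption

def mean_leading_zero_bits(pairs):
    """Average number of leading zero bits per nonce in the sample."""
    return sum(256 - b for b, _ in pairs) / len(pairs)

if __name__ == "__main__":
    # Constructed parameters, not measurements from the talk.
    leaky = simulate(1, 5000, base=3_500_000, iter_time=1000, sdev=5000)
    fixed = simulate(1, 5000, base=3_756_000, iter_time=0, sdev=5000)
    for name, data in (("leaky", leaky), ("constant-time", fixed)):
        slope, t = slope_and_t(data)
        print(f"{name}: slope={slope:.0f} ns/bit, t={t:.1f}, "
              f"leak={leaks_bit_length(data)}")
    print(f"mean leading zero bits: {mean_leading_zero_bits(leaky):.2f}")
```

The estimated slope recovers iter_time, and an implementation with iter_time = 0 (fixed iteration count regardless of the nonce) produces no significant slope.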
