Squeezing a key through a carry bit - Sean Devlin, Filippo Valsorda



SLIDE 1

Squeezing a key through a carry bit

Sean Devlin, Filippo Valsorda

SLIDE 2
SLIDE 3
SLIDE 4

One month later

SLIDE 5

The code

a = a - b mod p

a = a - b
x = a
a = a + p

SLIDE 6

The code

a = a - b mod p

a = a - b
x = a
a = a + p

a = a - b
t = a
t += p
a ?> t

SLIDE 7

The code

a = a - b mod p

a = a - b
x = a
a = a + p

a < b

a = a - b
t = a
t += p
a ?> t

SLIDE 8

a = a - b
x = a
a = a + p

The bug

a = a - b
t = a
t += p
a ?> t

SLIDE 9

The bug

SLIDE 10

The bug

Wrong result with probability 2^-32

SLIDE 11

A carry propagation bug

SLIDE 12

ECCCCCCC

Elliptic Curve Cryptography Crash Course for CCC

  • Field: numbers modulo p
  • Points: like (3, 7); fitting an equation
  • Group: a generator point and addition
  • Multiplication: repeated addition
SLIDE 13

ECCCCCCCC

Elliptic Curve Cryptography Crash Course for CCC (cont.)

  • Multiplication: 5Q = Q + Q + Q + Q + Q
  • ECDH private key: a big integer d
  • ECDH public key: Q = dG (think y = g^a)
  • ECDH shared secret: Q2 = dQ1
SLIDE 14

Double and add

Q2 = dQ1

d is BIG. Like, 256 bit. Can't add Q to itself 2^256 times.

SLIDE 15

Double and add

Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1

+Q1 Z +Q

SLIDE 16

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

x2 Z +Q x2

Q2 = dQ1

SLIDE 17

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

x2 Z +Q x2 x2

Q2 = dQ1

SLIDE 18

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

+Q1 Z +Q x2 x2 +Q

Q2 = dQ1

SLIDE 19

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

Z +Q x2 x2 +Q x2 x2

Q2 = dQ1

SLIDE 20

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

Z +Q x2 x2 +Q x2 +Q +Q1

Q2 = dQ1

SLIDE 21

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

Z +Q x2 x2 +Q x2 +Q x2 x2

Q2 = dQ1

SLIDE 22

Double and add

1 0 1 0 1 1 1 0 1 0 1 1 0 1

Z +Q x2 x2 +Q x2 +Q x2 x2 ... x2

Q2 = dQ1

SLIDE 23

Back to the carry bug

SLIDE 24

secret = ScalarMult(point, scalar) ← Q2 = dQ
  └─ p256PointAddAffineAsm
       └─ p256SubInternal 💦

point: attacker supplied; scalar: secret key; secret: session key

SLIDE 25

Q1 → ScalarMult(Q1, )
Q2 → ScalarMult(Q2, )

1 1 1 0 1

Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1 💦

0 1 1 0 1

Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2 💦

SLIDE 26

Q1 → ScalarMult(Q1, ) → 💦
Q2 → ScalarMult(Q2, ) → ✅

? 1 1 0 1 ? 1 1 0 1 1 1 1 0 1

SLIDE 27

Q1 → Q2 →

0 1 1 0 1 1 1 1 0 1

Q1 → Q2 →

0 0 1 1 0 1 1 0 1 1 0 1

Q1 → Q2 →

0 1 0 1 1 0 1 1 1 0 1 1 0 1

💦 💦

SLIDE 28
SLIDE 29

Go implementation of ScalarMult

Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q.
Add, double 5 times.

01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ../

SLIDE 30

Precomp table

SLIDE 31

Multiplication loop

SLIDE 32

Go implementation of ScalarMult

Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q.
Add, double 5 times.
Limbs representation: less overlap and aliasing problems.

01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ../

{1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ../
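
The recoding on this slide, from bit groups to {index sign} pairs, worked through as an added example. It is not code from the talk or from the Go standard library: the names `boothRecode5`, `Recode` and `SignedValue` are chosen here, and the rule that each 6-bit input is the last bit of the previous group followed by the current group is an assumption that reproduces the slide's values.

```go
package main

import "fmt"

// Bit groups copied from the slide, most significant first (truncated there too).
var slideGroups = []string{"01", "00010", "01110", "01010", "01010",
	"10010", "00001", "01111", "10011", "01101"}

// Limb is one recoded window: Index selects 1Q..16Q from the precomputed
// table (0 = add nothing), Sign 1 means the selected point is subtracted.
type Limb struct{ Index, Sign int }

// boothRecode5 (hypothetical name) maps a 6-bit input to a signed digit in
// -16..16. It branches for readability; code handling a secret scalar needs
// the same arithmetic in branch-free form.
func boothRecode5(in uint) Limb {
	sign := 0
	if in >= 32 { // top bit set: negative digit, take the 6-bit complement
		sign, in = 1, 63-in
	}
	return Limb{int((in >> 1) + (in & 1)), sign}
}

// Recode builds each 6-bit input from the last bit of the previous group
// followed by the bits of the current group, then recodes it.
func Recode(groups []string) []Limb {
	var limbs []Limb
	prev := uint(0)
	for _, grp := range groups {
		in := prev
		for _, c := range grp {
			in = in<<1 | uint(c-'0')
		}
		limbs = append(limbs, boothRecode5(in))
		prev = in & 1
	}
	return limbs
}

// SignedValue evaluates the signed digits in radix 32.
func SignedValue(limbs []Limb) int64 {
	v := int64(0)
	for _, l := range limbs {
		v = v*32 + int64(l.Index*(1-2*l.Sign))
	}
	return v
}

func main() { fmt.Println(Recode(slideGroups)) }
```

With B the integer formed by the concatenated bit groups, `SignedValue` returns (B >> 1) + (B & 1), so the signed limbs still describe the same scalar prefix.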

SLIDE 33

Go implementation of ScalarMult

Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q.
Add, double 5 times.
Attack one limb at a time, instead of one bit.
34 limb values → 17 points / 5 key bits on average.

01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ../

SLIDE 34

Multiplication loop

💦 💦

SLIDE 35

Assembly hook

💦

SLIDE 36

💦 💦

SLIDE 37
SLIDE 38
SLIDE 39

The first limb

3 3 x2 x2 x2 x2 x2 → 3 x 2^5
Precomp Doubling Limb

💦

SLIDE 40

The first limb

3 3 x2 x2 x2 x2 x2 → 3 x 2^5
3 x2 6 x2 x2 x2 x2 x2 → 3 x 2^6
3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x 2^7
Precomp Doubling Limb

💦 💦 💦

SLIDE 41

The first limb

3 3 x2 x2 x2 x2 x2 → 3 x 2^5
3 x2 6 x2 x2 x2 x2 x2 → 3 x 2^6
3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x 2^7
Precomp Doubling Limb

💦 💦 💦 🔦 🔦💤

SLIDE 42

The last bits

SLIDE 43

🕴 🐿 🐿 🐿 🐿 🐿

Kangaroo jumps depend on the terrain at the start point.
Let a tracked kangaroo loose.
Place a trap at the end.

SLIDE 44

🕴 🐿 🐿 🐿 🐿 🐿 🐿 🐿 🐿 🐿

Kangaroo jumps depend on the terrain at the start point.
If the wild kangaroo intersects the path at any point, it ends up in the trap.

SLIDE 45

Back to elliptic curves.
A jump is Q_(N+1) = Q_N + H(Q_N) where H is a hash.
Same starting point, same jump.
You run from a known starting point, then from dG.
If you collide, you trace back to d!

🐿 🐿
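
The tame and wild walks described above, as an added example that is not code from the talk. It swaps the elliptic curve for the multiplicative group modulo the toy prime 2^31 - 1 and the hash for a power-of-two jump chosen from the current element; every name and parameter in it is an assumption made here.

```go
package main

import "fmt"

// Toy parameters chosen for this example (assumptions, not from the talk).
const (
	p = 2147483647 // 2^31 - 1, a prime modulus
	g = 7          // base element
	W = 1 << 16    // the unknown exponent d lies in [0, W)
)

func mul(a, b uint64) uint64 { return a * b % p }
func pow(b, e uint64) uint64 {
	r := uint64(1)
	for ; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = mul(r, b)
		}
		b = mul(b, b)
	}
	return r
}

// jump depends only on the current element: same point, same jump.
func jump(x uint64) uint64 { return 1 << (x % 10) }

// Kangaroo returns d in [0, W) with g^d = h, or -1 if every wild walk
// passed the trap without landing in it.
func Kangaroo(h uint64) int64 {
	// Tame walk: known start g^W, 1000 jumps, trap set at the end.
	trap, dT := pow(g, W), uint64(0)
	for i := 0; i < 1000; i++ {
		j := jump(trap)
		trap, dT = mul(trap, pow(g, j)), dT+j
	}
	// Wild walks: start at h*g^z; after a miss, restart with the next z.
	for z := uint64(0); z < 16; z++ {
		y, dW := mul(h, pow(g, z)), uint64(0)
		for dW <= W+dT {
			// In the trap the exponents agree: d + z + dW = W + dT.
			if d := W + dT - dW - z; y == trap && pow(g, d) == h {
				return int64(d)
			}
			j := jump(y)
			y, dW = mul(y, pow(g, j)), dW+j
		}
	}
	return -1
}

func main() { fmt.Println(Kangaroo(pow(g, 48879))) }
```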

SLIDE 46

A target

  • JSON Object Signing and Encryption, JOSE (JWT)
  • ECDH-ES public key algorithm
  • go-jose and Go 1.8.1
  • Check if the service successfully decrypts payload
SLIDE 47

Spot instance infrastructure

💼

Sage dispatcher

/work /result

SLIDE 48

Figures!

  • Each key: ~52 limbs, modulo the kangaroo
  • Each limb: ~16 points on average
  • Each point: ~2^26 candidate points
  • (2^26 * 16) candidate points: ~85 CPU hours
  • 85 CPU hours: $1.26 EC2 spot instances
  • Total: 4,400 CPU hours / $65 on EC2
SLIDE 49

Demo

SLIDE 50

Demo

SLIDE 51

Demo

SLIDE 52

Filippo Valsorda

@FiloSottile

Sean Devlin

@spdevlin

Thank you!

No bug is small enough.