squeezing a key through a carry bit
play

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda - PowerPoint PPT Presentation

Apr 05, 2024 •163 likes •695 views

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b The code x = a a = a + p a = a - b mod p a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a ?> t a = a - b

  1. Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda

  4. One month later

  5. a = a - b The code x = a a = a + p a = a - b mod p

  6. a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a �?> t

  7. a = a - b a = a - b a < b The code x = a t = a a = a + p a = a - b t += p mod p a �?> t

  8. a = a - b a = a - b x = a t = a The bug a = a + p t += p a �?> t

  9. The bug

  10. Wrong result with probability 2 -32 The bug

  11. A carry propagation bug

  12. ECCCCCCC Elliptic Curve Cryptography Crash Course for CCC • Field: numbers modulo p • Points: like (3, 7); fitting an equation • Group: a generator point and addition • Multiplication: repeated addition

  13. ECCCCCCCC Elliptic Curve Cryptography Crash Course for CCC (cont.) • Multiplication: 5Q = Q + Q + Q + Q + Q • ECDH private key: a big integer d • ECDH public key: Q = dG (think y = g a ) • ECDH shared secret: Q 2 = dQ 1

  14. Double and add Q 2 = dQ 1 d is BIG. Like, 256 bit. Can't add Q to itself 2 256 times.

  15. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q

  16. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2

  17. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2

  18. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q x2 x2 +Q

  19. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2

  20. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q x2 x2 +Q x2 +Q

  21. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2 +Q x2

  22. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2 +Q x2 x2 ...

  23. Back to the carry bug

  24. session key attacker supplied secret key secret = ScalarMult(point, scalar) ← Q 2 = dQ └─ p256PointAddA ffi neAsm └─ p256SubInternal 💦

  25. Q 1 → ScalarMult(Q 1 , ) 1 1 1 0 1 Z +Q 1 x2 x2 +Q 1 x2 +Q 1 x2 +Q 1 💦 Q 2 → ScalarMult(Q 2 , ) 0 1 1 0 1 Z +Q 2 x2 x2 +Q 2 x2 +Q 2 x2 x2 💦

  26. Q 1 → ScalarMult(Q 1 , ) → 💦 ? 1 1 0 1 Q 2 → ScalarMult(Q 2 , ) → ✅ ? 1 1 0 1 1 1 1 0 1

  27. Q 1 → 💦 0 1 1 0 1 Q 2 → 1 1 1 0 1 Q 1 → 0 0 1 1 0 1 Q 2 → 💦 1 0 1 1 0 1 Q 1 → 0 1 0 1 1 0 1 Q 2 → 1 1 0 1 1 0 1

  29. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../

  30. Precomp table

  31. Multiplication loop

  32. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../ Limbs representation: less overlap and aliasing problems. {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ��../

  33. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../ Attack one limb at a time, instead of one bit. 34 limb values → 17 points / 5 key bits on average.

  34. 💦 Multiplication loop 💦

  35. Assembly hook 💦

  36. 💦 💦

  39. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦

  40. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦 3 x2 6 x2 x2 x2 x2 x2 → 3 x2 6 💦 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x2 7 💦

  41. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦 3 x2 6 x2 x2 x2 x2 x2 → 3 x2 6 💦 🔦 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x2 7 💦 🔦💤

  42. The last bits

  43. Kangaroo jumps depend from the terrain at the start point. 🐿 🐿 🐿 🐿 🐿 🕴 Let a tracked kangaroo loose. Place a trap at the end.

  44. Kangaroo jumps depend from the terrain at the start point. 🐿 🐿 🐿 🐿 🐿 🕴 🐿 🐿 🐿 🐿 If the wild kangaroo intersects the path at any point, 
 it ends up in the trap.

  45. Back to elliptic curves. 🐿 🐿 A jump is Q N+1 = Q N + H(Q N ) where H is a hash. Same starting point, same jump. You run from a known starting point, then from dG. 
 If you collide, you traceback to d!

  46. A target • JSON Object Signing and Encryption, JOSE (JWT) • ECDH-ES public key algorithm • go-jose and Go 1.8.1 • Check if the service successfully decrypts payload

  47. Spot instance infrastructure Sage dispatcher /work 💼 /result

  48. Figures! • Each key: ~52 limbs, modulo the kangaroo • Each limb: ~16 points on average • Each point: ~2 26 candidate points • (2 26 * 16) candidate points: ~85 CPU hours • 85 CPU hours: $1.26 EC2 spot instances • Total: 4,400 CPU hours / $65 on EC2

  49. Demo

  50. Demo

  51. Demo

  52. Thank you! No bug is small enough. Sean Devlin @spdevlin Filippo Valsorda @FiloSottile

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing Information from Temporal Spatial Datasets Leverage exascale data and 2 computer resources to squeeze the most out of image, sensor or

642 views • 36 slides
Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation with EPR entanglement for next generation of gravitational wave detectors. Mateusz Bawaj on behalf of Virgo squeezing team Noise sources in Adv

248 views • 11 slides
Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder

Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder

Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder Carry-Skip Adder Carry-Lookahead Adder Lecture 11: Carry-Select Adder Adders Carry-Increment Adder Tree Adder David Harris Harvey Mudd

193 views • 8 slides
ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum

ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum

ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum B 1 0 1 1 Carry out Carry in ex Addition: 1-bit full adder A + Sum B Carry out Carry Carry Carry in A B Sum in out 0 0 0 A 0

343 views • 12 slides
FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

1 FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA) Switched carry-ripple adder Carry-skip adder Carry-lookahead adder Prefix adder Carry-select adder and conditional-sum adder

921 views • 57 slides
Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Plan INTRODUCTION DEPHASING MODEL LOSSES TEMPERATURE Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska , Li Yun, J.-C. Dornsetter Laboratoire Kastler Brossel, Ecole Normale Sup erieure,

645 views • 28 slides
Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP, vol.10, 113014 (2008) M. Owari 1,2 , M.B. Plenio 1,2 , E.S. Polzik 3 , A. Serafini 4 , and M. M. Wolf 3 Institute of Mathematical Science, Imperial

686 views • 32 slides
Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov University of Illinois at Urbana-Champaign Quasilinear equations, inverse problems and their applications dedicated to the memory of Gennadi

1.11k views • 85 slides
Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019 www.cs.northwestern.edu/~simonec/Research.html#Research_Variability Difficult to achieve energy wins in tiny devices Tiny devices include: Nano drones Implantable

490 views • 17 slides
ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1

ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1

Addition: ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1 Carry out Carry in ex 1-bit full adder A + Sum B Carry out n-bit addition: Sum i = A i + B i + CarryOut i-1 Need a bigger adder!

328 views • 12 slides
Figure5.2 Half-adder x i y i c 00 01 11 10 i 1 1 0 c i x i y c s i i + 1 i 1 1

Figure5.2 Half-adder x i y i c 00 01 11 10 i 1 1 0 c i x i y c s i i + 1 i 1 1

x 0 0 1 1 + y + 0 + 1 + 0 + 1 c s 0 0 0 1 0 1 1 0 Carry Sum (a) The four possible cases Carry Sum x y c s 0 0 0 0 0 1 0 1 1 0 0 1 1 1 1 0 (b) Truth table x s y x s HA y c c (c) Circuit (d)

232 views • 7 slides
CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B

CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B

1-bit Binary Adder CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B B B S S S S S A B Cin Cout S 0 0 0 0 0 0 0 0 1 1 A 0 1 0 0 1 S Foundations of 0 1 1 1 0 B 1

401 views • 7 slides
Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 .

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 .

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 . 1 ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain, Belgium. 2 ANSSI, 51 Bd de la Tour-Maubourg, 75700 Paris 07 SP, France. CARDIS

895 views • 68 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory Bandwidth GPGPU 2015: High Performance Computing with CUDA University of Cape Town (South Africa), April, 20 th -24 th , 2015 GPU 6x faster on

178 views • 4 slides
Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural networks Third level Fourth level Fifth level Albert Shaw, Daniel Hunter, Sammy Sidhu, and Forrest Iandola Levels of automated driving Edit

1.19k views • 45 slides
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica

A SAT-Based Approach for Index Calculus on Binary Elliptic Curves Monika Trimoska Sorina Ionica Gilles Dequen MIS Laboratory, University of Picardie Jules Verne AfricaCrypt 2020 Monika Trimoska Sorina Ionica Gilles Dequen A SAT-Based

327 views • 19 slides
AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret

AMMI Introduction to Deep Learning 8.4. Optimizing inputs Fran cois Fleuret https://fleuret.org/ammi-2018/ Thu Sep 6 16:00:44 CAT 2018 COLE POLYTECHNIQUE FDRALE DE LAUSANNE Maximum response samples Fran cois Fleuret AMMI

686 views • 45 slides
International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best

International Challenge on Informatics and Computational Thinking Informatics Europe Best Practices in Education Award 2015 Valentina Dagiene, Wolfgang Pohl www.bebras.org Informatics @ School www.bebras.org ~ 1980: hardware, algorithms

586 views • 17 slides
Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi

Balancing Usability and Security in a Video CAPTCHA Kurt Alfred Kluever Richard Zanibbi Google, Inc. Rochester Institute of Technology kak@google.com rlaz@cs.rit.edu Symposium on Usable Privacy and Security (SOUPS) 2009 July 15th-17th,

272 views • 26 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

708 views • 34 slides
M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker

M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker

M obile Transactions and Synchronization M obile Transactions and Synchronization Can Trker ETH Zurich S eminar &quot;Ubiquitous Information&quot;, 28.1 1 .2001 ... towards Pervasive Computing ... towards Pervasive Computing Gartner

448 views • 24 slides
Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook

Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook

Exploiting multilingual lexical resources to predict the compositionality of MWEs Paul Cook University of New Brunswick Compositionality Many MWEs exhibit semantic idiomaticity Compositionality: The extent to which the meaning of an MWE

599 views • 38 slides
Logical Structures in Natural Language: First order Logic (FoL): Entailment R AFFAELLA B ERNARDI U

Logical Structures in Natural Language: First order Logic (FoL): Entailment R AFFAELLA B ERNARDI U

Logical Structures in Natural Language: First order Logic (FoL): Entailment R AFFAELLA B ERNARDI U NIVERSIT ` A DEGLI S TUDI DI T RENTO E - MAIL : BERNARDI @ DISI . UNITN . IT Contents First Last Prev Next Contents 1 Satisfiability and

494 views • 13 slides

More recommend