
LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage

To appear in CCS'20

ePrint: 2020/615

Diego F. Aranha (1), Felipe R. Novaes (2), Akira Takahashi (1), Mehdi Tibouchi (3), Yuval Yarom (4)

August 12, 2020

(1) Dept. of CS and DIGIT, Aarhus University, Denmark
(2) University of Campinas, Brazil
(3) NTT Corporation, Japan
(4) University of Adelaide and Data61, Australia

This talk

New attacks on randomness leakage/bias in ECDSA/Schnorr-type schemes

• Discovered vulnerabilities in ECDSA implementations: OpenSSL and RELIC.
• Theoretical improvements to the attack framework for the Hidden Number Problem (HNP).
• Part I: How to acquire side-channel information.
• Part II: How to exploit side-channel information to recover the secret key.

Background: Attack on ECDSA Nonces

ECDSA and Schnorr Signatures

• The most popular signature schemes relying on the hardness of the (EC)DLP.
• The signing operation involves secret randomness k ∈ Z/qZ, often called the nonce.

Randomness in ECDSA/Schnorr-like Schemes

[Figure: Alice signs a message with her secret key; Bob verifies the signed message with Alice's public key and outputs 0/1.]

• k is a uniformly random value satisfying $k \equiv z + h \cdot x \pmod q$, where $z$ and $h$ are public and $x$ is the secret key.
• k should NEVER be reused or exposed: two signatures sharing the same k give $x = (z - z')/(h' - h) \bmod q$, and a single exposed k gives $x = (k - z)/h \bmod q$.

Risk of Biased/Leaky Randomness

[Figure: the same signing flow, now with a "Bias" or "Leak" arrow attached to the nonce k.]

• What if k is slightly biased or partially leaked? Attack!
• The secret key x is recovered by solving the hidden number problem (HNP).

Contributions

1. A novel class of cache attacks against ECDSA as implemented in OpenSSL 1.0.2u and 1.1.0l, and in RELIC 0.4.0.
   Affected curves: NIST P-192, P-224, P-256, P-384, P-521, B-283, K-283, K-409, B-571, sect163r1, secp192k1, secp256k1.
   Affected products: VMWare Photon, Chef, Wickr ?
2. Theoretical improvements to the Fourier analysis-based attack on the HNP.
   • Significantly reduced the required input data.
   • The attack becomes feasible with less than 1 bit of nonce bias/leakage per signature.
3. A full secret key recovery attack implemented against OpenSSL ECDSA over sect163r1 and NIST P-192.

Curve-based cryptography

Elliptic curves

An elliptic curve is the set of solutions $(x, y) \in F \times F$ of the Weierstrass equation

$$E: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

where $a_i \in F$ with discriminant $\Delta \neq 0$, together with a point at infinity $\infty$.

$$E_1: y^2 = x^3 + ax + b \text{ over } \mathbb{F}_p \qquad\qquad E_2: y^2 + xy = x^3 + ax^2 + b \text{ over } \mathbb{F}_{2^m}$$

Group law: the set of points under the operation ⊕ (chord and tangent) forms an additive group of order q with ∞ as the identity.

Coordinate system: for efficiency, a point in affine coordinates (x, y) is represented in projective coordinates (X, Y, Z) such that $x = X/Z^c$ and $y = Y/Z^d$.

[Figure: (a) Point addition R = P ⊕ Q; (b) Point doubling R = [2]P.]

ECDSA signing

Scalar multiplication is critical for both the performance and the security of ECC.

Algorithm 1 ECDSA signature generation
Input: signing key sk ∈ Z_q, message msg ∈ {0,1}*, group order q, base point G, and a cryptographic hash function H: {0,1}* → Z_q.
Output: a valid signature (r, s)
1: k ←$ Z_q^*
2: R = (r_x, r_y) ← [k]G
3: r ← r_x mod q
4: s ← (H(msg) + r·sk)/k mod q
5: return (r, s)

Rearranging step 4 gives $k \equiv H(\mathrm{msg})/s + (r/s) \cdot sk \pmod q$, i.e. the public pair $(z, h) = (H(\mathrm{msg})/s,\ r/s)$ of the previous slides is computable from every signature.

Critical: the scalar multiplication in step 2 must be implemented in constant time to avoid timing leakage about k.

Cache-timing attacks

Modern CPUs expose instructions (clflush) that let an unprivileged process evict chosen lines from the cache and later measure whether they were fetched again. When two programs share a library, a Flush+Reload attack on the shared code pages is possible:

[Figure: Flush+Reload on a shared library.]

Side-channel attacks in scalar multiplication

Algorithm 2 Left-to-right Montgomery ladder
Input: P = (x, y), k = (1, k_{t−2}, ..., k_1, k_0)
Output: Q = [k]P
1: R0 ← P, R1 ← [2]P
2: for i ← t−2 downto 0 do
3:   if k_i = 1 then
4:     R0 ← R0 ⊕ R1; R1 ← [2]R1
5:   else
6:     R1 ← R0 ⊕ R1; R0 ← [2]R0
7:   end if
8: end for
9: return Q = R0

For constant time:
• a fixed number of iterations, independent of the bit length of k;
• the accumulators R_i accessed in the same order regardless of k_i;
• the group law itself implemented in constant time.

Side-channel attacks in scalar multiplication

Algorithm 3 Left-to-right Montgomery ladder (fixed length, conditional swaps)
Input: P = (x, y), k = (1, k_{t−2}, ..., k_1, k_0)
Output: Q = [k]P
1: k′ ← Select(k + q, k + 2q)
2: R0 ← P, R1 ← [2]P
3: for i ← lg(q) − 1 downto 0 do
4:   Swap(R0, R1) if k′_i = 0
5:   R0 ← R0 ⊕ R1; R1 ← [2]R1
6:   Swap(R0, R1) if k′_i = 0
7: end for
8: return Q = R0

For constant time:
• A fixed number of iterations, obtained by adding one or two multiples of q: since [q]P = ∞, [k′]P = [k]P, and k′ always has lg(q) + 1 bits. When q is just below a power of 2, the MSB of k is preserved as the second MSB of k′.
• The branch is replaced by a conditional swap (ideally implemented in assembly).
• Careful implementation of the group law!

Side-channel attacks in scalar multiplication

Algorithm 3 is only as constant-time as its group law. In the first iteration of the loop, R1 is either the input point P, still in affine form (Z = 1), or [2]P, already projective, depending on whether the swap fired, i.e. on the second MSB of k′ (the MSB of k).

Critical: any leakage about k allows building a set of biased signatures, which is exactly the input the HNP attack of Part II needs.

Experimental setup

Target platforms:
• Intel Core i7-5500U @ 2.4GHz (Broadwell) and Core i7-3520M @ 2.9GHz
• TurboBoost disabled to reduce noise
• Binaries executed as an unprivileged user-space process
• OpenSSL built with the default configuration, with debugging symbols

Tooling:
• FR-Trace from the Mastik side-channel analysis toolkit
• Flush+Reload time slot set to 5,000 cycles
• Other cores run a performance-degradation workload that evicts the target code from the cache

Cache-timing attacks on prime curves

We can detect whether R1 is still in affine coordinates (Z = 1) when it is doubled, which is the case exactly when k′_i = 0. OpenSSL's point doubling over prime fields branches on the Z_is_one flag of the input point:

    (...)
    /* n0 = Y * Z, except that the multiplication is skipped when the
     * point is still affine (Z == 1): a secret-dependent code path */
    if (a->Z_is_one) {
        if (!BN_copy(n0, &a->Y))
            goto err;
    } else {
        if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
            goto err;
    }
    (...)

The two paths execute different code (BN_copy() versus field_mul()), and performance degradation can amplify the timing difference to ≈15,000 cycles.

Attack: Flush+Reload can detect whether BN_copy() is called with >99% precision.

Cache-timing attacks on prime curves

[Figure: sample Flush+Reload traces for the prime case when the second MSB is 1 and when it is 0 (access time in cycles vs. sample number; markers: call to BN_copy(), call to the next field operation, cache-hit threshold).]

Cache-timing attacks on binary curves

We can detect whether R1 is in projective coordinates (Z ≠ 1) when it is added, which is the case exactly when k′_i = 1. In OpenSSL's point addition over binary fields, whether the following field multiplications are executed depends on whether z2 = 1:

    (...)
    if (!BN_copy(t1, x))
        goto err;
    if (!group->meth->field_mul(group, x1, x1, z2, ctx))
        goto err;
    if (!group->meth->field_mul(group, z1, z1, x2, ctx))
        goto err;
    (...)

Performance degradation can amplify the timing difference to ≈100,000 cycles.

Attack: Flush+Reload can detect whether z2 = 1 with >99% precision.

Cache-timing attacks on binary curves

[Figure: sample Flush+Reload traces for the binary-curve case when the second MSB is 0 and when it is 1 (access time in cycles vs. sample number; markers: call to the first field multiplication, call to the second field multiplication, cache-hit threshold).]

Software countermeasures

There are at least three possible fixes:

1. Randomize the Z coordinates at the beginning of the scalar multiplication, so that no accumulator is ever in affine form.
2. Implement the group law in constant time, for example using complete addition formulas (no branches).
3. Implement the ladder over co-Z arithmetic, so that Z is never handled directly.

Coordinated disclosure: reported in December 2019, fixed in April 2020 with the first countermeasure.

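The following Python is an added, constructed model of the leak in Algorithm 3 and of countermeasure 1; it is neither OpenSSL code nor code from the paper. It builds a tiny curve y² = x³ + ax + b over F_1019 whose group order q sits just below 2^10 (as the NIST curve orders sit just below a power of 2), runs the ladder on k′ ∈ {k + q, k + 2q} with the conditional swaps, and records which branch the first doubling inside the loop takes, which is exactly the BN_copy()/field_mul() distinction that Flush+Reload observes. The curve search, the point representation with an explicit Z_is_one flag (OpenSSL tracks a flag, not the value of Z), the prime 1019, and all function names are this example's own assumptions.

```python
"""Toy model of the OpenSSL ladder leak (Algorithm 3) and of countermeasure 1.  Constructed
example, not OpenSSL or paper code: tiny curve over F_p with order q just below 2^n, and
Jacobian points carrying an explicit Z_is_one flag, as OpenSSL's EC_POINT does."""
import random

P_MOD = 1019               # prime with p = 3 (mod 4): square roots are one exponentiation
INF = (0, 1, 0, False)     # (X, Y, Z, Z_is_one); Z = 0 encodes the point at infinity

def count_points(a, b, p):
    """#E(F_p) by brute force: 1 + sum over x of the number of y with y^2 = x^3 + ax + b."""
    legendre = lambda v: 0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
    return 1 + sum(1 + legendre((x**3 + a * x + b) % p) for x in range(p))

def find_curve(p, a=1):
    """Pick b so that q = #E lies in [2^n - 8, 2^n): 'q just below a power of 2'."""
    n = p.bit_length()
    for b in range(1, p):
        if (4 * a**3 + 27 * b * b) % p == 0: continue          # singular curve, skip
        q = count_points(a, b, p)
        if 2**n - 8 <= q < 2**n: return a, b, q
    raise ValueError("no curve with the wanted order")

def base_point(a, b, p):                               # first affine point with y != 0
    for x in range(1, p):
        rhs = (x**3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if rhs and y * y % p == rhs: return (x, y, 1, True)

def dbl(pt, a, p, trace=None):
    """Jacobian doubling with the Z_is_one shortcut of OpenSSL's ec_GFp_simple_dbl()."""
    X, Y, Z, z_is_one = pt
    if Z == 0 or Y == 0: return INF
    if trace is not None:                              # what a probe on BN_copy() observes
        trace.append("BN_copy" if z_is_one else "field_mul")
    n0, z4 = (Y, 1) if z_is_one else (Y * Z % p, pow(Z, 4, p))
    S, M = 4 * X * Y * Y % p, (3 * X * X + a * z4) % p
    X3 = (M * M - 2 * S) % p
    Y3 = (M * (S - X3) - 8 * pow(Y, 4, p)) % p
    return (X3, Y3, 2 * n0 % p, False)

def add(p1, p2, a, p):
    """General Jacobian addition; results never carry the Z_is_one flag."""
    if p1[2] == 0: return p2
    if p2[2] == 0: return p1
    (X1, Y1, Z1, _), (X2, Y2, Z2, _) = p1, p2
    U1, U2 = X1 * Z2 * Z2 % p, X2 * Z1 * Z1 % p
    S1, S2 = Y1 * pow(Z2, 3, p) % p, Y2 * pow(Z1, 3, p) % p
    H, R = (U2 - U1) % p, (S2 - S1) % p
    if H == 0: return dbl(p1, a, p) if R == 0 else INF   # P == Q or P == -Q
    H2, H3 = H * H % p, H * H * H % p
    X3 = (R * R - H3 - 2 * U1 * H2) % p
    Y3 = (R * (U1 * H2 - X3) - S1 * H3) % p
    return (X3, Y3, H * Z1 * Z2 % p, False)

def to_affine(pt, p):
    X, Y, Z, _ = pt
    if Z == 0: return None
    zi = pow(Z, -1, p)
    return (X * zi * zi % p, Y * pow(zi, 3, p) % p)

def blind(pt, lam, p):
    """Countermeasure 1: (X, Y, Z) -> (lam^2 X, lam^3 Y, lam Z), the same affine point."""
    X, Y, Z, _ = pt
    return (X * lam * lam % p, Y * pow(lam, 3, p) % p, Z * lam % p, False)

def ladder(G, k, q, a, p, trace=None, rng=None):
    """Algorithm 3: k' in {k+q, k+2q} with lg(q)+1 bits, conditional swaps, [k']G = [k]G."""
    n = q.bit_length()
    kp = k + q if (k + q).bit_length() == n + 1 else k + 2 * q
    R0, R1 = G, dbl(G, a, p)
    if rng is not None:                                # the fix: randomize both Z's up front
        R0, R1 = blind(R0, rng.randrange(1, p), p), blind(R1, rng.randrange(1, p), p)
    for i in range(n - 1, -1, -1):                     # bit n of k' is implicit in R0, R1
        swap = (kp >> i) & 1 == 0
        if swap: R0, R1 = R1, R0
        R0 = add(R0, R1, a, p)
        R1 = dbl(R1, a, p, trace)                      # 1st round: R1 is affine G iff k'_{n-1} = 0
        if swap: R0, R1 = R1, R0
    return R0

def scalar_mul_ref(G, k, a, p):                        # repeated addition, to check the ladder
    R = INF
    for _ in range(k): R = add(R, G, a, p)
    return R

def leaked_bit(G, k, q, a, p, rng=None):               # the one bit a BN_copy() probe reveals
    trace = []
    ladder(G, k, q, a, p, trace, rng)
    return 0 if trace[0] == "BN_copy" else 1

def demo(samples=300, seed=1):
    rng = random.Random(seed)
    a, b, q = find_curve(P_MOD)
    G = base_point(a, b, P_MOD)
    ks = [rng.randrange(1, q) for _ in range(samples)]
    agree = sum(leaked_bit(G, k, q, a, P_MOD) == ((k >> (q.bit_length() - 1)) & 1) for k in ks) / samples
    blinded = {leaked_bit(G, k, q, a, P_MOD, rng) for k in ks}
    correct = all(to_affine(ladder(G, k, q, a, P_MOD, rng=r), P_MOD)
                  == to_affine(scalar_mul_ref(G, k, a, P_MOD), P_MOD) for k in ks[:40] for r in (None, rng))
    return {"q": q, "leak_agreement": agree, "blinded_leaks": blinded, "ladder_correct": correct}
```

demo() reports the fraction of random k for which the observed branch equals MSB(k): it is 1 except for the narrow band of k within δ of 0 or of 2^(n−1), where q = 2^n − δ, which is the "q just below a power of 2" caveat of the slide. With Z randomized up front the observation is constant for every k, and the ladder still returns [k]G. Note that the branch is driven by the flag, not by the value of Z, which is why randomizing Z at the start of the scalar multiplication is enough to close this particular channel.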

Main takeaways

• Securely implementing brittle cryptographic algorithms is still hard.
• Do not underestimate timing leakage, even if tiny, without careful analysis.
• Upgrade OpenSSL to 1.1.1 (or 3.0 when available) as soon as possible!

Part II: How to Exploit Randomness Bias/Leakage

Overview

• Recover the ECDSA secret key by solving the hidden number problem (HNP) [BV96].
• Improved theoretical analysis of the Fourier analysis-based attack devised by Bleichenbacher.
• The technique applies to other sources of bias/leakage.
• Connection with K-list sum algorithms for the generalized birthday problem (GBP).

The problem we tackle: 1 bit of nonce leakage

Definition (Hidden Number Problem with MSB Leakage)
Let $h_i$ and $k_i$ be uniformly random elements of $\mathbb{Z}_q$ for each $i \in [1, M]$, and let $z_i = k_i - h_i \cdot sk \bmod q$. The HNP asks to find $sk$ given the pairs $(h_i, z_i)$ and $\mathrm{MSB}(k_i)$ for all $i$.

The problem we tackle: less than 1 bit of nonce leakage

Definition (Hidden Number Problem with Erroneous MSB Leakage)
Let $h_i$ and $k_i$ be uniformly random elements of $\mathbb{Z}_q$ for each $i \in [1, M]$, and let $z_i = k_i - h_i \cdot sk \bmod q$. The HNP with error rate $\epsilon \in [0, 1/2]$ asks to find $sk$ given the pairs $(h_i, z_i)$ and, for all $i$, a bit that equals $\mathrm{MSB}(k_i)$ with probability $1 - \epsilon$ and $\mathrm{MSB}(k_i) \oplus 1$ with probability $\epsilon$.

The error rate $\epsilon$ models the attacker's misdetections during the side-channel acquisition; "less than 1 bit" refers to the information each such noisy bit actually carries.

How to attack the HNP

[Figure: two regimes. Lattice attacks: more bias/leakage per signature and fewer signatures. Fourier analysis (Bleichenbacher): less bias/leakage per signature and more signatures.]

We set new records!

Table 1: Comparison with the previous records of solutions to the HNP. Columns are bits of nonce leakage per signature ("<1" meaning erroneous 1-bit leakage), rows are the size of the group order; cells are listed from lower to higher leakage.

• 384-bit: [CABuH+19]; [DHMP13]
• 256-bit: [TTA18]; [TTA18], [AGB20]; [PGB17, DDE+18, Rya18, Rya19, MSEH19, WSBS20]
• 192-bit: <1 bit: this work; 1 bit: this work
• 160-bit: <1 bit: this work; 1 bit: this work (less data), [AFG+14, Ble05]; 2 bits: [LN13]; 3 bits: [NS02]

• For the 160-bit HNP with a 1-bit leak: from 8 billion inputs (Asiacrypt'14) down to 8 million.
• (Presumably) reproduces the mysterious experimental result from the Crypto'05 rump session.
• First practical solution to the 192-bit HNP with (less than) 1 bit of leakage!

Fundamentals of Bleichenbacher's Framework

The Fourier analysis-based attack

• Originally proposed by Bleichenbacher ≈20 years ago, revisited by De Mulder et al. (CHES'13), Aranha et al. (ASIACRYPT'14) and Takahashi et al. (CHES'18).
• (+) Can exploit arbitrarily small bias/leakage of the randomness to solve the HNP; cf. lattice attacks, which typically require at least 3 bits.
• (+) Can handle erroneous input out of the box.
• (−) Large data complexity: billions of signatures to attack 1-bit leakage.

Can we reduce the data complexity?

Bleichenbacher's Attack: High-level Overview

• Step 1. Quantify the modular bias of the randomness k:
  • $\mathrm{Bias}_q(K) \approx 0$ if k is uniform in $\mathbb{Z}_q$;
  • $\mathrm{Bias}_q(K) \approx 1$ if k is strongly biased.
• Step 2. Find the candidate secret key that leads to the peak of $\mathrm{Bias}_q(K)$.
  • Optimization: collision search on the integers h.
  • Detect the bias peak correctly and efficiently.

Step 1. Bias Function (Essentially a DFT)

Definition
The sampled bias of a set of points $K = \{k_i\}_{i \in [1,M]}$ in $\mathbb{Z}/q\mathbb{Z}$ is defined by

$$\mathrm{Bias}_q(K) = \frac{1}{M} \sum_{i \in [1,M]} e^{2\pi i k_i / q}.$$

Handy Form of the Bias Function

  b              0    1       2       3       4
  |Bias_q(K)|    0    0.6366  0.9003  0.9745  0.9936

Lemma (informal)
If the top b bits of the randomness k are fixed, e.g.

  k1 = 011101...
  k2 = 010110...
  ...

then its modular bias can be estimated as

$$|\mathrm{Bias}_q(K)| \approx \frac{2^b}{\pi} \sin\left(\frac{\pi}{2^b}\right).$$
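The estimate in the lemma can be derived in two lines (added here; the slide states only the result). If the top b bits of k are fixed, k is uniform over a block of $q/2^b$ consecutive residues; shifting that block to $[0, q/2^b)$ multiplies $\mathrm{Bias}_q(K)$ by a unit-modulus phase and so leaves $|\mathrm{Bias}_q(K)|$ unchanged. Approximating the sum by an integral,

$$\mathrm{Bias}_q(K) \approx \frac{2^b}{q}\int_0^{q/2^b} e^{2\pi i t/q}\,dt = \frac{2^b}{2\pi i}\left(e^{2\pi i/2^b} - 1\right),$$

and with $|e^{i\theta} - 1| = 2\sin(\theta/2)$,

$$|\mathrm{Bias}_q(K)| \approx \frac{2^b}{2\pi}\cdot 2\sin\frac{\pi}{2^b} = \frac{2^b}{\pi}\sin\frac{\pi}{2^b},$$

which gives $2/\pi \approx 0.6366$ for $b = 1$, the first nonzero entry of the table. The sampled bias of M genuinely uniform values has magnitude about $1/\sqrt{M}$; that is the noise floor the signal must stay above, and the collision search later in the talk raises the exponent, since a combination of K nonces has bias about $|\mathrm{Bias}_q(K)|^K$.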

Step 2. Detecting the Bias Peak (Naïve Approach)

1. Given M signatures $\{(h_i, z_i)\}_{i \in [1,M]}$ satisfying $k_i \equiv z_i + h_i \cdot sk \pmod q$.
2. Pick a secret key candidate $w \in \mathbb{Z}_q$ and compute the corresponding randomness $K_w = \{z_i + h_i \cdot w \bmod q\}_{i \in [1,M]}$.
3. Compute $\mathrm{Bias}_q(K_w)$ with an FFT (grouping the samples by $h_i$ evaluates all candidates w at once).
4. If the guess is correct ($w = sk$), a significant nonzero sampled bias appears; for wrong guesses the value stays at the noise floor of about $1/\sqrt{M}$.

[Figure: $|\mathrm{Bias}_q(K_w)|$ as a function of w: a single narrow peak at w = sk with height up to 1, above a noise floor of $1/\sqrt{M}$.]

Problem: the Naïve Approach is Inefficient!

• The peak only appears if you hit the exact solution, i.e. w = sk.
• Clearly infeasible for large q: for an input table of size q, the FFT takes O(q) space and O(q log q) time.

[Figure: the same narrow peak at w = sk, now among q candidates.]

Solution: Collision Search to Broaden the Peak

• Bleichenbacher's observation: reduce the range of the $h_i$ to $[0, L]$ with $L \ll q$ by taking (small) linear combinations of the $h_i$.
  • (+) The peak width broadens to about q/L.
  • (−) The peak height decays: a combination of K nonces has bias about $|\mathrm{Bias}_q(K)|^K$.
• It is then sufficient to check the L candidates $w_i = i \cdot q/L$ for $i \in [0, L]$!
• Now the FFT only takes O(L) space and O(L log L) time.

[Figure: the broadened peak of width q/L and reduced height $|\mathrm{Bias}_q(K)|^K$ above the noise floor $1/\sqrt{M'}$, with the grid of L candidates catching it.]

Collision Search Problem in Bleichenbacher's Framework

Given: M signature pairs $\{(h_i, z_i)\}_{i \in [1,M]}$ and a memory budget for the FFT, $L_{\mathrm{FFT}} \ll q$.

Find: sufficiently many (say M′) linear combinations

$$h'_j = \omega_{1,j} h_1 + \dots + \omega_{M,j} h_M, \qquad z'_j = \omega_{1,j} z_1 + \dots + \omega_{M,j} z_M$$

for $j \in [0, M']$, such that
• the $h'_j$ are small: $h'_j < L_{\mathrm{FFT}}$;
• the coefficients are sparse: with $K := \sum_i |\omega_{i,j}|$, we need $|\mathrm{Bias}_q(K)|^K \gg 1/\sqrt{M'}$, i.e. the peak height must exceed the noise floor.

The combined nonces $k'_j = \sum_i \omega_{i,j} k_i$ still satisfy $k'_j \equiv z'_j + h'_j \cdot sk \pmod q$, the same relation as the original samples, which is why the reduced instance can be attacked as before.

Looks like a subset sum problem? Difference: we need many linear combinations instead of a single exact solution.
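The following Python is an added, constructed walk-through of the pipeline described on the preceding slides; it is not the authors' code. It generates ECDSA-style signatures from the signing equation of Algorithm 1, converts them to HNP pairs (h, z) = (r/s, H(msg)/s), keeps the ones whose leaked MSB is 0 (a 1-bit bias, |Bias| ≈ 0.6366), performs one sort-and-difference round as a 2-list stand-in for the K-list collision search so that every h′ is below L_FFT, and then evaluates Bias_q(K_w) on the L_FFT candidates w_j ≈ j·q/L_FFT with a single FFT. It also implements the nonce-reuse formula x = (z − z′)/(h′ − h) from the background slides. The 16-bit prime q = 65521, the random stand-in for r (the attack never needs the curve point), the parameters m = 4096 and L_FFT = 1024, and all function names are assumptions of this example.

```python
"""Toy Bleichenbacher attack on the HNP with 1-bit (MSB) nonce leakage.
Constructed example, not the paper's code: a 16-bit prime q stands in for the group
order, signatures follow Algorithm 1 algebraically, and one sort-and-difference round
(a 2-list collision search) stands in for the K-list sum algorithm."""
import cmath
import math
import random

Q = 65521                            # largest prime below 2^16, so lg(q) = 16
N_BITS = Q.bit_length()


def fft(a):
    """Radix-2 Cooley-Tukey DFT with the +2*pi*i kernel of the bias function."""
    n = len(a)
    if n == 1:
        return list(a)
    even, odd = fft(a[0::2]), fft(a[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def sign(sk, k, e, r, q=Q):
    """Step 4 of Algorithm 1: s = (e + r*sk) / k mod q, with e = H(msg)."""
    return (e + r * sk) * pow(k, -1, q) % q


def hnp_pair(r, s, e, q=Q):
    """(r, s, e) -> (h, z) = (r/s, e/s) so that k = z + h*sk mod q."""
    s_inv = pow(s, -1, q)
    return (r * s_inv % q, e * s_inv % q)


def key_from_reused_nonce(pair1, pair2, q=Q):
    """Two signatures with the same k: x = (z - z') / (h' - h) mod q."""
    (h1, z1), (h2, z2) = pair1, pair2
    return (z1 - z2) * pow((h2 - h1) % q, -1, q) % q


def make_signatures(sk, m, rng, q=Q):
    """(r, s, e, MSB(k)) for m random nonces.  r is a constructed stand-in: real ECDSA
    uses r = x([k]G) mod q, but the attack only relies on the signing equation."""
    out = []
    for _ in range(m):
        k, e, r = rng.randrange(1, q), rng.randrange(q), rng.randrange(1, q)
        out.append((r, sign(sk, k, e, r, q), e, k >> (N_BITS - 1)))
    return out


def to_hnp(sigs, q=Q):
    """Keep the signatures whose leaked MSB is 0: their nonces lie in [0, 2^15), so the
    top bit is fixed and |Bias_q(K)| ~ 2/pi = 0.6366 (b = 1 in the lemma)."""
    return [hnp_pair(r, s, e, q) for r, s, e, msb in sigs if msb == 0]


def sort_and_difference(pairs, bound, q=Q):
    """2-list collision search: neighbours in sorted h give h' = h_j - h_i < bound.
    The combined nonce k' = k_j - k_i has bias |Bias|^2 (K = 2 nonzero coefficients)."""
    pairs = sorted(pairs)
    return [(h2 - h1, (z2 - z1) % q)
            for (h1, z1), (h2, z2) in zip(pairs, pairs[1:]) if h2 - h1 < bound]


def bias_peak(reduced, l_fft, q=Q):
    """Step 2 on the reduced instance: |Bias_q(K_w)| for w_j ~ j*q/l_fft, j in [0, l_fft).
    Since h' < l_fft, exp(2*pi*i*h'*w_j/q) ~ exp(2*pi*i*h'*j/l_fft), so bucketing the
    samples by h' turns all l_fft candidate evaluations into a single FFT."""
    z_by_h = [0j] * l_fft
    for h, z in reduced:
        z_by_h[h] += cmath.exp(2j * math.pi * z / q)
    spectrum = [abs(v) / len(reduced) for v in fft(z_by_h)]
    j_star = max(range(l_fft), key=spectrum.__getitem__)
    return round(j_star * q / l_fft), spectrum[j_star], sorted(spectrum)[l_fft // 2]


def attack(m=4096, l_fft=1024, seed=1, q=Q):
    """Full toy run: sign, reduce, FFT; returns the guess for sk's top bits and the peak."""
    rng = random.Random(seed)
    sk = rng.randrange(1, q)
    pairs = to_hnp(make_signatures(sk, m, rng, q), q)
    reduced = sort_and_difference(pairs, l_fft // 4, q)   # h' < l_fft/4: small phase error
    guess, peak, noise = bias_peak(reduced, l_fft, q)
    err = min(abs(guess - sk), q - abs(guess - sk))
    return {"sk": sk, "guess": guess, "error": err, "spacing": q / l_fft,
            "peak": peak, "noise_floor": noise, "samples": len(reduced)}
```

attack() returns the candidate under the peak. With these parameters the peak sits near 0.4 (the squared 1-bit bias, 0.6366²) against a noise floor near 1/√M′ ≈ 0.02, and the guess lands within a few candidate spacings of sk, i.e. the attack recovers sk's top bits; the remaining bits are then recovered much more cheaply, as the experimental slides note, by repeating the search with the known bits fixed. The price of the reduction is visible in the numbers: one sort-and-difference round doubles K and so squares the bias (0.64 to 0.41) in exchange for shrinking the FFT from q to L_FFT entries, which is the time-memory-data tradeoff the next slides quantify.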

Applying the K-list Sum Algorithm for the Generalized Birthday Problem (GBP) and Unified Tradeoffs

K-list Sum Algorithm for GBP (e.g., K = 4)

[Figure: the four input lists initially, then the partial collisions found between pairs of lists.]

Applying Howgrave-Graham and Joux's K-list Sum Algorithm

• More flexible than Wagner's original K-list algorithm for the GBP.
• Advantages:
  • (+) Configurable time-memory tradeoffs
  • (+) Highly parallelizable
• Question: for given MSB information from the HNP and the attacker's budget of computational resources, what is the optimal balance between the time, memory, and input data complexities?

Unified Time-Memory-Data Tradeoffs

Generalizing [Din19], for the i-th round of HGJ's 4-list sum:

$$2^4 \, M_{i+1} = \frac{T_i \, M_i^2}{N_i}$$

where
  $M_{i+1}$        number of output samples (= solutions)
  $T_i$            time complexity
  $M_i$            memory complexity
  $M_0$            number of input samples
  $N_i = 2^{n_i}$  an $n_i$-bit collision is found

We can estimate the optimal time-memory-data balance together with the constraints from Bleichenbacher's framework!

Tradeoff Graphs for 1-bit Bias

[Figure 1: Time–Data tradeoffs when memory is fixed to 2^35. Four panels, one per curve (sect163r1, P-192, P-224, P-256), each plotting log2(Time) against log2(Data) for log2 L_FFT = 35, 40, 45. The data axes span roughly 2^20 to 2^50 (sect163r1), 2^25 to 2^55 (P-192), 2^30 to 2^60 (P-224) and 2^40 to 2^70 (P-256); the time axes span 2^25 to 2^65.]

*The paper has various tradeoff graphs and improved complexity estimates for 2-3 bits of bias.

Experimental Results on Full Key Recovery

Target      Facility     Error rate  Input (collision)  Output (collision)  Threads (collision)  Time   RAM    L_FFT  Recovered MSBs
NIST P-192  AWS EC2      0           2^29               2^29                96 × 24              113h   492GB  2^38   39
NIST P-192  AWS EC2      1%          2^35               2^30                96 × 24              52h    492GB  2^37   39
sect163r1   Cluster      0           2^23               2^27                16 × 16              7h     80GB   2^35   36
sect163r1   Workstation  2.7%        2^24               2^29                48                   42h    250GB  2^34   35

• Recovering the remaining bits is much cheaper in Bleichenbacher's framework.
• The attack on sect163r1 is even feasible on a laptop.
• Attacks on P-224 with 1-bit bias or P-256 with 2-bit bias are also tractable.

Conclusion

• Even less than 1 bit of nonce leakage is a practical concern!
• Interesting connection between the HNP and the GBP (from symmetric-key crypto).
• Open questions:
  • More list sum algorithms and tradeoffs?
  • Improvements to the FFT computation?
  • Other sources of small leakage?
  • 2 or 3 bits of leakage/bias can be attacked with far fewer input signatures.
  • Analyze the behavior of the bias function for more patterns of noisy leakage.

Thank you! & Questions?

More details at https://ia.cr/2020/615

References

[AFG+14] Diego F. Aranha, Pierre-Alain Fouque, Benoît Gérard, Jean-Gabriel Kammerer, Mehdi Tibouchi, and Jean-Christophe Zapalowicz. GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 262–281. Springer, Heidelberg, December 2014.

[AGB20] Alejandro Cabrera Aldaya, Cesar Pereida García, and Billy Bob Brumley. From A to Z: Projective coordinates leakage in the wild. Cryptology ePrint Archive, Report 2020/432, 2020. https://eprint.iacr.org/2020/432.

[Ble05] Daniel Bleichenbacher. Experiments with DSA. Rump session at CRYPTO 2005, 2005. Available from https://www.iacr.org/conferences/crypto2005/r/3.pdf.

[BV96] Dan Boneh and Ramarathnam Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Neal Koblitz, editor, CRYPTO'96, volume 1109 of LNCS, pages 129–142. Springer, Heidelberg, August 1996.

[CABuH+19] Alejandro Cabrera Aldaya, Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida García, and Nicola Tuveri. Port contention for fun and profit. In 2019 IEEE Symposium on Security and Privacy, pages 870–887. IEEE Computer Society Press, May 2019.

[DDE+18] Fergus Dall, Gabrielle De Micheli, Thomas Eisenbarth, Daniel Genkin, Nadia Heninger, Ahmad Moghimi, and Yuval Yarom. CacheQuote: Efficiently recovering long-term secrets of SGX EPID via cache attacks. IACR TCHES, 2018(2):171–191, 2018. https://tches.iacr.org/index.php/TCHES/article/view/879.

[DHMP13] Elke De Mulder, Michael Hutter, Mark E. Marson, and Peter Pearson. Using Bleichenbacher's solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In Guido Bertoni and Jean-Sébastien Coron, editors, CHES 2013, volume 8086 of LNCS, pages 435–452. Springer, Heidelberg, August 2013.

[Din19] Itai Dinur. An algorithmic framework for the generalized birthday problem. Des. Codes Cryptogr., 87(8):1897–1926, 2019.

[LN13] Mingjie Liu and Phong Q. Nguyen. Solving BDD by enumeration: An update. In Ed Dawson, editor, CT-RSA 2013, volume 7779 of LNCS, pages 293–309. Springer, Heidelberg, February/March 2013.

[MSEH19] Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. TPM-FAIL: TPM meets timing and lattice attacks. CoRR, abs/1911.05673, 2019. To appear at USENIX Security 2020.

[NS02] Phong Q. Nguyen and Igor Shparlinski. The insecurity of the digital signature algorithm with partially known nonces. Journal of Cryptology, 15(3):151–176, June 2002.

[PGB17] Cesar Pereida García and Billy Bob Brumley. Constant-time callees with variable-time callers. In Engin Kirda and Thomas Ristenpart, editors, USENIX Security 2017, pages 83–98. USENIX Association, August 2017.

[Rya18] Keegan Ryan. Return of the hidden number problem. IACR TCHES, 2019(1):146–168, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7337.

[Rya19] Keegan Ryan. Hardware-backed heist: Extracting ECDSA keys from Qualcomm's TrustZone. In Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz, editors, ACM CCS 2019, pages 181–194. ACM Press, November 2019.

[TTA18] Akira Takahashi, Mehdi Tibouchi, and Masayuki Abe. New Bleichenbacher records: Fault attacks on qDSA signatures. IACR TCHES, 2018(3):331–371, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7278.

[WSBS20] Samuel Weiser, David Schrammel, Lukas Bodner, and Raphael Spreitzer. Big Numbers - Big Troubles: Systematically analyzing nonce leakage in (EC)DSA implementations. In USENIX Security 2020, Boston, MA, August 2020. USENIX Association.

How HGJ–SS Helps

Given M = 4 × 2^a samples {h_i}_{i ∈ [1, M]}, split into four lists. For each c ∈ [0, 2^a):

1. Search partial collisions on the top a bits between two sorted lists, with target value c.
2. Search more collisions on the remaining bits between the new sorted lists A(1) and A(2).