
Presentation · August 2020. Slides uploaded by Diego F. Aranha on 12 August 2020 (https://www.researchgate.net/publication/343601182).


LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce
Leakage
To appear in CCS’20
ePrint: 2020/615

Diego F. Aranha1 Felipe R. Novaes2 Akira Takahashi1 Mehdi Tibouchi3 Yuval Yarom4
August 12, 2020
1 Dept. of CS and DIGIT, Aarhus University, Denmark

2 University of Campinas, Brazil

3 NTT Corporation, Japan

4 University of Adelaide and Data61, Australia


This talk

New attacks on randomness leakage/bias from ECDSA/Schnorr-type schemes

• Discovered vulnerabilities in ECDSA implementations: OpenSSL and RELIC.


• Theoretical improvements to the attack framework on the Hidden Number
Problem (HNP).
• Part I: How to acquire side-channel information.
• Part II: How to exploit side-channel information to recover the secret key.

1
Background: Attack on ECDSA
Nonces
ECDSA and Schnorr Signatures

• Most popular signature schemes relying on the hardness of the (EC)DLP


• Signing operation involves secret randomness k ∈ Z/qZ, sometimes called nonce

2
Randomness in ECDSA/Schnorr-like Schemes

[Figure: Alice signs a message with her secret key; Bob verifies the signed message with Alice's public key and outputs 0/1.]

• k is a uniformly random value satisfying

  k ≡ z + h · x (mod q),

  where z and h are public and x is the secret key.

• k should NEVER be reused/exposed, as x = (z − z′)/(h′ − h) mod q

3


Risk of Biased/Leaky Randomness

[Figure: the same signing flow; the nonce k used by Sign is now marked as biased, or as partially leaked out of the signing operation.]

• What if k is slightly biased or partially leaked? → Attack!

• Secret key x is recovered by solving the hidden number problem (HNP)

4
Randomness Failure in the Real World

• Poorly designed/implemented RNGs.
• Predictable seed (srand(time(0))).
• VM resets: restoring the same snapshot ends up with the same seed.
• Side-channel leakage.
• and many more. . .

BBC news. 2011. https://www.bbc.com/news/technology-12116051

5
Contributions

1. Novel class of cache attacks against ECDSA implemented in OpenSSL 1.0.2u and 1.1.0l, and RELIC 0.4.0.
   Affected curves: NIST P-192, P-224, P-256, P-384, P-521, B-283, K-283, K-409, B-571, sect163r1, secp192k1, secp256k1
   Affected products: VMWare Photon, Chef, Wickr ?

2. Theoretical improvements to the Fourier analysis-based attack on the HNP
   • Significantly reduced the required input data
   • Attack became feasible given less than 1 bit of nonce bias/leakage per signature

3. Implemented a full secret key recovery attack against OpenSSL ECDSA over sect163r1 and NIST P-192.

6
Curve-based cryptography
Elliptic curves

An elliptic curve is the set of solutions (x, y) ∈ F × F that satisfy the Weierstrass equation

  E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6

where a_i ∈ F with discriminant ∆ ≠ 0, together with a point at infinity ∞.

  E_1 : y^2 = x^3 + ax + b over F_p        E_2 : y^2 + xy = x^3 + ax^2 + b over F_{2^m}

Group law: The set of points under the operation ⊕ (chord and tangent) forms an additive group of order q with ∞ as the identity.

Coordinate system: For efficiency, we represent a point in affine coordinates (x, y) using projective coordinates (X, Y, Z) such that x = X/Z^c and y = Y/Z^d.

7
Elliptic curves

(a) Point addition R = P ⊕ Q (b) Point doubling R = [2]P

8
ECDSA signing

Scalar multiplication is critical for performance/security of ECC.

Algorithm 1 ECDSA signature generation

Input: Signing key sk ∈ Z_q, message msg ∈ {0, 1}*, group order q, base point G, and cryptographic hash function H : {0, 1}* → Z_q.
Output: A valid signature (r, s)
1: k ←$ Z_q^*
2: R = (r_x, r_y) ← [k]G
3: r ← r_x mod q
4: s ← (H(msg) + r · sk)/k mod q
5: return (r, s)

Critical: The scalar multiplication should be implemented in constant time to avoid timing leakage about k.
9


Cache-timing attacks

Modern CPUs have instructions (clflush) that can reveal secrets through cache data eviction. When programs share a library, a Flush+Reload attack is possible:

10
Side-channel attacks in scalar multiplication

Algorithm 2 Left-to-right Montgomery ladder

Input: P = (x, y), k = (1, k_{t−2}, . . . , k_1, k_0)
Output: Q = [k]P
1: R_0 ← P, R_1 ← [2]P
2: for i ← t − 2 downto 0 do
3:   if k_i = 1 then
4:     R_0 ← R_0 ⊕ R_1; R_1 ← [2]R_1
5:   else
6:     R_1 ← R_0 ⊕ R_1; R_0 ← [2]R_0
7:   end if
8: end for
9: return Q = R_0

For constant time:
• Fixed number of iterations.
• Accumulators R_i in the same order.
• Group law is implemented in constant time.

11
Side-channel attacks in scalar multiplication

Algorithm 3 Left-to-right Montgomery ladder (constant-time variant)

Input: P = (x, y), k = (1, k_{t−2}, . . . , k_1, k_0)
Output: Q = [k]P
1: k′ ← Select(k + q, k + 2q)
2: R_0 ← P, R_1 ← [2]P
3: for i ← lg(q) − 1 downto 0 do
4:   Swap(R_0, R_1) if k′_i = 0
5:   R_0 ← R_0 ⊕ R_1; R_1 ← [2]R_1
6:   Swap(R_0, R_1) if k′_i = 0
7: end for
8: return Q = R_0

For constant time:
• Fixed iterations by adding 1 or 2 multiples of q (preserves the MSB of k in the second MSB of k′ when q is just below a power of 2).
• Replace the branch with a conditional swap (ideally implemented in ASM).
• Careful implementation of the group law!

12

Critical: Leakage in k allows to build a set of biased signatures.

13
Experimental setup

Target platforms:

• Broadwell CPUs (Core i7-5500U @ 2.4GHz and i7-3520M @ 2.9GHz)


• TurboBoost disabled for reducing noise
• Binaries executed in userland runtime, no privileges
• OpenSSL built using default configuration, debugging symbols

Tooling:

• FR-Trace from Mastik side-channel analysis toolkit


• Flush+Reload slot set to 5,000 cycles
• Other cores evict code from cache (performance degradation)

14
Cache-timing attacks on prime curves

We can detect if R_1 is in affine coordinates in point doubling (k′_i = 0).

    (...)
    if (a->Z_is_one) {
        if (!BN_copy(n0, &a->Y))
            goto err;
    } else {
        if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
            goto err;
    }
    (...)

Performance degradation can amplify the difference to ≈ 15,000 cycles.
Attack: Flush+Reload can detect if BN_copy() is called with > 99% precision.
15
Cache-timing attacks on prime curves

[Figure: two Flush+Reload sample traces for the prime-curve case, one when the second MSB is 1 and one when it is 0. Each plots access time (cycles) against sample number (0–100) for the probes on the call to BN_copy() and on the call to the next field operation, with the cache hit threshold marked.]

16
Cache-timing attacks on binary curves

We can detect if R_1 has projective coordinates in point addition (k′_i = 1).

    (...)
    if (!BN_copy(t1, x))
        goto err;
    if (!group->meth->field_mul(group, x1, x1, z2, ctx))
        goto err;
    if (!group->meth->field_mul(group, z1, z1, x2, ctx))
        goto err;
    (...)

Performance degradation can amplify the difference to ≈ 100,000 cycles.

Attack: Flush+Reload can detect if z2 = 1 with > 99% precision.
17
Cache-timing attacks on binary curves

[Figure: two Flush+Reload sample traces for the binary-curve case, one when the second MSB is 0 and one when it is 1. Each plots access time (cycles) against sample number (0–100) for the probes on the first and on the second field multiplication, with the cache hit threshold marked.]

18
Software countermeasures

There are at least three possible fixes:

1. Randomize Z coordinates at the beginning of scalar multiplication.


2. Implement group law in constant time, for example using complete addition
formulas (no branches).
3. Implement ladder over co-Z arithmetic to not handle Z directly.

Coordinated disclosure: reported in December 2019, fixed in April 2020 with the first
countermeasure.

19
Main takeaways

• Securely implementing brittle cryptographic algorithms is still hard.

• Do not underestimate timing leakage without careful analysis, even if tiny.

• Upgrade OpenSSL to 1.1.1 (or 3.0 when available) as soon as possible!

20
How to Exploit Randomness Bias/Leakage
Overview

• Recover the ECDSA secret by solving the hidden number problem (HNP) [BV96]
• Improved theoretical analysis of the Fourier analysis-based attack devised by Bleichenbacher
• The technique applies to other sources of bias/leakage
• Connection with K-list sum algorithms for the generalized birthday problem (GBP)

2
The problem we tackle: 1 bit of nonce leakage

Definition (Hidden Number Problem with MSB Leakage)

Let h_i and k_i be uniformly random elements in Z_q for each i ∈ [1, M] and

  z_i = k_i − h_i · sk mod q.

The HNP asks to find sk, given the pairs (h_i, z_i) and MSB(k_i) for all i.

3
The problem we tackle: less than 1 bit of nonce leakage

Definition (Hidden Number Problem with Erroneous MSB Leakage)

Let h_i and k_i be uniformly random elements in Z_q for each i ∈ [1, M] and

  z_i = k_i − h_i · sk mod q.

The HNP with error rate ϵ ∈ [0, 1/2] asks to find sk, given the pairs (h_i, z_i) and, for all i, MSB(k_i) with probability 1 − ϵ (resp. MSB(k_i) ⊕ 1 with probability ϵ).

The error rate ϵ models the attacker's misdetection during the side-channel acquisition.

3
How to attack the HNP

• More bias/leakage & fewer signatures → Lattice reduction
• Less bias/leakage & more signatures → Fourier analysis

4
We set new records!

Table 1: Comparison with the previous records of solutions to HNP. Columns are bits of nonce leakage per signature (<1, 1, 2, 3, 4); the entries of each row are listed from the leftmost to the rightmost filled column.

  384-bit: [CABuH+19] | [DHMP13]
  256-bit: [TTA18] | [TTA18], [AGB20] | [PGB17, DDE+18, Rya18], [Rya19, MSEH19, WSBS20]
  192-bit: This work (<1 bit) | This work (1 bit)
  160-bit: This work (<1 bit) | This work (less data), [AFG+14, Ble05] (1 bit) | [LN13] (2 bits) | [NS02] (3 bits)

• For 160-bit HNP with 1-bit leak:
  • From 8 billion inputs (Asiacrypt'14) to 8 million
  • (Presumably) reproduced the mysterious experimental result from the Crypto'05 rump session.
• First practical solution to 192-bit HNP with (less than) 1-bit leak!
5
Fundamentals of Bleichenbacher's Framework

The Fourier analysis-based attack?

• Originally proposed by Bleichenbacher ≈ 20 years ago, revisited by De Mulder et al. (CHES'13), Aranha et al. (ASIACRYPT'14) and Takahashi et al. (CHES'18)
  + Can exploit arbitrarily small bias/leakage of randomness to solve the HNP.
    • cf. Lattice attacks typically require at least 3 bits
  + Can handle erroneous input out of the box
  − Large data complexity: billions of signatures to attack 1-bit leakage

Can we reduce the data complexity?

6
Bleichenbacher's Attack: High-level Overview

• Step 1. Quantify the modular bias of randomness k.
  • Bias_q(K) = 0 if k is uniform in Z_q.
  • Bias_q(K) ≈ 1 if k is biased.
• Step 2. Find a candidate secret key which leads to the peak of Bias_q(K).
  • Optimization: collision search of integers h.
  • Detect the bias peak correctly and efficiently

7
Step 1. Bias Function (Essentially DFT)

Definition
The sampled bias of a set of points K = {k_i}_{i∈[1,M]} in Z/qZ is defined by

  Bias_q(K) = (1/M) · Σ_{i∈[1,M]} e^{2πi k_i/q}.

8
Handy Form of the Bias Function

  b            0   1        2        3        4
  |Bias_q(K)|  0   0.6366   0.9003   0.9745   0.9936

Lemma (informal)
If the randomness k's top b bits are fixed, e.g.,

  k_1 = 011101 . . .
  k_2 = 010110 . . .
  . . .

then its modular bias can be estimated as

  |Bias_q(K)| ≈ (2^b / π) · sin(π / 2^b).

9
Step 2. Detecting the Bias Peak (Naïve Approach)

1. Given M samples of signatures {(h_i, z_i)}_{i∈[1,M]}, satisfying k_i ≡ z_i + h_i · sk mod q.
2. Pick a secret key candidate w ∈ Z_q and compute the corresponding randomness

   K_w = {z_i + h_i · w mod q}_{i∈[1,M]}.

3. Compute Bias_q(K_w) with FFT.
4. If the guess is correct, we can detect the significant nonzero sampled bias!

[Figure: |Bias_q(K_w)| plotted against w: a single spike of height close to 1 at w = sk, everywhere else a noise floor of about 1/√M.]

10
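Steps 1 and 2 carried out on a constructed toy instance, as an added example that is not from the paper: the sampled bias function, the lemma's estimate, the shift that turns (possibly misdetected) MSB leakage into a fixed top bit, and the naive exhaustive peak search over every w ∈ Z_q. The modulus q = 1021, the key, the sample count and the error rate are all constructed values.

```python
import cmath
import math
import random

# Constructed toy parameters (real group orders have 160+ bits).
Q = 1021              # prime group order just below 2^10, so lg(q) = 10
T = Q.bit_length()    # 10
TOP = 1 << (T - 1)    # weight of the most significant nonce bit (512)


def bias(ks, q=Q):
    """Sampled modular bias Bias_q(K) = (1/M) * sum_i exp(2*pi*i*k_i/q)."""
    return sum(cmath.exp(2j * math.pi * k / q) for k in ks) / len(ks)


def predicted_bias(b):
    """Lemma: |Bias_q(K)| ~ (2^b / pi) * sin(pi / 2^b) when the top b bits are fixed."""
    return (2 ** b / math.pi) * math.sin(math.pi / 2 ** b)


def make_hnp_instance(sk, m, eps, rng):
    """M HNP samples (h_i, z_i) with z_i = k_i - h_i*sk mod q, plus the leaked
    MSB(k_i), which the side channel gets wrong with probability eps."""
    samples = []
    for _ in range(m):
        k = rng.randrange(1, Q)
        h = rng.randrange(Q)
        z = (k - h * sk) % Q
        msb = k >> (T - 1)
        if rng.random() < eps:
            msb ^= 1              # misdetection: the attacker records the wrong bit
        samples.append((h, z, msb))
    return samples


def shift_by_msb(samples):
    """Turn the leaked bit into bias: k'_i = k_i - MSB_i * 2^(t-1) has its top bit
    fixed to 0 and still satisfies k'_i = z'_i + h_i*sk mod q for the shifted z'_i.
    A wrong MSB shifts k_i by about q/2 instead, which flips the sign of its term."""
    return [(h, (z - msb * TOP) % Q) for h, z, msb in samples]


def peak_search(pairs):
    """Naive Step 2: evaluate |Bias_q(K_w)| for every candidate w in Z_q, with
    K_w = {z_i + h_i*w mod q}; return (argmax w, peak height, noise floor 1/sqrt(M))."""
    best_w, best = 0, -1.0
    for w in range(Q):
        mag = abs(bias([(z + h * w) % Q for h, z in pairs]))
        if mag > best:
            best_w, best = w, mag
    return best_w, best, 1 / math.sqrt(len(pairs))


def demo(sk=345, m=400, eps=0.10, seed=1):
    """Recover the constructed key sk; with error rate eps the peak height drops
    to roughly (1 - 2*eps) * 2/pi, which is what 'less than one bit' costs."""
    rng = random.Random(seed)
    pairs = shift_by_msb(make_hnp_instance(sk, m, eps, rng))
    return peak_search(pairs)
```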
Problem: Naïve Approach is Inefficient!

• The peak only appears if you hit the exact solution, i.e., w = sk.
• Clearly infeasible for large q!
• For input table size q, FFT takes O(q) space & O(q log q) time

[Figure: |Bias_q(K_w)| against w: a spike of height ≈ 1 at w = sk over a noise floor of ≈ 1/√M.]

11
Solution: Collision Search to Broaden the Peak

• Bleichenbacher's observation: reduce the range of the h_i's to [0, L] with L ≪ q by taking linear combinations of the h_i's
  + Peak width broadens!
  − Peak height decays.
• Sufficient to check L candidates w_i = iq/L for i ∈ [0, L]!
• Now FFT only takes O(L) space & O(L log L) time

[Figure: |Bias_q(K_w)| against w after the reduction: a peak of width ≈ q/L centred at w = sk, of height |Bias_q(K)|^K, over a noise floor of ≈ 1/√M′.]

12
Collision Search Problem in Bleichenbacher's Framework

Given: M signature pairs {(h_i, z_i)}_{i∈[1,M]} and a memory budget for the FFT, L_FFT ≪ q
Find: sufficiently many (say M′) linear combinations

  h′_j = ω_{1,j} · h_1 + . . . + ω_{M,j} · h_M
  z′_j = ω_{1,j} · z_1 + . . . + ω_{M,j} · z_M

for j ∈ [0, M′], such that

• Small: h′_j < L_FFT
• Sparse coefficients: K := Σ_i |ω_{i,j}| such that |Bias_q(K)|^K ≫ 1/√M′ (i.e., the peak height must be larger than the noise floor)

Looks like a subset sum problem?

Difference: need many linear combinations instead of a single exact solution.
13
Applying K-list Sum Algorithm for Generalized Birthday Problem (GBP) and Unified Tradeoffs

K-list Sum Algorithm for GBP (e.g., K = 4)

[Figure, built up over three animation steps: the four initial lists, then the collisions found between them.]

14
Applying Howgrave-Graham and Joux’s K-list Sum Algorithm

• More flexible than Wagner’s original K-list algorithm for the GBP.
• Advantages:
, Configurable time-memory tradeoffs
, Highly parallelizable
• Question:
For given MSB info from HNP and the attacker’s budget for computational
resources, what would be the optimal balance between the time, memory, and
input data complexities?

15
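The collision search and the coarse candidate grid from the preceding slides, as an added example that is not the authors' code: a two-round sort-and-match search on differences h_j − h_i (a simplified stand-in for the HGJ 4-list algorithm, giving 4-term combinations with K = 4) over a constructed 30-bit HNP instance whose nonces have their top bit fixed to 0. The modulus, key, sample count and round parameters are constructed for illustration.

```python
import cmath
import math
import random

# Constructed toy parameters (real group orders have 160+ bits).
Q = (1 << 30) - 35          # 30-bit prime modulus, t = lg(q) = 30
T = 30
A = 10                      # bits cancelled per round; two rounds cancel 2*A bits
L_FFT = 1 << (T - 2 * A)    # reduced h' < 2^10, so only L_FFT candidates are needed


def bias(ks, q=Q):
    """Sampled bias (1/M) * sum_i exp(2*pi*i*k_i/q)."""
    return sum(cmath.exp(2j * math.pi * k / q) for k in ks) / len(ks)


def make_samples(sk, m, rng):
    """HNP samples (h_i, z_i, K) whose nonces have their top bit fixed to 0 (what a
    1-bit MSB leak gives once the known bit is shifted out); K = sum|omega| starts at 1."""
    out = []
    for _ in range(m):
        k = rng.randrange(1 << (T - 1))
        h = rng.randrange(Q)
        out.append((h, (k - h * sk) % Q, 1))
    return out


def collide_top_bits(entries, width, a):
    """One round of collision search: bucket entries by the top `a` bits of their
    `width`-bit h value and form every pair inside a bucket.  Each output
    h' = h_j - h_i lies in [0, 2^(width-a)), z' = z_j - z_i keeps the relation
    k' = z' + h'*sk mod q, and the weight K adds up (k' = k_j - k_i is a signed
    combination of nonces, so its bias is about |Bias|^K)."""
    shift = width - a
    buckets = {}
    for entry in entries:
        buckets.setdefault(entry[0] >> shift, []).append(entry)
    out = []
    for group in buckets.values():
        group.sort()
        for i, (h1, z1, k1) in enumerate(group):
            for h2, z2, k2 in group[i + 1:]:
                out.append((h2 - h1, (z2 - z1) % Q, k1 + k2))
    return out


def reduce_two_rounds(samples):
    round1 = collide_top_bits(samples, T, A)        # h' < 2^(t-a),  K = 2
    return collide_top_bits(round1, T - A, A)       # h' < 2^(t-2a), K = 4


def coarse_peak_search(reduced):
    """Evaluate |Bias_q(K_w)| only at the grid w_i = i*q/L_FFT.  Because every h'
    is below L_FFT the peak is about q/L_FFT wide, so the grid cannot miss it."""
    best_w, best = 0, -1.0
    for i in range(L_FFT):
        w = i * Q // L_FFT
        mag = abs(bias([(z + h * w) % Q for h, z, _ in reduced]))
        if mag > best:
            best_w, best = w, mag
    return best_w, best


def demo(sk=123456789, m=2048, seed=7):
    """Reduce a constructed instance and locate the (broadened) peak on the grid."""
    rng = random.Random(seed)
    reduced = reduce_two_rounds(make_samples(sk, m, rng))
    w, peak = coarse_peak_search(reduced)
    weight = reduced[0][2]                                  # 4 after two rounds
    return {
        "w": w, "peak": peak,
        "expected_peak": (2 / math.pi) ** weight,           # |Bias|^K decay
        "noise_floor": 1 / math.sqrt(len(reduced)),         # 1/sqrt(M')
        "reduced": len(reduced),
        "max_h": max(h for h, _, _ in reduced),
        "candidates_saved": Q // L_FFT,                     # q -> L_FFT candidates
    }
```

The grid point found is within one spacing q/L_FFT of sk; the remaining low-order bits are what the slides call the cheaper second phase.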
Unified Time-Memory-Data Tradeoffs

Generalizing [Din19], for the i-th round of HGJ's 4-list sum

  2^4 · M_{i+1} = T_i · M_i^2 / N_i

where

  M_{i+1}         Number of output samples (= solutions)
  T_i             Time complexity
  M_i             Memory complexity
  M_0             Number of input samples
  N_i = 2^{n_i}   an n_i-bit collision is found

We can estimate the optimal time-memory-data complexity balance together with the constraints from Bleichenbacher!
16
Tradeoff Graphs for 1-bit Bias

[Figure: four plots, for sect163r1, P-192, P-224 and P-256, of log2 time (y axis, 25–65) against log2 data (x axis, roughly 20–70), each with one curve per FFT table size ℓ_FFT = 35, 40, 45.]

Figure 1: Time–Data tradeoffs when memory is fixed to 2^35.

*Paper has various tradeoff graphs and improved complexity estimates for 2–3 bits of bias.

17
Experimental Results on Full Key Recovery

  Target     | Facility    | Error rate | Input (Collision) | Output (Collision) | Threads (Collision) | Time | RAM   | L_FFT | Recovered MSBs
  NIST P-192 | AWS EC2     | 0          | 2^29              | 2^29               | 96 × 24             | 113h | 492GB | 2^38  | 39
  NIST P-192 | AWS EC2     | 1%         | 2^35              | 2^30               | 96 × 24             | 52h  | 492GB | 2^37  | 39
  sect163r1  | Cluster     | 0          | 2^23              | 2^27               | 16 × 16             | 7h   | 80GB  | 2^35  | 36
  sect163r1  | Workstation | 2.7%       | 2^24              | 2^29               | 48                  | 42h  | 250GB | 2^34  | 35

• Recovering the remaining bits is much cheaper in Bleichenbacher's framework.
• Attack on sect163r1 is even feasible with a laptop.
• Attacks on P-224 with 1-bit bias or P-256 with 2-bit bias are also tractable.

18
Conclusion

• Even less than 1 bit of nonce leakage becomes a practical concern!
• Interesting connection between the HNP and GBP (from symmetric key crypto)
• Open questions:
  • More list sum algorithms and tradeoffs?
  • Improvements to FFT computation?
  • Other sources of small leakage?
    • 2 or 3 bits of leakage/bias can be attacked with far fewer input signatures.
    • Analyze the behavior of the bias function for more patterns of noisy leakages.

Thank you! & Questions?
More details at https://ia.cr/2020/615

19
References

[AFG+14] Diego F. Aranha, Pierre-Alain Fouque, Benoît Gérard, Jean-Gabriel Kammerer, Mehdi Tibouchi, and Jean-Christophe Zapalowicz. GLV/GLS decomposition, power analysis, and attacks on ECDSA signatures with single-bit nonce bias. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS, pages 262–281. Springer, Heidelberg, December 2014.

[AGB20] Alejandro Cabrera Aldaya, Cesar Pereida García, and Billy Bob Brumley. From A to Z: Projective coordinates leakage in the wild. Cryptology ePrint Archive, Report 2020/432, 2020. https://eprint.iacr.org/2020/432.

[Ble05] Daniel Bleichenbacher. Experiments with DSA. Rump session at CRYPTO 2005, 2005. Available from https://www.iacr.org/conferences/crypto2005/r/3.pdf.

[BV96] Dan Boneh and Ramarathnam Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Neal Koblitz, editor, CRYPTO'96, volume 1109 of LNCS, pages 129–142. Springer, Heidelberg, August 1996.

[CABuH+19] Alejandro Cabrera Aldaya, Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida García, and Nicola Tuveri. Port contention for fun and profit. In 2019 IEEE Symposium on Security and Privacy, pages 870–887. IEEE Computer Society Press, May 2019.

[DDE+18] Fergus Dall, Gabrielle De Micheli, Thomas Eisenbarth, Daniel Genkin, Nadia Heninger, Ahmad Moghimi, and Yuval Yarom. CacheQuote: Efficiently recovering long-term secrets of SGX EPID via cache attacks. IACR TCHES, 2018(2):171–191, 2018. https://tches.iacr.org/index.php/TCHES/article/view/879.

[DHMP13] Elke De Mulder, Michael Hutter, Mark E. Marson, and Peter Pearson. Using Bleichenbacher's solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In Guido Bertoni and Jean-Sébastien Coron, editors, CHES 2013, volume 8086 of LNCS, pages 435–452. Springer, Heidelberg, August 2013.

[Din19] Itai Dinur. An algorithmic framework for the generalized birthday problem. Des. Codes Cryptogr., 87(8):1897–1926, 2019.

[LN13] Mingjie Liu and Phong Q. Nguyen. Solving BDD by enumeration: An update. In Ed Dawson, editor, CT-RSA 2013, volume 7779 of LNCS, pages 293–309. Springer, Heidelberg, February / March 2013.

[MSEH19] Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. TPM-FAIL: TPM meets timing and lattice attacks. CoRR, abs/1911.05673, 2019. To appear at USENIX Security 2020.

[NS02] Phong Q. Nguyen and Igor Shparlinski. The insecurity of the digital signature algorithm with partially known nonces. Journal of Cryptology, 15(3):151–176, June 2002.

[PGB17] Cesar Pereida García and Billy Bob Brumley. Constant-time callees with variable-time callers. In Engin Kirda and Thomas Ristenpart, editors, USENIX Security 2017, pages 83–98. USENIX Association, August 2017.

[Rya18] Keegan Ryan. Return of the hidden number problem. IACR TCHES, 2019(1):146–168, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7337.

[Rya19] Keegan Ryan. Hardware-backed heist: Extracting ECDSA keys from Qualcomm's TrustZone. In Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz, editors, ACM CCS 2019, pages 181–194. ACM Press, November 2019.

[TTA18] Akira Takahashi, Mehdi Tibouchi, and Masayuki Abe. New Bleichenbacher records: Fault attacks on qDSA signatures. IACR TCHES, 2018(3):331–371, 2018. https://tches.iacr.org/index.php/TCHES/article/view/7278.

[WSBS20] Samuel Weiser, David Schrammel, Lukas Bodner, and Raphael Spreitzer. Big numbers - big troubles: Systematically analyzing nonce leakage in (EC)DSA implementations. In USENIX Security 2020, Boston, MA, August 2020. USENIX Association.
How HGJ–SS Helps

Given M = 4 × 2^a samples {h_i}_{i∈[1,M]}. For each c ∈ [0, 2^a):
1. Search partial collisions in the top a bits, between 2 sorted lists, with target value c.
2. Search more collisions in the remaining bits, between the new sorted lists A^(1) and A^(2).
