Minerva: The curse of ECDSA nonces

D 2020

Minerva: The curse of ECDSA nonces

JANČÁR, Ján, Vladimír SEDLÁČEK, Petr ŠVENDA and Marek SÝS

Basic information

Original name

Minerva: The curse of ECDSA nonces

Authors

JANČÁR, Ján (703 Slovakia, guarantor, belonging to the institution), Vladimír SEDLÁČEK (203 Czech Republic, belonging to the institution), Petr ŠVENDA (203 Czech Republic, belonging to the institution) and Marek SÝS (703 Slovakia, belonging to the institution)

Edition

Německo, IACR Transactions on Cryptographic Hardware and Embedded Systems, p. 281-308, 28 pp. 2020

Publisher

Ruhr-University of Bochum

Other information

Language

English

Type of outcome

Stať ve sborníku

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Germany

Confidentiality degree

není předmětem státního či obchodního tajemství

Publication form

electronic version available online

References:

Website

RIV identification code

RIV/00216224:14330/20:00114222

Organization unit

Faculty of Informatics

ISSN

DOI

http://dx.doi.org/10.13154/tches.v2020.i4.281-308

Keywords in English

ECDSA; Hidden Number Problem; side-channel attack; lattice attack; smartcard

Abstract

V originále

We present our discovery of a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using leaked bit-length, we mount a lattice attack on a 256-bit curve, after observing enough signing operations. We propose two new methods to recover the full private key requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data. The number of signatures needed for a successful attack depends on the chosen method and its parameters as well as on the noise profile, influenced by the type of leakage and used computation platform. We use the set of vulnerabilities reported in this paper, together with the recently published TPM-FAIL vulnerability [MSE+20] as a basis for real-world benchmark datasets to systematically compare our newly proposed methods and all previously published applicable lattice-based key recovery methods. The resulting exhaustive comparison highlights the methods’ sensitivity to its proper parametrization and demonstrates that our methods are more efficient in most cases. For the TPM-FAIL dataset, we decreased the number of required signatures from approximately 40 000 to mere 900.

Links

GA20-03426S, research and development project

Name: Ověření a zlepšení bezpečnosti kryptografie eliptických křivek

Investor: Czech Science Foundation

Citovat

JANČÁR, Ján, Vladimír SEDLÁČEK, Petr ŠVENDA and Marek SÝS. Minerva: The curse of ECDSA nonces. Online. In Amir Moradi, Mehdi Tibouchi. IACR Transactions on Cryptographic Hardware and Embedded Systems. Německo: Ruhr-University of Bochum, 2020, p. 281-308. ISSN 2569-2925. Available from: https://dx.doi.org/10.13154/tches.v2020.i4.281-308.

@inproceedings{1669335,
   author = {Jančár, Ján and Sedláček, Vladimír and Švenda, Petr and Sýs, Marek},
   address = {Německo},
   booktitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
   doi = {http://dx.doi.org/10.13154/tches.v2020.i4.281-308},
   editor = {Amir Moradi, Mehdi Tibouchi},
   keywords = {ECDSA; Hidden Number Problem; side-channel attack; lattice attack; smartcard},
   howpublished = {elektronická verze "online"},
   language = {eng},
   location = {Německo},
   pages = {281-308},
   publisher = {Ruhr-University of Bochum},
   title = {Minerva: The curse of ECDSA nonces},
   url = {https://minerva.crocs.fi.muni.cz/},
   year = {2020}
}

TY  - JOUR
ID  - 1669335
AU  - Jančár, Ján - Sedláček, Vladimír - Švenda, Petr - Sýs, Marek
PY  - 2020
TI  - Minerva: The curse of ECDSA nonces
PB  - Ruhr-University of Bochum
CY  - Německo
KW  - ECDSA
KW  - Hidden Number Problem
KW  - side-channel attack
KW  - lattice attack
KW  - smartcard
UR  - https://minerva.crocs.fi.muni.cz/
L2  - https://minerva.crocs.fi.muni.cz/
N2  - We present our discovery of a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using leaked bit-length, we mount a lattice attack on a 256-bit curve, after observing enough signing operations. We propose two new methods to recover the full private key requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data. The number of signatures needed for a successful attack depends on the chosen method and its parameters as well as on the noise profile, influenced by the type of leakage and used computation platform. We use the set of vulnerabilities reported in this paper, together with the recently published TPM-FAIL vulnerability [MSE+20] as a basis for real-world benchmark datasets to systematically compare our newly proposed methods and all previously published applicable lattice-based key recovery methods. The resulting exhaustive comparison highlights the methods’ sensitivity to its proper parametrization and demonstrates that our methods are more efficient in most cases. For the TPM-FAIL dataset, we decreased the number of required signatures from approximately 40 000 to mere 900.
ER  -

JANČÁR, Ján, Vladimír SEDLÁČEK, Petr ŠVENDA and Marek SÝS. Minerva: The curse of ECDSA nonces. Online. In Amir Moradi, Mehdi Tibouchi. \textit{IACR Transactions on Cryptographic Hardware and Embedded Systems}. Německo: Ruhr-University of Bochum, 2020, p.~281-308. ISSN~2569-2925. Available from: https://dx.doi.org/10.13154/tches.v2020.i4.281-308.

Detailed Information on Publication Record