Presentation is loading. Please wait.

Presentation is loading. Please wait.

Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1.

Published byGeorge Watts Modified over 9 years ago

Similar presentations

Presentation on theme: "Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1."— Presentation transcript:

1 Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1

2 Outline Background ECDSA wNAF scalar multiplication Hidden Number Problem The F LUSH +R ELOAD Technique Attacking OpenSSL ECDSA – Improved lattice technique – Using information from the double and add chain 2

3 ECDSA 3 Signer has a private key 1<α<q-1 and a public key Q=[α]G 1.Compute h=Hash(m) 2.Randomly select an ephemeral key 1<k<q 3.Compute (x,y)=[k]G 4.Take r=x mod q ; If r=0 repeat from 2 5.Take s=(h+r·α)/k mod q ; if s=0 repeat from 2 6.( r,s ) is the signature Note that

4 wNAF Form To compute [d]G, first write d in wNAF form: Such that if d i ≠0 then d i+1 =…=d i+w+1 =0. 4

5 Scalar Multiplication with wNAF form Precompute {±G, ±[3]G,…, ±[2 w -1]G} x=0 for i=n-1 downto 0 x = Double(x) if (d i ≠0) then x = Add(x, [d i ]G) end return x 5

6 Notation 6 Note that implies

7 The Hidden Number Problem Suppose we know numbers t i, u i such that 7

8 The Hidden Number Problem Suppose we know numbers t i, u i such that We can construct a lattice And a vector Which is very close to a lattice vector that depends on α. 8

9 HNP and ECDSA Recall that We want In terms of k : Or in terms of t i and u i : 9 0 n

10 HNP and ECDSA Recall that We want In terms of k : Or in terms of t i and u i : 10 0 n a l

11 HNP and ECDSA Recall that We want In terms of k : Or in terms of t i and u i : 11 0 n 0 l

12 HNP and ECDSA Recall that We want In terms of k : Or in terms of t i and u i : 12 0 n-l

13 HNP and ECDSA Recall that We want In terms of k : Or in terms of t i and u i : 13 0 n-(l+1)

14 HNP and ECDSA – State of the Art Useful information: – l bits for l known LSBs – Between l-1 and l bits for l known MSBs – l/2 bits for arbitrary l consecutive bits Liu and Nguyen 2013 – 160 bit key, 100 signatures, 2 known bits – Expected 200 observed signatures 14

15 The X86 Cache Memory is slower than the processor The cache utilises locality to bridge the gap – Divides memory into lines – Stores recently used lines Shared caches improve performance for multi-core processors Processor Memory Cache 15

16 Cache Consistency Memory and cache can be in inconsistent states – Rare, but possible Solution: Flushing the cache contents – Ensures that the next load is served from the memory Processor Memory Cache 16

17 The F LUSH +R ELOAD Technique Exploits cache behaviour to leak information on victim access to shared memory. – Shared text segments – Shared libraries – Memory de-duplication Spy monitors victim’s access to shared code – Spy can determine what victim does – Spy can infer the data the victim operates on 17

18 F LUSH +R ELOAD F LUSH memory line Wait a bit Measure time to R ELOAD line – slow-> no access – fast-> access Repeat Processor Memory Cache 18

19 Uses OpenSSL AES (Gullasch et al. 2011) GnuPG RSA (CVE 2013-4242) [Yarom & Falkner 2014] OpenSSL ECDSA over binary fields (CVE 2014- 0076) [Yarom & Benger 2014] OpenSSL ECDSA over prime fields – this work. OpenSSL AES (cross-VM) [Irazoqui et al. 2014] PaaS clouds [Zhang et al. 2014] 19

20 Attacking OpenSSL wNAF Achieve sharing with the victim code Use F LUSH +R ELOAD to recover the double and add chain of the wNAF calculation Divide time into slots of 1200 cycles (about 0.4μs) In each slot, probe a memory line in the code of the Double and Add functions. 20

21 Problem I - Speculative Execution 21 Solution: Place probe here x=0 for i=n-1 downto 0 x = Double(x) if (d i ≠0) then x = Add(x, [d i ]G) end return x

22 Problem II - Overlap 22

23 Problem II - Overlap 23 if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err; if (!field_mul(group, n0, n1, n0, ctx)) goto err; if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err; 0x59d62a:mov 0x8(%rsp),%rcx 0x59d62f:mov %rbx,%r8 0x59d632:mov 0x18(%rsp),%rdx 0x59d637:mov %rbp,%rdi 0x59d63a:mov %rcx,%rsi 0x59d63d:callq *0x38(%rsp) 0x59d641:test %eax,%eax

24 Demo 24

25 Sample Trace Raw: D||||D|D|||D||||A||||D|||D||||D|||D|||A|A|||D|||D||| |D|||D||||D|||D|||A||||D|||D|D|||D|||D||||D||A|A|||D |||D|D|||D|||D|||A||||D|||D|||D|||D|||D|||A|A||||D|| |D|||D||||D||A|A|||D||||D|||D|||D|||A|||D|||D|||D|D| ||D|||D|||A||||D|||D|||D|||D|D|||D|||D|||D|||A|||D|D |||D||… 25 Processed: DDDADDDDADDDDDDADDDDDADDDDADDDDDADDDDADDDDADDDDDADDD DDDDADDDDADDDDADDDDDADDDDADDDDDDDADDDDDDADDDDADDDDAD DDDADDDDADDDDADDDDDADDDDDADDDDADDDDADDDDADDDDADDDDAD DDDADDDDDDDADDDDDADDDDADDDDDDADDDDADDDDDDADDDDDADDDD ADDDDDADDDDDADDDDDADDDDDADDDDXDDDADDDDADDDDADDDDADDD DDADDDDADDDDDDADDDDDADDDDADDDDDDADDDDDDADDDDADD

26 Using the LSBs The trace: DDDADDDDADDDDD…DDDDDDADDDDADD Reveals 3 LSBs (100). A different trace might reveal fewer bits. How do we deal with that? 26

27 Using the LSBs The trace: DDDADDDDADDDDD…DDDDDDADDDDADD Reveals 3 LSBs (100). A different trace might reveal fewer bits. How do we deal with that? We vary the z per (t i, u i ) tuple. 27

28 Results For secp256k1 28 Expected # Sigs d Time (s) Success Prob. Time / Prob. 200100611.13.03517460 22011079.67.0203933 240602.68.005536 260652.26.05541 280704.46.29515 3007513.54.53026

29 Using More Information 29 DDDADDDDADDDDDDADDDDDADDDDADDDDDADDDDADDDDADDDDDADDD DDDDADDDDADDDDADDDDDADDDDADDDDDDDADDDDDDADDDDADDDDAD DDDADDDDADDDDADDDDDADDDDDADDDDADDDDADDDDADDDDADDDDAD DDDADDDDDDDADDDDDADDDDADDDDDDADDDDADDDDDDADDDDDADDDD ADDDDDADDDDDADDDDDADDDDDADDDDXDDDADDDDADDDDADDDDADDD DDADDDDADDDDDDADDDDDADDDDADDDDDDADDDDDDADDDDADD We know how to use the revealed LSBs But these give an average of 2 bits per observed signature.

30 Using More Information 30 DDDADDDDADDDDDDADDDDDADDDDADDDDDADDDDADDDDADDDDDADDD DDDDADDDDADDDDADDDDDADDDDADDDDDDDADDDDDDADDDDADDDDAD DDDADDDDADDDDADDDDDADDDDDADDDDADDDDADDDDADDDDADDDDAD DDDADDDDDDDADDDDDADDDDADDDDDDADDDDADDDDDDADDDDDADDDD ADDDDDADDDDDADDDDDADDDDDADDDDXDDDADDDDADDDDADDDDADDD DDADDDDADDDDDDADDDDDADDDDADDDDDDADDDDDDADDDDADD We know how to use the revealed LSBs But these give an average of 2 bits per observed signature. Can we use the information about the MSBs?

31 Using the MSBs Assume d m+l, d m ≠0 Before adding [d m ]G, x is: 31 x=0 for i=n-1 downto 0 x = Double(x) if (d i ≠0) then x = Add(x, [d i ]G) end return x 1000…000 0 l+1

32 Using the MSBs Assume d m+l, d m ≠0 Before adding [d m ]G, x is: After adding [d m ]G, for d m >0 it is And for d m <0 32 x=0 for i=n-1 downto 0 x = Double(x) if (d i ≠0) then x = Add(x, [d i ]G) end return x 1000…000 0 l+1 100…00 0 l+1 w 011…11 0 l+1 w

33 Using the MSBs Assume d m+l, d m ≠0 Before adding [d m ]G, x is: After adding [d m ]G, for d m >0 it is And for d m <0 Either way, 33 x=0 for i=n-1 downto 0 x = Double(x) if (d i ≠0) then x = Add(x, [d i ]G) end return x 1000…000 0 l+1 100…00 0 l+1 w 011…11 0 l+1 w k+2 m+w 100…00 0 m+l+1m+w+1 n

34 Observation For many “standard” curves, q is close to a power of two. That is, q=2 n -ε such that |ε|<2 p for p ≪ n. For example for secp256k1 q = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF EBAAEDCE6AF48A03BBFD25E8CD0364141 Adding or subtracting q to an n bit number is unlikely to change the MSBs 34

35 + aε 0 n+p-m-l-1 For m>p Using all the Information 35 100…00 a 0 m+l+1m+w+1 n 100…00 a 0n+w-l n-m-l-1 n 0 0 a 0n+w-l n-m-l-1 n 0 0 0n+w-l n-m-l-1 n 0

36 + aε 0 n+p-m-l-1 For m>p Using all the Information 36 0 a 0n+w-l n-m-l-1 n 0 0 0n+w-l n-m-l-1 n 0 0 n+w-l n 0 100…00 a 0 m+l+1m+w+1 n 100…00 a 0n+w-l m+l+1 n 0

37 + aε 0 n+p-m-l-1 For m>p Using all the Information 37 0 a 0n+w-l n-m-l-1 n 0 0 0n+w-l n-m-l-1 n 0 0 n+w-l n 0 0 n+w-l-1 n 0 0

38 Results With a very high probability, observing 25 signatures yields more than 13 perfect traces. 38 # perfect traces Time (s) Success probability 102.250.07 11 4.660.25 127.680.38 1311.30.54

39 Summary F LUSH +R ELOAD provides a nearly perfect cross- core, cross-VM side channel No need for a fixed number of bits in HNP Can handle the negative digits in wNAF Can handle non-consecutive bits Curve choice allows using almost half of the information in each perfect trace We can break a 256 bit curve after observing as little as 25 signatures. 39

Download ppt "Side-Channel Attack on OpenSSL ECDSA Naomi BengerJoop van de Pol Nigel Smart Yuval Yarom 1."

Similar presentations

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
SE-292 High Performance Computing

SE-292 High Performance Computing
Cross-VM Side Channels and Their Use to Extract Private Keys

Cross-VM Side Channels and Their Use to Extract Private Keys
SE-292 High Performance Computing Memory Hierarchy R. Govindarajan

SE-292 High Performance Computing Memory Hierarchy R. Govindarajan
Instruction Set Design

Instruction Set Design
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Click to add text www.ibm.com © 2006-2008 IBM Corporation Optimization Issues in SSE/AVX-compatible functions on PowerPC Ian McIntosh November 5, 2014.

Click to add text © IBM Corporation Optimization Issues in SSE/AVX-compatible functions on PowerPC Ian McIntosh November 5, 2014.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Hashing as a Dictionary Implementation

Hashing as a Dictionary Implementation
© 2004 Goodrich, Tamassia Hash Tables1   0 1 2 3 4 451-22-0004 981-10-0002 025-61-0001.

© 2004 Goodrich, Tamassia Hash Tables1  
© Karen Miller, 2011 1 What do we want from our computers?  correct results we assume this feature, but consider... who defines what is correct?  fast.

© Karen Miller, What do we want from our computers?  correct results we assume this feature, but consider... who defines what is correct?  fast.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Hashing Techniques.

Hashing Techniques.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Dictionaries and Hash Tables1   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Dictionaries and Hash Tables1  
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  
Hash Tables1 Part E Hash Tables   0 1 2 3 4 451-229-0004 981-101-0002 025-612-0001.

Hash Tables1 Part E Hash Tables  

Similar presentations

Ads by Google