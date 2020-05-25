(AGENPARL) – WORLD WIDE, lun 25 maggio 2020
Cryptology ePrint Archive: Report 2020/615
LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage
Diego F. Aranha and Felipe Rodrigues Novaes and Akira Takahashi and Mehdi Tibouchi and Yuval Yarom
Abstract: Although it is one of the most popular signature schemes today, ECDSA
presents a number of implementation pitfalls, in particular due to the
very sensitive nature of the random value (known as the nonce)
generated as part of the signing algorithm. It is known that any small
amount of nonce exposure or nonce bias can in principle lead to a full
key recovery: the key recovery is then a particular instance of Boneh and
Venkatesan’s hidden number problem (HNP). That observation has
been practically exploited in many attacks in the literature, taking
advantage of implementation defects or side-channel vulnerabilities in
various concrete ECDSA implementations. However, most of the attacks so
far have relied on at least 2 bits of nonce bias (except for the
special case of curves at the $80$-bit security level, for which attacks
against $1$-bit biases are known, albeit with a very high number of
required signatures).
In this paper, we uncover LadderLeak, a novel class of
side-channel vulnerabilities in implementations of the Montgomery ladder
used in ECDSA scalar multiplication. The vulnerability is in particular
present in several recent versions of OpenSSL. However, it leaks
less than $1$ bit of information about the nonce, in the sense
that it reveals the most significant bit of the nonce, but with
probability $<1$. Exploiting such a mild leakage would be intractable
using techniques present in the literature so far. However, we present a
number of theoretical improvements of the Fourier analysis approach to
solving the HNP (an approach originally due to Bleichenbacher), and this
lets us practically break LadderLeak-vulnerable ECDSA
implementations instantiated over the sect163r1 and NIST P-192
elliptic curves. In so doing, we achieve several significant
computational records in practical attacks against the HNP.
Category / Keywords: side-channel attacks, ECDSA, OpenSSL, Montgomery Ladder, hidden number problem, Bleichenbacher’s attack, list sum problem
Date: received 25 May 2020
