Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley


JSON Export

{
  "files": [
    {
      "links": {
        "self": "https://zenodo.org/api/files/230d0289-1684-4cb4-8355-4bf1d11f437a/research_data.zip"
      }, 
      "checksum": "md5:a73cffa5165ba847fb525f545b398be5", 
      "bucket": "230d0289-1684-4cb4-8355-4bf1d11f437a", 
      "key": "research_data.zip", 
      "type": "zip", 
      "size": 1295611
    }
  ], 
  "owners": [
    87802
  ], 
  "doi": "10.5281/zenodo.3605805", 
  "stats": {
    "version_unique_downloads": 13.0, 
    "unique_views": 164.0, 
    "views": 186.0, 
    "version_views": 186.0, 
    "unique_downloads": 13.0, 
    "version_unique_views": 164.0, 
    "volume": 18138554.0, 
    "version_downloads": 14.0, 
    "downloads": 14.0, 
    "version_volume": 18138554.0
  }, 
  "links": {
    "doi": "https://doi.org/10.5281/zenodo.3605805", 
    "conceptdoi": "https://doi.org/10.5281/zenodo.3605804", 
    "bucket": "https://zenodo.org/api/files/230d0289-1684-4cb4-8355-4bf1d11f437a", 
    "conceptbadge": "https://zenodo.org/badge/doi/10.5281/zenodo.3605804.svg", 
    "html": "https://zenodo.org/record/3605805", 
    "latest_html": "https://zenodo.org/record/3605805", 
    "badge": "https://zenodo.org/badge/doi/10.5281/zenodo.3605805.svg", 
    "latest": "https://zenodo.org/api/records/3605805"
  }, 
  "conceptdoi": "10.5281/zenodo.3605804", 
  "created": "2020-01-13T08:22:01.123711+00:00", 
  "updated": "2020-01-24T19:26:16.426156+00:00", 
  "conceptrecid": "3605804", 
  "revision": 3, 
  "id": 3605805, 
  "metadata": {
    "access_right_category": "success", 
    "doi": "10.5281/zenodo.3605805", 
    "description": "<p>This dataset and software tool are for reproducing the research results related to CVE-2019-18222.</p>\n\n<p>Description</p>\n\n<ul>\n\t<li><code>enum</code> contains the key enumeration tool.</li>\n\t<li><code>kt_candidates</code> contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:</li>\n</ul>\n\n<ol>\n\t<li><code>kt_candidates</code>: list of nonce candidates.</li>\n</ol>\n\n<ul>\n\t<li><code>sig_data</code> contains the JSON for ECDSA signatures, index by trial number. JSON fields:</li>\n</ul>\n\n<ol>\n\t<li><code>p</code>: the prime the curve is defined over. (P-256 here.)</li>\n\t<li><code>Gx</code>, <code>Gy</code>: Generator coordinates.</li>\n\t<li><code>d</code>: Ground truth ECDSA long term key.</li>\n\t<li><code>Px</code>, <code>Py</code>: Public key coordinates.</li>\n\t<li><code>h</code>: SHA-256 digest to sign, encoded to the finite field.</li>\n\t<li><code>k</code>: Ground truth ECDSA nonce.</li>\n\t<li><code>r</code>, <code>s</code>: ECDSA signature.</li>\n</ol>\n\n<p>Build</p>\n\n<pre><code>cd enum\nmake clean\nmake</code></pre>\n\n<p>Run</p>\n\n<p>Start with <code>enum</code> as the working directory.</p>\n\n<pre><code>cd enum</code></pre>\n\n<p>Pull out a <code>kt</code> candidate, in this example index 847.</p>\n\n<pre><code>$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json\n[\n  \"0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0\"\n]</code></pre>\n\n<p>Factor that candidate.</p>\n\n<pre><code>$ time sage -c \"print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)\"\n[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]\n\nreal    0m5.837s\nuser    0m5.648s\nsys 0m0.214s</code></pre>\n\n<p>Now pull out the <code>r</code> component of the ECDSA signature for that index, and convert it from hex to base 10.</p>\n\n<pre><code>$ jq '.r' ../sig_data/sig_data_847.json\n\"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67\"\n$ python -c \"print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67\"\n22111746808803128586382711090186612204136854333384650261207856620766542674791</code></pre>\n\n<p>Now run the <code>enum</code> tool to recover the nonce.</p>\n\n<pre><code>$ ./enum \nUsage: ./enum &lt;jobs_num&gt; &lt;jobs_id&gt; &lt;target_base_10&gt; space delimited flat list of factors in base ten</code></pre>\n\n<p>The <code>&lt;jobs_num&gt;</code> and <code>&lt;jobs_id&gt;</code> arguments are to ease parallel execution; read the source code. But for a single core, pass them as <code>1 0</code>.</p>\n\n<pre><code>$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195\n32841 572987990320782777757565685333349772719941819448953457732874126833\nINFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67\nINFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048\nINFO:tests:7879</code></pre>\n\n<p>where <code>221..791</code> is the base-10 <code>r</code> component of the ECDSA signature, and <code>2 2 .. 572..833</code> is the full list of blinded nonce factors. In the output:</p>\n\n<ul>\n\t<li><code>INFO:target:&lt;hex&gt;</code> is the hex form of base-10 target input (ECDSA <code>r</code> component).</li>\n\t<li><code>INFO:found:&lt;hex&gt;</code> is the hex form of the recovered ECDSA nonce.</li>\n\t<li><code>INFO:tests:&lt;num&gt;</code> is the number of tested nonce candidates (scalar multiplications).</li>\n</ul>\n\n<p>We can see this successfully recovered the nonce (hence long term ECDSA private key) correctly:</p>\n\n<pre><code>$ jq '.k' ../sig_data/sig_data_847.json\n\"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048\"</code></pre>", 
    "language": "eng", 
    "title": "CVE-2019-18222: research data and tooling", 
    "license": {
      "id": "MIT"
    }, 
    "relations": {
      "version": [
        {
          "count": 1, 
          "index": 0, 
          "parent": {
            "pid_type": "recid", 
            "pid_value": "3605804"
          }, 
          "is_last": true, 
          "last_child": {
            "pid_type": "recid", 
            "pid_value": "3605805"
          }
        }
      ]
    }, 
    "grants": [
      {
        "code": "804476", 
        "links": {
          "self": "https://zenodo.org/api/grants/10.13039/501100000780::804476"
        }, 
        "title": "Side-Channel Aware Engineering", 
        "acronym": "SCARE", 
        "program": "H2020", 
        "funder": {
          "doi": "10.13039/501100000780", 
          "acronyms": [], 
          "name": "European Commission", 
          "links": {
            "self": "https://zenodo.org/api/funders/10.13039/501100000780"
          }
        }
      }
    ], 
    "keywords": [
      "side-channel analysis", 
      "ECDSA", 
      "binary GCD", 
      "modular inversion", 
      "Intel SGX", 
      "mbedTLS"
    ], 
    "publication_date": "2020-01-13", 
    "creators": [
      {
        "orcid": "0000-0002-1544-6772", 
        "affiliation": "Tampere University", 
        "name": "Alejandro Cabrera Aldaya"
      }, 
      {
        "orcid": "0000-0001-9160-0463", 
        "affiliation": "Tampere University", 
        "name": "Billy Bob Brumley"
      }
    ], 
    "access_right": "open", 
    "resource_type": {
      "type": "dataset", 
      "title": "Dataset"
    }, 
    "related_identifiers": [
      {
        "scheme": "url", 
        "identifier": "https://eprint.iacr.org/2020/055", 
        "relation": "isCitedBy", 
        "resource_type": "publication-preprint"
      }, 
      {
        "scheme": "doi", 
        "identifier": "10.5281/zenodo.3605804", 
        "relation": "isVersionOf"
      }
    ]
  }
}
186
14
views
downloads
All versions This version
Views 186186
Downloads 1414
Data volume 18.1 MB18.1 MB
Unique views 164164
Unique downloads 1313

Share

Cite as