Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley


JSON-LD (schema.org) Export

{
  "inLanguage": {
    "alternateName": "eng", 
    "@type": "Language", 
    "name": "English"
  }, 
  "description": "<p>This dataset and software tool are for reproducing the research results related to CVE-2019-18222.</p>\n\n<p>Description</p>\n\n<ul>\n\t<li><code>enum</code> contains the key enumeration tool.</li>\n\t<li><code>kt_candidates</code> contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:</li>\n</ul>\n\n<ol>\n\t<li><code>kt_candidates</code>: list of nonce candidates.</li>\n</ol>\n\n<ul>\n\t<li><code>sig_data</code> contains the JSON for ECDSA signatures, indexed by trial number. JSON fields:</li>\n</ul>\n\n<ol>\n\t<li><code>p</code>: the prime the curve is defined over. (P-256 here.)</li>\n\t<li><code>Gx</code>, <code>Gy</code>: Generator coordinates.</li>\n\t<li><code>d</code>: Ground truth ECDSA long term key.</li>\n\t<li><code>Px</code>, <code>Py</code>: Public key coordinates.</li>\n\t<li><code>h</code>: SHA-256 digest to sign, encoded to the finite field.</li>\n\t<li><code>k</code>: Ground truth ECDSA nonce.</li>\n\t<li><code>r</code>, <code>s</code>: ECDSA signature.</li>\n</ol>\n\n<p>Build</p>\n\n<pre><code>cd enum\nmake clean\nmake</code></pre>\n\n<p>Run</p>\n\n<p>Start with <code>enum</code> as the working directory.</p>\n\n<pre><code>cd enum</code></pre>\n\n<p>Pull out a <code>kt</code> candidate, in this example index 847.</p>\n\n<pre><code>$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json\n[\n  \"0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0\"\n]</code></pre>\n\n<p>Factor that candidate.</p>\n\n<pre><code>$ time sage -c \"print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)\"\n[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]\n\nreal    0m5.837s\nuser    0m5.648s\nsys     0m0.214s</code></pre>\n\n<p>Now pull out the <code>r</code> component of the ECDSA signature for that index, and convert it from hex to base 10.</p>\n\n<pre><code>$ jq '.r' ../sig_data/sig_data_847.json\n\"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67\"\n$ python -c \"print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67\"\n22111746808803128586382711090186612204136854333384650261207856620766542674791</code></pre>\n\n<p>Now run the <code>enum</code> tool to recover the nonce.</p>\n\n<pre><code>$ ./enum \nUsage: ./enum &lt;jobs_num&gt; &lt;jobs_id&gt; &lt;target_base_10&gt; space delimited flat list of factors in base ten</code></pre>\n\n<p>The <code>&lt;jobs_num&gt;</code> and <code>&lt;jobs_id&gt;</code> arguments are to ease parallel execution; read the source code. But for a single core, pass them as <code>1 0</code>.</p>\n\n<pre><code>$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195\n32841 572987990320782777757565685333349772719941819448953457732874126833\nINFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67\nINFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048\nINFO:tests:7879</code></pre>\n\n<p>where <code>221..791</code> is the base-10 <code>r</code> component of the ECDSA signature, and <code>2 2 .. 572..833</code> is the full list of blinded nonce factors. In the output:</p>\n\n<ul>\n\t<li><code>INFO:target:&lt;hex&gt;</code> is the hex form of base-10 target input (ECDSA <code>r</code> component).</li>\n\t<li><code>INFO:found:&lt;hex&gt;</code> is the hex form of the recovered ECDSA nonce.</li>\n\t<li><code>INFO:tests:&lt;num&gt;</code> is the number of tested nonce candidates (scalar multiplications).</li>\n</ul>\n\n<p>We can see this successfully recovered the nonce (hence long term ECDSA private key) correctly:</p>\n\n<pre><code>$ jq '.k' ../sig_data/sig_data_847.json\n\"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048\"</code></pre>", 
  "license": "https://opensource.org/licenses/MIT", 
  "creator": [
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0002-1544-6772", 
      "@type": "Person", 
      "name": "Alejandro Cabrera Aldaya"
    }, 
    {
      "affiliation": "Tampere University", 
      "@id": "https://orcid.org/0000-0001-9160-0463", 
      "@type": "Person", 
      "name": "Billy Bob Brumley"
    }
  ], 
  "url": "https://zenodo.org/record/3605805", 
  "datePublished": "2020-01-13", 
  "keywords": [
    "side-channel analysis", 
    "ECDSA", 
    "binary GCD", 
    "modular inversion", 
    "Intel SGX", 
    "mbedTLS"
  ], 
  "@context": "https://schema.org/", 
  "distribution": [
    {
      "contentUrl": "https://zenodo.org/api/files/230d0289-1684-4cb4-8355-4bf1d11f437a/research_data.zip", 
      "encodingFormat": "zip", 
      "@type": "DataDownload"
    }
  ], 
  "identifier": "https://doi.org/10.5281/zenodo.3605805", 
  "@id": "https://doi.org/10.5281/zenodo.3605805", 
  "@type": "Dataset", 
  "name": "CVE-2019-18222: research data and tooling"
}