Dataset Open Access

CVE-2019-18222: research data and tooling

Alejandro Cabrera Aldaya; Billy Bob Brumley


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nmm##2200000uu#4500</leader>
  <datafield tag="041" ind1=" " ind2=" ">
    <subfield code="a">eng</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">side-channel analysis</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">ECDSA</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">binary GCD</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">modular inversion</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">Intel SGX</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">mbedTLS</subfield>
  </datafield>
  <controlfield tag="005">20200124192616.0</controlfield>
  <controlfield tag="001">3605805</controlfield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Tampere University</subfield>
    <subfield code="0">(orcid)0000-0001-9160-0463</subfield>
    <subfield code="a">Billy Bob Brumley</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">1295611</subfield>
    <subfield code="z">md5:a73cffa5165ba847fb525f545b398be5</subfield>
    <subfield code="u">https://zenodo.org/record/3605805/files/research_data.zip</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2020-01-13</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire_data</subfield>
    <subfield code="o">oai:zenodo.org:3605805</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">Tampere University</subfield>
    <subfield code="0">(orcid)0000-0002-1544-6772</subfield>
    <subfield code="a">Alejandro Cabrera Aldaya</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">CVE-2019-18222: research data and tooling</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">804476</subfield>
    <subfield code="a">Side-Channel Aware Engineering</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">https://opensource.org/licenses/MIT</subfield>
    <subfield code="a">MIT License</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;This dataset and software tool are for reproducing the research results related to CVE-2019-18222.&lt;/p&gt;

&lt;p&gt;Description&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;enum&lt;/code&gt; contains the key enumeration tool.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;kt_candidates&lt;/code&gt; contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;code&gt;kt_candidates&lt;/code&gt;: list of nonce candidates.&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;sig_data&lt;/code&gt; contains the JSON for ECDSA signatures, indexed by trial number. JSON fields:&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;code&gt;p&lt;/code&gt;: the prime the curve is defined over. (P-256 here.)&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;Gx&lt;/code&gt;, &lt;code&gt;Gy&lt;/code&gt;: Generator coordinates.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;d&lt;/code&gt;: Ground truth ECDSA long term key.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;Px&lt;/code&gt;, &lt;code&gt;Py&lt;/code&gt;: Public key coordinates.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;h&lt;/code&gt;: SHA-256 digest to sign, encoded to the finite field.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;k&lt;/code&gt;: Ground truth ECDSA nonce.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;r&lt;/code&gt;, &lt;code&gt;s&lt;/code&gt;: ECDSA signature.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Build&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;cd enum
make clean
make&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Run&lt;/p&gt;

&lt;p&gt;Start with &lt;code&gt;enum&lt;/code&gt; as the working directory.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;cd enum&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Pull out a &lt;code&gt;kt&lt;/code&gt; candidate, in this example index 847.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json
[
  "0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0"
]&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Factor that candidate.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys 0m0.214s&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now pull out the &lt;code&gt;r&lt;/code&gt; component of the ECDSA signature for that index, and convert it from hex to base 10.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.r' ../sig_data/sig_data_847.json
"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
22111746808803128586382711090186612204136854333384650261207856620766542674791&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now run the &lt;code&gt;enum&lt;/code&gt; tool to recover the nonce.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ ./enum 
Usage: ./enum &amp;lt;jobs_num&amp;gt; &amp;lt;jobs_id&amp;gt; &amp;lt;target_base_10&amp;gt; space delimited flat list of factors in base ten&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The &lt;code&gt;&amp;lt;jobs_num&amp;gt;&lt;/code&gt; and &lt;code&gt;&amp;lt;jobs_id&amp;gt;&lt;/code&gt; arguments are to ease parallel execution; read the source code. But for a single core, pass them as &lt;code&gt;1 0&lt;/code&gt;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 283135469779419532841 572987990320782777757565685333349772719941819448953457732874126833
INFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67
INFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048
INFO:tests:7879&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;where &lt;code&gt;221..791&lt;/code&gt; is the base-10 &lt;code&gt;r&lt;/code&gt; component of the ECDSA signature, and &lt;code&gt;2 2 .. 572..833&lt;/code&gt; is the full list of blinded nonce factors. In the output:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;INFO:target:&amp;lt;hex&amp;gt;&lt;/code&gt; is the hex form of the base-10 target input (the ECDSA &lt;code&gt;r&lt;/code&gt; component).&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;INFO:found:&amp;lt;hex&amp;gt;&lt;/code&gt; is the hex form of the recovered ECDSA nonce.&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;INFO:tests:&amp;lt;num&amp;gt;&lt;/code&gt; is the number of tested nonce candidates (scalar multiplications).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We can see that this recovered the nonce (and hence the long term ECDSA private key) correctly:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ jq '.k' ../sig_data/sig_data_847.json
"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048"&lt;/code&gt;&lt;/pre&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">url</subfield>
    <subfield code="i">isCitedBy</subfield>
    <subfield code="a">https://eprint.iacr.org/2020/055</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isVersionOf</subfield>
    <subfield code="a">10.5281/zenodo.3605804</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.3605805</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">dataset</subfield>
  </datafield>
</record>