
From A to Z: Projective coordinates leakage in the wild: research data and tooling

Aldaya, Alejandro Cabrera; Pereida Garcia, Cesar; Brumley, Billy Bob


DCAT Export

<?xml version='1.0' encoding='utf-8'?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:adms="http://www.w3.org/ns/adms#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dct="http://purl.org/dc/terms/" xmlns:dctype="http://purl.org/dc/dcmitype/" xmlns:dcat="http://www.w3.org/ns/dcat#" xmlns:duv="http://www.w3.org/ns/duv#" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:frapo="http://purl.org/cerif/frapo/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:gsp="http://www.opengis.net/ont/geosparql#" xmlns:locn="http://www.w3.org/ns/locn#" xmlns:org="http://www.w3.org/ns/org#" xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:prov="http://www.w3.org/ns/prov#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:vcard="http://www.w3.org/2006/vcard/ns#" xmlns:wdrs="http://www.w3.org/2007/05/powder-s#">
  <rdf:Description rdf:about="https://doi.org/10.5281/zenodo.3752635">
    <rdf:type rdf:resource="http://www.w3.org/ns/dcat#Dataset"/>
    <dct:type rdf:resource="http://purl.org/dc/dcmitype/Dataset"/>
    <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#anyURI">https://doi.org/10.5281/zenodo.3752635</dct:identifier>
    <foaf:page rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
    <dct:creator>
      <rdf:Description rdf:about="http://orcid.org/0000-0002-1544-6772">
        <rdf:type rdf:resource="http://xmlns.com/foaf/0.1/Agent"/>
        <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">0000-0002-1544-6772</dct:identifier>
        <foaf:name>Aldaya, Alejandro Cabrera</foaf:name>
        <foaf:givenName>Alejandro Cabrera</foaf:givenName>
        <foaf:familyName>Aldaya</foaf:familyName>
        <org:memberOf>
          <foaf:Organization>
            <foaf:name>Tampere University</foaf:name>
          </foaf:Organization>
        </org:memberOf>
      </rdf:Description>
    </dct:creator>
    <dct:creator>
      <rdf:Description rdf:about="http://orcid.org/0000-0001-6812-8498">
        <rdf:type rdf:resource="http://xmlns.com/foaf/0.1/Agent"/>
        <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">0000-0001-6812-8498</dct:identifier>
        <foaf:name>Pereida Garcia, Cesar</foaf:name>
        <foaf:givenName>Cesar</foaf:givenName>
        <foaf:familyName>Pereida Garcia</foaf:familyName>
        <org:memberOf>
          <foaf:Organization>
            <foaf:name>Tampere University</foaf:name>
          </foaf:Organization>
        </org:memberOf>
      </rdf:Description>
    </dct:creator>
    <dct:creator>
      <rdf:Description rdf:about="http://orcid.org/0000-0001-9160-0463">
        <rdf:type rdf:resource="http://xmlns.com/foaf/0.1/Agent"/>
        <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">0000-0001-9160-0463</dct:identifier>
        <foaf:name>Brumley, Billy Bob</foaf:name>
        <foaf:givenName>Billy Bob</foaf:givenName>
        <foaf:familyName>Brumley</foaf:familyName>
        <org:memberOf>
          <foaf:Organization>
            <foaf:name>Tampere University</foaf:name>
          </foaf:Organization>
        </org:memberOf>
      </rdf:Description>
    </dct:creator>
    <dct:title>From A to Z: Projective coordinates leakage in the wild: research data and tooling</dct:title>
    <dct:publisher>
      <foaf:Agent>
        <foaf:name>Zenodo</foaf:name>
      </foaf:Agent>
    </dct:publisher>
    <dct:issued rdf:datatype="http://www.w3.org/2001/XMLSchema#gYear">2020</dct:issued>
    <dcat:keyword>side-channel analysis</dcat:keyword>
    <dcat:keyword>ECDSA</dcat:keyword>
    <dcat:keyword>CVE-2020-11735</dcat:keyword>
    <dcat:keyword>CVE-2020-10932</dcat:keyword>
    <dcat:keyword>applied cryptography</dcat:keyword>
    <dcat:keyword>libgcrypt</dcat:keyword>
    <dcat:keyword>mbedTLS</dcat:keyword>
    <dcat:keyword>WolfSSL</dcat:keyword>
    <frapo:isFundedBy rdf:resource="info:eu-repo/grantAgreement/EC/H2020/804476/"/>
    <schema:funder>
      <foaf:Organization>
        <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">10.13039/501100000780</dct:identifier>
        <foaf:name>European Commission</foaf:name>
      </foaf:Organization>
    </schema:funder>
    <dct:issued rdf:datatype="http://www.w3.org/2001/XMLSchema#date">2020-04-15</dct:issued>
    <owl:sameAs rdf:resource="https://zenodo.org/record/3752635"/>
    <adms:identifier>
      <adms:Identifier>
        <skos:notation rdf:datatype="http://www.w3.org/2001/XMLSchema#anyURI">https://zenodo.org/record/3752635</skos:notation>
        <adms:schemeAgency>url</adms:schemeAgency>
      </adms:Identifier>
    </adms:identifier>
    <dct:isVersionOf rdf:resource="https://doi.org/10.5281/zenodo.3752634"/>
    <owl:versionInfo>1</owl:versionInfo>
    <dct:description>&lt;p&gt;Description&lt;/p&gt; &lt;p&gt;This dataset and software tool are for reproducing the research results related to CVE-2020-10932 and CVE-2020-11735, resulting from the article &amp;quot;From A to Z: Projective coordinates leakage in the wild&amp;quot; (to appear at CHES 2020). The data was used to carry out the attack in Section 6 of the article.&lt;/p&gt; &lt;p&gt;Data format&lt;/p&gt; &lt;p&gt;txt files&lt;/p&gt; &lt;p&gt;The &lt;code&gt;[int].txt&lt;/code&gt; files contain an encoded page-fault trace prefixed by &lt;code&gt;trace:&lt;/code&gt;.&lt;/p&gt; &lt;p&gt;A trace represents the sequence of tracked memory pages that were executed during the generation of an ECDSA signature. The trace is encoded using ASCII characters for better visualization.&lt;/p&gt; &lt;p&gt;The encoding follows this table:&lt;/p&gt; &lt;pre&gt;&lt;code class="language-markdown"&gt;| Functions | Symbol | Page offset | | ---------------------- |:------:|:-------:| | _gcry_ecc_ecdsa_sign | T | 0xa1000 | | _gcry_mpi_invm | . | 0xcf000 | | _gcry_mpi_set | S | 0xd5000 | | _gcry_mpi_add | A | 0xcd000 | | _gcry_mpih_sub_n | - | 0xd8000 | | _gcry_mpih_rshift | - | 0xd8000 |&lt;/code&gt;&lt;/pre&gt; &lt;p&gt;&lt;code&gt;_gcry_ecc_ecdsa_sign&lt;/code&gt; is the highest level function tracked in the attack. This allows to differentiate different calls to the &lt;code&gt;_gcry_mpi_invm&lt;/code&gt; function which contains an insecure version of a Binary Extended Euclidean Algorithm (BEEA).&lt;/p&gt; &lt;p&gt;Using these pages it is possible to locate the execution of &lt;code&gt;_gcry_mpi_invm&lt;/code&gt; corresponding to the computation of &lt;code&gt;Z mod p&lt;/code&gt; during projective to affine coordinates conversion (see &lt;code&gt;preprocess_trace&lt;/code&gt; function).&lt;/p&gt; &lt;p&gt;It can be seen, that &lt;code&gt;_gcry_mpih_sub_n&lt;/code&gt; and &lt;code&gt;_gcry_mpih_rshift&lt;/code&gt; shares a page. 
However, they can be differentiated using mainly the caller memory page. This sharing, instead of being a drawback, allows a straightforward recovery of BEEA execution flow (see &lt;code&gt;extract_Zi&lt;/code&gt; and &lt;code&gt;extract_Xi&lt;/code&gt; functions in &lt;code&gt;recover_z.py&lt;/code&gt;).&lt;/p&gt; &lt;p&gt;dat files&lt;/p&gt; &lt;p&gt;The format of the &lt;code&gt;[int].dat&lt;/code&gt; files is as follows.&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;code&gt;# X [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt; &lt;li&gt;&lt;code&gt;# Y [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt; &lt;li&gt;&lt;code&gt;# Z [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt; &lt;li&gt;&lt;code&gt;# curve_name [str]&lt;/code&gt;: The curve (P256)&lt;/li&gt; &lt;li&gt;&lt;code&gt;# h [hex]&lt;/code&gt;: Hash of the message to be signed&lt;/li&gt; &lt;li&gt;&lt;code&gt;# k [hex]&lt;/code&gt;: Ground truth ECDSA nonce&lt;/li&gt; &lt;li&gt;&lt;code&gt;# q [hex]&lt;/code&gt;: Curve order&lt;/li&gt; &lt;li&gt;&lt;code&gt;# r [hex]&lt;/code&gt;: First component of the ECDSA signature&lt;/li&gt; &lt;li&gt;&lt;code&gt;# s [hex]&lt;/code&gt;: Second component of the ECDSA signature&lt;/li&gt; &lt;li&gt;&lt;code&gt;# x [hex]&lt;/code&gt;: Ground truth ECDSA private key&lt;/li&gt; &lt;li&gt;&lt;code&gt;# y [hex] [hex]&lt;/code&gt;: Public key coordinates&lt;/li&gt; &lt;li&gt;&lt;code&gt;# leak_pad [int],[int],[int]&lt;/code&gt;: Leakage recovered during backtracking. 
Example: &lt;code&gt;0,4,15 =&amp;gt; 0 = k % 2**4 = k &amp;amp; 15&lt;/code&gt;&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Tooling&lt;/p&gt; &lt;p&gt;The &lt;code&gt;recover_z.py&lt;/code&gt; script&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Loads a trace.&lt;/li&gt; &lt;li&gt;Recovers the corresponding Z coordinate from the trace data.&lt;/li&gt; &lt;li&gt;Verifies the recovered Z matches the ground truth Z.&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Example&lt;/p&gt; &lt;p&gt;Unpack the data:&lt;/p&gt; &lt;pre&gt;&lt;code&gt;tar xf traces.tar.gz&lt;/code&gt;&lt;/pre&gt; &lt;p&gt;Run the tooling on trace index 123:&lt;/p&gt; &lt;pre&gt;&lt;code&gt;$ python2 recover_z.py 123 INFO:recovered Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213 INFO: real Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213&lt;/code&gt;&lt;/pre&gt; &lt;p&gt;The output demonstrates the recovered Z coordinate is correct, i.e. matches the ground truth.&lt;/p&gt; &lt;p&gt;Credits&lt;/p&gt; &lt;p&gt;Authors&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)&lt;/li&gt; &lt;li&gt;Cesar Pereida Garc&amp;iacute;a (Tampere University, Tampere, Finland)&lt;/li&gt; &lt;li&gt;Billy Bob Brumley (Tampere University, Tampere, Finland)&lt;/li&gt; &lt;/ul&gt; &lt;p&gt;Funding&lt;/p&gt; &lt;p&gt;This project has received funding from the European Research Council (ERC) under the European Union&amp;rsquo;s Horizon 2020 research and innovation programme (grant agreement No 804476).&lt;/p&gt; &lt;p&gt;License&lt;/p&gt; &lt;p&gt;This project is distributed under the MIT license.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;</dct:description>
    <dct:accessRights rdf:resource="http://publications.europa.eu/resource/authority/access-right/PUBLIC"/>
    <dct:accessRights>
      <dct:RightsStatement rdf:about="info:eu-repo/semantics/openAccess">
        <rdfs:label>Open Access</rdfs:label>
      </dct:RightsStatement>
    </dct:accessRights>
    <dcat:distribution>
      <dcat:Distribution>
        <dct:rights>
          <dct:RightsStatement rdf:about="https://opensource.org/licenses/MIT">
            <rdfs:label>MIT License</rdfs:label>
          </dct:RightsStatement>
        </dct:rights>
        <dcat:accessURL rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
      </dcat:Distribution>
    </dcat:distribution>
    <dcat:distribution>
      <dcat:Distribution>
        <dcat:accessURL rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
        <dcat:byteSize>1124</dcat:byteSize>
        <dcat:downloadURL rdf:resource="https://zenodo.org/record/3752635/files/LICENSE"/>
      </dcat:Distribution>
    </dcat:distribution>
    <dcat:distribution>
      <dcat:Distribution>
        <dcat:accessURL rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
        <dcat:byteSize>3662</dcat:byteSize>
        <dcat:downloadURL rdf:resource="https://zenodo.org/record/3752635/files/README.md"/>
      </dcat:Distribution>
    </dcat:distribution>
    <dcat:distribution>
      <dcat:Distribution>
        <dcat:accessURL rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
        <dcat:byteSize>6597</dcat:byteSize>
        <dcat:downloadURL rdf:resource="https://zenodo.org/record/3752635/files/recover_z.py"/>
        <dcat:mediaType>text/x-python</dcat:mediaType>
      </dcat:Distribution>
    </dcat:distribution>
    <dcat:distribution>
      <dcat:Distribution>
        <dcat:accessURL rdf:resource="https://doi.org/10.5281/zenodo.3752635"/>
        <dcat:byteSize>193508598</dcat:byteSize>
        <dcat:downloadURL rdf:resource="https://zenodo.org/record/3752635/files/traces.tar.gz"/>
        <dcat:mediaType>application/x-tar</dcat:mediaType>
      </dcat:Distribution>
    </dcat:distribution>
  </rdf:Description>
  <foaf:Project rdf:about="info:eu-repo/grantAgreement/EC/H2020/804476/">
    <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">804476</dct:identifier>
    <dct:title>Side-Channel Aware Engineering</dct:title>
    <frapo:isAwardedBy>
      <foaf:Organization>
        <dct:identifier rdf:datatype="http://www.w3.org/2001/XMLSchema#string">10.13039/501100000780</dct:identifier>
        <foaf:name>European Commission</foaf:name>
      </foaf:Organization>
    </frapo:isAwardedBy>
  </foaf:Project>
</rdf:RDF>