Dataset Open Access

From A to Z: Projective coordinates leakage in the wild: research data and tooling

Aldaya, Alejandro Cabrera; Pereida Garcia, Cesar; Brumley, Billy Bob
JSON Export

{
  "files": [
    {
      "links": {
        "self": "https://zenodo.org/api/files/bfe2f08a-0c31-431e-ba96-08c0ec74ddb8/LICENSE"
      }, 
      "checksum": "md5:46c971b597a6751327dfae600179a44c", 
      "bucket": "bfe2f08a-0c31-431e-ba96-08c0ec74ddb8", 
      "key": "LICENSE", 
      "type": "", 
      "size": 1124
    }, 
    {
      "links": {
        "self": "https://zenodo.org/api/files/bfe2f08a-0c31-431e-ba96-08c0ec74ddb8/README.md"
      }, 
      "checksum": "md5:1a4b348af35e74ba57e7f2f1acbab6b2", 
      "bucket": "bfe2f08a-0c31-431e-ba96-08c0ec74ddb8", 
      "key": "README.md", 
      "type": "md", 
      "size": 3662
    }, 
    {
      "links": {
        "self": "https://zenodo.org/api/files/bfe2f08a-0c31-431e-ba96-08c0ec74ddb8/recover_z.py"
      }, 
      "checksum": "md5:3d3a4da0cae0c9fbe4124683d464c6bb", 
      "bucket": "bfe2f08a-0c31-431e-ba96-08c0ec74ddb8", 
      "key": "recover_z.py", 
      "type": "py", 
      "size": 6597
    }, 
    {
      "links": {
        "self": "https://zenodo.org/api/files/bfe2f08a-0c31-431e-ba96-08c0ec74ddb8/traces.tar.gz"
      }, 
      "checksum": "md5:07024dd8c23b52351c01991a3c7f6a7f", 
      "bucket": "bfe2f08a-0c31-431e-ba96-08c0ec74ddb8", 
      "key": "traces.tar.gz", 
      "type": "gz", 
      "size": 193508598
    }
  ], 
  "owners": [
    98135
  ], 
  "doi": "10.5281/zenodo.3752635", 
  "stats": {
    "version_unique_downloads": 22.0, 
    "unique_views": 123.0, 
    "views": 140.0, 
    "version_views": 140.0, 
    "unique_downloads": 22.0, 
    "version_unique_views": 123.0, 
    "volume": 2322266013.0, 
    "version_downloads": 47.0, 
    "downloads": 47.0, 
    "version_volume": 2322266013.0
  }, 
  "links": {
    "doi": "https://doi.org/10.5281/zenodo.3752635", 
    "conceptdoi": "https://doi.org/10.5281/zenodo.3752634", 
    "bucket": "https://zenodo.org/api/files/bfe2f08a-0c31-431e-ba96-08c0ec74ddb8", 
    "conceptbadge": "https://zenodo.org/badge/doi/10.5281/zenodo.3752634.svg", 
    "html": "https://zenodo.org/record/3752635", 
    "latest_html": "https://zenodo.org/record/3752635", 
    "badge": "https://zenodo.org/badge/doi/10.5281/zenodo.3752635.svg", 
    "latest": "https://zenodo.org/api/records/3752635"
  }, 
  "conceptdoi": "10.5281/zenodo.3752634", 
  "created": "2020-04-15T09:39:55.146719+00:00", 
  "updated": "2020-04-15T20:20:18.505144+00:00", 
  "conceptrecid": "3752634", 
  "revision": 2, 
  "id": 3752635, 
  "metadata": {
    "access_right_category": "success", 
    "doi": "10.5281/zenodo.3752635", 
    "version": "1", 
    "license": {
      "id": "MIT"
    }, 
    "title": "From A to Z: Projective coordinates leakage in the wild: research data and tooling", 
    "related_identifiers": [
      {
        "scheme": "doi", 
        "identifier": "10.5281/zenodo.3752634", 
        "relation": "isVersionOf"
      }
    ], 
    "relations": {
      "version": [
        {
          "count": 1, 
          "index": 0, 
          "parent": {
            "pid_type": "recid", 
            "pid_value": "3752634"
          }, 
          "is_last": true, 
          "last_child": {
            "pid_type": "recid", 
            "pid_value": "3752635"
          }
        }
      ]
    }, 
    "grants": [
      {
        "code": "804476", 
        "links": {
          "self": "https://zenodo.org/api/grants/10.13039/501100000780::804476"
        }, 
        "title": "Side-Channel Aware Engineering", 
        "acronym": "SCARE", 
        "program": "H2020", 
        "funder": {
          "doi": "10.13039/501100000780", 
          "acronyms": [], 
          "name": "European Commission", 
          "links": {
            "self": "https://zenodo.org/api/funders/10.13039/501100000780"
          }
        }
      }
    ], 
    "keywords": [
      "side-channel analysis", 
      "ECDSA", 
      "CVE-2020-11735", 
      "CVE-2020-10932", 
      "applied cryptography", 
      "libgcrypt", 
      "mbedTLS", 
      "WolfSSL"
    ], 
    "publication_date": "2020-04-15", 
    "creators": [
      {
        "orcid": "0000-0002-1544-6772", 
        "affiliation": "Tampere University", 
        "name": "Aldaya, Alejandro Cabrera"
      }, 
      {
        "orcid": "0000-0001-6812-8498", 
        "affiliation": "Tampere University", 
        "name": "Pereida Garcia, Cesar"
      }, 
      {
        "orcid": "0000-0001-9160-0463", 
        "affiliation": "Tampere University", 
        "name": "Brumley, Billy Bob"
      }
    ], 
    "meeting": {
      "acronym": "CHES 2020", 
      "url": "https://ches.iacr.org/2020/", 
      "dates": "14-17 September 2020", 
      "place": "Beijing, China", 
      "title": "Conference on Cryptographic Hardware and Embedded Systems 2020"
    }, 
    "access_right": "open", 
    "resource_type": {
      "type": "dataset", 
      "title": "Dataset"
    }, 
    "description": "<p>Description</p>\n\n<p>This dataset and software tool are for reproducing the research results related to CVE-2020-10932 and CVE-2020-11735, resulting from the article &quot;From A to Z: Projective coordinates leakage in the wild&quot; (to appear at CHES 2020). The data was used to carry out the attack in Section 6 of the article.</p>\n\n<p>Data format</p>\n\n<p>txt files</p>\n\n<p>The <code>[int].txt</code> files contain an encoded page-fault trace prefixed by <code>trace:</code>.</p>\n\n<p>A trace represents the sequence of tracked memory pages that were executed during the generation of an ECDSA signature. The trace is encoded using ASCII characters for better visualization.</p>\n\n<p>The encoding follows this table:</p>\n\n<pre><code class=\"language-markdown\">| Functions              | Symbol | Page offset |\n| ---------------------- |:------:|:-------:|\n| _gcry_ecc_ecdsa_sign   |    T   | 0xa1000 |\n| _gcry_mpi_invm         |    .   | 0xcf000 |\n| _gcry_mpi_set          |    S   | 0xd5000 |\n| _gcry_mpi_add          |    A   | 0xcd000 |\n| _gcry_mpih_sub_n       |    -   | 0xd8000 |\n| _gcry_mpih_rshift      |    -   | 0xd8000 |</code></pre>\n\n<p><code>_gcry_ecc_ecdsa_sign</code> is the highest level function tracked in the attack. This makes it possible to distinguish the different calls to the <code>_gcry_mpi_invm</code> function, which contains an insecure version of a Binary Extended Euclidean Algorithm (BEEA).</p>\n\n<p>Using these pages it is possible to locate the execution of <code>_gcry_mpi_invm</code> corresponding to the computation of <code>Z mod p</code> during projective to affine coordinates conversion (see the <code>preprocess_trace</code> function).</p>\n\n<p>It can be seen that <code>_gcry_mpih_sub_n</code> and <code>_gcry_mpih_rshift</code> share a page. However, they can be differentiated mainly by using the caller memory page. This sharing, instead of being a drawback, allows a straightforward recovery of the BEEA execution flow (see the <code>extract_Zi</code> and <code>extract_Xi</code> functions in <code>recover_z.py</code>).</p>\n\n<p>dat files</p>\n\n<p>The format of the <code>[int].dat</code> files is as follows.</p>\n\n<ul>\n\t<li><code># X [hex]</code>: Ground truth projective output of scalar multiplication, before affine conversion</li>\n\t<li><code># Y [hex]</code>: Ground truth projective output of scalar multiplication, before affine conversion</li>\n\t<li><code># Z [hex]</code>: Ground truth projective output of scalar multiplication, before affine conversion</li>\n\t<li><code># curve_name [str]</code>: The curve (P256)</li>\n\t<li><code># h [hex]</code>: Hash of the message to be signed</li>\n\t<li><code># k [hex]</code>: Ground truth ECDSA nonce</li>\n\t<li><code># q [hex]</code>: Curve order</li>\n\t<li><code># r [hex]</code>: First component of the ECDSA signature</li>\n\t<li><code># s [hex]</code>: Second component of the ECDSA signature</li>\n\t<li><code># x [hex]</code>: Ground truth ECDSA private key</li>\n\t<li><code># y [hex] [hex]</code>: Public key coordinates</li>\n\t<li><code># leak_pad [int],[int],[int]</code>: Leakage recovered during backtracking. Example: <code>0,4,15 =&gt; 0 = k % 2**4 = k &amp; 15</code></li>\n</ul>\n\n<p>Tooling</p>\n\n<p>The <code>recover_z.py</code> script</p>\n\n<ul>\n\t<li>Loads a trace.</li>\n\t<li>Recovers the corresponding Z coordinate from the trace data.</li>\n\t<li>Verifies that the recovered Z matches the ground truth Z.</li>\n</ul>\n\n<p>Example</p>\n\n<p>Unpack the data:</p>\n\n<pre><code>tar xf traces.tar.gz</code></pre>\n\n<p>Run the tooling on trace index 123:</p>\n\n<pre><code>$ python2 recover_z.py 123\nINFO:recovered Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213\nINFO:     real Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213</code></pre>\n\n<p>The output demonstrates that the recovered Z coordinate is correct, i.e. it matches the ground truth.</p>\n\n<p>Credits</p>\n\n<p>Authors</p>\n\n<ul>\n\t<li>Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)</li>\n\t<li>Cesar Pereida Garc&iacute;a (Tampere University, Tampere, Finland)</li>\n\t<li>Billy Bob Brumley (Tampere University, Tampere, Finland)</li>\n</ul>\n\n<p>Funding</p>\n\n<p>This project has received funding from the European Research Council (ERC) under the European Union&rsquo;s Horizon 2020 research and innovation programme (grant agreement No 804476).</p>\n\n<p>License</p>\n\n<p>This project is distributed under the MIT license.</p>"
  }
}