Dataset Open Access

From A to Z: Projective coordinates leakage in the wild: research data and tooling

Aldaya, Alejandro Cabrera; Pereida Garcia, Cesar; Brumley, Billy Bob


MARC21 XML Export

<?xml version='1.0' encoding='UTF-8'?>
<record xmlns="http://www.loc.gov/MARC21/slim">
  <leader>00000nmm##2200000uu#4500</leader>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">side-channel analysis</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">ECDSA</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">CVE-2020-11735</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">CVE-2020-10932</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">applied cryptography</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">libgcrypt</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">mbedTLS</subfield>
  </datafield>
  <datafield tag="653" ind1=" " ind2=" ">
    <subfield code="a">WolfSSL</subfield>
  </datafield>
  <controlfield tag="005">20200415202018.0</controlfield>
  <controlfield tag="001">3752635</controlfield>
  <datafield tag="711" ind1=" " ind2=" ">
    <subfield code="d">14-17 September 2020</subfield>
    <subfield code="g">CHES 2020</subfield>
    <subfield code="a">Conference on Cryptographic Hardware and Embedded Systems 2020</subfield>
    <subfield code="c">Beijing, China</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Tampere University</subfield>
    <subfield code="0">(orcid)0000-0001-6812-8498</subfield>
    <subfield code="a">Pereida Garcia, Cesar</subfield>
  </datafield>
  <datafield tag="700" ind1=" " ind2=" ">
    <subfield code="u">Tampere University</subfield>
    <subfield code="0">(orcid)0000-0001-9160-0463</subfield>
    <subfield code="a">Brumley, Billy Bob</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">1124</subfield>
    <subfield code="z">md5:46c971b597a6751327dfae600179a44c</subfield>
    <subfield code="u">https://zenodo.org/record/3752635/files/LICENSE</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">3662</subfield>
    <subfield code="z">md5:1a4b348af35e74ba57e7f2f1acbab6b2</subfield>
    <subfield code="u">https://zenodo.org/record/3752635/files/README.md</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">6597</subfield>
    <subfield code="z">md5:3d3a4da0cae0c9fbe4124683d464c6bb</subfield>
    <subfield code="u">https://zenodo.org/record/3752635/files/recover_z.py</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="s">193508598</subfield>
    <subfield code="z">md5:07024dd8c23b52351c01991a3c7f6a7f</subfield>
    <subfield code="u">https://zenodo.org/record/3752635/files/traces.tar.gz</subfield>
  </datafield>
  <datafield tag="542" ind1=" " ind2=" ">
    <subfield code="l">open</subfield>
  </datafield>
  <datafield tag="856" ind1="4" ind2=" ">
    <subfield code="y">Conference website</subfield>
    <subfield code="u">https://ches.iacr.org/2020/</subfield>
  </datafield>
  <datafield tag="260" ind1=" " ind2=" ">
    <subfield code="c">2020-04-15</subfield>
  </datafield>
  <datafield tag="909" ind1="C" ind2="O">
    <subfield code="p">openaire_data</subfield>
    <subfield code="o">oai:zenodo.org:3752635</subfield>
  </datafield>
  <datafield tag="100" ind1=" " ind2=" ">
    <subfield code="u">Tampere University</subfield>
    <subfield code="0">(orcid)0000-0002-1544-6772</subfield>
    <subfield code="a">Aldaya, Alejandro Cabrera</subfield>
  </datafield>
  <datafield tag="245" ind1=" " ind2=" ">
    <subfield code="a">From A to Z: Projective coordinates leakage in the wild: research data and tooling</subfield>
  </datafield>
  <datafield tag="536" ind1=" " ind2=" ">
    <subfield code="c">804476</subfield>
    <subfield code="a">Side-Channel Aware Engineering</subfield>
  </datafield>
  <datafield tag="540" ind1=" " ind2=" ">
    <subfield code="u">https://opensource.org/licenses/MIT</subfield>
    <subfield code="a">MIT License</subfield>
  </datafield>
  <datafield tag="650" ind1="1" ind2="7">
    <subfield code="a">cc-by</subfield>
    <subfield code="2">opendefinition.org</subfield>
  </datafield>
  <datafield tag="520" ind1=" " ind2=" ">
    <subfield code="a">&lt;p&gt;Description&lt;/p&gt;

&lt;p&gt;This dataset and software tool are for reproducing the research results related to CVE-2020-10932 and CVE-2020-11735, resulting from the article &amp;quot;From A to Z: Projective coordinates leakage in the wild&amp;quot; (to appear at CHES 2020). The data was used to carry out the attack in Section 6 of the article.&lt;/p&gt;

&lt;p&gt;Data format&lt;/p&gt;

&lt;p&gt;txt files&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;[int].txt&lt;/code&gt; files contain an encoded page-fault trace prefixed by &lt;code&gt;trace:&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;A trace represents the sequence of tracked memory pages that were executed during the generation of an ECDSA signature. The trace is encoded using ASCII characters for better visualization.&lt;/p&gt;

&lt;p&gt;The encoding follows this table:&lt;/p&gt;

&lt;pre&gt;&lt;code class="language-markdown"&gt;| Functions              | Symbol | Page offset |
| ---------------------- |:------:|:-------:|
| _gcry_ecc_ecdsa_sign   |    T   | 0xa1000 |
| _gcry_mpi_invm         |    .   | 0xcf000 |
| _gcry_mpi_set          |    S   | 0xd5000 |
| _gcry_mpi_add          |    A   | 0xcd000 |
| _gcry_mpih_sub_n       |    -   | 0xd8000 |
| _gcry_mpih_rshift      |    -   | 0xd8000 |&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;code&gt;_gcry_ecc_ecdsa_sign&lt;/code&gt; is the highest-level function tracked in the attack. Tracking it makes it possible to distinguish the separate calls to the &lt;code&gt;_gcry_mpi_invm&lt;/code&gt; function, which contains an insecure version of a Binary Extended Euclidean Algorithm (BEEA).&lt;/p&gt;

&lt;p&gt;Using these pages it is possible to locate the execution of &lt;code&gt;_gcry_mpi_invm&lt;/code&gt; corresponding to the computation of &lt;code&gt;Z mod p&lt;/code&gt; during projective to affine coordinates conversion (see &lt;code&gt;preprocess_trace&lt;/code&gt; function).&lt;/p&gt;

&lt;p&gt;Note that &lt;code&gt;_gcry_mpih_sub_n&lt;/code&gt; and &lt;code&gt;_gcry_mpih_rshift&lt;/code&gt; share a page. They can nevertheless be told apart, mainly by the memory page of their caller. Rather than being a drawback, this sharing allows a straightforward recovery of the BEEA execution flow (see the &lt;code&gt;extract_Zi&lt;/code&gt; and &lt;code&gt;extract_Xi&lt;/code&gt; functions in &lt;code&gt;recover_z.py&lt;/code&gt;).&lt;/p&gt;

&lt;p&gt;dat files&lt;/p&gt;

&lt;p&gt;The format of the &lt;code&gt;[int].dat&lt;/code&gt; files is as follows.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;# X [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# Y [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# Z [hex]&lt;/code&gt;: Ground truth projective output of scalar multiplication, before affine conversion&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# curve_name [str]&lt;/code&gt;: The curve (P256)&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# h [hex]&lt;/code&gt;: Hash of the message to be signed&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# k [hex]&lt;/code&gt;: Ground truth ECDSA nonce&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# q [hex]&lt;/code&gt;: Curve order&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# r [hex]&lt;/code&gt;: First component of the ECDSA signature&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# s [hex]&lt;/code&gt;: Second component of the ECDSA signature&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# x [hex]&lt;/code&gt;: Ground truth ECDSA private key&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# y [hex] [hex]&lt;/code&gt;: Public key coordinates&lt;/li&gt;
	&lt;li&gt;&lt;code&gt;# leak_pad [int],[int],[int]&lt;/code&gt;: Leakage recovered during backtracking. Example: &lt;code&gt;0,4,15 =&amp;gt; 0 = k % 2**4 = k &amp;amp; 15&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Tooling&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;recover_z.py&lt;/code&gt; script&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Loads a trace.&lt;/li&gt;
	&lt;li&gt;Recovers the corresponding Z coordinate from the trace data.&lt;/li&gt;
	&lt;li&gt;Verifies that the recovered Z matches the ground truth Z.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Example&lt;/p&gt;

&lt;p&gt;Unpack the data:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;tar xf traces.tar.gz&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Run the tooling on trace index 123:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;$ python2 recover_z.py 123
INFO:recovered Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213
INFO:     real Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The output demonstrates the recovered Z coordinate is correct, i.e. matches the ground truth.&lt;/p&gt;

&lt;p&gt;Credits&lt;/p&gt;

&lt;p&gt;Authors&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Cesar Pereida Garc&amp;iacute;a (Tampere University, Tampere, Finland)&lt;/li&gt;
	&lt;li&gt;Billy Bob Brumley (Tampere University, Tampere, Finland)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Funding&lt;/p&gt;

&lt;p&gt;This project has received funding from the European Research Council (ERC) under the European Union&amp;rsquo;s Horizon 2020 research and innovation programme (grant agreement No 804476).&lt;/p&gt;

&lt;p&gt;License&lt;/p&gt;

&lt;p&gt;This project is distributed under the MIT license.&lt;/p&gt;</subfield>
  </datafield>
  <datafield tag="773" ind1=" " ind2=" ">
    <subfield code="n">doi</subfield>
    <subfield code="i">isVersionOf</subfield>
    <subfield code="a">10.5281/zenodo.3752634</subfield>
  </datafield>
  <datafield tag="024" ind1=" " ind2=" ">
    <subfield code="a">10.5281/zenodo.3752635</subfield>
    <subfield code="2">doi</subfield>
  </datafield>
  <datafield tag="980" ind1=" " ind2=" ">
    <subfield code="a">dataset</subfield>
  </datafield>
</record>