## Description
This dataset and software tool are for reproducing the research results related to CVE-2020-10932 and CVE-2020-11735, from the article "From A to Z: Projective coordinates leakage in the wild" (to appear at CHES 2020). The data was used to carry out the attack in Section 6 of the article.
## Data format
### txt files
The `[int].txt` files contain an encoded page-fault trace prefixed by `trace:`.
A trace represents the sequence of tracked memory pages that were executed during
the generation of an ECDSA signature.
The trace is encoded using ASCII characters for better visualization.
The encoding follows this table:
| Functions | Symbol | Page offset |
| ---------------------- |:------:|:-------:|
| _gcry_ecc_ecdsa_sign | T | 0xa1000 |
| _gcry_mpi_invm | . | 0xcf000 |
| _gcry_mpi_set | S | 0xd5000 |
| _gcry_mpi_add | A | 0xcd000 |
| _gcry_mpih_sub_n | - | 0xd8000 |
| _gcry_mpih_rshift | - | 0xd8000 |
`_gcry_ecc_ecdsa_sign` is the highest-level function tracked in the attack.
It makes it possible to distinguish the different calls to the `_gcry_mpi_invm` function,
which contains an insecure implementation of the Binary Extended Euclidean Algorithm (BEEA).
Using these pages it is possible to locate the execution of `_gcry_mpi_invm`
corresponding to the computation of `Z mod p` during the projective-to-affine coordinate conversion (see the `preprocess_trace` function).
Note that `_gcry_mpih_sub_n` and `_gcry_mpih_rshift` share a page.
However, they can be distinguished, mainly by the memory page of the caller.
Rather than being a drawback, this sharing allows a straightforward recovery of the BEEA execution flow (see the `extract_Zi` and `extract_Xi` functions in `recover_z.py`).
### dat files
The format of the `[int].dat` files is as follows.
* `# X [hex]`: Ground truth projective output of scalar multiplication, before affine conversion
* `# Y [hex]`: Ground truth projective output of scalar multiplication, before affine conversion
* `# Z [hex]`: Ground truth projective output of scalar multiplication, before affine conversion
* `# curve_name [str]`: The curve (P256)
* `# h [hex]`: Hash of the message to be signed
* `# k [hex]`: Ground truth ECDSA nonce
* `# q [hex]`: Curve order
* `# r [hex]`: First component of the ECDSA signature
* `# s [hex]`: Second component of the ECDSA signature
* `# x [hex]`: Ground truth ECDSA private key
* `# y [hex] [hex]`: Public key coordinates
* `# leak_pad [int],[int],[int]`: Leakage recovered during backtracking. Example: `0,4,15 => 0 = k % 2**4 = k & 15`
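As an added example (not the dataset's own `recover_z.py`), the following Python 3 code reads the two file formats described above: it decodes the trace symbols from the table in the "txt files" section and parses the `# key value` records of the "dat files" section. It then runs two consistency checks on a record: that `leak_pad` agrees with the ground-truth nonce (`0,4,15` means `k & 15 == 0`), and that `s` satisfies the standard ECDSA equation `s = k^-1 (h + r*x) mod q` using only the scalar fields. The exact whitespace layout of the `.dat` lines is assumed from the README; the sample trace and record are constructed, the `X`/`Y`/`Z`/`y` values in the sample are dummies (not real curve points), and `r` is not derived from `kG`, so only the scalar relation is checked.

```python
# Added example, not part of the dataset's recover_z.py: a reader for the
# [int].txt trace encoding and [int].dat ground-truth records, plus two
# consistency checks. Layout of ".dat" lines ("# key value ...") is assumed;
# every sample value below is constructed for illustration.

# P-256 group order (public curve constant), used as q in the sample record.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Trace symbol table from the README; '-' is shared by two functions on one page.
SYMBOL_TO_FUNCTIONS = {
    "T": ("_gcry_ecc_ecdsa_sign",),
    ".": ("_gcry_mpi_invm",),
    "S": ("_gcry_mpi_set",),
    "A": ("_gcry_mpi_add",),
    "-": ("_gcry_mpih_sub_n", "_gcry_mpih_rshift"),
}


def decode_trace(text):
    """Return the page-hit sequence as function-name tuples; reject unknown symbols."""
    body = text.strip()
    if not body.startswith("trace:"):
        raise ValueError("trace file must start with 'trace:'")
    symbols = body[len("trace:"):].strip()
    unknown = sorted(set(symbols) - set(SYMBOL_TO_FUNCTIONS))
    if unknown:
        raise ValueError("unknown trace symbols: %r" % unknown)
    return [SYMBOL_TO_FUNCTIONS[c] for c in symbols]


def parse_dat(text):
    """Parse '# key value ...' lines into a dict of int / str / tuple values."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue
        tokens = line[1:].split()
        if not tokens:
            continue
        key, vals = tokens[0], tokens[1:]
        if key == "curve_name":
            rec[key] = vals[0]
        elif key == "leak_pad":            # "value,bits,mask"
            rec[key] = tuple(int(v) for v in vals[0].split(","))
        elif key == "y":                   # two hex coordinates
            rec[key] = tuple(int(v, 16) for v in vals)
        else:                              # single hex value
            rec[key] = int(vals[0], 16)
    return rec


def check_leak_pad(rec):
    """leak_pad (value, bits, mask) must satisfy mask == 2**bits - 1 and k & mask == value."""
    value, bits, mask = rec["leak_pad"]
    return mask == (1 << bits) - 1 and (rec["k"] & mask) == value


def check_ecdsa_relation(rec):
    """Standard ECDSA equation s = k^-1 * (h + r*x) mod q on the scalar fields only."""
    q = rec["q"]
    expected = (pow(rec["k"], -1, q) * (rec["h"] + rec["r"] * rec["x"])) % q
    return expected == rec["s"]


def make_sample_dat(k, x, h, r, leak_pad="0,4,15", q=P256_ORDER):
    """Build a constructed .dat record whose s is consistent with k, x, h, r.
    X/Y/Z/y are dummy fillers, not real curve points."""
    s = (pow(k, -1, q) * (h + r * x)) % q
    lines = [
        "# X 11", "# Y 22", "# Z 33",
        "# curve_name P256",
        "# h %x" % h, "# k %x" % k, "# q %x" % q,
        "# r %x" % r, "# s %x" % s, "# x %x" % x,
        "# y 44 55",
        "# leak_pad %s" % leak_pad,
    ]
    return "\n".join(lines) + "\n"


def validate_record(dat_text):
    """Run both checks on a .dat record; returns (leak_pad_ok, ecdsa_ok)."""
    rec = parse_dat(dat_text)
    return check_leak_pad(rec), check_ecdsa_relation(rec)


# Constructed sample values: k ends in a zero nibble, so leak_pad 0,4,15 holds.
SAMPLE_K, SAMPLE_X, SAMPLE_H, SAMPLE_R = 0x1C0FFEE0, 0x0BADF00D, 0xDEADBEEF, 0x1234ABCD
SAMPLE_DAT = make_sample_dat(SAMPLE_K, SAMPLE_X, SAMPLE_H, SAMPLE_R)
SAMPLE_TRACE = "trace:TS.A---.-S\n"  # constructed, not a real dataset trace

if __name__ == "__main__":
    print(decode_trace(SAMPLE_TRACE))
    print(validate_record(SAMPLE_DAT))
```

Running a real `[int].dat` through `validate_record` before using it as ground truth catches a truncated or mis-parsed record early; a `False` from `check_leak_pad` on genuine data would indicate that the backtracking leakage disagrees with the nonce, which is worth investigating before attributing a failure to `recover_z.py`.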
## Tooling
The `recover_z.py` script:
* Loads a trace.
* Recovers the corresponding Z coordinate from the trace data.
* Verifies that the recovered Z matches the ground-truth Z.
## Example
Unpack the data:
```
tar xf traces.tar.gz
```
Run the tooling on trace index 123:
```
$ python2 recover_z.py 123
INFO:recovered Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213
INFO: real Z:65b9b7006bc7b030218bef1b6e569f9f7acaee059b53d669388c6b860f67e213
```
The output shows that the recovered Z coordinate is correct, i.e. it matches the ground truth.
## Credits
### Authors
* Alejandro Cabrera Aldaya (Tampere University, Tampere, Finland)
* Cesar Pereida García (Tampere University, Tampere, Finland)
* Billy Bob Brumley (Tampere University, Tampere, Finland)
### Funding
This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476).
## License
This project is distributed under the MIT license.