minerva
play

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, - PowerPoint PPT Presentation

Aug 16, 2023 •19 likes •549 views

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Systematic analysis of lattice attacks on noisy leakage of

  1. Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

  2. Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

  4. Systematic analysis of lattice attacks on noisy leakage of bit-length of ECDSA nonces

  5. Discovery EC Tester Tool for testing black-box ECC implementations � JavaCards ○ Software libraries (15 supported) ○ Idea: Independently verify implementations are well-behaved and do not � contain bugs 12 test suites � � crocs-muni/ECTester � Jan Jancar Minerva: The curse of ECDSA nonces 2 / 17

  6. Discovery ECDSA y − ( P + Q ) Q Sign (message m , private key x ) P $ 1 k ← Z n (nonce) x 2 r ≡ ([ k ] G ) x mod n 3 s ≡ k − 1 ( H ( m ) + rx ) mod n ( P + Q ) 4 Output ( r , s ) as ASN.1 DER SEQUENCE y 2 ≡ x 3 + ax + b over F p G ∈ E ( F p ) , | G | = n (prime) Jan Jancar Minerva: The curse of ECDSA nonces 3 / 17

  7. Discovery ECDSA tests ASN.1 parsing � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  8. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  9. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  10. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  11. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  12. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  13. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  14. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  15. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  16. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  17. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  18. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Let’s test timing as well! Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  19. Discovery ECDSA tests ASN.1 parsing � � Signature malleability � � Test-vectors � ~ � Nonce randomness � � Timing � � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  20. Discovery ECDSA tests ASN.1 parsing � � 1 � Minerva Signature malleability � 5 � � Test-vectors � ~ � Nonce randomness � � Timing � � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  21. Discovery ECDSA tests ASN.1 parsing � � 1 � Minerva Signature malleability � 5 � � Test-vectors � ~ � Nonce randomness � 2 TPM-FAIL � Timing � � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  22. Discovery ECDSA tests ASN.1 parsing � � 1 � Minerva 1 � Déjà Vu Signature malleability � 5 � � Test-vectors � ~ � ... Nonce randomness � 2 TPM-FAIL � Timing � � � Jan Jancar Minerva: The curse of ECDSA nonces 4 / 17

  23. Discovery Tested Type Name Version/Model Scalar multiplier Leakage OpenSSL 1.1.1d Montgomery ladder no BouncyCasle 1.58 Comb method no Window-NAF no SunEC JDK 7 - JDK 12 Lopez-Dahab ladder yes* WolfSSL 4.0.0 Sliding window yes BoringSSL 974f4dddf Window method no Library libtomcrypt v1.18.2 Sliding window no libgcrypt 1.8.4 Double-and-add yes* Botan 2.11.0 Window method no Microsoft CNG 10.0.17134.0 Window method no mbedTLS 2.16.0 Comb method no MatrixSSL 4.2.1 Sliding window yes Intel PP Crypto 2020 Window-NAF no Crypto++ 8.2 unknown yes Athena IDProtect unknown yes* 010b.0352.0005 NXP JCOP3 unknown no Card J2A081, J2D081, J3H145 Infineon JTOP unknown no 52GLA080AL, SLE78 G+D SmartCafe unknown no v6, v7 Jan Jancar Minerva: The curse of ECDSA nonces 5 / 17

  24. Discovery Leak Jan Jancar Minerva: The curse of ECDSA nonces 6 / 17

  25. Discovery Leak [ k ] G Jan Jancar Minerva: The curse of ECDSA nonces 6 / 17

  26. Discovery Leak [ k ] G 152000 151500 80 151000 signature time ( s ) 60 150500 150000 40 149500 149000 20 148500 0 248 249 250 251 252 253 254 255 256 nonce bit-length Jan Jancar Minerva: The curse of ECDSA nonces 6 / 17

  27. Discovery Leak L = base + iter _ time · B + N base iter _ time // secp256r1 curve B ∼ Geom ( p = 1 / 2 , (256 , 255 , . . . , 0)) sdev N ∼ Norm (0 , sdev 2 ) all 1400 256b 255b 1200 254b 253b 1000 252b 251b count 800 250b 249b 600 400 200 0 3570000 3600000 3630000 3660000 3690000 3720000 3750000 3780000 3810000 time (ns) Jan Jancar Minerva: The curse of ECDSA nonces 6 / 17

  28. Exploitation Hidden Number Problem Average 1 LZB per signature � There is noise � Jan Jancar Minerva: The curse of ECDSA nonces 7 / 17

  29. Exploitation Hidden Number Problem Average 1 LZB per signature � There is noise � [1] Jan Jancar Minerva: The curse of ECDSA nonces 7 / 17

  30. Exploitation Hidden Number Problem Average 1 LZB per signature � There is noise � Hidden Number Problem (HNP) [1] Given an oracle computing: O b , t () = MSB l ( at + b mod n ) with t u.i.d. in Z ∗ n , find a . Jan Jancar Minerva: The curse of ECDSA nonces 7 / 17

  31. Exploitation Hidden Number Problem Average 1 LZB per signature � There is noise � Hidden Number Problem (HNP) [1] Given an oracle computing: O r , s () = MSB l ( k mod n ) Jan Jancar Minerva: The curse of ECDSA nonces 7 / 17

  32. Exploitation Hidden Number Problem Average 1 LZB per signature � There is noise � Hidden Number Problem (HNP) [1] Given an oracle computing: O r , s () = MSB l ( xs − 1 r + H ( m ) s − 1 mod n ) find x . Jan Jancar Minerva: The curse of ECDSA nonces 7 / 17

  33. Exploitation Basic attack [2] Collect N signatures, take d of the fastest � Jan Jancar Minerva: The curse of ECDSA nonces 8 / 17

  34. Exploitation Basic attack [2] Collect N signatures, take d of the fastest � Assume some bounds l i : | k i | = | xt i − u i | = | xs − 1 r i + H ( m i ) s − 1 | < n / 2 l i � i i Jan Jancar Minerva: The curse of ECDSA nonces 8 / 17

  35. Exploitation Basic attack [2] Collect N signatures, take d of the fastest � Assume some bounds l i : | k i | = | xt i − u i | = | xs − 1 r i + H ( m i ) s − 1 | < n / 2 l i � i i Construct a lattice with basis B and reduce it: � 2 l 1 n  0 0 . . . 0 0  0 2 l 2 n 0 0 0 . . .     . .  . .  B = . .     2 l d n 0 0 0 0  . . .    2 l 1 t 1 2 l 2 t 2 2 l 3 t 3 2 l d t d . . . 1 Jan Jancar Minerva: The curse of ECDSA nonces 8 / 17

  36. Exploitation Basic attack [2] Collect N signatures, take d of the fastest � Assume some bounds l i : | k i | = | xt i − u i | = | xs − 1 r i + H ( m i ) s − 1 | < n / 2 l i � i i Construct a lattice with basis B and reduce it: � 2 l 1 n  0 0 . . . 0 0  0 2 l 2 n 0 0 0 . . .     . .  . .  B = . .     2 l d n 0 0 0 0  . . .    2 l 1 t 1 2 l 2 t 2 2 l 3 t 3 2 l d t d . . . 1 Construct a target u = (2 l 1 u 1 , . . . , 2 l d u d , 0) � Jan Jancar Minerva: The curse of ECDSA nonces 8 / 17

  37. Exploitation Basic attack [2] Collect N signatures, take d of the fastest � Assume some bounds l i : | k i | = | xt i − u i | = | xs − 1 r i + H ( m i ) s − 1 | < n / 2 l i � i i Construct a lattice with basis B and reduce it: � 2 l 1 n  0 0 . . . 0 0  0 2 l 2 n 0 0 0 . . .     . .  . .  B = . .     2 l d n 0 0 0 0  . . .    2 l 1 t 1 2 l 2 t 2 2 l 3 t 3 2 l d t d . . . 1 Construct a target u = (2 l 1 u 1 , . . . , 2 l d u d , 0) � Solve CVP( B , u ). The closest lattice point is often: v = (2 l 1 t 1 x , . . . , 2 l d t d x , x ) � Jan Jancar Minerva: The curse of ECDSA nonces 8 / 17

Recommend

MINERVA Project introduction www.minerva-project.eu Project Intro MINERVA motivation: improve

MINERVA Project introduction www.minerva-project.eu Project Intro MINERVA motivation: improve

MId- to NEaR infrared spectroscopy for improVed medical diAgnostics MINERVA Project introduction www.minerva-project.eu Project Intro MINERVA motivation: improve early cancer diagnosis Early cancer diagnosis reduces mortality Single

558 views • 14 slides
EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1

EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1

JONATHAN MILLER UNIVERSIDAD TECNICA FEDERICO SANTA MARIA FOR THE MINERVA COLLABORATION EXPLORATION OF DEEP CONVOLUTIONAL AND DOMAIN ADVERSARIAL NEURAL NETWORKS IN MINERVA. 1 ACKNOWLEDGEMENTS THE MINERVA COLLABORATION The MINERvA

511 views • 27 slides
MINERvA in 10 Minutes New Perspectives 2017 Fermilab June 5, 2017 Marianette Wospakrik

MINERvA in 10 Minutes New Perspectives 2017 Fermilab June 5, 2017 Marianette Wospakrik

MINERvA in 10 Minutes New Perspectives 2017 Fermilab June 5, 2017 Marianette Wospakrik University of Florida (Representing the MINERvA collaboration) 1 What is MINERvA? MINERvA : a dedicated on-axis neutrino-nucleus scattering

697 views • 23 slides
Neutron Measurements in MINERvA Tejin Cai University of Rochester MINERvA Collaboration 1

Neutron Measurements in MINERvA Tejin Cai University of Rochester MINERvA Collaboration 1

Neutron Measurements in MINERvA Tejin Cai University of Rochester MINERvA Collaboration 1 Neutrino Cross Section Strategy Workshop Our first neutron paper is almost ready! There has been great interests in measuring neutrons lately.

525 views • 34 slides
Working together for the benefit of all Minerva Learning Trust MINERVA LEARNING TRUST FOURTH

Working together for the benefit of all Minerva Learning Trust MINERVA LEARNING TRUST FOURTH

Working together for the benefit of all Minerva Learning Trust MINERVA LEARNING TRUST FOURTH ANNUAL GENERAL MEETING 23 MARCH 2020* * Please note that the AGM was cancelled due to the Corona Virus pandemic. Any questions that would have been

417 views • 24 slides
MINERVA Project overview presentation Project Overview www.minerva-project.eu Presentation

MINERVA Project overview presentation Project Overview www.minerva-project.eu Presentation

MId- to NEaR infrared spectroscopy for improVed medical diAgnostics MINERVA Project overview presentation Project Overview www.minerva-project.eu Presentation Motivation: to improve early cancer diagnosis One in four Europeans will die

843 views • 21 slides
Experiment Readiness Review For MINERvA Howard Budd, University of Rochester Feb 8, 2013

Experiment Readiness Review For MINERvA Howard Budd, University of Rochester Feb 8, 2013

Experiment Readiness Review For MINERvA Howard Budd, University of Rochester Feb 8, 2013 Physics Overview MINERvA is studying neutrino interactions in unprecedented detail on a variety of different nuclei He, C, CH 2, H 2 0,Fe,Pb

1.03k views • 46 slides
Overview of MINERvA DAQ Clarence Wret ArgonCube 2x2 Electronics &amp; Readout Integratjon

Overview of MINERvA DAQ Clarence Wret ArgonCube 2x2 Electronics &amp; Readout Integratjon

Overview of MINERvA DAQ Clarence Wret ArgonCube 2x2 Electronics &amp; Readout Integratjon meetjng 4 September 2019 Overview MINERvA planes are to be used in the ArgonCube 2x2 demonstrator, aka proto DUNE-ND Upstream rock muon

320 views • 10 slides
Minerva Informatics Equality Award Chair Award Committee: Gordana Dodig-Crnkovic Sponsored by

Minerva Informatics Equality Award Chair Award Committee: Gordana Dodig-Crnkovic Sponsored by

Informatics Europe Awards Ceremony 2020 Minerva Informatics Equality Award Chair Award Committee: Gordana Dodig-Crnkovic Sponsored by Chalmers University of Technology Mlardalen University Minerva Informatics Equality Award Supporting

561 views • 28 slides
MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration Proton PMG 1 November 2018 Live Time and Data Collection q 10/20 Started receiving beam in the evening. Some detector work in the afternoon. q

232 views • 9 slides
Proposed GEORGETOWN SQUARE TOWNHOMES May 1, 2014 You Are Here MINERVA USA Experience 30+

Proposed GEORGETOWN SQUARE TOWNHOMES May 1, 2014 You Are Here MINERVA USA Experience 30+

Proposed GEORGETOWN SQUARE TOWNHOMES May 1, 2014 You Are Here MINERVA USA Experience 30+ residential communities, over 11,000 lots 20 multi-family projects with 3,000 units 3,000,000 square feet of industrial 14

684 views • 33 slides
Learning to Predict the Global Risks Interconnections from the Web [ Minerva: AI/ML for News ]

Learning to Predict the Global Risks Interconnections from the Web [ Minerva: AI/ML for News ]

Learning to Predict the Global Risks Interconnections from the Web [ Minerva: AI/ML for News ] Dr. Ernesto Diaz-Aviles Co-Founder, CEO and Chief Scientist at Libre AI and Adjunct Assistant Professor at UCD &lt;ernesto@libreai.com&gt;

418 views • 26 slides
The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration All Experimenters Meeting 30 April 2018 Live Time and Data q 04/18, 04/23-04/25 Low/0 efficiency because of the rawdata and corresponding

181 views • 5 slides
ASIC accelerators 1 To read more This days papers: Reagan et al, Minerva: Enabling

ASIC accelerators 1 To read more This days papers: Reagan et al, Minerva: Enabling

ASIC accelerators 1 To read more This days papers: Reagan et al, Minerva: Enabling Low-Power, Highly-Accurate Deep Neural Network Accelerators Shao et al, The Aladdin Approach to Accelerator Design and Modeling (Computer

602 views • 41 slides
The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration

The MINERA Operations Report Nuruzzaman (home.fnal.gov/~nur/) for the MINERvA Collaboration All Experimenters Meeting 24 April 2017 Live Time and Data 4/13-14 MINOS magnet tripped few times 4/15-17 Struggle with MINOS

83 views • 7 slides
16/03/2020 Terracotta Juno Juno Moneta 1 2 Goose from Constantinople Minerva, Jupiter and

16/03/2020 Terracotta Juno Juno Moneta 1 2 Goose from Constantinople Minerva, Jupiter and

16/03/2020 Terracotta Juno Juno Moneta 1 2 Goose from Constantinople Minerva, Jupiter and Juno 3 4 5 6 1 16/03/2020 Mercury and Juno 7 8 Rubens Judgement of Paris with Juno, Venus and Minerva Rubens Judgement of Paris 9 10

707 views • 32 slides
Cosmological Evolution of Gravitationally Unstable Galactic Disks Marcello Cacciato Minerva

Cosmological Evolution of Gravitationally Unstable Galactic Disks Marcello Cacciato Minerva

Cosmological Evolution of Gravitationally Unstable Galactic Disks Marcello Cacciato Minerva Fellow @ Hebrew University of Jerusalem in collaboration with Avishai Dekel and Shy Genel Observed Disk Galaxies @ z~2 Disks rotating with

494 views • 14 slides
5245-02-02,72/73 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette

5245-02-02,72/73 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette

5245-02-02,72/73 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette County Public Involvement Meeting May 3, 2016 5:30 p.m. to 7:30 p.m. Agenda Introductions Project Location Purpose and Need Scope of

361 views • 34 slides
Avocado-derived biomass: Chemical composition and antioxidant potential potential Minerva C.

Avocado-derived biomass: Chemical composition and antioxidant potential potential Minerva C.

Avocado-derived biomass: Chemical composition and antioxidant potential potential Minerva C. Garca Vargas, Mara del Mar Contreras, Irene Gmez-Cruz, Juan Miguel Romero-Garca, Eulogio Castro Content Introduction and objective

556 views • 13 slides
MINER A (E-938) Goals, Progress and Project Kevin McFarland University of Rochester FNAL

MINER A (E-938) Goals, Progress and Project Kevin McFarland University of Rochester FNAL

MINER A (E-938) Goals, Progress and Project Kevin McFarland University of Rochester FNAL PAC Meeting 7 April 2005 MINERvA in a Nutshell MINERvA is a dedicated neutrino cross-section experiment operating in the NuMI near hall in

575 views • 44 slides
CC Coherent and CC neutral pion production results from MINERvA Jos Palomino* On behalf of the

CC Coherent and CC neutral pion production results from MINERvA Jos Palomino* On behalf of the

1 CC Coherent and CC neutral pion production results from MINERvA Jos Palomino* On behalf of the MINER A collaboration Centro Brasileiro de Pesquisas Fsicas, Brazil *Supported by University of Pittsburgh CC Coherent and CC neutral pion

836 views • 30 slides
5245-02-02, 72 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette

5245-02-02, 72 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette

5245-02-02, 72 WIS 23 WIS 11 Mineral Point County Shop Road to Minerva Street Lafayette County Public Involvement Meeting #3 October 11, 2018 5:30 p.m. to 7:30 p.m. Project Team WisDOT Project Development Supervisor Bill Strobel,

616 views • 36 slides
UWA ERA Publications Collection 2011 Overview of the collection process Introduction to Minerva

UWA ERA Publications Collection 2011 Overview of the collection process Introduction to Minerva

UWA ERA Publications Collection 2011 Overview of the collection process Introduction to Minerva Research Assessment Unit September 2011 In this seminar Why we collect ERA publications data See UWA Publications Manual , section A

729 views • 37 slides
MINERA-MINOS muon energy scale in CC inclusive events Gonzalo Daz Bautista Pontificia

MINERA-MINOS muon energy scale in CC inclusive events Gonzalo Daz Bautista Pontificia

MINERA-MINOS muon energy scale in CC inclusive events Gonzalo Daz Bautista Pontificia Universidad Catlica del Per New Perspectives Conference June, 14 th 2012 - Fermilab, Batavia, IL Overview The MINERvA experiment MINERvA detector

526 views • 28 slides

More recommend