squeezing a key through a carry bit
play

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda - PowerPoint PPT Presentation

Apr 05, 2024 •163 likes •695 views

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda One month later a = a - b The code x = a a = a + p a = a - b mod p a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a ?> t a = a - b

  1. Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda

  4. One month later

  5. a = a - b The code x = a a = a + p a = a - b mod p

  6. a = a - b a = a - b The code x = a t = a a = a + p a = a - b t += p mod p a �?> t

  7. a = a - b a = a - b a < b The code x = a t = a a = a + p a = a - b t += p mod p a �?> t

  8. a = a - b a = a - b x = a t = a The bug a = a + p t += p a �?> t

  9. The bug

  10. Wrong result with probability 2 -32 The bug

  11. A carry propagation bug

  12. ECCCCCCC Elliptic Curve Cryptography Crash Course for CCC • Field: numbers modulo p • Points: like (3, 7); fitting an equation • Group: a generator point and addition • Multiplication: repeated addition

  13. ECCCCCCCC Elliptic Curve Cryptography Crash Course for CCC (cont.) • Multiplication: 5Q = Q + Q + Q + Q + Q • ECDH private key: a big integer d • ECDH public key: Q = dG (think y = g a ) • ECDH shared secret: Q 2 = dQ 1

  14. Double and add Q 2 = dQ 1 d is BIG. Like, 256 bit. Can't add Q to itself 2 256 times.

  15. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q

  16. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2

  17. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2

  18. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q x2 x2 +Q

  19. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2

  20. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q 1 Z +Q x2 x2 +Q x2 +Q

  21. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2 +Q x2

  22. Double and add Q 2 = dQ 1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 +Q x2 +Q x2 x2 ...

  23. Back to the carry bug

  24. session key attacker supplied secret key secret = ScalarMult(point, scalar) ← Q 2 = dQ └─ p256PointAddA ffi neAsm └─ p256SubInternal 💦

  25. Q 1 → ScalarMult(Q 1 , ) 1 1 1 0 1 Z +Q 1 x2 x2 +Q 1 x2 +Q 1 x2 +Q 1 💦 Q 2 → ScalarMult(Q 2 , ) 0 1 1 0 1 Z +Q 2 x2 x2 +Q 2 x2 +Q 2 x2 x2 💦

  26. Q 1 → ScalarMult(Q 1 , ) → 💦 ? 1 1 0 1 Q 2 → ScalarMult(Q 2 , ) → ✅ ? 1 1 0 1 1 1 1 0 1

  27. Q 1 → 💦 0 1 1 0 1 Q 2 → 1 1 1 0 1 Q 1 → 0 0 1 1 0 1 Q 2 → 💦 1 0 1 1 0 1 Q 1 → 0 1 0 1 1 0 1 Q 2 → 1 1 0 1 1 0 1

  29. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../

  30. Precomp table

  31. Multiplication loop

  32. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../ Limbs representation: less overlap and aliasing problems. {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ��../

  33. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ��../ Attack one limb at a time, instead of one bit. 34 limb values → 17 points / 5 key bits on average.

  34. 💦 Multiplication loop 💦

  35. Assembly hook 💦

  36. 💦 💦

  39. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦

  40. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦 3 x2 6 x2 x2 x2 x2 x2 → 3 x2 6 💦 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x2 7 💦

  41. The first limb Precomp Doubling Limb 3 3 x2 x2 x2 x2 x2 → 3 x2 5 💦 3 x2 6 x2 x2 x2 x2 x2 → 3 x2 6 💦 🔦 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x2 7 💦 🔦💤

  42. The last bits

  43. Kangaroo jumps depend from the terrain at the start point. 🐿 🐿 🐿 🐿 🐿 🕴 Let a tracked kangaroo loose. Place a trap at the end.

  44. Kangaroo jumps depend from the terrain at the start point. 🐿 🐿 🐿 🐿 🐿 🕴 🐿 🐿 🐿 🐿 If the wild kangaroo intersects the path at any point, 
 it ends up in the trap.

  45. Back to elliptic curves. 🐿 🐿 A jump is Q N+1 = Q N + H(Q N ) where H is a hash. Same starting point, same jump. You run from a known starting point, then from dG. 
 If you collide, you traceback to d!

  46. A target • JSON Object Signing and Encryption, JOSE (JWT) • ECDH-ES public key algorithm • go-jose and Go 1.8.1 • Check if the service successfully decrypts payload

  47. Spot instance infrastructure Sage dispatcher /work 💼 /result

  48. Figures! • Each key: ~52 limbs, modulo the kangaroo • Each limb: ~16 points on average • Each point: ~2 26 candidate points • (2 26 * 16) candidate points: ~85 CPU hours • 85 CPU hours: $1.26 EC2 spot instances • Total: 4,400 CPU hours / $65 on EC2

  49. Demo

  50. Demo

  51. Demo

  52. Thank you! No bug is small enough. Sean Devlin @spdevlin Filippo Valsorda @FiloSottile

Recommend

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing

Squeezing Information from Data at Exascale Joel Saltz Emory University Georgia Tech Squeezing Information from Temporal Spatial Datasets Leverage exascale data and 2 computer resources to squeeze the most out of image, sensor or

642 views • 36 slides
Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation

Study and experiment on the alternative technique of frequencydependent squeezing generation with EPR entanglement for next generation of gravitational wave detectors. Mateusz Bawaj on behalf of Virgo squeezing team Noise sources in Adv

248 views • 11 slides
Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder

Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder

Outline Introduction to CMOS VLSI Single-bit Addition Design Carry-Ripple Adder Carry-Skip Adder Carry-Lookahead Adder Lecture 11: Carry-Select Adder Adders Carry-Increment Adder Tree Adder David Harris Harvey Mudd

193 views • 8 slides
ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum

ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum

ex Addition: 1-bit half adder A + Sum B Carry out Carry A B Sum out 0 0 A 0 1 Sum B 1 0 1 1 Carry out Carry in ex Addition: 1-bit full adder A + Sum B Carry out Carry Carry Carry in A B Sum in out 0 0 0 A 0

343 views • 12 slides
FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

1 FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA) Switched carry-ripple adder Carry-skip adder Carry-lookahead adder Prefix adder Carry-select adder and conditional-sum adder

921 views • 57 slides
Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska

Plan INTRODUCTION DEPHASING MODEL LOSSES TEMPERATURE Limit to Spin Squeezing in BEC : from two-mode to multimode A. Sinatra, Y. Castin, E. Witkowska , Li Yun, J.-C. Dornsetter Laboratoire Kastler Brossel, Ecole Normale Sup erieure,

645 views • 28 slides
Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP,

Squeezing the limit: Quantum benchmarks for the teleportation and storage of squeezed states NJP, vol.10, 113014 (2008) M. Owari 1,2 , M.B. Plenio 1,2 , E.S. Polzik 3 , A. Serafini 4 , and M. M. Wolf 3 Institute of Mathematical Science, Imperial

686 views • 32 slides
Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov

Symplectic non-squeezing for the discrete nonlinear Schr odinger equation Alexander Tumanov University of Illinois at Urbana-Champaign Quasilinear equations, inverse problems and their applications dedicated to the memory of Gennadi

1.11k views • 85 slides
Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019

Ti Time me Squeezing for Tiny Device ces DAC 2018, ISCA 2019 www.cs.northwestern.edu/~simonec/Research.html#Research_Variability Difficult to achieve energy wins in tiny devices Tiny devices include: Nano drones Implantable

490 views • 17 slides
ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1

ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1

Addition: ex start small with a 1-bit (half) adder A B Carry out Sum A 0 0 Sum 0 1 B 1 0 1 1 Carry out Carry in ex 1-bit full adder A + Sum B Carry out n-bit addition: Sum i = A i + B i + CarryOut i-1 Need a bigger adder!

328 views • 12 slides
Figure5.2 Half-adder x i y i c 00 01 11 10 i 1 1 0 c i x i y c s i i + 1 i 1 1

Figure5.2 Half-adder x i y i c 00 01 11 10 i 1 1 0 c i x i y c s i i + 1 i 1 1

x 0 0 1 1 + y + 0 + 1 + 0 + 1 c s 0 0 0 1 0 1 1 0 Carry Sum (a) The four possible cases Carry Sum x y c s 0 0 0 0 0 1 0 1 1 0 0 1 1 1 1 0 (b) Truth table x s y x s HA y c c (c) Circuit (d)

232 views • 7 slides
CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B

CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B

1-bit Binary Adder CSE Cout Cin Inputs: A, B, Carry-in 311 Outputs: Sum, Carry-out A A A A A B B B B B S S S S S A B Cin Cout S 0 0 0 0 0 0 0 0 1 1 A 0 1 0 0 1 S Foundations of 0 1 1 1 0 B 1

401 views • 7 slides
Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 .

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 .

Leakage Squeezing Revisited Vincent Grosso 1 , Fran cois-Xavier Standaert 1 , Emmanuel Prouff 2 . 1 ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain, Belgium. 2 ANSSI, 51 Bd de la Tour-Maubourg, 75700 Paris 07 SP, France. CARDIS

895 views • 68 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory

GPU peak performance vs. CPU Squeezing GPU performance Peak Double Precision FLOPS Peak Memory Bandwidth GPGPU 2015: High Performance Computing with CUDA University of Cape Town (South Africa), April, 20 th -24 th , 2015 GPU 6x faster on

178 views • 4 slides
Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural

Squeezing down the computing Edit Master text styles Second level requirements of deep neural networks Third level Fourth level Fifth level Albert Shaw, Daniel Hunter, Sammy Sidhu, and Forrest Iandola Levels of automated driving Edit

1.19k views • 45 slides
PSConv: Squeezing Feature Pyramid into One Compact Poly-Scale Convolutional Layer Anbang Yao

PSConv: Squeezing Feature Pyramid into One Compact Poly-Scale Convolutional Layer Anbang Yao

PSConv: Squeezing Feature Pyramid into One Compact Poly-Scale Convolutional Layer Anbang Yao Qifeng Chen Duo Li Highlights investigates multi-scale architecture through the lens of kernel engineering instead of network engineering

830 views • 16 slides
Stretching and squeezing time Nick Stroustrup Winston Anthony Walter Fontana Javier Apfeld

Stretching and squeezing time Nick Stroustrup Winston Anthony Walter Fontana Javier Apfeld

Stretching and squeezing time Nick Stroustrup Winston Anthony Walter Fontana Javier Apfeld Adam Gomez Systems Biology Vivek Gowda Harvard Medical School Isaac F. Lpez-Moyado walter@hms.harvard.edu Zachary M. Nash Bryne Ulmschneider

903 views • 37 slides
EE 457 Unit 2b Fast Adders (Carry-Lookahead Adder) 2 Carry-Lookahead Adders FAST ADDERS 3

EE 457 Unit 2b Fast Adders (Carry-Lookahead Adder) 2 Carry-Lookahead Adders FAST ADDERS 3

1 EE 457 Unit 2b Fast Adders (Carry-Lookahead Adder) 2 Carry-Lookahead Adders FAST ADDERS 3 Ripple Carry Adder Critical Path Critical Path = Longest possible delay path Assume t sum = 5 ns, t carry = 4 ns X Y X Y X Y X Y 16 ns

467 views • 18 slides
Crash-Neutral Currency Carry Trades Jakub W. Jurek Princeton University Bendheim Center for

Crash-Neutral Currency Carry Trades Jakub W. Jurek Princeton University Bendheim Center for

Crash-Neutral Currency Carry Trades Jakub W. Jurek Princeton University Bendheim Center for Finance March 2009 Currency Carry Trade Currency carry trades exploit violations of uncovered interest parity (UIP) by buying (selling) currencies

668 views • 41 slides
Squeezing GPU performance GPGPU 2015: High Performance Computing with CUDA University of Cape Town

Squeezing GPU performance GPGPU 2015: High Performance Computing with CUDA University of Cape Town

Squeezing GPU performance GPGPU 2015: High Performance Computing with CUDA University of Cape Town (South Africa), April, 20 th -24 th , 2015 Manuel Ujaldn Associate Professor @ Univ. of Malaga (Spain) Conjoint Senior Lecturer @ Univ. of

352 views • 14 slides
Assignment 1 Design module FA(a,b,c,sum,carry) //inputs input a,b,c //outputs output

Assignment 1 Design module FA(a,b,c,sum,carry) //inputs input a,b,c //outputs output

Assignment 1 Design module FA(a,b,c,sum,carry) //inputs input a,b,c //outputs output sum,carry //full adder assignments. assign sum=(a^b^c) assign carry=((a&amp;b)|(b&amp;c)|(c&amp;a)) endmodule module multiplier(output [5:0] P,

446 views • 11 slides
Probability Whenever we carry out an experiment, we cannot predict exactly what the outcome will

Probability Whenever we carry out an experiment, we cannot predict exactly what the outcome will

ST 370 Probability and Statistics for Engineers Probability Whenever we carry out an experiment, we cannot predict exactly what the outcome will be. If we could, there would be no need to carry it out! We can describe all the possible outcomes,

375 views • 22 slides
EE 457 Unit 2b Fast Adders Carry-Lookahead Adders (Carry-Lookahead Adder) FAST ADDERS 2b.3

EE 457 Unit 2b Fast Adders Carry-Lookahead Adders (Carry-Lookahead Adder) FAST ADDERS 2b.3

2b.1 2b.2 EE 457 Unit 2b Fast Adders Carry-Lookahead Adders (Carry-Lookahead Adder) FAST ADDERS 2b.3 2b.4 Ripple Carry Adder Critical Path Ripple Carry Adders Critical Path = Longest possible delay path Ripple-carry adders (RCA)

311 views • 5 slides

More recommend