LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Diego F. Aranha; Felipe Rodrigues Novaes; Akira Takahashi; Mehdi Tibouchi; Yuval Yarom

doi:10.1145/3372297.3417268

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Diego F. Aranha, Felipe Rodrigues Novaes, Akira Takahashi, Mehdi Tibouchi, Yuval Yarom

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures). In this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability

Original language	English
Title of host publication	Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Publisher	ACM
Pages	225-242
Number of pages	18
ISBN (Electronic)	978-1-4503-7089-9
DOIs	https://doi.org/10.1145/3372297.3417268
Publication status	Published - 2 Nov 2020
Event	The 27th ACM Conference on Computer and Communications Security, 2020 - Online Duration: 9 Nov 2020 → 13 Nov 2020 Conference number: 27 https://sigsac.org/ccs/CCS2020/index.html

Conference

Conference	The 27th ACM Conference on Computer and Communications Security, 2020
Abbreviated title	CCS 2020
Period	9/11/20 → 13/11/20
Internet address	https://sigsac.org/ccs/CCS2020/index.html

Keywords / Materials (for Non-textual outputs)

side-channel attack
cache attack
ECDSA
OpenSSL
Montgomery ladder
hidden number problem
Bleichenbacher’s attack
generalized birthday problem

Access to Document

10.1145/3372297.3417268Licence: All Rights Reserved

https://dl.acm.org/doi/10.1145/3372297.3417268Licence: All Rights Reserved

Cite this

@inproceedings{6596bad1fede40b0be6bcd2a266148d9,

title = "LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage",

abstract = "Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures). In this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability ",

keywords = "side-channel attack, cache attack, ECDSA, OpenSSL, Montgomery ladder, hidden number problem, Bleichenbacher{\textquoteright}s attack, generalized birthday problem",

author = "Aranha, {Diego F.} and Novaes, {Felipe Rodrigues} and Akira Takahashi and Mehdi Tibouchi and Yuval Yarom",

year = "2020",

month = nov,

day = "2",

doi = "10.1145/3372297.3417268",

language = "English",

pages = "225--242",

booktitle = "Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "ACM",

note = "The 27th ACM Conference on Computer and Communications Security, 2020, CCS 2020 ; Conference date: 09-11-2020 Through 13-11-2020",

url = "https://sigsac.org/ccs/CCS2020/index.html",

}

TY - GEN

T1 - LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

AU - Aranha, Diego F.

AU - Novaes, Felipe Rodrigues

AU - Takahashi, Akira

AU - Tibouchi, Mehdi

AU - Yarom, Yuval

N1 - Conference code: 27

PY - 2020/11/2

Y1 - 2020/11/2

N2 - Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures). In this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability

AB - Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures). In this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability

KW - side-channel attack

KW - cache attack

KW - ECDSA

KW - OpenSSL

KW - Montgomery ladder

KW - hidden number problem

KW - Bleichenbacher’s attack

KW - generalized birthday problem

U2 - 10.1145/3372297.3417268

DO - 10.1145/3372297.3417268

M3 - Conference contribution

SP - 225

EP - 242

BT - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

PB - ACM

T2 - The 27th ACM Conference on Computer and Communications Security, 2020

Y2 - 9 November 2020 through 13 November 2020

ER -

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Abstract

Conference

Keywords / Materials (for Non-textual outputs)

Access to Document

Fingerprint

Cite this