A Tale of Three Signatures: Practical Attack of ECDSA with wNAF

Attacking ECDSA with wNAF implementation for the scalar multiplication first requires some side channel analysis to collect information, then lattice based methods to recover the secret key. In this paper, we reinvestigate the construction of the lattice used in one of these methods, the Extended Hidden Number Problem (EHNP). We find the secret key with only 3 signatures, thus reaching a known theoretical bound, whereas best previous methods required at least 4 signatures in practice. Given a specific leakage model, our attack is more efficient than previous attacks, and for most cases, has better probability of success. To obtain such results, we perform a detailed analysis of the parameters used in the attack and introduce a preprocessing method which reduces by a factor up to 7 the total time to recover the secret key for some parameters. We perform an error resilience analysis which has never been done before in the setup of EHNP. Our construction find the secret key with a small amount of erroneous traces, up to \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2\%$$\end{document} of false digits, and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$4\%$$\end{document} with a specific type of error.

[1]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[2]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[3]  Damien Stehlé,et al.  LLL on the Average , 2006, ANTS.

[4]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[5]  Yuval Yarom,et al.  ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels , 2016, IACR Cryptol. ePrint Arch..

[6]  P. L. Montgomery Speeding the Pollard and elliptic curve methods of factorization , 1987 .

[7]  David Schwartz,et al.  The Ripple Protocol Consensus Algorithm , 2014 .

[8]  Phong Q. Nguyen,et al.  BKZ 2.0: Better Lattice Security Estimates , 2011, ASIACRYPT.

[9]  Wenbo Wang,et al.  Attacking OpenSSL ECDSA with a small amount of side-channel information , 2016, Science China Information Sciences.

[10]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[11]  Cesar Pereida García,et al.  Constant-Time Callees with Variable-Time Callers , 2017, USENIX Security Symposium.

[12]  M. Hellman The Mathematics of Public-Key Cryptography , 1979 .

[13]  Dan Boneh,et al.  Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes , 1996, CRYPTO.

[14]  Claus-Peter Schnorr,et al.  Lattice basis reduction: Improved practical algorithms and solving subset sum problems , 1991, FCT.

[15]  Wenbo Wang,et al.  Attacking OpenSSL Implementation of ECDSA with a Few Signatures , 2016, CCS.

[16]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[17]  Martin R. Albrecht,et al.  The General Sieve Kernel and New Records in Lattice Reduction , 2019, IACR Cryptol. ePrint Arch..

[18]  Yuval Yarom,et al.  Just a Little Bit More , 2015, CT-RSA.

[19]  Charanjit S. Jutla,et al.  On Finding Small Solutions of Modular Multivariate Polynomial Equations , 1998, EUROCRYPT.

[20]  Onur Aciiçmez,et al.  Cache Based Remote Timing Attack on the AES , 2007, CT-RSA.

[21]  Wolfgang Rankl,et al.  Smart Card Applications: Design models for using and programming smart cards , 2007 .

[22]  Naomi Benger,et al.  "Ooh Aah... Just a Little Bit" : A Small Amount of Side Channel Can Go a Long Way , 2014, CHES.

[23]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[24]  Igor E. Shparlinski,et al.  The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces , 2003, Des. Codes Cryptogr..

[25]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[26]  Martin Hlavác,et al.  Extended Hidden Number Problem and Its Cryptanalytic Applications , 2006, Selected Areas in Cryptography.

[27]  Brad Chase,et al.  Analysis of the XRP Ledger Consensus Protocol , 2018, ArXiv.

[28]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[29]  Jon Callas,et al.  OpenPGP Message Format , 1998, RFC.

[30]  Claus-Peter Schnorr,et al.  Block Reduced Lattice Bases and Successive Minima , 1994, Combinatorics, Probability and Computing.

[31]  Onur Aciiçmez,et al.  A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL , 2008, CT-RSA.

[32]  Bernard L. Menezes,et al.  DSA Signing Key Recovery with Noisy Side Channels and Variable Error Rates , 2017, INDOCRYPT.

[33]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[34]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .

[35]  Thomas Eisenbarth,et al.  CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks , 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[36]  Naomi Benger,et al.  Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack , 2014, IACR Cryptol. ePrint Arch..

[37]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[38]  Daniel M. Gordon,et al.  A Survey of Fast Exponentiation Methods , 1998, J. Algorithms.