Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Mulder, Elke De; Hutter, Michael; Marson, Mark E.; Pearson, Peter K.

doi:10.1007/978-3-642-40349-1_25

Cited by 30 publications

(13 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, all these works only considered the setting where HNP samples come without any errors in the MSB information. In such an ideal case, our tradeoff formula actually allows to mount the attack given only 2 23 samples with almost the same time and space complexity. Appendix B describes how it can be achieved in detail.…”

Section: Concrete Parameters To Attack Opensslmentioning

confidence: 99%

“…The concrete attack parameters for the former are described in Appendix B and the ones for the latter were already described in Section 4.3. We first generated 2 23 and 2 24 ECDSA signatures like in the case of P-192, which took 1.8 and 3.6 CPU hours respectively. The measured experimental results are in Table 3.…”

Section: Attack Experimentsmentioning

confidence: 99%

“…For ℓ = 162 we present a solution to the linear programming problem in Table 2 for the optimized data complexity. Suppose the attacker is given 2 m in = 2 23…”

Section: B Concrete Parameters To Attack Hnp Without Errorsmentioning

confidence: 99%

“…Despite those features, it has garnered far less attention from the community than latticebased approaches, perhaps in part due to the lack of formal publications describing the attack until recently (even though some attack records were announced publicly [14]). It was only in 2013 that De Mulder et al [23] revisited the theory of Bleichenbacher's approach in a formally published scholarly publication, followed soon after by Aranha et al [6], who overcame the 1-bit "lattice barrier" by breaking 160-bit ECDSA with a single bit of nonce bias. Takahashi, Table 1: Comparison with the previous records of solutions to the hidden number problem with small nonce leakages.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Aranha

Novaes

Takahashi

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Although it is one of the most popular signature schemes today, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated as part of the signing algorithm. It is known that any small amount of nonce exposure or nonce bias can in principle lead to a full key recovery: the key recovery is then a particular instance of Boneh and Venkatesan's hidden number problem (HNP). That observation has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities in various concrete ECDSA implementations. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures). In this paper, we uncover LadderLeak, a novel class of sidechannel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability < 1. Exploiting such a mild leakage would be intractable using techniques present in the literature so far. However, we present a number of theoretical improvements of the Fourier analysis approach to solving the HNP (an approach originally due to Bleichenbacher), and this lets us practically break LadderLeak-vulnerable ECDSA implementations instantiated over the sect163r1 and NIST P-192 elliptic curves. In so doing, we achieve several significant computational records in practical attacks against the HNP.

show abstract

Section: Concrete Parameters To Attack Opensslmentioning

confidence: 99%

Section: Attack Experimentsmentioning

confidence: 99%

“…For ℓ = 162 we present a solution to the linear programming problem in Table 2 for the optimized data complexity. Suppose the attacker is given 2 m in = 2 23…”

Section: B Concrete Parameters To Attack Hnp Without Errorsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Aranha

Novaes

Takahashi

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Howgrave-Graham and Smart [19] noted that if a few bits of the ephemeral exponent are known for sufficiently many signatures, then the scheme can be broken, based on the so-called hidden number problem introduced by Boneh and Venkatesan [27]. Recently, De Mulder et al [28] demonstrated that, in practice, the lattice attack required as few as four bits of the ephemeral exponent assuming that some hundreds of such signatures could be obtained. However, this information would not be available to an adversary.…”

Section: Algorithm 7: Blinded Montgomery Powering Laddermentioning

confidence: 99%

Randomizing the Montgomery Powering Ladder

Tan

Tunstall

2015

Information Security Theory and Practice

View full text Add to dashboard Cite

Abstract. In this paper, we present novel randomized techniques to enhance Montgomery powering ladder. The proposed techniques increase the resistance against side-channel attacks and especially recently published correlation collision attacks in the horizontal setting. The first of these operates by randomly changing state such that the difference between registers varies, unpredictably, between two states. The second algorithm takes a random walk, albeit tightly bounded, along the possible addition chains required to compute an exponentiation. We also generalize the Montgomery powering ladder and present randomized (both left-to-right and right-to-left) m-ary exponentiation algorithms.

show abstract

Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies

Breitner¹,

Heninger

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Cited by 30 publications

References 19 publications

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

Randomizing the Montgomery Powering Ladder

Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies

Contact Info

Product

Resources

About