Squeezing a key through a carry bit @ 34c3

Squeezing a key through a carry bit @ 34c3

9fdab9d005b82612cadbfe699b541f83?s=128

Filippo Valsorda

December 27, 2017
Tweet

Transcript

  1. Squeezing a key through a carry bit Sean Devlin, Filippo

    Valsorda
  2. None
  3. None
  4. One month later

  5. The code a = a - b mod p a

    = a - b x = a a = a + p
  6. The code a = a - b mod p a

    = a - b x = a a = a + p a = a - b t = a t += p a ?= t
  7. The code a = a - b mod p a

    = a - b x = a a = a + p a < b a = a - b t = a t += p a ?= t
  8. a = a - b x = a a =

    a + p The bug a = a - b t = a t += p a ?= t
  9. The bug

  10. The bug Wrong result with probability 2-32

  11. A carry propagation bug

  12. ECCCCCCC Elliptic Curve Cryptography Crash Course for CCC • Field:

    numbers modulo p • Points: like (3, 7); fitting an equation • Group: a generator point and addition • Multiplication: repeated addition
  13. ECCCCCCCC Elliptic Curve Cryptography Crash Course for CCC (cont.) •

    Multiplication: 5Q = Q + Q + Q + Q + Q • ECDH private key: a big integer d • ECDH public key: Q = dG (think y = ga) • ECDH shared secret: Q2 = dQ1
  14. Double and add Q2 = dQ1 d is BIG. Like,

    256 bit. Can't add Q to itself 2256 times.
  15. Double and add Q2 = dQ1 1 0 1 0

    1 1 1 0 1 0 1 1 0 1 +Q1 Z +Q
  16. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 x2 Z +Q x2 Q2 = dQ1
  17. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 x2 Z +Q x2 x2 Q2 = dQ1
  18. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 +Q1 Z +Q x2 x2 +Q Q2 = dQ1
  19. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 x2 Q2 = dQ1
  20. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q +Q1 Q2 = dQ1
  21. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q x2 x2 Q2 = dQ1
  22. Double and add 1 0 1 0 1 1 1

    0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q x2 x2 ... x2 Q2 = dQ1
  23. Back to the carry bug

  24. secret = ScalarMult(point, scalar) ← Q2 = dQ └─ p256PointAddAffineAsm

    └─ p256SubInternal attacker supplied secret key session key
  25. Q1 → ScalarMult(Q1, ) Q2 → ScalarMult(Q2, ) 1 1

    1 0 1 Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1 0 1 1 0 1 Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2
  26. Q1 → ScalarMult(Q1, ) → Q2 → ScalarMult(Q2, ) →

    ✅ ? 1 1 0 1 ? 1 1 0 1 1 1 1 0 1
  27. Q1 → Q2 → 0 1 1 0 1 1

    1 1 0 1 Q1 → Q2 → 0 0 1 1 0 1 1 0 1 1 0 1 Q1 → Q2 → 0 1 0 1 1 0 1 1 1 0 1 1 0 1
  28. None
  29. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed

    table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
  30. Precomp table

  31. Multiplication loop

  32. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed

    table of 1Q to 16Q. Add, double 5 times. Limbs representation: less overlap and aliasing problems. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ... {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ...
  33. Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed

    table of 1Q to 16Q. Add, double 5 times. Attack one limb at a time, instead of one bit. 34 limb values → 17 points / 5 key bits on average. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
  34. Multiplication loop

  35. Assembly hook

  36. None
  37. None
  38. None
  39. The first limb 3 3 x2 x2 x2 x2 x2

    → 3 x25 Precomp Doubling Limb
  40. The first limb 3 3 x2 x2 x2 x2 x2

    → 3 x25 3 x2 6 x2 x2 x2 x2 x2 → 3 x26 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27 Precomp Doubling Limb
  41. The first limb 3 3 x2 x2 x2 x2 x2

    → 3 x25 3 x2 6 x2 x2 x2 x2 x2 → 3 x26 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27 Precomp Doubling Limb
  42. The last bits

  43. Kangaroo jumps depend from the terrain at the start point.

    Let a tracked kangaroo loose. Place a trap at the end.
  44. Kangaroo jumps depend from the terrain at the start point.

    If the wild kangaroo intersects the path at any point,
 it ends up in the trap.
  45. Back to elliptic curves. A jump is QN+1 = QN

    + H(QN) where H is a hash. Same starting point, same jump. You run from a known starting point, then from dG.
 If you collide, you traceback to d!
  46. A target • JSON Object Signing and Encryption, JOSE (JWT)

    • ECDH-ES public key algorithm • go-jose and Go 1.8.1 • Check if the service successfully decrypts payload
  47. Spot instance infrastructure Sage dispatcher /work /result

  48. Figures! • Each key: ~52 limbs, modulo the kangaroo •

    Each limb: ~16 points on average • Each point: ~226 candidate points • (226 * 16) candidate points: ~85 CPU hours • 85 CPU hours: $1.26 EC2 spot instances • Total: 4,400 CPU hours / $65 on EC2
  49. Demo

  50. Demo

  51. Demo

  52. Filippo Valsorda @FiloSottile Sean Devlin @spdevlin Thank you! No bug

    is small enough.