Squeezing a key through a carry bit @ 34c3

Filippo Valsorda

December 27, 2017

Transcript

  1. Squeezing a key
    through a carry bit
    Sean Devlin, Filippo Valsorda

  2. One month later

  3. The code
    a = a - b
    mod p
    a = a - b
    x = a
    a = a + p

  4. The code
    a = a - b
    mod p
    a = a - b
    x = a
    a = a + p
    a = a - b
    t = a
    t += p
    a ?= t

  5. The code
    a = a - b
    mod p
    a = a - b
    x = a
    a = a + p
    a < b
    a = a - b
    t = a
    t += p
    a ?= t

  6. a = a - b
    x = a
    a = a + p
    The bug
    a = a - b
    t = a
    t += p
    a ?= t

  7. The bug
    Wrong result with
    probability 2^-32

  8. A carry propagation bug

  9. ECCCCCCC
    Elliptic Curve Cryptography Crash Course for CCC
    • Field: numbers modulo p
    • Points: like (3, 7); fitting an equation
    • Group: a generator point and addition
    • Multiplication: repeated addition

  10. ECCCCCCCC
    Elliptic Curve Cryptography Crash Course for CCC (cont.)
    • Multiplication: 5Q = Q + Q + Q + Q + Q
    • ECDH private key: a big integer d
    • ECDH public key: Q = dG (think y = g^a)
    • ECDH shared secret: Q2 = dQ1

  11. Double and add
    Q2 = dQ1
    d is BIG. Like, 256 bit.
    Can't add Q to itself 2^256 times.

  12. Double and add
    Q2 = dQ1
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    +Q1
    Z +Q

  13. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    x2
    Z +Q x2
    Q2 = dQ1

  14. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    x2
    Z +Q x2 x2
    Q2 = dQ1

  15. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    +Q1
    Z +Q x2 x2 +Q
    Q2 = dQ1

  16. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2
    x2
    Q2 = dQ1

  17. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q
    +Q1
    Q2 = dQ1

  18. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q x2
    x2
    Q2 = dQ1

  19. Double and add
    1 0 1 0 1 1 1 0 1 0 1 1 0 1
    Z +Q x2 x2 +Q x2 +Q x2 x2 ...
    x2
    Q2 = dQ1

  20. Back to the carry bug

  21. secret = ScalarMult(point, scalar) ← Q2 = dQ
    └─ p256PointAddAffineAsm
    └─ p256SubInternal
    attacker supplied secret key
    session key

  22. Q1
    → ScalarMult(Q1, )
    Q2
    → ScalarMult(Q2, )
    1 1 1 0 1
    Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1

    0 1 1 0 1
    Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2

  23. Q1
    → ScalarMult(Q1, ) →
    Q2
    → ScalarMult(Q2, ) → ✅
    ? 1 1 0 1
    ? 1 1 0 1
    1 1 1 0 1

  24. Q1

    Q2

    0 1 1 0 1
    1 1 1 0 1
    Q1

    Q2

    0 0 1 1 0 1
    1 0 1 1 0 1
    Q1

    Q2

    0 1 0 1 1 0 1
    1 1 0 1 1 0 1


  25. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

  26. Precomp
    table

  27. Multiplication
    loop

  28. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    Limbs representation: less overlap and aliasing problems.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
    {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ...

  29. Go implementation of ScalarMult
    Booth's multiplication in 5-bit windows.
    Precomputed table of 1Q to 16Q. Add, double 5 times.
    Attack one limb at a time, instead of one bit.
    34 limb values → 17 points / 5 key bits on average.
    01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

  30. Multiplication
    loop


  31. Assembly
    hook

  32. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x 2^5
    Precomp Doubling
    Limb

  33. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x 2^5
    3 x2 6 x2 x2 x2 x2 x2 → 3 x 2^6
    3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x 2^7
    Precomp Doubling
    Limb



  34. The first limb
    3 3 x2 x2 x2 x2 x2 → 3 x 2^5
    3 x2 6 x2 x2 x2 x2 x2 → 3 x 2^6
    3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x 2^7
    Precomp Doubling
    Limb





  35. The
    last bits

  36. Kangaroo jumps depend on the terrain at the start point.
    Let a tracked kangaroo loose. Place a trap at the end.

  37. Kangaroo jumps depend on the terrain at the start point.
    If the wild kangaroo intersects the path at any point,
    it ends up in the trap.

  38. Back to elliptic curves.
    A jump is Q_{N+1} = Q_N + H(Q_N) where H is a hash.
    Same starting point, same jump.
    You run from a known starting point, then from dG.

    If you collide, you trace back to d!


  39. A target
    • JSON Object Signing and Encryption, JOSE (JWT)
    • ECDH-ES public key algorithm
    • go-jose and Go 1.8.1
    • Check if the service successfully decrypts payload

  40. Spot instance infrastructure

    Sage
    dispatcher /work
    /result

  41. Figures!
    • Each key: ~52 limbs, modulo the kangaroo
    • Each limb: ~16 points on average
    • Each point: ~2^26 candidate points
    • (2^26 * 16) candidate points: ~85 CPU hours
    • 85 CPU hours: $1.26 EC2 spot instances
    • Total: 4,400 CPU hours / $65 on EC2

  42. Filippo Valsorda
    @FiloSottile
    Sean Devlin
    @spdevlin
    Thank you!
    No bug is small enough.
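
The modular subtraction sketched on slides 3 to 8 (a = a - b, t = a + p, a ?= t), written out in Go as an added example; it is not code from the talk or from Go's crypto/elliptic. The four 64-bit limb layout, the function names and the test inputs are assumptions constructed here. Because a fault that appears with probability 2^-32 will not show up under random testing, the inputs are chosen to force borrows and carries across limb boundaries and are checked against math/big.

```go
package main

import (
	"fmt"
	"math/big"
	"math/bits"
)

// P-256 field prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1, little-endian limbs.
var p = [4]uint64{0xffffffffffffffff, 0x00000000ffffffff, 0, 0xffffffff00000001}

// subModP returns a - b mod p for a, b < p, with no branch on the operands.
func subModP(a, b [4]uint64) [4]uint64 {
	var d, t [4]uint64
	var borrow, carry uint64
	for i := range d {
		d[i], borrow = bits.Sub64(a[i], b[i], borrow) // d = a - b, borrow ripples up
		t[i], carry = bits.Add64(d[i], p[i], carry)   // t = d + p, carry ripples up
	}
	mask := -borrow // all ones iff a < b; the addition's carry-out plays no part
	for i := range d {
		d[i] ^= mask & (d[i] ^ t[i]) // a ?= t as a constant-time select
	}
	return d
}

// toBig converts little-endian limbs to a big.Int for the reference check.
func toBig(x [4]uint64) *big.Int {
	r, _ := new(big.Int).SetString(fmt.Sprintf("%016x%016x%016x%016x", x[3], x[2], x[1], x[0]), 16)
	return r
}

// matchesBig reports whether subModP agrees with math/big on (a, b).
func matchesBig(a, b [4]uint64) bool {
	want := new(big.Int).Sub(toBig(a), toBig(b))
	return toBig(subModP(a, b)).Cmp(want.Mod(want, toBig(p))) == 0
}

// edgeCases are constructed pairs that push borrows and carries across limbs.
func edgeCases() [][2][4]uint64 {
	one, pm1 := [4]uint64{1}, [4]uint64{p[0] - 1, p[1], p[2], p[3]} // 1 and p-1
	return [][2][4]uint64{{{}, one}, {one, pm1}, {pm1, pm1}, {pm1, {}}, {{0, 0, 1}, one}}
}

func main() {
	for _, c := range edgeCases() {
		fmt.Printf("%v %016x\n", matchesBig(c[0], c[1]), subModP(c[0], c[1]))
	}
}
```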
