Filippo Valsorda
December 27, 2017
1.3k

# Squeezing a key through a carry bit @ 34c3

## Filippo Valsorda

December 27, 2017

## Transcript

1. Squeezing a key
through a carry bit
Sean Devlin, Filippo Valsorda

2. One month later

3. The code
a = a - b
mod p
a = a - b
x = a
a = a + p

4. The code
a = a - b
mod p
a = a - b
x = a
a = a + p
a = a - b
t = a
t += p
a ?= t

5. The code
a = a - b
mod p
a = a - b
x = a
a = a + p
a < b
a = a - b
t = a
t += p
a ?= t

6. a = a - b
x = a
a = a + p
The bug
a = a - b
t = a
t += p
a ?= t

7. The bug

8. The bug
Wrong result with
probability 2-32

9. A carry propagation bug

10. ECCCCCCC
Elliptic Curve Cryptography Crash Course for CCC
• Field: numbers modulo p
• Points: like (3, 7); ﬁtting an equation
• Group: a generator point and addition

11. ECCCCCCCC
Elliptic Curve Cryptography Crash Course for CCC (cont.)
• Multiplication: 5Q = Q + Q + Q + Q + Q
• ECDH private key: a big integer d
• ECDH public key: Q = dG (think y = ga)
• ECDH shared secret: Q2 = dQ1

Q2 = dQ1
d is BIG. Like, 256 bit.
Can't add Q to itself 2256 times.

Q2 = dQ1
1 0 1 0 1 1 1 0 1 0 1 1 0 1
+Q1
Z +Q

1 0 1 0 1 1 1 0 1 0 1 1 0 1
x2
Z +Q x2
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
x2
Z +Q x2 x2
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
+Q1
Z +Q x2 x2 +Q
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
Z +Q x2 x2 +Q x2
x2
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
Z +Q x2 x2 +Q x2 +Q
+Q1
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
Z +Q x2 x2 +Q x2 +Q x2
x2
Q2 = dQ1

1 0 1 0 1 1 1 0 1 0 1 1 0 1
Z +Q x2 x2 +Q x2 +Q x2 x2 ...
x2
Q2 = dQ1

21. Back to the carry bug

22. secret = ScalarMult(point, scalar) ← Q2 = dQ
└─ p256SubInternal
attacker supplied secret key
session key

23. Q1
→ ScalarMult(Q1, )
Q2
→ ScalarMult(Q2, )
1 1 1 0 1
Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1

0 1 1 0 1
Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2

24. Q1
→ ScalarMult(Q1, ) →
Q2
→ ScalarMult(Q2, ) → ✅
? 1 1 0 1
? 1 1 0 1
1 1 1 0 1

25. Q1

Q2

0 1 1 0 1
1 1 1 0 1
Q1

Q2

0 0 1 1 0 1
1 0 1 1 0 1
Q1

Q2

0 1 0 1 1 0 1
1 1 0 1 1 0 1

26. Go implementation of ScalarMult
Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q. Add, double 5 times.
01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

27. Precomp
table

28. Multiplication
loop

29. Go implementation of ScalarMult
Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q. Add, double 5 times.
Limbs representation: less overlap and aliasing problems.
01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...
{1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ...

30. Go implementation of ScalarMult
Booth's multiplication in 5-bit windows.
Precomputed table of 1Q to 16Q. Add, double 5 times.
Attack one limb at a time, instead of one bit.
34 limb values → 17 points / 5 key bits on average.
01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

31. Multiplication
loop

32. Assembly
hook

33. The ﬁrst limb
3 3 x2 x2 x2 x2 x2 → 3 x25
Precomp Doubling
Limb

34. The ﬁrst limb
3 3 x2 x2 x2 x2 x2 → 3 x25
3 x2 6 x2 x2 x2 x2 x2 → 3 x26
3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27
Precomp Doubling
Limb

35. The ﬁrst limb
3 3 x2 x2 x2 x2 x2 → 3 x25
3 x2 6 x2 x2 x2 x2 x2 → 3 x26
3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27
Precomp Doubling
Limb

36. The
last bits

37. Kangaroo jumps depend from the terrain at the start point.
Let a tracked kangaroo loose. Place a trap at the end.

38. Kangaroo jumps depend from the terrain at the start point.
If the wild kangaroo intersects the path at any point,
it ends up in the trap.

39. Back to elliptic curves.
A jump is QN+1 = QN + H(QN) where H is a hash.
Same starting point, same jump.
You run from a known starting point, then from dG.
If you collide, you traceback to d!

40. A target
• JSON Object Signing and Encryption, JOSE (JWT)
• ECDH-ES public key algorithm
• go-jose and Go 1.8.1
• Check if the service successfully decrypts payload

41. Spot instance infrastructure

Sage
dispatcher /work
/result

42. Figures!
• Each key: ~52 limbs, modulo the kangaroo
• Each limb: ~16 points on average
• Each point: ~226 candidate points
• (226 * 16) candidate points: ~85 CPU hours
• 85 CPU hours: \$1.26 EC2 spot instances
• Total: 4,400 CPU hours / \$65 on EC2

43. Demo

44. Demo

45. Demo

46. Filippo Valsorda
@FiloSottile
Sean Devlin
@spdevlin
Thank you!
No bug is small enough.