Slide 1

Slide 1 text

Squeezing a key through a carry bit Sean Devlin, Filippo Valsorda

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

One month later

Slide 5

Slide 5 text

The code a = a - b mod p a = a - b x = a a = a + p

Slide 6

Slide 6 text

The code a = a - b mod p a = a - b x = a a = a + p a = a - b t = a t += p a ?= t

Slide 7

Slide 7 text

The code a = a - b mod p a = a - b x = a a = a + p a < b a = a - b t = a t += p a ?= t

Slide 8

Slide 8 text

a = a - b x = a a = a + p The bug a = a - b t = a t += p a ?= t

Slide 9

Slide 9 text

The bug

Slide 10

Slide 10 text

The bug Wrong result with probability 2-32

Slide 11

Slide 11 text

A carry propagation bug

Slide 12

Slide 12 text

ECCCCCCC Elliptic Curve Cryptography Crash Course for CCC • Field: numbers modulo p • Points: like (3, 7); fitting an equation • Group: a generator point and addition • Multiplication: repeated addition

Slide 13

Slide 13 text

ECCCCCCCC Elliptic Curve Cryptography Crash Course for CCC (cont.) • Multiplication: 5Q = Q + Q + Q + Q + Q • ECDH private key: a big integer d • ECDH public key: Q = dG (think y = ga) • ECDH shared secret: Q2 = dQ1

Slide 14

Slide 14 text

Double and add Q2 = dQ1 d is BIG. Like, 256 bit. Can't add Q to itself 2256 times.

Slide 15

Slide 15 text

Double and add Q2 = dQ1 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q1 Z +Q

Slide 16

Slide 16 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 Q2 = dQ1

Slide 17

Slide 17 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 x2 Z +Q x2 x2 Q2 = dQ1

Slide 18

Slide 18 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 +Q1 Z +Q x2 x2 +Q Q2 = dQ1

Slide 19

Slide 19 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 x2 Q2 = dQ1

Slide 20

Slide 20 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q +Q1 Q2 = dQ1

Slide 21

Slide 21 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q x2 x2 Q2 = dQ1

Slide 22

Slide 22 text

Double and add 1 0 1 0 1 1 1 0 1 0 1 1 0 1 Z +Q x2 x2 +Q x2 +Q x2 x2 ... x2 Q2 = dQ1

Slide 23

Slide 23 text

Back to the carry bug

Slide 24

Slide 24 text

secret = ScalarMult(point, scalar) ← Q2 = dQ └─ p256PointAddAffineAsm └─ p256SubInternal attacker supplied secret key session key

Slide 25

Slide 25 text

Q1 → ScalarMult(Q1, ) Q2 → ScalarMult(Q2, ) 1 1 1 0 1 Z +Q1 x2 x2 +Q1 x2 +Q1 x2 +Q1 0 1 1 0 1 Z +Q2 x2 x2 +Q2 x2 +Q2 x2 x2

Slide 26

Slide 26 text

Q1 → ScalarMult(Q1, ) → Q2 → ScalarMult(Q2, ) → ✅ ? 1 1 0 1 ? 1 1 0 1 1 1 1 0 1

Slide 27

Slide 27 text

Q1 → Q2 → 0 1 1 0 1 1 1 1 0 1 Q1 → Q2 → 0 0 1 1 0 1 1 0 1 1 0 1 Q1 → Q2 → 0 1 0 1 1 0 1 1 1 0 1 1 0 1

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

Slide 30

Slide 30 text

Precomp table

Slide 31

Slide 31 text

Multiplication loop

Slide 32

Slide 32 text

Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. Limbs representation: less overlap and aliasing problems. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ... {1 0} {15 1} {7 0} {5 0} {5 0} {9 0} {1 0} {8 1} {6 1} {9 1} ...

Slide 33

Slide 33 text

Go implementation of ScalarMult Booth's multiplication in 5-bit windows. Precomputed table of 1Q to 16Q. Add, double 5 times. Attack one limb at a time, instead of one bit. 34 limb values → 17 points / 5 key bits on average. 01 00010 01110 01010 01010 10010 00001 01111 10011 01101 ...

Slide 34

Slide 34 text

Multiplication loop

Slide 35

Slide 35 text

Assembly hook

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

No content

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

The first limb 3 3 x2 x2 x2 x2 x2 → 3 x25 Precomp Doubling Limb

Slide 40

Slide 40 text

The first limb 3 3 x2 x2 x2 x2 x2 → 3 x25 3 x2 6 x2 x2 x2 x2 x2 → 3 x26 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27 Precomp Doubling Limb

Slide 41

Slide 41 text

The first limb 3 3 x2 x2 x2 x2 x2 → 3 x25 3 x2 6 x2 x2 x2 x2 x2 → 3 x26 3 x2 x2 12 x2 x2 x2 x2 x2 → 3 x27 Precomp Doubling Limb

Slide 42

Slide 42 text

The last bits

Slide 43

Slide 43 text

Kangaroo jumps depend from the terrain at the start point. Let a tracked kangaroo loose. Place a trap at the end.

Slide 44

Slide 44 text

Kangaroo jumps depend from the terrain at the start point. If the wild kangaroo intersects the path at any point,
 it ends up in the trap.

Slide 45

Slide 45 text

Back to elliptic curves. A jump is QN+1 = QN + H(QN) where H is a hash. Same starting point, same jump. You run from a known starting point, then from dG.
 If you collide, you traceback to d!

Slide 46

Slide 46 text

A target • JSON Object Signing and Encryption, JOSE (JWT) • ECDH-ES public key algorithm • go-jose and Go 1.8.1 • Check if the service successfully decrypts payload

Slide 47

Slide 47 text

Spot instance infrastructure Sage dispatcher /work /result

Slide 48

Slide 48 text

Figures! • Each key: ~52 limbs, modulo the kangaroo • Each limb: ~16 points on average • Each point: ~226 candidate points • (226 * 16) candidate points: ~85 CPU hours • 85 CPU hours: $1.26 EC2 spot instances • Total: 4,400 CPU hours / $65 on EC2

Slide 49

Slide 49 text

Demo

Slide 50

Slide 50 text

Demo

Slide 51

Slide 51 text

Demo

Slide 52

Slide 52 text

Filippo Valsorda @FiloSottile Sean Devlin @spdevlin Thank you! No bug is small enough.