From A to Z: Projective coordinates leakage in the wild

Alejandro Cabrera Aldaya, Cesar Pereida García, and Billy Bob Brumley

Abstract

At EUROCRYPT 2004, Naccache et al. showed that the projective coordinates representation of the resulting point of an elliptic curve scalar multiplication potentially allows to recover some bits of the scalar. However, this attack has received little attention by the scientific community, and the status of deployed mitigations to prevent it in widely adopted cryptography libraries is unknown. In this paper, we aim to fill this gap, by analyzing several cryptography libraries in this context. To demonstrate the applicability of the attack, we use a side-channel attack to exploit this vulnerability within libgcrypt in the context of ECDSA. To the best of our knowledge, this is the first practical attack instance. It targets the insecure binary extended Euclidean algorithm implementation using a microarchitectural side-channel attack that allows recovering the projective representation of the output point of scalar multiplication during ECDSA signature generation. We captured 100k traces to estimate the number of traces an attacker would need to compromise the libgcrypt ECDSA implementation, resulting in less than 2k for commonly used elliptic curve secp256r1, demonstrating the attack feasibility. During exploitation, we found two additional vulnerabilities. However, we remark the purpose of this paper is not merely exploiting a library but about providing an analysis on the projective coordinates vulnerability status in widely deployed open-source libraries, filling a gap between its original description in the academic literature and the adoption of countermeasures to thwart it in real-world applications.

Available format(s)
Category
Public-key cryptography
Publication info
Keywords
applied cryptographyprojective coordinates leakopen source librariesside-channel analysisECDSAmodular inversionbinary GCDlibgcryptCVE-2020-10932CVE-2020-11735
Contact author(s)
aldaya @ gmail com
History
Short URL
https://ia.cr/2020/432

CC BY

BibTeX

@misc{cryptoeprint:2020/432,
author = {Alejandro Cabrera Aldaya and Cesar Pereida García and Billy Bob Brumley},
title = {From A to Z: Projective coordinates leakage in the wild},
howpublished = {Cryptology ePrint Archive, Paper 2020/432},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/432}},
url = {https://eprint.iacr.org/2020/432}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.