Minerva: Practically exploitable side-channel leakage in ECDSA implementations (opens in new tab)

(minerva.crocs.fi.muni.cz)

85 pointsj08ny6y ago50 comments

50 comments

> the trustworthiness of NIST-produced curves being questioned after revelations that the NSA willingly inserts backdoors into software, hardware components and published standards were made; well-known cryptographers have expressed doubts about how the NIST curves were designed, and voluntary tainting has already been proved in the past.

https://wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_...

loeg6y ago

Use Ed25519 for your SSH keys, then. (For the unfamiliar: it's not a NIST-chosen curve.)

wolf550e6y ago

'tptacek would write that no reputable cryptographer believes the NIST curves themselves are backdoored.

1000units6y ago

Is this a joke? Doesn't everybody believe they're backdoored?

1 more reply

tptacek6y ago

This looks like a really phenomenal writeup, with worked examples. The underlying math and algorithm stuff here is applicable to other attacks; it looks like this is worth a close read.

wolf550e6y ago

Can you say whether libgcrypt did something especially stupid? [1]

I understand that most people just take the ref10 code from supercop, but if I were to try to implement ed25519 from the paper (https://ed25519.cr.yp.to/papers.html), what is the chance I would do something like what libgcrypt did, or equally bad?

Basically, is ed25519 secure because everyone uses a known secure implementation or because it is engineered to be genuinely hard to implement incorrectly from the paper? (I know it's both, but is it mostly one or the other?)

1 - They special cased the point at infinity and this short-circuit allowed to count leading zeros.

j08nyOP6y ago

If my two cents count, I would say that if you were to implement EdDSA from the paper, you would have a good chance of creating a secure implementation w.r.t. to this kind of leakage.

However, if you were starting with some Short-Weierstrass EC code in your library, then you might be inclined to skip all the scalar multiplication specific stuff in the Ed25519 paper, just take some (incomplete) Edwards formulas, take some general scalar multiplication algo (or even reuse the one you have for Short-Weierstrass, like libgcrypt) and end up with a vulnerable EdDSA (if your ECDSA was).

The short-circuiting in the addition formulas is necessary if incomplete formulas are used. Either that is done, or the scalar multiplication algorithm has to explicitly find out the bit-length and start so that the point at infinity is not input into them ever.

1 more reply

j08nyOP6y ago

Thanks, a paper is being prepared with the full details and an improved method. The sensitivity of the method to noise (one bad inequality in the lattice can make it not find the key) is really worth looking at, as that would improve the number of signatures necessary for the attack severely.

exabrial6y ago

Great writeup. Once again, physical access owns. This line stuck out:

> The attack required 11000 signatures

For a smartcard, this seems rather impractical in the real world. My Nitrokey has 1938 total signs after a month of usage, signing every git commit to our company repository and using it to authenticate over ssh (gpg-agent)

j08nyOP6y ago

We are working on lowering that number :)

It is quite a conservative estimate, we didn't want to claim something our PoC couldn't deliver. Also, it is with minimal attack runtime, as in, after you have those signatures and timings it takes a few minutes to get the private key. There is a trade-off where you can get around some of the noise and thus need less signatures if you just throw more computation resources at it.

exabrial6y ago

Athena’s IDProtect Smart Card and Middleware Approved for US Government PIV/HSPD-12 Deployment

https://www.securetechalliance.org/athenas-idprotect-smart-c...

xnyan6y ago

There’s no reason I’m aware of to use ECDSA over other available crypto. Don’t use ECDSA.

wolf550e6y ago

1. They show libgcrypt managed to have the bug in EdDSA (https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=c...).

2. People need to use ECDSA for same reason they need to use RSA: compatibility. In particular, EdDSA webpki certificates will likely never happen (https://cabforum.org/pipermail/servercert-wg/2019-June/00087...).

tptacek6y ago

But, if you fear and loathe ECDSA (and I do as well), it's probably a good idea to get in early against protocols that seek to deploy more of it. For instance, DNSSEC, which is barely deployed anywhere on the Internet, is just now (as in, resolvers couldn't reliably verify ECC records until recently) introducing ECC support --- with ECDSA.

1 more reply

loeg6y ago

There's no reason I'm aware of to use libgcrypt over other available crypto. Don't use libgcrypt.

tptacek6y ago

This impacts EdDSA as well, the Edwards-curve Schnorr-based system that is a gold standard for signing crypto. While I agree that you should avoid ECDSA, implementation errors can happen to anything.

garganzol6y ago

I like the presentation format of this work. Not only it plays well as a paper, it also contains elements of interactivity to make things more concise and clear. Definitely a thing from the future.

UI_at_80x246y ago

What is the latest "most secure" crypto I should be using?

loeg6y ago

In new designs or like, SSH keys?

For new designs: basically just use libsodium.

For SSH: Ed25519 or 2048 bit RSA.

We can get into the weeds about which specific cryptographic primitives are fine in isolation, but that misses the point — the ones that were fine 5-10 years ago are still more or less fine — the problems for developers and end-users generally stem from accidental misuse of cryptographic primitives in designing systems incorporating cryptographic primitives as a component. Sure, don't use DES, DSA, or MD5/SHA1; strong primitives are only necessary, not sufficient.

regecks6y ago

>For new designs: basically just use libsodium.

Check out libhydrogen from the same author. The API contains less footguns (like nonces).

1 more reply

exabrial6y ago

Finally, read this: "If You’re Typing the Letters A-E-S Into Your Code You’re Doing It Wrong"

https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

pilsetnieks6y ago

Now that's a deep cut even for a Dan Harmon fan.

1 more reply

bob10296y ago

What's wrong with using AES in CBC mode?

2 more replies

exabrial6y ago

At minimum, for asymmetric, at the time of the writing:

* ECDSA with secp-256 or ed25519 curves

* RSA >= 2048 bits. Performance takes a steep dive at 4096bits unfortunately

What people don't understand is that your implementation needs to be selected against your attack surface. If your attack surface includes hardening against side channels, your implementation selection needs to take that into account.

regecks6y ago

I don't think curve25519 is used in any ECDSA implementations. ed25519 is part of EdDSA.

1 more reply

zokier6y ago

Start from cryptographic right answers:

https://latacora.singles/2018/04/03/cryptographic-right-answ...

On a glance none of those recommendations have become invalid in the passing 18 months or so.

wolf550e6y ago

previously: https://news.ycombinator.com/item?id=21136946

j / k navigate · click thread line to collapse

50 comments

svnpenn6y ago

https://wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_...

loeg6y ago

Use Ed25519 for your SSH keys, then. (For the unfamiliar: it's not a NIST-chosen curve.)

wolf550e6y ago

'tptacek would write that no reputable cryptographer believes the NIST curves themselves are backdoored.

1000units6y ago

Is this a joke? Doesn't everybody believe they're backdoored?

1 more reply

tptacek6y ago

This looks like a really phenomenal writeup, with worked examples. The underlying math and algorithm stuff here is applicable to other attacks; it looks like this is worth a close read.

wolf550e6y ago

Can you say whether libgcrypt did something especially stupid? [1]

1 - They special cased the point at infinity and this short-circuit allowed to count leading zeros.

j08nyOP6y ago

If my two cents count, I would say that if you were to implement EdDSA from the paper, you would have a good chance of creating a secure implementation w.r.t. to this kind of leakage.

1 more reply

j08nyOP6y ago

exabrial6y ago

Great writeup. Once again, physical access owns. This line stuck out:

> The attack required 11000 signatures

j08nyOP6y ago

We are working on lowering that number :)

exabrial6y ago

Athena’s IDProtect Smart Card and Middleware Approved for US Government PIV/HSPD-12 Deployment

https://www.securetechalliance.org/athenas-idprotect-smart-c...

xnyan6y ago

There’s no reason I’m aware of to use ECDSA over other available crypto. Don’t use ECDSA.

wolf550e6y ago

1. They show libgcrypt managed to have the bug in EdDSA (https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=c...).

tptacek6y ago

1 more reply

loeg6y ago

There's no reason I'm aware of to use libgcrypt over other available crypto. Don't use libgcrypt.

tptacek6y ago

This impacts EdDSA as well, the Edwards-curve Schnorr-based system that is a gold standard for signing crypto. While I agree that you should avoid ECDSA, implementation errors can happen to anything.

garganzol6y ago

I like the presentation format of this work. Not only it plays well as a paper, it also contains elements of interactivity to make things more concise and clear. Definitely a thing from the future.

UI_at_80x246y ago

What is the latest "most secure" crypto I should be using?

loeg6y ago

In new designs or like, SSH keys?

For new designs: basically just use libsodium.

For SSH: Ed25519 or 2048 bit RSA.

regecks6y ago

>For new designs: basically just use libsodium.

Check out libhydrogen from the same author. The API contains less footguns (like nonces).

1 more reply

exabrial6y ago

Finally, read this: "If You’re Typing the Letters A-E-S Into Your Code You’re Doing It Wrong"