Breaking Ed25519 in WolfSSL

  • Niels Samwel
  • Lejla Batina
  • Guido Bertoni
  • Joan Daemen
  • Ruggero Susella
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)

Abstract

Ed25519 is an instance of the elliptic-curve-based signature scheme EdDSA, which was introduced to remove a well-known pitfall of the more established ECDSA. Both schemes generate a value (the scalar of the ephemeral key pair, i.e. the nonce) during signing, and the secrecy of this value is critical for security: knowledge of one such value, or partial knowledge of a series of them, allows the signer's private key to be reconstructed. ECDSA does not specify how this random value is generated, so implementations depend critically on the quality of their random number generator and are hard to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. This determinism has been widely welcomed as an enabler of secure implementations, and the deployment of Ed25519 in particular has been remarkable. Today Ed25519 is used in numerous security protocols, networks, and software and hardware security products, e.g. OpenSSH, Tor and GnuPG.

In this paper we show that, in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break the Ed25519 implementation in WolfSSL, a library well suited to IoT applications. We apply differential power analysis (DPA) to the underlying hash function, SHA-512, and need only 4 000 traces.

Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping the claimed advantage of EdDSA over ECDSA, namely fewer things that can go wrong, e.g. the need for high-quality randomness. However, our countermeasure also shows that some randomness (which need not be perfect) may be hard to avoid.
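The following is an added worked example, not code from the paper or from WolfSSL, that makes the first paragraph's claim concrete: a compact pure-Python Ed25519 (RFC 8032 parameters and encodings) signs a message, then the signer's secret scalar is recovered from a single signature together with its nonce r = SHA-512(prefix || M), which is exactly what a successful DPA on the SHA-512 nonce derivation would hand an attacker, and the recovered scalar is used to sign an attacker-chosen message. The seed, the messages and the leak itself are constructed for the example; the DPA step and the paper's countermeasure are not implemented, and the arithmetic is not constant time.

```python
"""Ed25519 nonce leak -> private key, an added pure-Python illustration.
Not code from the paper or from WolfSSL. Curve, hash and encodings follow
RFC 8032; the "leaked" nonce r stands in for the DPA result. Needs Python 3.8+.
"""
import hashlib
import os

p = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
d = -121665 * pow(121666, -1, p) % p                  # curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)                     # sqrt(-1) mod p

def _xrecover(y):
    """Even x with x^2 = (y^2 - 1) / (d y^2 + 1), as in RFC 8032 point decoding."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * SQRT_M1 % p
    return p - x if x & 1 else x

def _add(P, Q):
    """Unified addition in extended coordinates (X, Y, Z, T), RFC 8032 section 5.1.4."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % p
    B = (Y1 + X1) * (Y2 + X2) % p
    C = 2 * d * T1 * T2 % p
    D = 2 * Z1 * Z2 % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return E * F % p, G * H % p, F * G % p, E * H % p

def _mul(P, e):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    Q = (0, 1, 1, 0)                                  # neutral element
    while e:
        if e & 1:
            Q = _add(Q, P)
        P = _add(P, P)
        e >>= 1
    return Q

def _enc(P):
    """Point -> 32 bytes: little-endian y with the parity of x in the top bit."""
    X, Y, Z, _ = P
    zi = pow(Z, -1, p)
    x, y = X * zi % p, Y * zi % p
    return (y | (x & 1) << 255).to_bytes(32, "little")

def _dec(b):
    y = int.from_bytes(b, "little") & (1 << 255) - 1
    x = _xrecover(y)
    if (x & 1) != (b[31] >> 7):
        x = p - x
    return x, y, 1, x * y % p

_By = 4 * pow(5, -1, p) % p
BASE = (_xrecover(_By), _By, 1, _xrecover(_By) * _By % p)

def _hash_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def keygen(seed):
    """RFC 8032 key expansion: clamped scalar a, nonce prefix, encoded public key A."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & (1 << 254) - 8 | 1 << 254   # clamp
    return a, h[32:], _enc(_mul(BASE, a))

def sign(seed, msg):
    """Deterministic Ed25519 signing; also returns r, the value the DPA targets."""
    a, prefix, A = keygen(seed)
    r = _hash_int(prefix, msg) % L        # SHA-512(prefix || M): the secret nonce
    R = _enc(_mul(BASE, r))
    k = _hash_int(R, A, msg) % L          # public challenge
    return R + ((r + k * a) % L).to_bytes(32, "little"), r

def verify(A, msg, sig):
    """Check S*B == R + k*A (no cofactor or malleability checks; demo only)."""
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    k = _hash_int(R, A, msg) % L
    return _enc(_mul(BASE, S)) == _enc(_add(_dec(R), _mul(_dec(A), k)))

def recover_scalar(A, msg, sig, r):
    """One signature plus its leaked nonce: a = (S - r) * k^-1 mod L."""
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    k = _hash_int(R, A, msg) % L
    a = (S - r) * pow(k, -1, L) % L
    assert _enc(_mul(BASE, a)) == A       # recovered scalar reproduces the public key
    return a

def forge(a, A, msg):
    """Sign an attacker-chosen message with the recovered scalar; any nonce works."""
    r = int.from_bytes(os.urandom(64), "little") % L
    R = _enc(_mul(BASE, r))
    return R + ((r + (_hash_int(R, A, msg) % L) * a) % L).to_bytes(32, "little")

def demo():
    seed = bytes(range(32))                           # constructed test key, not a real one
    a, _, A = keygen(seed)
    msg = b"deterministic nonce"
    sig, r_leaked = sign(seed, msg)                   # r_leaked models the DPA result
    a_rec = recover_scalar(A, msg, sig, r_leaked)
    forged = forge(a_rec, A, b"attacker-chosen message")
    return a_rec == a % L and verify(A, b"attacker-chosen message", forged)
```

demo() returns True when the recovered scalar equals the clamped secret reduced mod L and the forged signature verifies under the victim's public key. The recovered value is a mod L rather than the clamped a itself, which is irrelevant to the attacker: the base point has order L, so both produce identical public keys and signatures. Note that the leak is of the nonce r only; the long-term prefix that feeds the SHA-512 call is never touched, which is why the attack needs no more than one signature once r is known.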

Keywords

EdDSA · SHA-512 · Side-channel attack · Real-world attack

Notes

Acknowledgments

This work was supported in part by a project funded by DarkMatter LLC.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Niels Samwel (1)
  • Lejla Batina (1)
  • Guido Bertoni (2)
  • Joan Daemen (1, 3)
  • Ruggero Susella (4)

  1. Digital Security Group, Radboud University, Nijmegen, The Netherlands
  2. Security Pattern, Brescia, Italy
  3. STMicroelectronics, Diegem, Belgium
  4. STMicroelectronics, Agrate Brianza, Italy