
Breaking Ed25519 in WolfSSL

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10808)

Abstract

Ed25519 is an instance of the elliptic-curve signature scheme EdDSA, which was recently introduced to remove an inconvenience of the more established ECDSA. Both schemes require the generation of a value (the scalar of the ephemeral key pair) during signature generation, and the secrecy of this value is critical for security: knowledge of one such value, or partial knowledge of a series of them, allows reconstructing the signer's private key. ECDSA does not specify how this random value is to be generated, so implementations critically rely on the quality of their random number generator and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. This determinism has been widely welcomed as enabling secure implementations, and the deployment of Ed25519 in particular has been spectacular: it is used today in numerous security protocols, networks, and software and hardware security products, e.g. OpenSSH, Tor and GnuPG.
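Why the nonce is as sensitive as the long-term key, as an added illustration (this is not code from the paper or from WolfSSL): a minimal pure-Python Ed25519 following RFC 8032, where the signature is S = r + k·a mod L with r the deterministic nonce, k the challenge hash and a the private scalar. A single signature whose r is known gives a mod L directly, and a mod L is all a forger needs, because verifiers never check how r was derived. The key, the messages and the "leaked" nonce below are constructed; in the attack the nonce would come from side-channel analysis of the SHA-512 call that derives it from the secret prefix and the message.

```python
# Added example, not code from the paper or from WolfSSL: minimal Ed25519 (RFC 8032)
# in pure Python, showing that the deterministic nonce r is as sensitive as the
# private scalar a: one signature with known r yields a mod L, which suffices to forge.
import hashlib
import os

p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493     # order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p              # twisted Edwards constant

def sha512_mod_L(data: bytes) -> int:
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L
def inv(x: int) -> int:
    return pow(x, p - 2, p)

# Points in extended coordinates (X, Y, Z, T): x = X/Z, y = Y/Z, T = XY/Z.
def point_add(P, Q):
    a = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    b = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    c = 2 * P[3] * Q[3] * d % p
    e = 2 * P[2] * Q[2] % p
    return ((b - a) * (e - c) % p, (e + c) * (b + a) % p,
            (e - c) * (e + c) % p, (b - a) * (b + a) % p)

def point_mul(s: int, P):
    Q = (0, 1, 1, 0)                                    # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def recover_x(y: int, sign: int):
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p             # multiply by sqrt(-1)
    if (x * x - x2) % p:
        return None                                     # (x, y) is not on the curve
    return p - x if (x & 1) != sign else x

def compress(P) -> bytes:
    zi = inv(P[2])
    x, y = P[0] * zi % p, P[1] * zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
def decompress(s: bytes):
    v = int.from_bytes(s, "little")
    sign, y = v >> 255, v & ((1 << 255) - 1)
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

G_Y = 4 * inv(5) % p
G = (recover_x(G_Y, 0), G_Y, 1, recover_x(G_Y, 0) * G_Y % p)   # base point

def expand_secret(secret: bytes):
    h = hashlib.sha512(secret).digest()                 # -> (clamped scalar a, nonce prefix)
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def public_key(secret: bytes) -> bytes:
    return compress(point_mul(expand_secret(secret)[0], G))
def sign(secret: bytes, msg: bytes) -> bytes:
    a, prefix = expand_secret(secret)
    A = compress(point_mul(a, G))
    r = sha512_mod_L(prefix + msg)      # deterministic nonce: the SHA-512 call a DPA targets
    R = compress(point_mul(r, G))
    k = sha512_mod_L(R + A + msg)
    return R + ((r + k * a) % L).to_bytes(32, "little")

def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    A, R = decompress(pub), decompress(sig[:32])
    S = int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L:
        return False
    k = sha512_mod_L(sig[:32] + pub + msg)
    lhs, rhs = point_mul(S, G), point_add(R, point_mul(k, A))   # S*G == R + k*A ?
    return all((lhs[i] * rhs[2] - rhs[i] * lhs[2]) % p == 0 for i in (0, 1))

def recover_scalar(pub: bytes, msg: bytes, sig: bytes, r: int) -> int:
    """S = r + k*a mod L, so one signature plus its nonce gives a mod L."""
    S = int.from_bytes(sig[32:], "little")
    k = sha512_mod_L(sig[:32] + pub + msg)
    return (S - r) * pow(k, L - 2, L) % L
def forge(a_mod_L: int, pub: bytes, msg: bytes) -> bytes:
    """Verifiers never check how r was derived, so a random nonce forges fine."""
    r = int.from_bytes(os.urandom(64), "little") % L
    R = compress(point_mul(r, G))
    k = sha512_mod_L(R + pub + msg)
    return R + ((r + k * a_mod_L) % L).to_bytes(32, "little")

def demo() -> bool:
    secret = bytes(range(32))                           # constructed test key, not a real one
    pub, msg, evil = public_key(secret), b"firmware v1.0", b"firmware v1.0-backdoored"
    a, prefix = expand_secret(secret)
    leaked_r = sha512_mod_L(prefix + msg)               # stands in for the DPA result
    a_rec = recover_scalar(pub, msg, sign(secret, msg), leaked_r)
    return a_rec == a % L and verify(pub, evil, forge(a_rec, pub, evil))
```

The recovered value is a mod L rather than the clamped a itself (clamping sets bit 254, so a exceeds L), but the public key and every signature depend on a only modulo L, which is why the forgery in `demo` verifies. The same algebra is what makes a leaked or repeated nonce fatal in ECDSA; EdDSA only moves the problem from the RNG into the hash call.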

In this paper we show that in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break the Ed25519 implementation in WolfSSL, a library aimed at IoT applications and hence a relevant use case. We apply differential power analysis (DPA) to the underlying hash function, SHA-512, and need only 4000 traces.
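What the DPA exploits, as an added simulation (not the paper's or WolfSSL's code, and not a reproduction of the paper's measurements): correlation power analysis in the sense of Brier, Clavier and Olivier, applied to a 64-bit modular addition in which one addend is secret and the other is a known, varying word. That is the arithmetic shape SHA-512 presents when the secret prefix enters the hash ahead of an attacker-known message: the secret-dependent intermediate values are added to known message words, and because the nonce derivation is deterministic the secret side is the same in every trace. The 32-bit target, its Hamming-weight leakage with Gaussian noise, the trace count and the secret word (the first SHA-512 IV constant, used only as a stand-in) are all constructed assumptions here.

```python
# Added example, not code from the paper or from WolfSSL: correlation power
# analysis (the DPA variant of Brier, Clavier and Olivier) on a simulated
# 64-bit modular addition with one secret addend and one known addend, the
# operation SHA-512 performs in every round. Target, leakage model, noise,
# trace count and the secret word are all constructed assumptions.
import math
import random
from operator import mul

HW8 = [bin(b).count("1") for b in range(256)]         # Hamming weight of a byte

def hw(x: int) -> int:
    return bin(x).count("1")

def leak_add64(secret: int, w: int, rng: random.Random, noise: float):
    """Hypothetical 32-bit target: computes (secret + w) mod 2^64 as two 32-bit
    halves and leaks the Hamming weight of each half, plus Gaussian noise."""
    y = (secret + w) & (2**64 - 1)
    return [hw(y & 0xFFFFFFFF) + rng.gauss(0, noise), hw(y >> 32) + rng.gauss(0, noise)]

def collect_traces(secret: int, n: int, seed: int = 2018, noise: float = 0.5):
    """The attacker's measurement phase: n known random inputs and their traces."""
    rng = random.Random(seed)
    ws = [rng.getrandbits(64) for _ in range(n)]
    return ws, [leak_add64(secret, w, rng, noise) for w in ws]

def cpa_recover_addend(ws, traces) -> int:
    """Recover the secret addend one byte at a time, least significant first,
    so the carry into each byte follows from the bytes already recovered."""
    n, recovered = len(ws), 0
    for j in range(8):
        sh, mask = 8 * j, (1 << (8 * (j + 1))) - 1
        leak = [t[j // 4] for t in traces]                # the half that holds byte j
        sy, syy = sum(leak), sum(map(mul, leak, leak))
        best, best_corr = 0, -1.0
        for h in range(256):
            guess = recovered | (h << sh)
            # predicted byte j of the sum under hypothesis h, carries included
            pred = [HW8[((guess + (w & mask)) >> sh) & 0xFF] for w in ws]
            sx, sxx = sum(pred), sum(map(mul, pred, pred))
            sxy = sum(map(mul, pred, leak))
            den = math.sqrt((n * sxx - sx * sx) * (n * syy - sy * sy))
            corr = (n * sxy - sx * sy) / den if den else 0.0   # Pearson correlation
            if corr > best_corr:
                best, best_corr = h, corr
        recovered |= best << sh
    return recovered

def demo(n_traces: int = 4000) -> bool:
    secret = 0x6A09E667F3BCC908     # constructed stand-in: SHA-512's first IV word
    ws, traces = collect_traces(secret, n_traces)
    return cpa_recover_addend(ws, traces) == secret

if __name__ == "__main__":
    print("secret addend recovered:", demo())
```

Two points carry over to the real attack. The addition is attacked byte by byte from the least significant end because the carry into byte j is a function of the lower bytes and of the known input only, so 8 × 256 hypotheses replace 2^64. And the only thing the attacker needs from the target is many executions with the same secret and different known inputs; deterministic nonce derivation supplies exactly that, whereas a fresh random input per signature would deny it.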

Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping EdDSA's claimed advantage over ECDSA of having fewer things that can go wrong, such as the need for high-quality randomness. Our countermeasure does, however, suggest that some randomness (which need not be perfect) may be hard to avoid.


Notes

  1. This paper was published after the submission deadline of CT-RSA.

  2. Piñata board. Accessed: 18-04-2017. URL: https://www.riscure.com/security-tools/hardware/pinata-training-target.

  3. Current Probe. Accessed: 18-04-2017. URL: https://www.riscure.com/benzine/documents/CurrentProbe.pdf.


Acknowledgments

This work was supported in part by a project funded by DarkMatter LLC.

Author information

Corresponding author: Niels Samwel


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Samwel, N., Batina, L., Bertoni, G., Daemen, J., Susella, R. (2018). Breaking Ed25519 in WolfSSL. In: Smart, N. (ed.) Topics in Cryptology – CT-RSA 2018. Lecture Notes in Computer Science, vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_1


  • DOI: https://doi.org/10.1007/978-3-319-76953-0_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76952-3

  • Online ISBN: 978-3-319-76953-0

  • eBook Packages: Computer Science (R0)
