Breaking Ed25519 in WolfSSL
Ed25519 is an instance of the Elliptic Curve based signature scheme EdDSA that was recently introduced to solve an inconvenience of the more established ECDSA. Namely, both schemes require the generation of a value (scalar of the ephemeral key pair) during the signature generation process and the secrecy of this value is critical for security: knowledge of one such a value, or partial knowledge of a series of them, allows reconstructing the signer’s private key. In ECDSA it is not specified how to generate this random value and hence implementations critically rely on the quality of random number generators and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. The feature of determinism has received wide support as enabling secure implementations and in particular deployment of Ed25519 is spectacular. Today Ed25519 is used in numerous security protocols, networks and both software and hardware security products e.g. OpenSSH, Tor, GnuPG etc.
In this paper we show that in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break an Ed25519 implementation in WolfSSL, which is a suitable use case for IoT applications. We apply differential power analysis (DPA) on the underlying hash function, SHA-512, requiring only 4 000 traces.
Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping the claimed advantage of EdDSA over ECDSA in terms of featuring less things that can go wrong e.g. the required high-quality randomness. However, we do argue with our countermeasure that some randomness (that need not be perfect) might be hard to avoid.
KeywordsEdDSA SHA-512 Side-channel attack Real world attack
This work was supported in part by a project funded by DarkMatter LLC.
- 1.ECRYPT II key recommendations (2012). https://www.keylength.com/en/3/
- 2.The XEdDSA and VXEdDSA Signature Schemes (2017). https://signal.org/docs/specifications/xeddsa/xeddsa.pdf. Accessed 11 Sept 2017
- 3.Things that use Ed25519 (2017). https://ianix.com/pub/ed25519-deployment.html. Accessed 29 Sept 2017
- 4.Ambrose, C., Bos, J.W., Fay, B., Joye, M., Lochter, M., Murray, B.: Differential attacks on deterministic signatures. Cryptology ePrint Archive, report 2017/975 (2017). https://eprint.iacr.org/2017/975.pdf
- 5.Belaid, S., Bettale, L., Dottax, E., Genelle, L., Rondepierre, F.: Differential power analysis of HMAC SHA-2 in the Hamming weight model. In: 2013 International Conference on Security and Cryptography (SECRYPT), pp. 1–12. IEEE (2013)Google Scholar
- 11.Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak reference (2011). http://keccak.noekeon.org/Keccak-reference-3.0.pdf, http://keccak.noekeon.org/
- 14.Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R.P., Rescorla, E., Shacham, H.: A systematic analysis of the juniper dual EC incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 468–479. ACM (2016)Google Scholar
- 16.Goubin, L.: A sound method for switching between Boolean and arithmetic masking. In: Proceedings of Third International Workshop Cryptographic Hardware and Embedded Systems - CHES 2001, Paris, France, 14-16 May 2001, pp. 3–15 (2001)Google Scholar
- 17.Hastings, M., Fried, J., Heninger, N.: Weak keys remain widespread in network devices. In: Proceedings of the 2016 ACM on Internet Measurement Conference, pp. 49–63. ACM (2016)Google Scholar
- 20.Lemke, K., Schramm, K., Paar, C.: DPA on n-bit sized boolean and arithmetic operations and its application to IDEA, RC6, and the HMAC-construction. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 205–219. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_15 CrossRefGoogle Scholar
- 21.McEvoy, R., Tunstall, M., Murphy, C.C., Marnane, W.P.: Differential power analysis of HMAC based on SHA-2, and countermeasures. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 317–332. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77535-5_23 CrossRefGoogle Scholar
- 24.Pub, F.: Secure hash standard (SHS). Technical report, NIST, July 2015Google Scholar
- 26.Seuschek, H., Heyszl, J., De Santis, F.: A cautionary note: side-channel leakage implications of deterministic signature schemes. In: Proceedings of the Third Workshop on Cryptography and Security in Computing Systems, CS2 2016, pp. 7–12. ACM, New York (2016). http://doi.acm.org/10.1145/2858930.2858932