LadderLeak: Breaking ECDSA with Less than One Bit of Nonce Leakage

The presentation discusses a key recovery attack on ECDSA using biased nonces and one-bit leakage. The attack is carried out in two phases: quantifying the bias of nodes and finding the candidate secret key. The presentation also explores the time-memory-data trade-offs and the possibility of improving them.

• The attack on ECDSA involves biased nonces and one-bit leakage
• The attack is carried out in two phases: quantifying the bias of nodes and finding the candidate secret key
• The time-memory-data trade-offs are explored and can be improved
• The attack works even with errors in the leakage information

The presentation shows that even a small amount of noise leakage can be exploited by an attacker to recover the secret key. The attack can be carried out with a much smaller amount of signatures than previously thought, and the time-memory-data trade-offs can be optimized to reduce the input data complexity. The attack was successfully executed on a 192-bit curve using an optimized pilot implementation in AWS EC2. The presentation also highlights the importance of analyzing the behavior of bias functions under erroneous leakage information.

Although one of the most popular signature schemes, ECDSA presents a number of implementation pitfalls, in particular due to the very sensitive nature of the random value (known as the nonce) generated during the signing algorithm. It is known that any small amount of nonce exposure or bias can in principle lead to a full key recovery by solving the hidden number problem (HNP). This has been practically exploited in many attacks in the literature, taking advantage of implementation defects or side-channel vulnerabilities. However, most of the attacks so far have relied on at least 2 bits of nonce bias (except for the special case of curves at the 80-bit security level, for which attacks against 1-bit biases are known, albeit with a very high number of required signatures).In this talk, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is present in several recent versions of OpenSSL. However, it leaks less than 1 bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability less than 1. Exploiting such a mild leakage would be intractable using techniques present in the literature so far. However, we present a number of theoretical improvements to solving the HNP (an approach originally due to Bleichenbacher), and this lets us practically break LadderLeak-vulnerable ECDSA implementations over the sect163r1 and NIST P-192 elliptic curves. In doing so, we achieve several significant computational records in practical attacks against the HNP.