Advertisement

Biased Nonce Sense: Lattice Attacks Against Weak ECDSA Signatures in Cryptocurrencies

  • Joachim Breitner
  • Nadia HeningerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)

Abstract

In this paper, we compute hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH, and HTTPS private keys by carrying out cryptanalytic attacks against digital signatures contained in public blockchains and Internet-wide scans. The ECDSA signature algorithm requires the generation of a per-message secret nonce. If this nonce is not generated uniformly at random, an attacker can potentially exploit this bias to compute the long-term signing key. We use a lattice-based algorithm for solving the hidden number problem to efficiently compute private ECDSA keys that were used with biased signature nonces due to multiple apparent implementation vulnerabilities.

Keywords

Hidden number problem ECDSA Lattices Bitcoin Crypto 

Notes

Acknowledgements

We thank Luke Valenta and Zakir Durumeric for help in updating ZGrab and Censys to collect HTTPS and SSH signature hashes, Tanja Lange for the reference on the surprisingly small binary representation of \(k = 1/2\) in secp256k1, and Greg Maxwell and Dan Brown for insightful comments on the preprint. Much of the work for this paper was done while the authors were at the University of Pennsylvania. This work was supported by the National Science Foundation under grants no. CNS-1651344 and CNS-1513671. We are grateful to Cisco for donating much of the computing cluster used to carry out our computations.

References

  1. 1.
    The most repeated r value on the blockchain (2015). https://bitcointalk.org/index.php?topic=1118704.0
  2. 2.
    Bitcoin wiki: Address reuse (2018). https://en.bitcoin.it/wiki/Address_reuse
  3. 3.
    Akavia, A.: Solving hidden number problem with one bit oracle and advice. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 337–354. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_20CrossRefGoogle Scholar
  4. 4.
    Bartoletti, M., Lande, S., Pompianu, L., Bracciali, A.: A general framework for blockchain analytics. In: Proceedings of the 1st Workshop on Scalable and Resilient Infrastructures for Distributed Ledgers, SERIAL 2017, pp. 7:1–7:6. ACM, New York (2017).  https://doi.org/10.1145/3152824.3152831. http://doi.acm.org/10.1145/3152824.3152831
  5. 5.
    Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh aah... just a little bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44709-3_5CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-68697-5_11CrossRefzbMATHGoogle Scholar
  7. 7.
    Bos, J.W., Halderman, J.A., Heninger, N., Moore, J., Naehrig, M., Wustrow, E.: Elliptic curve cryptography in practice. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 157–175. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45472-5_11CrossRefGoogle Scholar
  8. 8.
    Brengel, M., Rossow, C.: Identifying key leakage of bitcoin users. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) RAID 2018. LNCS, vol. 11050, pp. 623–643. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-00470-5_29CrossRefGoogle Scholar
  9. 9.
    Brown, D.R.L.: SEC 2: Recommended elliptic curve domain parameters (2010). http://www.secg.org/sec2-v2.pdf
  10. 10.
    Buterin, V.: Ethereum: a next-generation smart contract and decentralized application platform (2013). https://github.com/ethereum/wiki/wiki/White-Paper
  11. 11.
    Castellucci, R., Valsorda, F.: Stealing bitcoin with math (2016). https://news.webamooz.com/wp-content/uploads/bot/offsecmag/151.pdf
  12. 12.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_1CrossRefGoogle Scholar
  13. 13.
    Courtois, N.T., Emirdag, P., Valsorda, F.: Private key recovery combination attacks: on extreme fragility of popular bitcoin key management, wallet and cold storage solutions in presence of poor RNG events. Cryptology ePrint Archive, Report 2014/848 (2014). https://eprint.iacr.org/2014/848
  14. 14.
    Dall, F., et al.: Cachequote: efficiently recovering long-term secrets of SGX EPID via cache attacks. IACR Trans. Cryptogr. Hardware Embed. Syst. 2018(2), 171–191 (2018).  https://doi.org/10.13154/tches.v2018.i2.171-191. https://tches.iacr.org/index.php/TCHES/article/view/879
  15. 15.
    De Mulder, E., Hutter, M., Marson, M.E., Pearson, P.: Using bleichenbacher’s solution to the hidden number problem to attack nonce leaks in 384-bit ECDSA. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 435–452. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40349-1_25CrossRefGoogle Scholar
  16. 16.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol. IETF RFC RFC5246 (2008)Google Scholar
  17. 17.
    Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: A search engine backed by internet-wide scanning. In: 22nd ACM Conference on Computer and Communications Security, October 2015Google Scholar
  18. 18.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium, August 2012Google Scholar
  19. 19.
    Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signatureschemes. Des. Codes Crypt. 23(3), 283–290 (2001).  https://doi.org/10.1023/A:1011214926272CrossRefzbMATHGoogle Scholar
  20. 20.
    Klyubin, A.: Some SecureRandom thoughts, August 2013. https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html
  21. 21.
    Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Michaelis, K., Meyer, C., Schwenk, J.: Randomly failed! The state of randomness in current Java implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 129–144. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36095-4_9CrossRefzbMATHGoogle Scholar
  23. 23.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2009). http://bitcoin.org/bitcoin.pdf
  24. 24.
    National Institute of Standards and Technology: FIPS PUB 180-2: Secure Hash Standard, August 2002Google Scholar
  25. 25.
    National Institute of Standards and Technology: FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013Google Scholar
  26. 26.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Crypt. 30(2), 201–217 (2003).  https://doi.org/10.1023/A:1025436905711MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006).  https://doi.org/10.1007/11792086_18CrossRefGoogle Scholar
  28. 28.
    Pollard, J.M.: Monte Carlo methods for index computation (mod \(p\)). In: Mathematics of Computation, vol. 32 (1978)Google Scholar
  29. 29.
    Pornin, T.: Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital signature algorithm (ECDSA) (2013). https://tools.ietf.org/html/rfc6979
  30. 30.
    rico666: Large bitcoin collider. https://lbc.cryptoguru.org/
  31. 31.
    Schnorr, C.P.: A hierarchy of polynomial time lattice basis reductionalgorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987).  https://doi.org/10.1016/0304-3975(87)90064-8CrossRefzbMATHGoogle Scholar
  32. 32.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994).  https://doi.org/10.1007/BF01581144MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Schwartz, D., Youngs, N., Britto, A.: The Ripple protocol consensus algorithm (2014). https://ripple.com/files/ripple_consensus_whitepaper.pdf. Accessed 08 Aug 2016
  34. 34.
    Shanks, D.: Class number, a theory of factorization, and genera. In: Proceedings of Symposia in Pure Mathematics, vol. 20, pp. 41–440 (1971)Google Scholar
  35. 35.
    Blockchain Team: Android wallet security update. https://blog.blockchain.com/2015/05/28/android-wallet-security-update/
  36. 36.
    The Sage Developers: SageMath, the Sage Mathematics Software System (Version 8.1) (2017). http://www.sagemath.org
  37. 37.
    Valsorda, F.: Exploiting ECDSA failures in the bitcoin blockchain. Hack In The Box (HITB) (2014)Google Scholar
  38. 38.
    Ylonen, T., Lonvick, C.: The Secure Shell (SSH) transport layer protocol.IETF RFC 4253 (2006)Google Scholar

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.DFINITY FoundationZugSwitzerland
  2. 2.University of CaliforniaSan DiegoUSA

Personalised recommendations