
    Minerva: The curse of ECDSA nonces

    We present our discovery of a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using the leaked bit-length, we mount a lattice attack on a 256-bit curve after observing enough signing operations. We propose two new methods to recover the full private key requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data. The number of signatures needed for a successful attack depends on the chosen method and its parameters as well as on the noise profile, influenced by the type of leakage and the computation platform used. We use the set of vulnerabilities reported in this paper, together with the recently published TPM-FAIL vulnerability, as a basis for real-world benchmark datasets to systematically compare our newly proposed methods and all previously published applicable lattice-based key recovery methods. The resulting exhaustive comparison highlights the methods' sensitivity to their proper parametrization and demonstrates that our methods are more efficient in most cases. For the TPM-FAIL dataset, we decreased the number of required signatures from approximately 40 000 to a mere 900.
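    The following Python sketch is an added illustration of the attack the abstract describes; it is not code from the Minerva paper or its authors, and every name in it (make_group, leaky_modexp, hnp_attack, run_demo, ...) is this example's own. It assumes a 40-bit DSA group over a safe prime in place of the 256-bit curve (the lattice step only ever consumes the triples (h, r, s), so it is the same for ECDSA), models the timing leak as the iteration count of a left-to-right square-and-multiply, which equals the nonce's bit-length, keeps only the signatures whose nonce came out at least 10 bits short, and solves the resulting Hidden Number Problem with a textbook LLL in pure Python rather than with the paper's methods or BKZ.

```python
import random
from fractions import Fraction

# Added example, not code from the Minerva paper. A 40-bit safe-prime DSA group stands
# in for the curve: the lattice step only ever sees (h, r, s) and is the same for ECDSA.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin < 3.3e24

def is_probable_prime(n):
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    s = ((n - 1) & (1 - n)).bit_length() - 1            # n - 1 = 2^s * d, d odd
    for a in BASES:
        x = pow(a, (n - 1) >> s, n)
        if x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            continue
        return False
    return True

def make_group(bits, rng):            # safe prime p = 2q + 1; g = 4 is a square, so order q
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def leaky_modexp(g, k, p):
    """Left-to-right square-and-multiply: the loop runs exactly k.bit_length() times,
    so the iteration count (standing in for a timing measurement) leaks the nonce size."""
    acc, iters = 1, 0
    for bit in bin(k)[2:]:
        acc = acc * acc % p
        if bit == "1":
            acc = acc * g % p
        iters += 1
    return acc, iters

def sign(h, d, p, q, g, rng):         # DSA (r, s) on hash h, plus the leaked iteration count
    while True:
        k = rng.randrange(1, q)
        gk, iters = leaky_modexp(g, k, p)
        r = gk % q
        s = pow(k, -1, q) * (h + d * r) % q
        if r and s:
            return r, s, iters

def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL with exact rational Gram-Schmidt; fine for ~10 dimensions (real attacks use fplll/BKZ)."""
    b, n, k = [list(row) for row in basis], len(basis), 1
    bstar, mu = [], [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    dot = lambda x, y: sum(Fraction(a) * c for a, c in zip(x, y))
    def gram_schmidt(start=0):                          # redo b*_i, mu_ij for i >= start
        del bstar[start:]
        for i in range(start, n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            bstar.append(v)
    gram_schmidt()
    while k < n:
        for j in range(k - 1, -1, -1):                  # size-reduce b_k against b_j
            if (r := round(mu[k][j])):
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):                  # mu_jj == 1 gives mu_kj -= r
                    mu[k][i] -= r * mu[j][i]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:                                           # Lovasz fails: swap and step back
            b[k - 1], b[k] = b[k], b[k - 1]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return b

def hnp_attack(sigs, q, leak_bits, p, g, y):
    """Hidden Number Problem: k_i = u_i + t_i*d (mod q) with k_i < 2^short whenever the
    measured length was short; centre the nonces, embed in a lattice, reduce, verify d."""
    short = q.bit_length() - leak_bits
    M, S = 1 << (short - 1), 1 << (leak_bits + 1)       # centre at M; S*M is about q
    w = [(pow(s, -1, q), r, h) for h, r, s, iters in sigs if iters <= short]
    t, u = [si * r % q for si, r, _ in w], [si * h % q for si, _, h in w]
    m = len(w)
    basis = [[q * S if i == j else 0 for j in range(m + 2)] for i in range(m)]
    basis.append([ti * S for ti in t] + [1, 0])
    basis.append([(ui - M) * S for ui in u] + [0, q])
    for row in lll_reduce(basis):                       # target: (S*(k_i - M), ..., d, q)
        for cand in (row[m] % q, -row[m] % q):
            if cand and pow(g, cand, p) == y:           # confirm against the public key
                return cand, m
    return None, m

def run_demo(seed=1, bits=40, leak_bits=10, needed=8):  # sign until `needed` short nonces seen
    rng = random.Random(seed)
    p, q, g = make_group(bits, rng)
    d = rng.randrange(1, q)                             # victim's private key
    y, sigs, short = pow(g, d, p), [], 0
    while short < needed:
        h = rng.randrange(1, q)                         # constructed stand-in for a hash
        r, s, iters = sign(h, d, p, q, g, rng)
        sigs.append((h, r, s, iters))
        short += iters <= q.bit_length() - leak_bits
    recovered, used = hnp_attack(sigs, q, leak_bits, p, g, y)
    return {"private_key": d, "recovered": recovered, "observed": len(sigs), "short_used": used}
```

    run_demo() signs a few thousand messages, keeps the eight whose leaked length was at least ten bits short, and returns the victim's key next to the recovered one. The fixed threshold is the crudest possible use of the leak; the abstract's point is that real leakage is noisy, that every short nonce carries some information, and that the signature count depends heavily on how the lattice method is parametrised, none of which this toy explores.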

    DiSSECT: Distinguisher of Standard & Simulated Elliptic Curves via Traits

    It can be tricky to trust elliptic curves standardized in a non-transparent way. To rectify this, we propose a systematic methodology for analyzing curves and statistically comparing them to the expected values of a large number of generic curves with the aim of identifying any deviations in the standard curves. For this purpose, we put together the largest publicly available database of standard curves. To identify unexpected properties of standard generation methods and curves, we simulate over 250 000 curves by mimicking the generation process of four standards. We compute 22 different properties of curves and analyze them with automated methods to pinpoint deviations in standard curves, pointing to possible weaknesses.

    A Formula for Disaster : A Unified Approach to Elliptic Curve Special-Point-Based Attacks

    The Refined Power Analysis, Zero-Value Point, and Exceptional Procedure attacks introduced side-channel techniques against specific cases of elliptic curve cryptography. The three attacks recover bits of a static ECDH key adaptively, collecting information on whether a certain multiple of the input point was computed. We unify and generalize these attacks in a common framework, and solve the corresponding problem for a broader class of inputs. We also introduce a version of the attack against windowed scalar multiplication methods, recovering the full scalar instead of just a part of it. Finally, we systematically analyze elliptic curve point addition formulas from the Explicit-Formulas Database, classify all non-trivial exceptional points, and find them in new formulas. These results indicate the usefulness of our tooling, which we released publicly, for unrolling formulas and finding special points, and potentially for independent future work.
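    As an added worked example of the special-point idea the abstract describes (this is my illustration, not the paper's tooling), the block below runs the Refined Power Analysis variant end to end: the attacker, who may submit input points to an implementation holding a static ECDH scalar, sends a multiple of the point with x = 0 chosen so that a particular intermediate multiple of the input point becomes that special point, and learns from the trace whether that multiple was computed. Assumptions: a toy curve y^2 = x^3 + x + b over F_2003 that the code selects for prime order; affine formulas; a double-and-add-always loop of fixed length known to the attacker; and the side channel abstracted to "a point with x = 0 entered a formula at iteration i". All function names are this example's own.

```python
import math
import random

# Added example, not the paper's tooling: a Refined Power Analysis (RPA) style recovery
# of a static ECDH scalar, simulated on a toy prime-order curve y^2 = x^3 + A*x + b over
# F_P in affine coordinates. The sizes are toy; the attacker's reasoning is the real one.
P, A = 2003, 1                                       # P % 4 == 3, so sqrt(v) = v^((P+1)/4)

def legendre(v):
    return pow(v % P, (P - 1) // 2, P)               # 0, 1 (square) or P - 1 (non-square)

def sqrt_mod(v):
    return pow(v % P, (P + 1) // 4, P)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def pick_curve():
    """Smallest b giving prime group order N with N % 4 == 3 (this rules out the only
    ambiguous case in the attack) and a point (0, y0) on the curve, i.e. b a square mod P."""
    for b in range(1, P):
        N = 1 + sum({0: 1, 1: 2}.get(legendre(x * x * x + A * x + b), 0) for x in range(P))
        if legendre(b) == 1 and N % 4 == 3 and (4 * A ** 3 + 27 * b * b) % P and is_prime(N):
            return b, N, sqrt_mod(b)

def ec_add(p1, p2):
    """Affine addition/doubling; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult_always(d, pt, nbits):
    """Double-and-add-always over a fixed number of bits (SPA-safe: every iteration does one
    doubling and one addition). Also returns the (iteration, op) pairs whose input point had
    x == 0, the RPA observable: a zero operand in the field multiplications shows in the trace."""
    R, leaks = None, set()
    for i, bit in enumerate(format(d, f"0{nbits}b")):
        if R is not None and R[0] == 0:
            leaks.add((i, "dbl"))
        R0 = ec_add(R, R)
        if R0 is not None and R0[0] == 0:
            leaks.add((i, "add"))
        R1 = ec_add(R0, pt)
        R = R1 if bit == "1" else R0
    return R, leaks

def rpa_attack(oracle, pub, G, N, y0, nbits):
    """To test bit i, guess k = 2*prefix + 1 and submit probe = [k^-1 mod N](0, y0). After
    iteration i the victim holds [2*prefix + bit]probe, which equals (0, y0) exactly when
    bit = 1, and that point is the doubling input of iteration i + 1. It could equal -(0, y0)
    only if 4*prefix + 1 == N, which N % 4 == 3 excludes."""
    prefix = 0
    for i in range(nbits - 1):
        probe = scalar_mult_always(pow(2 * prefix + 1, -1, N), (0, y0), nbits)[0]
        prefix = 2 * prefix + ((i + 1, "dbl") in oracle(probe))
    for d in (2 * prefix, 2 * prefix + 1):            # last bit: settle it with the public key
        if scalar_mult_always(d, G, nbits)[0] == pub:
            return d
    return None

def run_demo(seed=5):
    b, N, y0 = pick_curve()
    nbits = N.bit_length()                            # fixed scalar length, known to the attacker
    G = next((x, sqrt_mod(x ** 3 + A * x + b)) for x in range(1, P)
             if legendre(x ** 3 + A * x + b) == 1)
    d = random.Random(seed).randrange(1, N)           # victim's static ECDH private key
    pub = scalar_mult_always(d, G, nbits)[0]
    oracle = lambda pt: scalar_mult_always(d, pt, nbits)[1]   # what the trace reveals
    return {"order": N, "private_key": d, "queries": nbits - 1,
            "recovered": rpa_attack(oracle, pub, G, N, y0, nbits)}
```

    The oracle hands back only which operations saw a zero x-coordinate, never a key bit: because the victim uses double-and-add-always, the addition happens in every iteration, so the attacker reads the leak off the input of the next doubling instead. One query per bit suffices, and the last bit needs no trace at all because the public key settles it.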

    Conformational Parameters and Hydrodynamic Behavior of Poly(2-Methyl-2-Oxazoline) in a Broad Molar Mass Range

    In this work, we report our results on the hydrodynamic behavior of poly(2-methyl-2-oxazoline) (PMeOx). PMeOx is gaining significant attention for use as a hydrophilic polymer in pharmaceutical carriers as an alternative to the commonly used poly(ethylene glycol) (PEG), for which antibodies are found in a significant fraction of the human population. The main focus of the current study is to determine the hydrodynamic characteristics of PMeOx under physiological conditions, which serves as a basis for a better understanding of the use of PMeOx in pharmaceutical applications. This goal was achieved by studying PMeOx solutions in phosphate-buffered saline (PBS) as a solvent at 37 °C. This study was performed based on two series of PMeOx samples; one series is synthesized by conventional living cationic ring-opening polymerization, which is limited by the maximum chain length that can be achieved, and a second series is obtained by an alternative synthesis strategy based on acetylation of well-defined linear poly(ethylene imine) (PEI) prepared by controlled side-chain hydrolysis of a defined high molar mass poly(2-ethyl-2-oxazoline). The combination of these two series of PMeOx allowed the determination of the Kuhn–Mark–Houwink–Sakurada equations in a broad molar mass range. For intrinsic viscosity, sedimentation and diffusion coefficients, the following expressions were obtained: η = 0.015·M^0.77, s0 = 0.019·M^0.42 and D0 = 2600·M^−0.58, respectively. As a result, it can be concluded that phosphate-buffered saline at 37 °C represents a thermodynamically good solvent for PMeOx, based on the scaling indices of the equations. The conformational parameters for PMeOx chains were also determined, revealing an equilibrium rigidity, or Kuhn segment length, A of 1.7 nm and a polymer chain diameter d of 0.4 nm. The obtained value for the equilibrium rigidity is very similar to the reported values for other hydrophilic polymers, such as PEG, poly(vinylpyrrolidone) and poly(2-ethyl-2-oxazoline), making PMeOx a relevant alternative to PEG.

    Toll-like receptor signaling in thymic epithelium controls monocyte-derived dendritic cell recruitment and Treg generation

    The development of thymic regulatory T cells (Treg) is mediated by Aire-regulated self-antigen presentation on medullary thymic epithelial cells (mTECs) and dendritic cells (DCs), but the cooperation between these cells is still poorly understood. Here we show that signaling through Toll-like receptors (TLR) expressed on mTECs regulates the production of specific chemokines and other genes associated with post-Aire mTEC development. Using single-cell RNA-sequencing, we identify a new thymic CD14+Sirpα+ population of monocyte-derived dendritic cells (CD14+moDC) that are enriched in the thymic medulla and effectively acquire mTEC-derived antigens in response to the above chemokines. Consistently, the cellularity of CD14+moDC is diminished in mice with MyD88-deficient TECs, in which the frequency and functionality of thymic CD25+Foxp3+ Tregs are decreased, leading to aggravated mouse experimental colitis. Thus, our findings describe a TLR-dependent function of mTECs for the recruitment of CD14+moDC, the generation of Tregs, and thereby the establishment of central tolerance. Immune tolerance is mediated by the deletion of autoreactive T cells via medullary thymic epithelial cells (mTEC) and dendritic cells (DC), and by the induction of regulatory T cells (Treg). Here the authors show that mTEC receiving Toll-like receptor signaling control the recruitment of a CD14+Sirpα+ DC population that is capable of inducing Treg for establishing tolerance.

    Organometallic indolo[3,2-c]quinolines versus indolo[3,2-d]benzazepines: synthesis, structural and spectroscopic characterization, and biological efficacy

    The synthesis of ruthenium(II) and osmium(II) arene complexes with the closely related indolo[3,2-c]quinolines N-(11H-indolo[3,2-c]quinolin-6-yl)-ethane-1,2-diamine (L1) and N′-(11H-indolo[3,2-c]quinolin-6-yl)-N,N-dimethylethane-1,2-diamine (L2) and indolo[3,2-d]benzazepines N-(7,12-dihydroindolo-[3,2-d][1]benzazepin-6-yl)-ethane-1,2-diamine (L3) and N′-(7,12-dihydroindolo-[3,2-d][1]benzazepin-6-yl)-N,N-dimethylethane-1,2-diamine (L4) of the general formulas [(η^6-p-cymene)M^II(L1)Cl]Cl, where M is Ru (4) and Os (6), [(η^6-p-cymene)M^II(L2)Cl]Cl, where M is Ru (5) and Os (7), [(η^6-p-cymene)M^II(L3)Cl]Cl, where M is Ru (8) and Os (10), and [(η^6-p-cymene)M^II(L4)Cl]Cl, where M is Ru (9) and Os (11), is reported. The compounds have been comprehensively characterized by elemental analysis, electrospray ionization mass spectrometry, spectroscopy (IR, UV–vis, and NMR), and X-ray crystallography (L1·HCl, 4·H2O, 5, and 9·2.5H2O). Structure–activity relationships with regard to cytotoxicity and cell cycle effects in human cancer cells as well as cyclin-dependent kinase (cdk) inhibition and DNA intercalation in cell-free settings have been established. The metal-free indolo[3,2-c]quinolines inhibit cancer cell growth in vitro, with IC50 values in the high nanomolar range, whereas those of the related indolo[3,2-d]benzazepines are in the low micromolar range. In cell-free experiments, these classes of compounds inhibit the activity of cdk2/cyclin E, but the much higher cytotoxicity and stronger cell cycle effects of indoloquinolines L1 and 7 are not paralleled by a substantially higher kinase inhibition compared with indolobenzazepines L4 and 11, arguing for additional targets and molecular effects, such as intercalation into DNA.

    Fooling primality tests on smartcards

    We analyse whether the smartcards of the JavaCard platform correctly validate primality of domain parameters. The work is inspired by Albrecht et al. [1], where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smartcards, often there is no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters by adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman [30] style attacks, leading to private key recovery. Out of nine smartcards (produced by five major manufacturers) we tested (see https://crocs.fi.muni.cz/papers/primality_esorics20 for more information), all but one have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, making it difficult to mitigate in already deployed smartcards.
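    An added example (mine, not the paper's code) of why the missing primality check is fatal: finite-field Diffie-Hellman over a modulus n that a card without parameter validation accepts as the "prime" p. Assumptions: the attacker builds n as a product of three primes p_i whose p_i - 1 are products of tiny primes, at toy sizes; the card uses the supplied generator and draws its private key below n; and the attacker recovers the key with Pohlig-Hellman modulo each factor followed by the Chinese remainder theorem, which yields the key modulo the order of the generator, all a peer needs to reproduce every shared secret. The names (smooth_prime, dlog_mod_prime, recover_private_key, ...) are this example's own.

```python
import math
import random

# Added example, not the paper's code: finite-field DH over an adversarial composite
# modulus n that a card without parameter validation accepts as a "prime".
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)

def trial_prime(n):
    return n == 2 or (n > 2 and n % 2 and all(n % d for d in range(3, math.isqrt(n) + 1, 2)))

def smooth_prime(bits, rng):
    """Prime p of roughly `bits` bits whose p - 1 is a product of SMALL primes, returned
    with that factorisation (the attacker built p, so the attacker knows it)."""
    while True:
        m, factors = 2, {2: 1}
        while m.bit_length() < bits:
            l = rng.choice(SMALL)
            m, factors[l] = m * l, factors.get(l, 0) + 1
        if trial_prime(m + 1):
            return m + 1, factors

def find_generator(p, factors, rng):
    while True:                                       # g generates Z_p^* iff no g^((p-1)/l) == 1
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // l, p) != 1 for l in factors):
            return g

def crt(residues, moduli):
    """General CRT (moduli need not be coprime); returns (x, lcm) or raises if inconsistent."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        g = math.gcd(M, m)
        if (r - x) % g:
            raise ValueError("inconsistent residues")
        x += M * ((r - x) // g * pow(M // g, -1, m // g) % (m // g))
        M = M // g * m
    return x % M, M

def dlog_mod_prime(g, h, p, factors):
    """Pohlig-Hellman in Z_p^*: x with g^x = h, one small prime power of p - 1 at a time."""
    N, res, mods = p - 1, [], []
    for l, e in factors.items():
        le = l ** e
        gi, hi = pow(g, N // le, p), pow(h, N // le, p)   # project into the order-l^e subgroup
        base, x = pow(gi, le // l, p), 0                  # base has order exactly l
        for j in range(e):                                # peel off one base-l digit of x
            target = pow(hi * pow(gi, -x, p) % p, le // l ** (j + 1), p)
            x += next(dgt for dgt in range(l) if pow(base, dgt, p) == target) * l ** j
        res.append(x)
        mods.append(le)
    return crt(res, mods)[0]

def recover_private_key(g, y, n, primes):
    """Solve the DLP modulo each factor of n, then combine: x modulo lcm(p_i - 1)."""
    parts = [(dlog_mod_prime(g % p, y % p, p, f), p - 1) for p, f in primes]
    return crt([x for x, _ in parts], [m for _, m in parts])

def run_demo(seed=3):
    rng = random.Random(seed)
    primes = [smooth_prime(b, rng) for b in (16, 22, 28)]  # disjoint sizes, hence distinct
    n = math.prod(p for p, _ in primes)                     # the adversarial "prime"
    g = crt([find_generator(p, f, rng) for p, f in primes], [p for p, _ in primes])[0]
    x = rng.randrange(1, n)                                 # the card's DH private key
    y = pow(g, x, n)                                        # its public value
    recovered, order = recover_private_key(g, y, n, primes)
    peer = pow(g, rng.randrange(1, n), n)                   # any peer's public value
    same_secret = pow(peer, recovered, n) == pow(peer, x, n)
    return {"modulus": n, "private_key": x, "recovered": recovered, "order": order,
            "equivalent": recovered == x % order and same_secret}
```

    The recovered value is the private key reduced modulo the order of the supplied generator, which is all that the public value and any shared secret ever depend on. The check the card never performs is a primality test on the incoming modulus; as the abstract notes, the JavaCard API offers no such test to call, and the pseudoprimes of Albrecht et al. show that a test with fixed bases can itself be fooled.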

    SHINE: Resilience via Practical Interoperability of Multi-party Schnorr Signature Schemes

    19th International Conference on Security and Cryptography (SECRYPT), Lisbon, Portugal, 11-13 July 2022
    Secure multi-party cryptographic protocols divide the secret key among multiple devices and never reconstruct it in a single place. Such a mechanism protects against malware, code vulnerabilities, and backdoors when different implementations and devices are used. Still, a protocol-level issue may result in a compromise, and up until now, it has been unknown how to combine different unmodified multi-party protocols. We study the interoperability of different multi-party Schnorr signature schemes and classify them based on their approach to the nonce agreement. We identify issues that could hinder in-class interoperability, and we propose a trustless mediator that facilitates interoperability among different classes in certain cases. Besides mitigating the risks, interoperability provides usability and performance benefits, as protocols better suited for special devices can be used together with more general protocols. We make use of these advantages in our new multi-signature scheme SHINE, which is optimized for resource-limited devices like cryptographic smartcards while being interoperable with popular schemes such as MSDL, MuSig2, or SpeedyMuSig.
