david wong

Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency); before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

Timing and Lattice Attacks on a Remote ECDSA OpenSSL Server: How Practical Are They Really? posted August 2015

Alright! My master's thesis is done. Here's a download link.

It's a timing attack on a vulnerable version of OpenSSL, specifically on its ECDSA signing over binary curves.

Right before the constant-time scalar multiplication of the nonce by the base point there was an optimization whose running time depends on the bit length of the scalar. That gives a timing attack that leaks the lengths of the ephemeral keys (the nonces) behind an OpenSSL server's signatures.

In this paper I explain how to set up such an attack, and how to use lattices to recover the private key from nothing more than the nonce lengths of a batch of signatures collected during ephemeral handshakes (the server signs its ephemeral key share in each one).
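The two paragraphs above, end to end, as an added worked example (this is not code from the thesis or its repo). The vulnerable scalar multiplication is modelled as a Montgomery ladder that starts at the nonce's top set bit, so its iteration count equals the nonce's bit length and stands in for the time an attacker would measure; a server signs with it; the attacker keeps only the signatures whose timing says the nonce was short and feeds them to the standard hidden-number-problem lattice, reduced with a textbook LLL. Everything concrete is constructed for the demo: the curve (y^2 = x^3 + x + cb over F_65519, with cb picked at run time by brute-force point counting so the group order is prime), the seed, the 8-bit nonce bound, the ten signatures, and the random "hashes". The lattice is the same for a real 256-bit curve, but there you would reduce it with fpylll or Sage and need many more signatures, since each one leaks only a few bits.

```python
import random
from fractions import Fraction

def find_toy_curve(p=65519, ca=1):
    """Prime p = 3 mod 4; first cb giving prime group order. Returns p, ca, cb, order, generator."""
    squares = {x * x % p for x in range(1, p)}                # non-zero quadratic residues
    for cb in range(1, p):
        if (4 * ca ** 3 + 27 * cb * cb) % p:                  # non-singular
            rhs = [(x ** 3 + ca * x + cb) % p for x in range(p)]
            order = p + 1 + sum(1 if r in squares else -1 for r in rhs if r)  # 1 + sum(1 + legendre)
            if all(order % i for i in range(2, int(order ** 0.5) + 1)):
                break
    return p, ca, cb, order, next((x, pow(r, (p + 1) // 4, p)) for x, r in enumerate(rhs) if r in squares)

p, ca, cb, n, G = find_toy_curve()       # prime order n, so any point generates
K_BOUND, M = 1 << 8, 10                  # "short" nonce: k < 2**8; signatures to collect (> log2(n)/8)

def ec_add(P, Q):
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                           # P + (-P) = infinity
    lam = (3 * x1 * x1 + ca) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p
def ladder(k, P, fixed_bits=None):
    """Montgomery ladder. fixed_bits=None models the vulnerable code: it starts at k's
    top set bit, so steps == k.bit_length(). fixed_bits=n.bit_length() is the fix."""
    R0, R1, steps = None, P, 0
    for i in range((fixed_bits or k.bit_length()) - 1, -1, -1):
        if (k >> i) & 1:
            R0, R1 = ec_add(R0, R1), ec_add(R1, R1)
        else:
            R1, R0 = ec_add(R0, R1), ec_add(R0, R0)
        steps += 1
    return R0, steps
def ecdsa_sign(d, h, rng):
    """(r, s) plus the ladder step count, standing in for the time an attacker measures."""
    while True:
        k = rng.randrange(1, n)
        R, steps = ladder(k, G)
        r = R[0] % n
        s = pow(k, -1, n) * (h + r * d) % n
        if r and s:
            return (r, s), steps

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for a dozen ~40-bit vectors."""
    B, dim = [list(v) for v in basis], len(basis)
    Bs, mu = [None] * dim, [[Fraction(0)] * dim for _ in range(dim)]
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt(start=0):                                # (re)compute b*_i, mu_ij for i >= start
        for i in range(start, dim):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs[i] = v
    gram_schmidt()
    k = 1
    while k < dim:
        for j in range(k - 1, -1, -1):                        # size-reduce b_k (b*_k is unchanged)
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1
        else:                                                 # Lovasz condition fails: swap, step back
            B[k], B[k - 1] = B[k - 1], B[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return B

def recover_key(short_sigs, pub, bound):
    """s = k^-1 (h + r d) gives k_i = u_i + t_i d (mod n) with t_i = r_i/s_i, u_i = h_i/s_i.
    Rows n^2 e_i, (n t_i, bound, 0), (n u_i, 0, n bound) span a lattice that contains the
    short vector (n k_1, .., n k_m, d bound, n bound); LLL finds it once bound^m << n^(m-1)."""
    m = len(short_sigs)
    ts = [r * pow(s, -1, n) % n for (r, s), _ in short_sigs]
    us = [h * pow(s, -1, n) % n for (_, s), h in short_sigs]
    rows = [[n * n * (i == j) for j in range(m)] + [0, 0] for i in range(m)]
    rows += [[n * t for t in ts] + [bound, 0], [n * u for u in us] + [0, n * bound]]
    for row in lll(rows):
        if abs(row[m + 1]) == n * bound:                      # +-target candidate
            cand = (row[m + 1] // (n * bound)) * row[m] // bound % n
            if ladder(cand, G)[0] == pub:                     # confirm against the public key
                return cand

def demo(seed=1):
    """Server signs random hashes; attacker keeps the short-timing ones. Returns (key, recovered)."""
    rng = random.Random(seed)
    d = rng.randrange(1, n)
    pub, short = ladder(d, G)[0], []
    while len(short) < M:
        h = rng.randrange(1, n)                               # constructed message hash
        sig, steps = ecdsa_sign(d, h, rng)
        if steps < K_BOUND.bit_length():                      # i.e. k.bit_length() <= 8
            short.append((sig, h))
    return d, recover_key(short, pub, K_BOUND)
```

Call `demo()`; it returns the private key and the key the lattice recovered, which are equal. About one signature in 256 has a nonce below 2^8, so the attacker sees a few thousand signatures to collect the ten it needs. `ladder(k, G, fixed_bits=n.bit_length())` is the constant-step variant: with it the step count no longer depends on k and the filter in `demo` has nothing to select on, which is the whole point of the fix.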

If this doesn't make sense to you just read the paper :D

Also, everything is on this GitHub repo: you can reproduce my setup for a vulnerable server and an attacker, and the patch and tools are there. If you end up getting better results than the ones in the paper, well, tell me!

Also here's a demo:

EDIT: it's on the ePrint archive as well now.




How about the latest OpenSSL?


It is patched! Look at my paper :P


Thanks. How about get_small_nonces_data.py? It may be missing. :)


By the way, which paper did you mention in the LLL video about Tsinghua University? Can you give a link? Thanks.


I just added it in `tools/`!

I have a bunch of other tools and readmes on how to make the plots, maybe I should upload that.

As for the Tsinghua paper, check my paper here: https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/survey_final.pdf

But I might not talk about it there; if not, I don't know where you can find it other than looking in the IACR ePrint archive for Boneh and Durfee.


Found it: Remarks on the bounds for cryptanalysis of low private key RSA (2008)


How does LLL compare to other methods or algorithms? For example, targeting RSA-150: time cost, etc.


Why would someone test RSA-150? (You mean RSA with a modulus of 150 bits?)

I don't really understand your question; there are some numbers in my paper. It would be interesting to see if BKZ has better results (although when I was testing it seemed to have the same results for the RSA attack).


I mean https://en.wikipedia.org/wiki/RSA_numbers


I don't think LLL and BKZ are very relevant to factorization contests

The attack applies if the private key is small.


On my local Ubuntu, it always runs with result -trick (1000 | 10000 | 100000). I guess it's not that practical.
Also, it only solved when length=157. And when should trick be 6, and when 7?
I guess maybe I should try an older version, like 0.9.8.
