Paper 2017/985

Breaking Ed25519 in WolfSSL

Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen, and Ruggero Susella

Abstract

Ed25519 is an instance of the Elliptic Curve based signature scheme EdDSA that was recently introduced to solve an inconvenience of the more established ECDSA. Namely, both schemes require the generation of a random value (scalar of the ephemeral key pair) during the signature generation process and the secrecy of this random value is critical for security: knowledge of one such a random value, or partial knowledge of a series of them, allows reconstructing the signer's private key. In ECDSA it is not specified how to generate this random value and hence implementations critically rely on the quality of random number generators and are challenging to implement securely. EdDSA removes this dependence by deriving the secret deterministically from the message and a long-term auxiliary key using a cryptographic hash function. The feature of determinism has received wide support as enabling secure implementations and in particular deployment of Ed25519 is spectacular. Today Ed25519 is used in numerous security protocols, networks and both software and hardware security products e.g. OpenSSH, Tor, GnuPG etc. In this paper we show that in use cases where power or electromagnetic leakage can be exploited, exactly the mechanism that makes EdDSA deterministic complicates its secure implementation. In particular, we break an Ed25519 implementation in WolfSSL, which is a suitable use case for IoT applications. We apply differential power analysis (DPA) on the underlying hash function, SHA-512, requiring only 4000 traces. Finally, we present a tweak to the EdDSA protocol that is cheap and effective against the described attack while keeping the claimed advantage of EdDSA over ECDSA in terms of featuring less things that can go wrong e.g. the required high-quality randomness. However, we do argue with our countermeasure that some randomness (that need not be perfect) might be hard to avoid.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
EdDSASHA-512side-channel attackreal world attack
Contact author(s)
nsamwel @ cs ru nl
History
2017-10-09: received
Short URL
https://ia.cr/2017/985
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/985,
      author = {Niels Samwel and Lejla Batina and Guido Bertoni and Joan Daemen and Ruggero Susella},
      title = {Breaking Ed25519 in WolfSSL},
      howpublished = {Cryptology ePrint Archive, Paper 2017/985},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/985}},
      url = {https://eprint.iacr.org/2017/985}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.