Vulnerability Assessment Report: Nonce Leakage and Implementation Risks in (EC)DSA

15 min read
computer-science security

A structured look at HNP-based key recovery, BIGNUM representation leaks, lazy resizing CVEs, and protocol-level subgroup failures in modern signature stacks.

Vulnerability Assessment Report: Nonce Leakage and Implementation Risks in (EC)DSA

  1. Technical Scope and Threat Landscape

In the architecture of modern digital signature schemes such as DSA and ECDSA, the “nonce” (k)—a unique, ephemeral secret—is the linchpin of cryptographic security. For these algorithms, secrecy and uniformity are not merely best practices; they are existential requirements. The partial leakage of even a nominal number of nonce bits can lead to the total recovery of the long-term private key. While the “constant-time” paradigm is the recognized strategic benchmark for modern cryptographic libraries, implementation-level nuances frequently betray these theoretical guarantees. Subtle variations in Bignumber representation, memory management, and branching logic create side channels that bypass high-level protocol protections, transforming execution traces into actionable intelligence for an adversary.

The Hidden Number Problem (HNP) Framework

Side-channel observations are converted into private key recovery through the mathematical bridge of the Hidden Number Problem (HNP). This framework allows an attacker to recover a hidden value (x) by observing partial information about its multiples. The rigor of the attack is defined by the following progression:

  • Information Collection: An attacker gathers signatures where partial nonce information—specifically Most Significant Bits (MSBs) or Least Significant Bits (LSBs)—is leaked.
  • Inequality Modeling: Leaked bits are modeled as a system of inequalities. For a d-dimensional lattice, the USENIX benchmark for exploitability suggests that an attack requires approximately L \approx \log_2 \log_2 q bits of leakage to be viable.
  • Lattice-Based Reduction: This system is mapped to a Closest Vector Problem (CVP) or Shortest Vector Problem (SVP). Algorithms such as LLL (Lenstra–Lenstra–Lovász) or BKZ (Block Korkin-Zolotarev) are used to reduce the lattice and reveal the private key x.
  • Bleichenbacher-Style Attacks: For noisy or fractional bit leaks, FFT-based attacks use exponential sums to detect biases, requiring a higher volume of signatures but providing resilience against measurement errors.

Tooling and Methodology

This assessment utilizes the DATA (Differential Address Trace Analysis) framework. DATA instruments target binaries to record fine-grained address traces, identifying vulnerabilities by comparing traces generated from differing secrets. While DATA’s statistical tests filter noise from randomization (e.g., blinding), it remains a heuristic tool. Manual code review is mandatory to determine if identified statistical leaks constitute exploitable vulnerabilities in a production environment.

The static risks of data representation provide the foundation for dynamic execution-time vulnerabilities, specifically during memory allocation and resizing cycles.

  1. Analysis of Bignumber Representation Flaws

Efficiency-driven design choices in Bignumber libraries—specifically OpenSSL and LibreSSL—introduce unintended side channels. The pursuit of performance through “minimal representation” is fundamentally at odds with constant-time security. By utilizing a top field to track used limbs and performing “lazy reduction” via bn_fix_top to strip leading zeros, these libraries create a “leaky abstraction” where the logical value of a number dictates its physical memory footprint.

Minimal vs. Fixed-Width Representation

The following table contrasts the two primary philosophies of Bignumber management:

Feature OpenSSL / LibreSSL (Minimal) BoringSSL (Fixed-Width) Storage Metric Uses a top field to track used limbs; relies on bn_fix_top. Uses a width field representing maximum width. Memory Policy Lazily allocated; minimizes space by excluding leading zeros. Fixed-width; sensitive Bignumbers do not shrink. Word Boundary Sensitivity High: L = \log_2(q) \pmod w bits leaked at boundaries. None: Operations are independent of leading zeros. “So What?” Physical layout impacts timing/memory access patterns. Inherently resistant to size-related side channels.

Implementation Complexity: Redundant Limbs and Karatsuba

Beyond simple representation, high-performance optimizations introduce new risks. Optimized implementations of secp384r1 often use a 56-bit redundant limb strategy with Solinas reduction. This requires complex telescopic sums to manage carries and prevent underflow, adding significant logic depth. Similarly, the Ed448-Goldilocks curve utilizes the “golden ratio” prime (2^{448} - 2^{224} - 1) to facilitate Karatsuba multiplication. While efficient, these optimizations require complex “telescopic” carry handling to prevent overflow in 128-bit accumulators, creating a breeding ground for subtle implementation errors.

Vulnerability V1: Small Nonce Information Leak

In OpenSSL and LibreSSL, nonces are represented in minimal form. If the modulus q of a curve is slightly above a word boundary (e.g., 32 or 64 bits), a nonce may occasionally require fewer limbs than the modulus. For curves like secp521r1 and sect131r1, a small nonce that clears the topmost bits results in a reduced top field, leaking L bits of information. Even rare leaks (e.g., 9 bits every 512th signature for secp521r1) are sufficient for HNP-based recovery.

The transition from these static representation risks to dynamic execution-time vulnerabilities is most visible during the padding and resizing phases.

  1. Side-Channel Mechanics: Lazy Resizing and K-Padding

“K-padding” was introduced to mitigate nonce-length leakage by padding the nonce k with the modulus q. Ironically, the implementation of this defense created new vulnerabilities due to how memory is managed during addition.

Vulnerabilities V2 & V5: Carry-Induced Resizing

The core issue lies in the interaction between BN_add and the bn_wexpand function.

  • The Mechanics: During the k + q addition, a carry operation may exceed the currently allocated limbs.
  • The Leak: If a carry occurs, bn_wexpand triggers a call to malloc or realloc. An attacker using Flush+Reload on the standard library’s allocation routines can detect this resize.
  • The Outcome: Because the carry depends on the topmost bits of the nonce, the attacker recovers approximately L bits. This was the basis for CVE-2018-0734 and CVE-2018-0735.

Vulnerability V4: Exponentiation Downgrade

A flaw in the patching of resizing leaks resulted in the incorrect propagation of the BN_FLG_CONSTTIME flag during BN_consttime_swap. This caused the target Bignumber to silently lose its constant-time status, leading to a fallback to variable-time code and exposing the library to traditional timing attacks.

Evaluation of the “So What?” Layer

  • Stated Defense Goal: Use K-padding to ensure uniform nonce bit-length.
  • Actual Vulnerability Outcome (V2): Triggering malloc via carries leaks nonce bits with high accuracy (CVE-2018-0734).
  • Stated Defense Goal: Ensure secure swapping of values during padding.
  • Actual Vulnerability Outcome (V4): Erroneous flag handling causes a silent downgrade to insecure, non-constant-time implementations.

These failures in the padding stage are followed by risks in the subsequent stages of the nonce life cycle, specifically during inversion and addition.

  1. Vulnerabilities in the Nonce Life Cycle

Generation and Truncation Risks

OpenSSL utilizes a Private Key Inclusion strategy for nonce generation, hashing the random seed with the private key (SHA512(x m rnd)). This acts as a defense-in-depth measure against biased PRNGs, ensuring the nonce remains unpredictable even if the entropy source is compromised. This contrasts with the pure rejection sampling used by BoringSSL.

Modular Inversion (V8 & V9)

The inversion of the nonce (k^{-1} \pmod q) is a critical point of failure in OpenSSL and LibreSSL:

  1. V8 Euclidean Leakage: Leakage specifically occurs during the first Euclidean iteration. Because the numerator (modulus) spillover to an extra limb only occurs when the nonce has fewer bits than the modulus, the resulting BN_div resize reveals the topmost nonce bit.
  2. V9 Conditional Negation: The algorithm conditionally negates the result based on a sign bit, which leaks information about the inverted nonce’s magnitude.
  • Mitigation: BoringSSL (and recently OpenSSL) utilizes Fermat’s Little Theorem (k^{q-2} \pmod q), which is inherently constant-time.

Point Addition Leakage (V7)

In optimized implementations of NIST curves (e.g., secp256k1), the !z2_is_zero check used to skip additions of the “point at infinity” is a short-circuit evaluation of a branching condition. An attacker can detect this branch via instruction-level side channels (such as those available in SGX), learning exactly when a nonce window is all-zero.

This implementation-level fragility is further exacerbated when moving to the protocol layer and group theory.

  1. Group Theory and Architectural Vulnerabilities (CISPA Findings)

When protocols operate in non-prime order groups or fail to validate points, the attack surface expands to protocol-level failures.

Subgroup Confinement and Invalid Point Attacks

In groups with small cofactors (e.g., Curve25519), elements can be confined to small subgroups. An attacker providing a “low-order” point can force the resulting shared secret into a tiny set of possible values.

  • Bluetooth Attack: Possible because only the x-coordinate is included in the numeric comparison check. The protocol allows y-coordinate manipulation because y is excluded from the hash, enabling invalid curve attacks.
  • Scuttlebutt Attack: Leverages low-order points in Curve25519 to bypass authentication, allowing handshakes to complete without knowledge of the responder’s public key.

Case Study Comparison

Attack Target Mechanism Primary Consequence Scuttlebutt Low-order points in Curve25519. Authentication bypass; unauthorized handshake completion. Bluetooth y-coordinate manipulation (excluded from hash). Invalid curve attack forcing shared secret to known values. Tendermint Small subgroup points (Curve25519). Signature substitution; attacker replays a valid signature on a constant challenge.

Twist Security

Single-coordinate ladders (Montgomery ladders) are often twist-secure. However, if an attacker can move a computation to a twist that lacks security (e.g., a twist with a composite order where the discrete log problem is weak), they can extract keys despite the ladder’s efficiency.

  1. Defense Evaluation and Mitigation Strategies

Mitigation Hierarchy

  1. Fixed-Width Bignumber Implementation: Eliminating the top field (the BoringSSL model) is the only definitive way to remove representation-based leaks.
  2. Exclusion of Low-Order Points: This measure remains controversial (the “Bernstein vs. IETF” friction). While some argue it is only for “exotic” protocols, implementation divergence—where LibSodium rejects low-order points but Go’s standard library accepts them—creates significant audit risk.
  3. Low-Order Clearing (Cofactor Clamping): Essential in Curve25519 to prevent information leakage by zeroing the low-order component.
  4. Order Checking and Equation Validation: Mandatory for preventing invalid curve attacks, despite the performance cost.

Effectiveness of Patches

The “cat-and-mouse” cycle of OpenSSL/LibreSSL patching (where fixing V2 introduced V4) underscores that side-channel resistance is a moving target. Auditors must verify that patches do not introduce silent downgrades.

  1. Audit Conclusions and Strategic Recommendations

Implementation security in (EC)DSA is currently hindered by efficiency-driven “basement” flaws in Bignumber libraries. Even “constant-time” claims are often invalidated by lazy resizing and minimal representation.

Summary of Key Implementation Traps

  • Lazy Resizing: malloc calls during padding provide a direct path to nonce recovery.
  • Minimal Representation: The top field is a leaky abstraction that must be abandoned for sensitive data.
  • Short-Circuit Point Addition: Branching on “all-zero” windows allows bit-by-bit scalar reconstruction.

Strategic Recommendations

  • Adopt Fermat Inversion: Replace Euclidean algorithms with Fermat’s Little Theorem to eliminate inversion-related leaks.
  • Enforce Fixed-Width Arithmetic: Transition to the BoringSSL model where width is determined by the modulus, not the value.
  • Protocol-Level Validation: Enforce curve equation checks and reject low-order points at the protocol entry point; do not rely solely on implementation-level twist security.

Final Statement: Current trends show that while algebraic security is robust, the underlying memory management of cryptographic libraries remains structurally vulnerable. A fundamental shift toward fixed-width arithmetic is required to mitigate key recovery risks.

Related Posts