BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION: 'Title: LadderLeak: Breaking ECDSA With Less Than One Bit Of
Nonce\n Leakage\n When: Friday\, Aug 7\, 11:00 - 11:59 PDT\n Where:
 Crypto & Privacy Vlg\n Speakers:Akira Takahashi\,F. Novaes\,M. Tibouc
 hi\,Y. Yarom\,Diego F.\n Aranha\n\n SpeakerBio:Akira Takahashi\n Ak
ira Takahashi is currently a PhD student at Cryptography and\n Security
Group\, Aarhus University\, Denmark. He was an intern in the\n Cryptogra
phy Research Laboratory at NTT Corporation\, Japan and has\n also worked
as a software developer at Richie Oy\, Finland. His\n research interest
 s cover implementation attacks on public key\n cryptographic algorithms a
nd construction of efficient secure\n two-/multi-party computation proto
cols. He has given talks about his\n research projects in different top-
tier conferences\, including\n Eurocrypt [3]\, Euro S&P\, and CHES [4].\
 n\n SpeakerBio:F. Novaes\n No BIO available\n\n SpeakerBio:M. Tibo
 uchi\n No BIO available\n\n SpeakerBio:Y. Yarom\n No BIO available\
n\n SpeakerBio:Diego F. Aranha\n Diego F. Aranha is an Associate Profe
ssor of Computer Science at\n Aarhus University\, Denmark. His professio
nal experience is in\n Cryptography and Computer Security\, with a speci
al interest in the\n efficient implementation of cryptographic algorithm
s and security\n analysis of real-world systems. He received the Google
Latin America\n Research Award for research on privacy twice\, and the M
IT TechReview's\n Innovators Under 35 Brazil Award for his work in elect
 ronic voting. He\n has given talks about his research on more than 100 o
 ccasions in 10\n different countries\, including BlackHat Asia [1] and D
EF CON Voting\n Village [2].\n\n Description:\n Although it is one o
f the most popular signature schemes today\, ECDSA\n presents a number o
f implementation pitfalls\, in particular due to the\n very sensitive na
ture of the random value (known as the nonce)\n generated as part of the
signing algorithm. It is known that any small\n amount of nonce exposur
e or nonce bias can in principle lead to a full\n key recovery: the key
recovery is then a particular instance of Boneh\n and Venkatesan's hidde
n number problem (HNP). That observation has\n been practically exploite
d in many attacks in the literature\, taking\n advantage of implementati
on defects or side-channel vulnerabilities in\n various concrete ECDSA i
mplementations. However\, most of the attacks\n so far have relied on at
least 2 bits of nonce bias (except for the\n special case of curves at
the 80-bit security level\, for which attacks\n against 1-bit biases are
known\, albeit with a very high number of\n required signatures).\n\n
In this paper\, we uncover LadderLeak\, a novel class of side-channel\n
vulnerabilities in implementations of the Montgomery ladder used in\n E
CDSA scalar multiplication. The vulnerability is in particular\n present
in several recent versions of OpenSSL. However\, it leaks less\n than 1
bit of information about the nonce\, in the sense that it\n reveals the
most significant bit of the nonce\, but with probability\n <1. Exploiti
ng such a mild leakage would be intractable using\n techniques present i
n the literature so far. However\, we present a\n number of theoretical
improvements of the Fourier analysis approach to\n solving the HNP (an a
pproach originally due to Bleichenbacher)\, and\n this lets us practical
ly break LadderLeak-vulnerable ECDSA\n implementations instantiated over
the sect163r1 and NIST P-192\n elliptic curves. In so doing\, we achiev
e several significant\n computational records in practical attacks again
st the HNP.\n\n\n Crypto & Privacy Village activities will be streamed t
o YouTube and\n Twitch.\n\n ------------------------------------------
---------------------------\n\n Twitch: [1]https://twitch.tv/cryptovilla
ge\n\n YouTube: [2]https://www.youtube.com/channel/UCGWMS6k9rg9uOf3FmYdj
wwQ\n\n '\n\n 1. https://twitch.tv/cryptovillage\n 2. https://www.yo
utube.com/channel/UCGWMS6k9rg9uOf3FmYdjwwQ\n\n\n
DTEND:20200807T185900Z
DTSTART:20200807T180000Z
LOCATION:CPV -
SUMMARY:LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage
END:VEVENT
END:VCALENDAR