Ledger Donjon wins Kudelski Crypto Challenge: Behind the scene 1/3 —

Charles Guillemet
Nov 21, 2018 · 4 min read

One Fault is enough to break EdDSA

This post is part of a series of 3 where we give our solutions on Kudelski CTF. In this post, we give our solution on the 1st challenge.

Kudelski organized a Capture The Flag (CTF) during last summer. The prizes were very attractive:

A Ledger Nano S with 100 USD in Ethereum!

Kudelski CTFs are very interesting, challenging and cryptography related. At Ledger, we have the Donjon team which evaluates the security of our products, hardening them and doing security research. Our areas of expertise include Side Channel Attacks, Fault Attacks and Software Attacks on various architectures.

Even though we were quite busy this summer, we found time to try to attempt the CTF. They were quite difficult and thus we are very proud to be able to solve them. Furthermore, we were the first to do so, and we won the CTF!

We could sadly not attend DEFCON this summer, but for winning the CTF, Kudelski has sent us our precious device :)

Our prize for winning the CTF: A Ledger Nano S with 100 USD in Ethereum

We would like to thank Kudelski for this very smooth organization of this great challenge. Kudelski asked us to prepare a write-up explaining how we solved the challenges. You’ll find below how we solved them.

Buckle up your security belt, it’s going to be slightly technical…

After having reversed the code, we assumed that the algorithm used to generate the signature is EdDSA. The symbols were still present in the binary. The functions were renamed in order to add a bit of obfuscation.

This was a fault attack on EdDSA and as Kudelski released a paper about it called Practical fault attack against the Ed25519 and EdDSA signature schemes, we assumed this problem was about implementing one of the attacks presented in the paper.

EdDSA is one of the variations of the ECDSA algorithm, with a small difference. Whilst in ECDSA the nonce is computed randomly, in EdDSA the nonce is deterministically computed from the message and the private key. It means that the two correct signatures of the same message will be the same. Firstly, we have found the correct signature by trying to verify all the given signatures.

For example, when requesting the server to sign the message 000000, we obtain several signatures:

fe1f44347edb2f3561c4a04ef723d26937329e72a9e7d85a39c2f081b09f8e29a086c6dad6c6d3a9d235d2b5ece309797e4490a91c01c5396dc14a7291e1de04

One can see that one signature appears several times, which probably means it is the ‘correct’ signature. Querying the server for verification shows that indeed fe1f4434...is a valid signature, whereas the others are faulty ones.

As we know, the DFA attacks on EdDSA could influence either one part of the signature (S), or two (both R and S). R corresponds to the first half of the above signatures, and S to the second half.

Because the faulty signatures for the same message differ in both, R and S, we assumed that the fault could have occurred either during the computation of hash line 4, or during the point multiplication line 5.

A fault on line 4 affecting r during the whole signature would not lead to an easy recovery of the private key, unless the difference with the expected hash value can be bruteforced. Therefore we tried the simpler option of a transient fault during line 5, which affects ‘R’, and yields the private key with only a little bit of arithmetic.

To get the key, we only need to solve the equation taken from the algorithm

where S and and S’ are known from the two signatures, t and t’ could be computed from

where R and R’ (faulty signature) are known from the signatures, A is the public key, m’ is the message.

The private key ‘a’ equals (S-S’).(t-t’)⁻¹ in this case. Solving the equations for two signatures, faulty and not, we got the key. This information is enough to sign the required message for the challenge.

The flag is: CTF{cryp70 15 n07 cryp70curr3ncy}


The code can be found in our GitHub.

Stay tuned for the challenge #2.


By Ledger Donjon — Jean-Baptiste Bédrune — Victor Servant —Natalia Kulatova — Charles Guillemet

Ledger

Founded in 2014, Ledger is a leader in security and…

Thanks to Olivier Heriveaux, Manuel San Pedro, Green Knot, Victor Servant, Cédric Mesnil, and Ledger

Charles Guillemet

Written by

CSO @ Ledger

Ledger

Ledger

Founded in 2014, Ledger is a leader in security and infrastructure solutions for cryptocurrencies and blockchain applications. The Nano S, Ledger’s flagship product, is the world most popular hardware wallet with more than 1.5 million units sold.

Charles Guillemet

Written by

CSO @ Ledger

Ledger

Ledger

Founded in 2014, Ledger is a leader in security and infrastructure solutions for cryptocurrencies and blockchain applications. The Nano S, Ledger’s flagship product, is the world most popular hardware wallet with more than 1.5 million units sold.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store