Ledger Donjon wins Kudelski Security Crypto Challenge: Behind the scene 1/3

Kudelski Security is happy to publish the solution found by the team Ledger Donjon to the first challenge of Kudelski Security’s 2018 crypto challenge!

Ledger Donjon wins Kudelski Security Crypto Challenge: Behind the scene 1/3

One Fault is enough to break EdDSA

This post is part of a series of 3 where we give our solutions on Kudelski CTF. In this post, we give our solution on the 1st challenge.

Kudelski organized a Capture The Flag (CTF) during last summer. The prizes were very attractive:

A Ledger Nano S with 100 USD in Ethereum!

Kudelski CTFs are very interesting, challenging and cryptography related. At Ledger, we have the Donjon team which evaluates the security of our products, hardening them and doing security research. Our areas of expertise include Side Channel Attacks, Fault Attacks and Software Attacks on various architectures.

Even though we were quite busy this summer, we found time to try to attempt the CTF. They were quite difficult and thus we are very proud to be able to solve them. Furthermore, we were the first to do so, and we won the CTF!

We could sadly not attend DEFCON this summer, but for winning the CTF, Kudelski has sent us our precious device :)

Our prize for winning the CTF: A Ledger Nano S with 100 USD in Ethereum

We would like to thank Kudelski for this very smooth organization of this great challenge. Kudelski asked us to prepare a write-up explaining how we solved the challenges. You’ll find below how we solved them.

Buckle up your security belt, it’s going to be slightly technical…

After having reversed the code, we assumed that the algorithm used to generate the signature is EdDSA. The symbols were still present in the binary. The functions were renamed in order to add a bit of obfuscation.

This was a fault attack on EdDSA and as Kudelski released a paper about it called Practical fault attack against the Ed25519 and EdDSA signature schemes, we assumed this problem was about implementing one of the attacks presented in the paper.

EdDSA is one of the variations of the ECDSA algorithm, with a small difference. Whilst in ECDSA the nonce is computed randomly, in EdDSA the nonce is deterministically computed from the message and the private key. It means that the two correct signatures of the same message will be the same. Firstly, we have found the correct signature by trying to verify all the given signatures.

For example, when requesting the server to sign the message 000000, we obtain several signatures:


One can see that one signature appears several times, which probably means it is the ‘correct’ signature. Querying the server for verification shows that indeed fe1f4434... is a valid signature, whereas the others are faulty ones.

As we know, the DFA attacks on EdDSA could influence either one part of the signature (S), or two (both R and S). R corresponds to the first half of the above signatures, and S to the second half.

Because the faulty signatures for the same message differ in both, R and S, we assumed that the fault could have occurred either during the computation of hash line 4, or during the point multiplication line 5.

A fault on line 4 affecting r during the whole signature would not lead to an easy recovery of the private key, unless the difference with the expected hash value can be bruteforced. Therefore we tried the simpler option of a transient fault during line 5, which affects ‘R’, and yields the private key with only a little bit of arithmetic.

To get the key, we only need to solve the equation taken from the algorithm

\begin{aligned} (R, S) &= (rB, r+ts \bmod l) \\    (R', S') &= (r'B, r+t's \bmod l) \end{aligned}

where and and S’ are known from the two signatures, t and t’ could be computed from

t' = \mathcal{H}(\mathrm{Enc}_\mathrm{Point}(R'), \mathrm{Enc}_\mathrm{Point}(A), m')

where R and R’ (faulty signature) are known from the signatures, A is the public key, m’ is the message.

The private key ‘a’ equals (S-S')\cdot(t-t')^{-1} in this case. Solving the equations for two signatures, faulty and not, we got the key. This information is enough to sign the required message for the challenge.

The flag is: CTF{cryp70 15 n07 cryp70curr3ncy}


The code can be found in our GitHub.

Stay tuned for the challenge #2.

By Ledger Donjon — Jean-Baptiste Bédrune — Victor Servant —Natalia Kulatova — Charles Guillemet

You can read their original post by clicking here.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s