BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:47e05aae-defc-4f67-9284-4a107a5b248b
DTSTAMP:20260607T040247Z
SUMMARY:LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage
DESCRIPTION:Although it is one of the most popular signature schemes today\
 , ECDSA presents a number of implementation pitfalls\, in particular due t
 o the very sensitive nature of the random value (known as the nonce) gener
 ated as part of the signing algorithm. It is known that any small amount o
 f nonce exposure or nonce bias can in principle lead to a full key recover
 y: the key recovery is then a particular instance of Boneh and Venkatesan'
 s hidden number problem (HNP). That observation has been practically explo
 ited in many attacks in the literature\, taking advantage of implementatio
 n defects or side-channel vulnerabilities in various concrete ECDSA implem
 entations. However\, most of the attacks so far have relied on at least 2 
 bits of nonce bias (except for the special case of curves at the 80-bit se
 curity level\, for which attacks against 1-bit biases are known\, albeit w
 ith a very high number of required signatures).\n\nIn this paper\, we unco
 ver LadderLeak\, a novel class of side-channel vulnerabilities in implemen
 tations of the Montgomery ladder used in ECDSA scalar multiplication. The 
 vulnerability is in particular present in several recent versions of OpenS
 SL. However\, it leaks less than 1 bit of information about the nonce\, in
  the sense that it reveals the most significant bit of the nonce\, but wit
 h probability 
URL:https://forum.defcon.org/node/234171
DTSTART:20200807T190000Z
DTEND:20200807T200001Z
LOCATION:Crypto & Privacy Vlg
END:VEVENT
END:VCALENDAR
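The abstract above states that even a small nonce leak turns ECDSA key recovery into an instance of Boneh and Venkatesan's hidden number problem. The block below is an added worked example, not code from the talk, the LadderLeak paper or OpenSSL: it constructs a 12-bit toy curve, signs with ECDSA, simulates a side channel that reveals the top bits of every nonce, builds the HNP lattice and recovers the private key with LLL. It demonstrates the classic lattice attack for several known nonce bits per signature, not the paper's sub-1-bit technique. The curve parameters, UNKNOWN_BITS, NUM_SIGS, the message strings and the seed are this example's own assumptions.

```python
import hashlib
import random
from fractions import Fraction

# CONSTRUCTED toy curve y^2 = x^3 + A*x + B_COEF over GF(P); P is a 12-bit prime with P % 4 == 3
P, A = 4099, 1
UNKNOWN_BITS = 6   # demo assumption: the side channel reveals every nonce bit except the low 6
NUM_SIGS = 10      # need roughly bits(Q) / (bits leaked per signature) signatures, plus margin

def curve_order(b):   # #E = 1 + sum_x (1 + legendre(x^3 + A*x + b)); brute force is fine at 12 bits
    count = 1
    for x in range(P):
        rhs = (x ** 3 + A * x + b) % P
        count += 1 if rhs == 0 else 2 * (pow(rhs, (P - 1) // 2, P) == 1)
    return count
# first non-singular curve whose order Q is prime (so any point generates it), then a generator G
for B_COEF in range(1, P):
    Q = curve_order(B_COEF)
    if (4 * A ** 3 + 27 * B_COEF ** 2) % P and all(Q % i for i in range(2, int(Q ** 0.5) + 1)):
        break
G = next((x, y) for x in range(P) for y in [pow((x ** 3 + A * x + B_COEF) % P, (P + 1) // 4, P)]
         if y and y * y % P == (x ** 3 + A * x + B_COEF) % P)
def ec_add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # point at infinity
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, pt, acc=None):
    while k:
        acc, pt, k = (ec_add(acc, pt) if k & 1 else acc), ec_add(pt, pt), k >> 1
    return acc
def sign(d, h, rng):   # ECDSA; also returns the nonce k so the demo can simulate the side channel
    while True:
        k = rng.randrange(1, Q)
        r = ec_mul(k, G)[0] % Q
        s = pow(k, -1, Q) * (h + r * d) % Q
        if r and s:
            return r, s, k
def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL in exact rational arithmetic; adequate for the dimension-12 lattice built below."""
    b, n = [[Fraction(x) for x in row] for row in basis], len(basis)
    bstar, norms, mu = [], [], [None] * n
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt(start=0):            # recompute rows start..n-1; earlier rows are unchanged
        del bstar[start:], norms[start:]
        for i in range(start, n):
            mu[i] = [Fraction(int(i == j)) for j in range(n)]
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / norms[j]
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
            norms.append(dot(v, v))
    gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):    # size-reduce b_k against b_j (b* is unchanged by this)
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:
            k += 1                        # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]
def recover_key(sigs, pub):
    """HNP: k = u + t*d (mod Q) with t = r/s, u = h/s; writing k = (leak << UNKNOWN_BITS) + B + e',
    B = 2^(UNKNOWN_BITS-1), |e'| <= B, gives t*d - v = e' (mod Q) for v = (leak << UNKNOWN_BITS) + B - u.
    The lattice below (scaled by Q to stay integral) contains the short vector (Q*e'_i, B*d, -Q*B)."""
    m, B = len(sigs), 1 << (UNKNOWN_BITS - 1)
    t = [r * pow(s, -1, Q) % Q for h, r, s, leak in sigs]
    v = [((leak << UNKNOWN_BITS) + B - h * pow(s, -1, Q)) % Q for h, r, s, leak in sigs]
    rows = [[Q * Q * (i == j) for j in range(m + 2)] for i in range(m)]
    rows += [[Q * x for x in t] + [B, 0], [Q * x for x in v] + [0, Q * B]]
    for row in lll(rows):                 # a hit is c*target (c = +-1 usually) plus multiples of Q*B in column m
        c = -row[m + 1] // (Q * B)
        if row[m + 1] % (Q * B) or row[m] % B or c % Q == 0:
            continue
        cand = (row[m] // B) * pow(c, -1, Q) % Q
        if ec_mul(cand, G) == pub:        # every candidate is checked against the public key
            return cand
    return None
def demo(seed=2020):   # sign NUM_SIGS messages, leak the top nonce bits, recover d
    rng, sigs = random.Random(seed), []
    d = rng.randrange(1, Q)
    for i in range(NUM_SIGS):
        h = int.from_bytes(hashlib.sha256(b"msg-%d" % i).digest(), "big") % Q
        r, s, k = sign(d, h, rng)
        sigs.append((h, r, s, k >> UNKNOWN_BITS))     # the simulated side channel
    recovered = recover_key(sigs, ec_mul(d, G))
    return recovered == d, d, recovered
```

Calling demo() returns whether the recovered key equals the true one together with both values. The shape of the lattice (one row per signature with Q on the diagonal, one row of the t_i weighted for the unknown d, one row of the v_i carrying the known bits) is what transfers to a real curve; there the toy LLL would be replaced by a proper lattice-reduction library, and the number of signatures scales with bits(Q) divided by the bits leaked per signature.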
