Hello, my name is Alejandro and I am going to present the paper Novel Single Trace Attacks on ECDSA and RSA. It is a joint work with Billy Brumley from Tampere University, Finland. The content of the talk is the following. First, an introduction to side-channel analysis of binary GCD-based algorithms is presented. Then, we develop a side-channel attack against the mbedTLS binary GCD implementation that will be used to mount two novel single-trace attacks on ECDSA and RSA. These new attacks are the most important contributions of this work. Traditionally, exponentiation and scalar multiplication algorithms have been the targets of side-channel analysis. However, it is also important to protect other primitives that handle secret data, like the binary GCD-based algorithms. This algorithm and its variants for computing modular inverses have many use cases in cryptography. For instance, the RSA scheme uses these during key generation, while ECDSA uses the following during signature generation. An interesting case is the last RSA one, where both algorithm inputs are secret. Sometimes, inversions are added to an implementation as part of countermeasures, like for instance the masked inversion of the nonce as a response to the paper Return of the Hidden Number Problem. Therefore, considering the many use cases, it is important to analyze these implementations regarding side-channel analysis and deploy the required countermeasures. The implementation of the modular inversion primitive in mbedTLS follows these steps. Note that there is a GCD computation before the actual inversion is computed using the BEA. This property allows an adversary to develop a side-channel attack against the binary GCD primitive and reproduce it for every GCD or modular inversion computation in this library. The binary GCD primitive implementation is very similar to the classic description, with some optimizations. This algorithm has four conditional instructions, green boxes, that depend on the algorithm inputs. 
Following previous work notation, the control flow information of this algorithm can be encoded using two variables, z_i and s_i. Therefore, an attacker that wants to recover the inputs will aim to gather s_i or z_i for some algorithm iterations. Some leakage models have been proposed to describe how to relate the control flow information with the algorithm inputs. These models are independent of the use case of the algorithm. In 2007, the all-or-nothing model was proposed. This model requires knowledge of the entire control flow information, that is, the result of all conditional operations. With this information, it can recover all the input bits. It is important to highlight that this model does not require that one of the algorithm inputs is known in advance. Ten years later, the partial model was proposed, offering more flexibility. Using this model, an adversary can recover some information on the inputs using only partial information about the control flow. Nevertheless, the applicability of this model when both inputs are unknown had not been shown before; this gap is filled in this research. Using some leakage about the execution flow, it is possible to apply the partial model, obtaining a recovery equation like this one. The recovery equation relates some least significant bits of both inputs, u and v. Naturally, when one input is known, computing the other is trivial, as is often the case in many use cases of this algorithm. Among the advantages of the partial model is that it requires less information to recover all bits of a secret input than the all-or-nothing model. This implies that this model reduces the influence of uncertainty and noise in the leaked information. In the remainder of this talk, two novel attacks on ECDSA and RSA are described. The research is framed in controlled-channel attacks on mbedTLS applications deployed inside Intel SGX enclaves. 
Intel SGX is a technology that provides confidentiality and integrity to software running on modern Intel processors. The threat model of this technology assumes that the OS has been compromised. Controlled-channel attacks belong to a very interesting research field where the adversary can use OS resources to control the execution of the victim. SGX-Step is a framework for mounting controlled-channel attacks on Intel SGX enclaves. It can be used to develop page-fault-driven and interrupt-driven attacks. A page-fault-driven attack at memory-page granularity allows tracking the sequence of executed memory pages; thus, considering that A, B, C are tracked pages, a trace looks like this. Interrupt-driven attacks augment the previous leakage, providing information about the number of executed instructions at each tracked page, obtaining a trace like this one. The latter offers more information than the former, but it is more susceptible to noise. Using an interrupt-driven attack, we developed a side-channel attack on the mbedTLS binary GCD primitive. We captured 1,000 traces for random inputs and recovered the control flow information for each trace. We observed a plus-or-minus-one error in the instruction counts; however, as we will detail later, it is possible to deal with it. In this regard, the recovery of every s_i was perfect; however, we observed some errors in z_i. To overcome this noisy information, we developed a procedure to mark some z_i as unknown, considering that every unknown z_i will lead to two algorithm input candidates. After following this procedure, we observed fewer than 10 unknown z_i per trace and only one trace had an error in z_i. This data suggests that the recovery of a secret input using this attack can be efficiently done, expecting a high success rate. Now, let's take a closer look at the noise source that produces errors in z_i. This graph shows the z_i-related instruction counts of an algorithm iteration. 
It is clear that there are groups of pairs that have the same number of instructions; however, some cases are outside these clusters. This is a code snippet of the comparison function that leads to these numbers. It can be seen that there are several early exit points and sometimes they are very close, like these ones. This proximity and the error range sometimes produce errors in z_i. Fortunately, it is easy to detect them and mark them as unknown z_i, reducing the probability of observing errors in z_i, as summarized in the previous slide. After presenting the generic binary GCD attack on the mbedTLS implementation, we are going to develop a novel attack against ECDSA. This is the linear part of the ECDSA signature generation procedure, where the nonces are highlighted in red. The modular inversion of the nonce k is computed. Therefore, this computation should be protected against such an attack. One countermeasure is to mask these nonces using the following procedure. A second mask m is randomly generated and used to mask k. Then, the input of the modular inversion is safe to be leaked, and afterwards, the mask is removed from the result. However, the implementation will have the final word. In mbedTLS, this countermeasure is implemented using these steps. Note that mbedTLS does not reduce the product that masks k. For that reason, the input of the modular inversion algorithm is not protected as expected. A deep inspection of the modular inversion primitive in this library confirms that the input of the GCD primitive is the non-reduced product. To see how the unreduced product leaks information on k, let's use a toy example. Let's consider that k is equal to 15 and the attacker knows mk is equal to 60. 60 is composed of these prime factors. Thus, it is easy to see that the product of one factor permutation will be k. Next, let's generalize this procedure. The function big omega yields the number of prime factors of an integer with multiplicity. For our example, it is 4. 
Then, the number of candidates for k is 2 to the power omega. However, it is important to know how this procedure scales. The distribution of this function has been studied for large integers, and it has a log-log mean and a narrow standard deviation. This means that it is very likely this function will be small for a modern ECDSA key length. Therefore, the security of ECDSA relies on factoring the product mk. The worst case for 256-bit ECDSA is when both m and k are primes. This is equivalent to breaking RSA-512, which has been demonstrated in practice. For our experiment, we built our own factoring machine. The details about the used algorithms and configuration can be found in the manuscript. For our experiment, we captured a thousand traces and extracted the control flow information of each binary GCD instance. The median of mk candidates per trace was 4. The median of the factorization time was only 14 minutes, and the median number of scalar multiplications for testing the solution candidates was 129. Hence, the running time of the attack is small. Regarding the success rate, it was possible to recover the correct nonce in 99% of the cases, demonstrating its effectiveness. The other attack developed as part of this research targets RSA, specifically the computation of a CRT parameter, the inverse of q mod p. Every time a private key is loaded in mbedTLS, this modular inverse is computed. This computation involves the same binary GCD primitive analyzed before. This use case is very interesting because both algorithm inputs are secret, which makes it interesting for evaluating the partial model application in this scenario. For our experiment, we target RSA-2048. It can be broken by disclosing one prime or half of it. Recalling, if an adversary knows the control flow information of all iterations, they can recover both inputs using the all-or-nothing model. On the other hand, the application of the partial model in this scenario is an open question. 
Let's assume that some side-channel attack on a binary GCD implementation reveals the execution flow for the first t iterations. Applying the partial model, the adversary can obtain an equation that relates some bits of p and q. Then, using the RSA identity, it is possible to obtain a quadratic equation that depends only on p, whose solutions will give information on p. It can be proved that this quadratic equation has at most 16 solutions. Consequently, if sufficient bits are recovered, an RSA implementation will be broken using this procedure. This example shows how the partial model can be used when both inputs are unknown. Naturally, this is specific to RSA. However, we are not aware of other binary GCD modular inversion use cases where both inputs are unknown. We launched the attack a thousand times, obtaining a success rate of 99%. Hence, the attack is very feasible. The following table provides a comparison of the number of candidates for p considered in different leakage models and prime analyses. Employing the all-or-nothing model implies gathering the whole execution flow information. This maximizes the chance of unknown z_i. Besides, the number of candidates to test increases but remains practical. Note how the partial model can be used for both full and half prime recoveries, minimizing the number of unknown z_i. It is worth highlighting that the number of candidates to test for all models is in practical domains. However, for side-channel signals with a higher uncertainty or noise rate, the difference between the models plays a crucial role. As an output of this research, we contacted mbedTLS reporting our findings. Afterwards, they recognized the vulnerabilities and developed the following workarounds. For ECDSA, they implemented the countermeasure correctly, while for RSA, they only compute the CRT parameter if it is not present in the private key, reducing the attacker's chances. 
The main conclusion of this work is that it is important to keep in mind that countermeasure implementations must strictly follow the mathematical descriptions, especially because a wrongly implemented countermeasure offers a false sense of security. The attacks on the binary GCD primitive highlight the need for a full-stack secure implementation. Regarding the partial leakage model of binary GCD-based algorithms, it was shown that it can be used when both inputs are unknown; additionally, it reduces the influence of uncertainty and noise. Thank you very much.
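An added illustration (not code from the talk or from mbedTLS) of the toy example above in Python: the unreduced product mk leaks k through its prime factorization, while the correctly reduced (mk) mod n does not. The group order n = 53, nonce k = 15, mask m = 4, and the commitment r = g^k mod p are constructed values; the multiplicative-group check stands in for the scalar-multiplication test the talk describes.

```python
def prime_factors(n):
    """Trial-division factorization with multiplicity (toy sizes only)."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def nonce_candidates(leaked_product):
    """Every sub-product of the prime factors of the leaked m*k is a candidate
    for k: at most 2^Omega subsets (Omega = factors with multiplicity),
    fewer once repeated primes collapse."""
    cands = {1}
    for p in prime_factors(leaked_product):
        cands |= {c * p for c in cands}
    return cands

def inversion_input(k, m, n, reduce_product):
    """Value handed to the modular inversion (binary GCD). The countermeasure
    needs (m*k) mod n; the flawed version in the talk passed m*k unreduced."""
    mk = m * k
    return mk % n if reduce_product else mk

def recover_nonce(leaked_product, candidate_ok):
    """Try each candidate with the caller's check; in the real attack this is
    one scalar multiplication per candidate compared against the signature."""
    for c in sorted(nonce_candidates(leaked_product)):
        if candidate_ok(c):
            return c
    return None

# Constructed toy parameters: group order N, nonce K, mask M, and a commitment
# R = G^K mod P in a small multiplicative group (stand-in for x(K*G)).
N, K, M = 53, 15, 4
P, G = 101, 2
R = pow(G, K, P)

def check(c):
    return pow(G, c, P) == R

if __name__ == "__main__":
    for reduce_product in (False, True):
        leaked = inversion_input(K, M, N, reduce_product)
        print(leaked, sorted(nonce_candidates(leaked)), recover_nonce(leaked, check))
```

With the unreduced product 60 the candidate set contains k = 15; with the reduced value 7 the only candidates are 1 and 7, so the check fails and nothing about k is learned.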