 Hello, my name is Alejandro and I am going to present the paper from A2Z, Projectic Coordination Leakage in the Wild. In this talk, we are going to analyze the status of the Projectic Coordination Leak in the industry and present number of facts about it. The first, we first describe this attack, then we analyze some mitigation proposed in previous works. As part of this research, we demonstrate that the economic ladder does not offer protection as belief. Similarly, we also show the randomization of the generator to not prevent the attack. In addition, several open-source libraries are analyzing regarding this vulnerability. This attack is demonstrated in practice through an end-to-end attack to digit grid ECDSA implementation. The scalar multiplication is the most computational intensive operation in ECC, hence increasing its performance in the serial world. Two different paths are followed to this end, proposing different algorithms and using different coordinate systems. An elliptical group point is represented by its affine coordinates. However, easy operation using these coordinates requires costly inversions. Therefore, in practice, Projectic Coordination are preferred as they only require one inversion after the scalar multiplication. Scalar multiplication path will look like this. The starting point is converted to Projectic Coordination, then the scalar multiplication takes place, and the output point is converted back to affine coordinates. Note that the priority to affine conversion requires a modular inversion computation, which represents a potential target to such an attack. Usually, easy protocols use affine coordinates, which makes the intermediate representation not visible to an adversary. However, implementation-based attack can be used to retrieve EC information. But is the computed Projectic representation of the point secret after all? This question was answered by Nakashiro in 2004. They proposed a very clever algebraic attack, independent of how the projectic coordinates are retrieved. This attack can be used to recover some bits of the scalar, thus it threatens schemes susceptible to partial leaks like ECDSA. Unfortunately, the number of previous work of this attack is small. The pioneering work was presented in 2004, then it was analysed two years later. One interesting content measure proposed in this work is based on randomising the generator point. Related demonstrate that it doesn't prevent the attack. Later, in 2013, the attack is considered an issue when the projectic coordinates are gathered using fault attacks. SEDIC work also analysed different projectic coordinates and scalar multiplication algorithms. In that work, the Alptos analysed the Montgomery ladder, concluding that it offered protection against this attack. As part of this research, we demonstrate that the Montgomery ladder does not protect as previously believed. This small number of previous work makes us wonder how well this attack is known in academy and industry, especially since two of these three papers share one author. To describe the attack, let's assume we are targeting the well-known or well-known scalar multiplication algorithm, and the adversary knows the priority representation of the output point R. Starting from this point, the attacker first guesses that if the last processed bit of K was a 1, an attempt to reverse the involvement operation, first it reverses the addition at line 5, then let's say that it leads to one solution to 0. Then it has to reverse the doubling operation at line 3, let's say that this operation yields two solutions. Reverting an addition and a doubling involves computing modular routes. This means that the number of solution bodies and sometimes no solution is obtained after all. The fact that this path leads to a solution means that the last processed bit could be a 1, however there is no certainty about it. Therefore, attackers repeat the process by guessing the last processed bit of K was a 0. This is why only reverting the doubling operation at line 3. So, if this path leads to no solution due to the modular route computation, it can be concluded that the last processed bit was indeed a 1. Repeating this procedure for several iterations could lead to recovery some bit of the scalar, however, in practice the tree grows very quickly, this means that the number of recovered bits is often small. The success rate of this attack depends on several factors. The later group form and the periodic coordinate system define the molar route that has to be computed, while the characteristics of the group we need to feel define the behavior such as roots, for instance the probability that solution exists and how many. In this work, we focus on why strass, why strass, corpse and jacquemian periodic coordinates, however the analysis can be extended to others. The Mungobi ladder was considered safe to this attack in a previous work. The rationale behind this analysis is based on the fact that the periodic coordinates of S are not involved in the coordinate conversion, therefore an attacker cannot get information about S. While this rational sounds it is not complete, let's apply the attack to this algorithm. Assuming they know the coordinates of R, let's start guessing that the last processed bit was S0. Note, in this path the value of R doesn't depend on S. Let's assume that this path leads to a solution, then repeating the process for the k-well one path, the attacker has to reverse line 8, which indeed involves S. The reversing equation in this case is the following, where the unknown values are collider. Note that the set coordinate of S is outside the root and inside it is only the x affine coordinates of S, however the Mungobi ladder invariants relate to affine representation of R, S and G and each outgoing iteration, thus the adversary can compute it for free. This implies that our operation inside the modular root can be computed by an attacker, so if not for the SIS, the attacker learns that the k-equal to one path is a non-solution one, revealing that the last processed bit of k was S0. Reaching this process iteratively allows the attacker to recover the number of trailing series of k in some cases. We validated this reasoning, simulating this attack for several traces. This analysis demonstrates that the Mungobi ladder is not a generic countermeasure against the projectic ordination attack, as previously believed. Another countermeasure was proposed to prevent this attack. This countermeasure is intended to be used in the double and up algorithm and is based on randomized the projective representation of the iterative point. The idea behind this proposal is to make that the k-equal to one path cannot be computed. However, similar to the Mungobi ladder case, reversing the addition operation does not involve computing the modular root unknown data. We can see how the attacker only needs the extra fine-coordination of the generation, which is oblique. Therefore, the attacker could recover the number of trailing series of the scalar. Hence, this countermeasure does not plot it either. Assessing the vulnerability of this attack for a given implementation is tight-consuming and prone to error. It is a high-dimensional problem considering all the factors that affect the attack success rate. In addition, the attack can be adapted as in the case of the Mungobi ladder and the randomized generator countermeasure. Therefore, a secured by the follow-up approach is preferred. Then, which mitigation can be used to prevent this attack? To answer this question, let's analyze the projective to define conversion procedure. This conversion involves a modular inversion, which is often implemented using insecure binary GCD-based algorithms. Not however, all operations involved in this procedure could be targeted by an attacker, but modular inversion is more likely to be implemented in security. The first line of defense against such an attack is implemented such a insecure coordinate conversion using, for instance, the FLT instead of insecure inversion algorithm. Another approach is used is a challenge-securing virtual algorithm. However, all these approaches remain vulnerable to fault attacks. On the other hand, a more general countermeasure is to randomize the coordinates before conversion. This is a very cheap countermeasure that provides protection against such a channel of fault injection attacks. We analyzed 12 open-source libraries regarding this attack. We first annotated the scalar multiplication algorithm concluding that none of them provides a natural protection against this attack, hence we color them in red. Then we annotated how the inverse of set is computed, showing that only in four of them secured implementation were used. Note the case of Libre SSL, where the classic Euclidean algorithm is used for competing inversion instead of the binary one, and we level it as a safe implementation. Actually, this case is interesting because this algorithm has an input-deflating and independent execution flow. However, no leakage model has been developed that relates its execution flow with its inputs. We also analyzed the scalar multiplication countermeasures in place, however none of them provide the resistance against this attack, a fact that we verified using experiments. Finally, we conclude that 8 of the 12 analyzer libraries are potentially vulnerable to the projected coordinates attack, due to the use of side-channeling secure modular inversion algorithms. To demonstrate the feasibility of the attack in a real-world application, we touched the Libre GCCDSA implementation. This implementation, for NISCORP P256, used in Jacobian coordinates and the scalar multiplication algorithm, is the double and allowed add-always. The projected to affine conversion is performed using an insecure binary inversion algorithm. We frame our evaluation using a P4 attack when it tells XGS enclaves. Using this attack, it is possible to track the sequence of a secured memory page. The attack roadmap is the following. We executed an easy ESA signature generation and captured the side-channeling signal during the inversion set. With this information and this signature output, it is possible to recover the projected representation of the viewpoint. Then we executed the projected coordinates attack. If you see some videos of the scalar used to generate that signature will be recovered. Repeating this process several times, we are allowed to recover the private key using a hidden neural problem solver, details about how the lattice was constructed can be found in the manuscript. The easy ESA output does not involve the projected representation of the scalar multiplication output point. However, it is possible to obtain the affine representation using the easy ESA verification equation. Hence, if the adversaries recover the set coordinates, for instance, using a side-channeling attack, then it is possible to compute the remaining coordinates sufficient to start the attack. The binary inversion primitive linear list has an input-dependent execution flow. A page-tracking attack with 4 kilobyte granularity is sufficient to recover orbital sets. Traces and codes of this stage are available online. We conduct an extensive experiment. We capture several easy ESA traces to estimate the probability mass function of the projected coordinates attack. With this information, it was possible to estimate the probability of recovering at least a bit of the scalar. It is well known that the lattice mass solution to the hidden neural problem works better with at least 3 bits per leak cache signature. Therefore, we discarded those traces that didn't fulfill this property. In this setting, it was possible to recover the private key with 2,000 traces in 50 trials with a perfect success rate. We contacted all analyzer libraries and the following implemented some quantum measures. SSL implemented the FLT for inverting set, NSSS followed a constant type binary inversion algorithm and NBET TLS randomized the projective of the output point. To conclude this presentation, we would like to highlight what, in our opinion, is the most relevant after this research. The projected coordinates leakage have received a little attention in both academy and industry. The suffrage rates of this attack depends on several factors, which make us claim that a secure by default mitigation is preferable. The Montgomery ladder does not predict against the projected coordinates attack as we believe. Similarly, undermining the error in the WNAT algorithm does not prevent the attack either. And optimizing the projected representation on the output point should prevent both side channel and following its attack. We discovered two additional vulnerabilities in the ECDSM path or the G-PREAD. However, we would like to emphasize that our motivation was just not breaking this library but providing in the wild analysis of the projected coordinates attack and demonstrate its feasibility in practice. Thank you very much.