Security Advisory

Title: Security Advisory Concerning Timing Attacks on ECDSA Peripheral in ESP32-H2
Issue Date: 2024/11/26
Advisory Number: AR2024-007
Serial Number: NA
Version: V1.0

Issue Summary
There is a hardware vulnerability in ESP32-H2 SoCs before chip revision v1.2: the ECDSA peripheral does not operate in constant time, which makes it susceptible to timing attacks. Enabling secure boot significantly reduces the likelihood of a successful attack, because the attack requires a large sample set of signatures over controlled data patterns.

What is a Lattice Attack?
A lattice attack shows that knowing only a few bits of the nonce k for each of many signatures can be enough to recover the full ECDSA private key. The attacks on the ESP32-H2 described in this statement obtain signatures whose k has, with high probability, many zero bits in the most significant positions. This is done by generating a large number of signatures, filtering them by generation time and retaining only those generated faster than a chosen threshold (a short signing time indicates a short nonce), and then applying the BKZ lattice reduction algorithm to the retained signatures to recover the ECDSA private key.

Issue Details
The attack exploits the difference in computation time for different multipliers (scalars) when the ECDSA peripheral performs ECC point multiplication, and then uses the lattice attack algorithm on the timing-selected signatures to recover the ECDSA private key. In addition, current eFuse configurations cannot distinguish between the ECDSA P-192 and ECDSA P-256 key purposes, so a key provisioned for P-256 can also be driven through P-192 operations, which reduces the effort required for the timing analysis.
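The following is an added worked model of the attack flow described above. It is not Espressif code, not the ESP32-H2 implementation, and does not reproduce any measured behaviour of the chip; the curve (a constructed 15-bit toy curve chosen so the lattice stays small), the timing model (the number of group operations performed by a leading-zero-skipping double-and-add stands in for measured signing time), the threshold, and all function names are assumptions made for this illustration. The attacker keeps only signatures whose operation count is below the threshold, which bounds the nonce k, and recovers the private key d from them with a hidden-number-problem lattice reduced by LLL (the advisory names BKZ; LLL is its simpler sibling and is sufficient at this size). A Montgomery ladder is included beside the leaky multiply to show the constant-operation-count form that closes the leak.

```python
"""Added toy model of the attack above (not Espressif/ESP32-H2 code; curve and timing
model are constructed): leaky scalar multiply -> keep 'fast' signatures -> HNP lattice."""
import random
from fractions import Fraction
P, A = 16411, 3   # constructed toy prime field and curve coefficient a; P % 4 == 3
inv = lambda x, m: pow(x, -1, m)   # modular inverse
def add(p1, p2):   # affine addition on y^2 = x^3 + A*x + b over GF(P); None = infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def mul_leaky(k, pt):
    """Vulnerable: starts at k's top set bit, so the op count (our 'time') grows with k.bit_length()."""
    acc, ops = pt, 0
    for bit in bin(k)[3:]:                     # skip '0b1'; leading zero bits cost nothing
        acc = add(acc, acc); ops += 1
        if bit == '1': acc = add(acc, pt); ops += 1
    return acc, ops
def mul_ladder(k, pt, nbits):
    """Hardened: Montgomery ladder, exactly 2*nbits operations whatever k is."""
    r0, r1, ops = None, pt, 0
    for i in reversed(range(nbits)):
        if (k >> i) & 1: r0, r1 = add(r0, r1), add(r1, r1)
        else:            r1, r0 = add(r0, r1), add(r0, r0)
        ops += 2
    return r0, ops

def toy_curve():
    """(G, n) for the first b giving a prime group order n, so any point generates."""
    for b in range(1, P):
        n, G = 1, None                         # n starts at 1 for the point at infinity
        for x in range(P):
            rhs = (x * x * x + A * x + b) % P
            if rhs == 0: n += 1
            elif pow(rhs, (P - 1) // 2, P) == 1:
                n += 2
                G = G or (x, pow(rhs, (P + 1) // 4, P))   # sqrt valid since P % 4 == 3
        if all(n % q for q in range(2, int(n ** 0.5) + 1)): return G, n
    raise RuntimeError("no prime-order toy curve found")

def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL over exact Fractions (the advisory names BKZ; LLL suffices at this size)."""
    B = [[Fraction(x) for x in row] for row in basis]; n = len(B)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    def gs():                                  # Gram-Schmidt vectors and coefficients
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * c for a, c in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    Bs, mu = gs(); k = 1
    while k < n:
        for j in reversed(range(k)):           # size-reduce row k; GS vectors unchanged
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * c for a, c in zip(B[k], B[j])]
                mu[k][j] -= q
                for l in range(j): mu[k][l] -= q * mu[j][l]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                             # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]; Bs, mu = gs(); k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def recover_key(fast_sigs, n, bound, G, Q):
    """HNP lattice for k_i = u_i + t_i*d (mod n), 0 <= k_i < bound; target (n*k_i.., d*bound, n*bound) is short."""
    m = len(fast_sigs)
    t = [inv(s, n) * r % n for (_, r, s) in fast_sigs]
    u = [inv(s, n) * h % n for (h, _, s) in fast_sigs]
    rows = [[n * n if i == j else 0 for j in range(m)] + [0, 0] for i in range(m)]
    rows.append([n * x for x in t] + [bound, 0])
    rows.append([n * x for x in u] + [0, n * bound])
    for v in lll(rows):
        if abs(v[-1]) == n * bound:            # +/- the target vector
            d = (v[-2] if v[-1] > 0 else -v[-2]) // bound % n
            if mul_ladder(d, G, n.bit_length())[0] == Q: return d
    return None

def demo(seed=1, m=10, max_ops=6):
    """Sign until m 'fast' signatures appear, then recover d -> (true d, recovered d, #signatures)."""
    rng = random.Random(seed)
    G, n = toy_curve()
    d = rng.randrange(1, n); Q = mul_ladder(d, G, n.bit_length())[0]
    fast, total = [], 0
    while len(fast) < m:
        h, k = rng.randrange(1, n), rng.randrange(1, n); total += 1
        R, ops = mul_leaky(k, G)               # the victim signs with the leaky multiply
        r = R[0] % n; s = inv(k, n) * (h + r * d) % n
        if r and s and ops <= max_ops: fast.append((h, r, s))  # attacker keeps (h, r, s)
    bound = 1 << (max_ops + 1)                 # ops <= max_ops  =>  k < 2^(max_ops+1)
    return d, recover_key(fast, n, bound, G, Q), total
```

demo() returns the true key, the recovered key, and how many signatures the victim had to produce before ten fast ones appeared; that count (thousands, for a 1-in-500 selection rate) is the "large sample set" the advisory refers to. On real hardware the measured time is far noisier than an operation count, which is why measurement accuracy drives the number of samples and the attack time.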
Impact Analysis
1. To carry out the attack, an attacker needs to measure the time the hardware takes to generate each ECDSA signature. This can be done in a few ways, each with significant limitations:
• Remotely, by timing ECDSA signature generation over a communication channel; this requires very stable communication delays and the elimination of all other sources of timing uncertainty.
• By power analysis, which reveals how long the signature computation runs; this requires a measurement device and physical access to the chip.
• By operating the ECDSA peripheral directly and timing it; this requires bypassing several security mechanisms, such as secure boot and flash encryption, and is therefore very costly.
2. The complexity of the attack can be reduced further by first recovering 192 bits of the key through timing analysis of ECDSA P-192 operations and then brute-forcing the remaining 64 bits of the ECDSA P-256 private key.
3. Mounting the attack requires a large number of samples and considerable effort and time. The accuracy of the signature-time measurement determines the success rate: only signatures generated faster than a threshold are useful, and even a slight loss of measurement accuracy significantly increases the attack time.

Affected Product Series
The timing-based lattice attack is theoretically applicable to all SoCs that include an ECC accelerator and support hardware-accelerated ECDSA signatures, which is the ESP32-H2 (