Table of Contents
Fetching ...

Sleep Reveals the Nonce: Breaking ECDSA using Sleep-Based Power Side-Channel Vulnerability

Sahan Sanjaya, Prabhat Mishra

TL;DR

The paper addresses the security risk posed by nonce secrecy in ECDSA by introducing SleepWalk, a sleep-induced power side-channel that leaks nonce information. It conducts cross-architecture experiments on ARM and RISC-V, evaluating three widely used libraries (RustCrypto, BearSSL, GoCrypto) and demonstrating that SleepWalk can reveal up to 20 bits of the per-signature nonce $k$, despite constant-time and deterministic nonce implementations. The contributions include a low-cost nonce-extraction approach requiring only a single trace point per trace and at most 1000 traces, evidence of cross-library and cross-architecture vulnerability, and an analysis connecting leading/trailing zero bits of $k$ to measurable power differences suitable for lattice-based key-recovery via the Hidden Number Problem. The findings highlight a practical, platform-general vulnerability that challenges current protection strategies and motivates defenses at both the cryptographic and system levels to mitigate leakage risks.

Abstract

Security of Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the secrecy of the per-signature nonce. Even partial nonce leakage can expose the long-term private key through lattice-based cryptanalysis. In this paper, we introduce a previously unexplored power side-channel vulnerability that exploits sleep-induced power spikes to extract ECDSA nonces. Unlike conventional power-based side-channel attacks, this vulnerability leverages power fluctuations generated during processor context switches invoked by sleep functions. These fluctuations correlate with nonce-dependent operations in scalar multiplication, enabling nonce recovery even under constant-time and masked implementations. We evaluate the attack across multiple cryptographic libraries, RustCrypto, BearSSL, and GoCrypto, and processor architectures, including ARM and RISC-V. Our experiments show that subtle variations in the power envelope during sleep-induced context switches provide sufficient leakage for practical ECDSA nonce extraction, recovering 20 bits of the nonce. These results establish sleep-induced power spikes as a practical cross-platform side-channel threat and highlight the need to reconsider design choices in cryptographic systems.

Sleep Reveals the Nonce: Breaking ECDSA using Sleep-Based Power Side-Channel Vulnerability

TL;DR

The paper addresses the security risk posed by nonce secrecy in ECDSA by introducing SleepWalk, a sleep-induced power side-channel that leaks nonce information. It conducts cross-architecture experiments on ARM and RISC-V, evaluating three widely used libraries (RustCrypto, BearSSL, GoCrypto) and demonstrating that SleepWalk can reveal up to 20 bits of the per-signature nonce , despite constant-time and deterministic nonce implementations. The contributions include a low-cost nonce-extraction approach requiring only a single trace point per trace and at most 1000 traces, evidence of cross-library and cross-architecture vulnerability, and an analysis connecting leading/trailing zero bits of to measurable power differences suitable for lattice-based key-recovery via the Hidden Number Problem. The findings highlight a practical, platform-general vulnerability that challenges current protection strategies and motivates defenses at both the cryptographic and system levels to mitigate leakage risks.

Abstract

Security of Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the secrecy of the per-signature nonce. Even partial nonce leakage can expose the long-term private key through lattice-based cryptanalysis. In this paper, we introduce a previously unexplored power side-channel vulnerability that exploits sleep-induced power spikes to extract ECDSA nonces. Unlike conventional power-based side-channel attacks, this vulnerability leverages power fluctuations generated during processor context switches invoked by sleep functions. These fluctuations correlate with nonce-dependent operations in scalar multiplication, enabling nonce recovery even under constant-time and masked implementations. We evaluate the attack across multiple cryptographic libraries, RustCrypto, BearSSL, and GoCrypto, and processor architectures, including ARM and RISC-V. Our experiments show that subtle variations in the power envelope during sleep-induced context switches provide sufficient leakage for practical ECDSA nonce extraction, recovering 20 bits of the nonce. These results establish sleep-induced power spikes as a practical cross-platform side-channel threat and highlight the need to reconsider design choices in cryptographic systems.
Paper Structure (20 sections, 11 equations, 12 figures, 2 tables)

This paper contains 20 sections, 11 equations, 12 figures, 2 tables.

Figures (12)

  • Figure 1: Illustration of the sleep-induced power spike in ARM-based processor. Unlike traditional power analysis, this approach relies on a single power amplitude, thereby removing the need for full-trace analysis, advanced preprocessing, or external triggers sanjaya2025sleepwalk.
  • Figure 2: Effect of the context-switching power signature (green line) and the residual power signature (represented by the power difference between the green and orange lines).
  • Figure 3: Scalar multiplication function in RustCrypto
  • Figure 4: Attack execution flow
  • Figure 5: Sleep-induced power spike vs number of leading zero nibbles in the nonce $k$ using RustCrypto ECDSA.
  • ...and 7 more figures