[cryptography] Alleged recovery of PS3 ECDSA private key from signatures

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Dec 30 06:41:04 EST 2010


Francois Grieu <fgrieu at gmail.com> writes:

>According to a presentation made at the 27th Chaos Communication Congress,
>there is a serious bug in the code that was used to produce ECDSA signatures
>for the PS3: the same secret random was reused in several signatures, which
>allowed the team to recover the private key from signatures.

Let me guess, the developers were so blinded by the cromulence of ECC ("we're 
using ECC not RSA, we're secure!") that they forgot that security goes far 
beyond just making an algorithm fashion statement.  I've always regarded DLP 
algorithms (all DLP algorithms, including the ECDLP ones) as far riskier than 
RSA because there are so many things you can get wrong, many of them outside 
your direct control, while with RSA as long as you check your padding properly 
you're pretty much done.

>The relevant part of the presentation starts at 5'15" in
>http://www.youtube.com/watch?v=84WI-jSgNMQ

The whole talk (in three parts) is fascinating viewing, particularly the
summary of jailbreaking of embedded devices:

- Pretty much all of the (public) jailbreaks were to get Linux or other 
software onto the device, not for piracy.

- All the devices were hacked in anything from one week to twelve months (the
record, for the Xbox360).

- Most of them used crypto, and AFAICT in none of them was the crypto directly 
broken (Shamir's Law, crypto is bypassed not attacked).

Peter.



More information about the cryptography mailing list