ASA-2019-00392 – AMD Secure Encrypted Virtualization (SEV): Platform DH key recovery via invalid curve attack

Allele Security Alert



ASA-2019-00392, CVE-2019-9836


Platform DH key recovery via invalid curve attack




AMD EPYC server platforms

Affected version(s)

AMD EPYC server platforms (codename “Naples”) running SEV firmware version 0.17 build 11 and below are affected

Fixed version(s)

AMD EPYC server platforms (codename “Naples”) running SEV firmware version 0.17 build 22

Proof of concept



The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware’s private DH scalar.

By collecting enough modular residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM’s launch secret. This breaks the confidentiality guarantees offered by SEV.

Technical details

Key exchange during VM launch

1. The PSP publishes its PDH public key through SEV_PDH_CERT_EXPORT command. This key is computed by multiplying the ECC generator (NIST P256/P384 curves are supported) by the PDH private key: A<-G*k, where k, the private key, is randomly generated in the range (1, order(G)).

2. The client generates its private DH key, s, and computes the shared key C<-A*s=G*k*s. C is the shared point on the curve. Its x-coordinate is hashed and used as the master shared secret. Two keys KEK/KIK are derived from the master secret, and used to protect (encryption+integrity) the session keys.

3. The client computes its public key B<-G*s and sends it to the PSP through the SEV_LAUNCH_START command.

4. The PSP computes the shared key C by multiplying the client’s public key by its PDH private scalar: C<-B*k=G*s*k. Like the client, the PSP takes C’s x coordinate, computes the master shared secret and derives the KEK/KIK. These are used to unwrap the session keys. See API specification [3] for details.

ECDH security relies on the generator point, G, having a large order and on the discrete logarithm problem being hard for the curve.

Note that in step 4, the PSP performs a computation with its private key on user supplied data – the client’s public point.

Invalid curve attack

ECC point multiplication relies on a point addition primitive. There are different implementations for ECC point addition. A common one is based on the short Weierstrass ECC form, as described in [4]. Note that the curve’s “b” equation parameter is never used.

An invalid curve attack is where the ECDH point multiplication is done on a different curve – different (a,b) parameters. This becomes possible in the short Weierstrass point addition function since the “b” parameter is not used. On this curve, the point has a small prime order. By trying all possible values for the small order point, an attacker can recover the private scalar bits (modulo the order). The modular residues are assembled offline using the Chinese Remainder Theorem, leading to a full key recovery. See the original paper [5] on invalid curve attacks, or a more recent paper [6] on the topic.


Cfir Cohen (Google Cloud Security Team)


AMD-SEV: Platform DH key recovery via invalid curve attack (CVE-2019-9836)

AMD Product Security | AMD

Secure Encrypted Virtualization API Version 0.17

Short Weierstrass curves

Differential Fault Attacks on Elliptic Curve Cryptosystems (Extended Abstract)

Breaking the Bluetooth Pairing – Fixed Coordinate Invalid Curve Attack



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.