Sleep Reveals the Nonce: Breaking ECDSA using Sleep-Based Power Side-Channel Vulnerability

Abstract: Security of Elliptic Curve Digital Signature Algorithm (ECDSA) depends on the secrecy of the per-signature nonce. Even partial nonce leakage can expose the long-term private key through lattice-based cryptanalysis. In this paper, we introduce a previously unexplored power side-channel vulnerability that exploits sleep-induced power spikes to extract ECDSA nonces. Unlike conventional power-based side-channel attacks, this vulnerability leverages power fluctuations generated during processor context switches invoked by sleep functions. These fluctuations correlate with nonce-dependent operations in scalar multiplication, enabling nonce recovery even under constant-time and masked implementations. We evaluate the attack across multiple cryptographic libraries, RustCrypto, BearSSL, and GoCrypto, and processor architectures, including ARM and RISC-V. Our experiments show that subtle variations in the power envelope during sleep-induced context switches provide sufficient leakage for practical ECDSA nonce extraction, recovering 20 bits of the nonce. These results establish sleep-induced power spikes as a practical cross-platform side-channel threat and highlight the need to reconsider design choices in cryptographic systems.