Re: FYI: Flush+Reload attack on OpenSSL's ECDSA

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Damien Miller <djm <at> mindrot.org> writes:
> 
> On Sat, 1 Mar 2014, mancha wrote:
> 
> > Here's a recently-published paper that describes a flush & reload
> > attack on OpenSSL's ECDSA implementation:
> > 
> > http://eprint.iacr.org/2014/140.pdf
> > 
> > According to the authors, snooping a single signing round is
> > sufficient to recover the secret key.
> 
> It sounds like an interesting technique, though I note that they
> attacked signing using one of the GF(2^m) curves rather than the
> GP(p) curves that almost everything uses. Why?
> 
> -d
> 

The OpenSSL branching conditions targeted by this particular
flush+reload attack are part of an optimized algorithm, thanks
to Lopez/Dahab 1999, for computing elliptic scalar multiplication
on curves defined over binary fields GF(2^m).

Brumley/Hakala 2009, on the other hand, outline a cache-timing
attack on OpenSSL's algorithm for computing elliptic scalar
multiplication on curves defined over prime fields GF(p).

--mancha

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux