Damien Miller <djm <at> mindrot.org> writes:
>
> On Sat, 1 Mar 2014, mancha wrote:
>
> > Here's a recently-published paper that describes a flush & reload
> > attack on OpenSSL's ECDSA implementation:
> >
> > http://eprint.iacr.org/2014/140.pdf
> >
> > According to the authors, snooping a single signing round is
> > sufficient to recover the secret key.
>
> It sounds like an interesting technique, though I note that they
> attacked signing using one of the GF(2^m) curves rather than the
> GF(p) curves that almost everything uses. Why?
>
> -d
>

The OpenSSL branching conditions targeted by this particular flush+reload
attack are part of an optimized algorithm, thanks to Lopez/Dahab 1999, for
computing elliptic scalar multiplication on curves defined over binary
fields GF(2^m).

Brumley/Hakala 2009, on the other hand, outline a cache-timing attack on
OpenSSL's algorithm for computing elliptic scalar multiplication on curves
defined over prime fields GF(p).

--mancha

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
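Added example, not part of the thread above and not OpenSSL's or the paper's code: it shows, in runnable form, what "branching conditions in the scalar multiplication" means as a leak. It implements an x-only Montgomery ladder in the Lopez/Dahab projective style on a binary curve, first with a key-dependent branch (two inlined copies of the add/double code, one per arm) and then branchless (a masked conditional swap), and simulates a probe that records which code path ran. Everything concrete here is an assumption chosen for illustration: the field GF(2^7) reduced by x^7 + x + 1, the curve y^2 + xy = x^3 + x^2 + 1, the function names, and the TRACE list that stands in for a FLUSH+RELOAD probe on code addresses. The affine group law is included only as an independent check that the ladders compute x(kP).

```python
# Added example (not OpenSSL's or the paper's code): Lopez/Dahab-style x-only ladder
# on a toy binary curve, branching vs branchless, with a simulated code-path probe.
# Assumed toy values: GF(2^7) mod x^7+x+1, curve y^2+xy=x^3+x^2+1; TRACE stands in
# for a FLUSH+RELOAD probe that sees which inlined copy of add/double executed.
M, POLY = 7, 0b10000011   # field degree and reduction polynomial x^7 + x + 1
A, B = 1, 1               # curve coefficients (toy curve)
TRACE = []                # simulated probe: code path hit on each call

def gf_mul(a, b):         # multiply in GF(2^M): shift-and-xor, reduce after each shift
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r

def gf_inv(a):            # brute-force inverse, fine for a 128-element toy field
    return next(b for b in range(1, 1 << M) if gf_mul(a, b) == 1)

def aff_add(P, Q):
    """Affine group law (None = infinity); independent reference for the ladders."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:    # P + (-P), or doubling the order-2 point
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def point_order(P):
    n, R = 1, P
    while R is not None:
        R, n = aff_add(R, P), n + 1
    return n

def find_point(min_order):   # brute-force a point with x != 0 and order >= min_order
    for x in range(1, 1 << M):
        rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == rhs and point_order((x, y)) >= min_order:
                return (x, y)

def mdouble(X, Z, tag):      # x-only doubling: (X^4 + b Z^4 : X^2 Z^2)
    TRACE.append(tag)        # tag = the code path the probe observes
    X2, Z2 = gf_mul(X, X), gf_mul(Z, Z)
    return gf_mul(X2, X2) ^ gf_mul(B, gf_mul(Z2, Z2)), gf_mul(X2, Z2)

def madd(xP, X1, Z1, X2, Z2, tag):   # x-only differential add, difference has x = xP
    TRACE.append(tag)
    t1, t2 = gf_mul(X1, Z2), gf_mul(X2, Z1)
    Z3 = gf_mul(t1 ^ t2, t1 ^ t2)
    return gf_mul(xP, Z3) ^ gf_mul(t1, t2), Z3

def ladder_branching(k, xP):
    """Key-dependent branch; each arm is its own inlined copy of add/double."""
    X1, Z1 = xP, 1
    X2, Z2 = mdouble(xP, 1, "init")
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:
            X1, Z1 = madd(xP, X1, Z1, X2, Z2, "add@1")
            X2, Z2 = mdouble(X2, Z2, "dbl@1")
        else:
            X2, Z2 = madd(xP, X2, Z2, X1, Z1, "add@0")
            X1, Z1 = mdouble(X1, Z1, "dbl@0")
    return gf_mul(X1, gf_inv(Z1))

def ct_swap(bit, a, b):      # masked swap: same instruction stream for bit 0 and 1
    t = (a ^ b) & (-bit & ((1 << M) - 1))
    return a ^ t, b ^ t

def ladder_branchless(k, xP):
    """Same ladder; the bit only selects operands, one code path per iteration."""
    X1, Z1 = xP, 1
    X2, Z2 = mdouble(xP, 1, "init")
    for i in range(k.bit_length() - 2, -1, -1):
        bit = (k >> i) & 1
        X1, X2, Z1, Z2 = *ct_swap(bit, X1, X2), *ct_swap(bit, Z1, Z2)
        X2, Z2 = madd(xP, X2, Z2, X1, Z1, "add")
        X1, Z1 = mdouble(X1, Z1, "dbl")
        X1, X2, Z1, Z2 = *ct_swap(bit, X1, X2), *ct_swap(bit, Z1, Z2)
    return gf_mul(X1, gf_inv(Z1))

def run_traced(ladder, k, xP):   # returns (x(kP), probe trace) for one multiplication
    TRACE.clear()
    return ladder(k, xP), list(TRACE)

def recover_scalar(trace):   # attacker's view: arm taken per iteration = key bit, top bit 1
    bits = "".join(t.split("@")[1] for t in trace if t.startswith("add@"))
    return int("1" + bits, 2)
```

Usage: `P = find_point(32)`, then `run_traced(ladder_branching, k, P[0])` returns x(kP) and a trace such as `['init', 'add@0', 'dbl@0', 'add@1', 'dbl@1', ...]`, from which `recover_scalar` reads k back; `ladder_branchless` gives the same x(kP) with a trace that is identical for every k of the same bit length. Two caveats: the trace here is a stand-in, a real probe reconstructs the same information from cache hit/miss timing on the code addresses; and the branchless ladder still runs bit_length(k) iterations, so the length of the scalar remains visible unless the implementation pads it to a fixed number of iterations.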