mancha <mancha1 <at> hush.com> writes:

> Damien Miller <djm <at> mindrot.org> writes:
> > [SNIP QUOTED]
> > It sounds like an interesting technique, though I note that they
> > attacked signing using one of the GF(2^m) curves rather than the
> > GF(p) curves that almost everything uses. Why?
> >
> > -d
>
> The OpenSSL branching conditions targeted by this particular
> flush+reload attack are part of an optimized algorithm, thanks
> to Lopez/Dahab 1999, for computing elliptic scalar multiplication
> on curves defined over binary fields GF(2^m).
>
> Brumley/Hakala 2009, on the other hand, outline a cache-timing
> attack on OpenSSL's algorithm for computing elliptic scalar
> multiplication on curves defined over prime fields GF(p).
>
> --mancha

Brumley, Hakala, "Cache-Timing Template Attacks" (2009)
http://www.iacr.org/archive/asiacrypt2009/59120664/59120664.pdf

Lopez, Dahab, "Fast Multiplication on Elliptic Curves over GF(2^m) without Precomputation" (1999)
http://link.springer.com/content/pdf/10.1007/3-540-48059-5_27.pdf

--mancha

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
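The point mancha is making, as an added example that is not part of the thread, not OpenSSL's code and not code from either cited paper: a Montgomery-ladder scalar multiplication whose control flow branches on each scalar bit leaks the scalar to anything that can observe which code path ran (a Flush+Reload probe on the two paths' cache lines), while the same ladder written with a conditional swap executes the same add and double on every iteration. The example uses a toy binary curve over GF(2^7) with plain affine formulas rather than the Lopez-Dahab projective x-only formulas; the field polynomial, curve coefficients, brute-force point search and the trace bookkeeping are all assumptions made for the demo.

```python
# Added example (not OpenSSL's code and not the code from either cited paper):
# Montgomery ladder on a toy binary curve over GF(2^7), once with a branch on
# the scalar bit (the pattern a Flush+Reload probe on the two code paths can
# observe) and once with a conditional swap (same code path every iteration).
# Field, curve and point search are assumptions chosen for the demo.

M = 7
POLY = (1 << 7) | 0b11          # x^7 + x + 1, irreducible over GF(2)
A, B = 1, 1                     # y^2 + xy = x^3 + A*x^2 + B (demo curve, not a standard one)


def gf_mul(a, b):
    """Carry-less multiply of two GF(2^7) elements, reduced mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r


def gf_inv(a):
    """a^(2^M - 2) == a^-1 in GF(2^M)*, by square-and-multiply."""
    assert a != 0
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def on_curve(P):
    if P is None:                    # None is the point at infinity
        return True
    x, y = P
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B
    return lhs == rhs


def ec_add(P, Q):
    """Affine addition/doubling on y^2 + xy = x^3 + A x^2 + B over GF(2^M)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        # Q == -P == (x1, x1 + y1), or doubling a point with x == 0: result is O
        if y1 != y2 or x1 == 0:
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
        return (x3, y3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def find_point():
    """Brute-force a curve point with x != 0 (so its order is greater than 2)."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if on_curve((x, y)):
                return (x, y)
    raise RuntimeError("no point on the demo curve")


def scalar_mul_naive(k, P):
    """Reference double-and-add, used only to check the two ladders."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def ladder_branching(k, P, nbits, trace):
    """Ladder with a branch per scalar bit. `trace` records which code path ran,
    which is exactly what a cache probe placed on the two paths would see."""
    R0, R1 = None, P
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            trace.append(1)
            R0 = ec_add(R0, R1)
            R1 = ec_add(R1, R1)
        else:
            trace.append(0)
            R1 = ec_add(R0, R1)
            R0 = ec_add(R0, R0)
    return R0


def ladder_cswap(k, P, nbits, trace):
    """Same ladder with a conditional swap: every iteration runs one add and one double."""
    R = [None, P]
    for i in range(nbits - 1, -1, -1):
        b = (k >> i) & 1
        R = [R[b], R[1 - b]]          # cswap (in C: arithmetic masking over the coordinates)
        R[1] = ec_add(R[0], R[1])
        R[0] = ec_add(R[0], R[0])
        R = [R[b], R[1 - b]]
        trace.append("add+double")    # identical entry whatever the bit
    return R[0]


def recover_scalar(trace):
    """What the attacker does with the observed branch sequence of ladder_branching."""
    return int("".join(str(b) for b in trace), 2)
```

The branching version's trace is the scalar written out MSB first, so `recover_scalar` reads it straight back; the cswap version's trace is the same entry on every iteration, which is the property the fix is after. The swap in Python is a data-dependent index rather than a branch, so it shows only that the executed operation sequence no longer depends on the bit; a C implementation would mask the coordinates arithmetically so that memory access patterns are bit-independent as well.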