Security of OpenSSL ECDSA signatures

Damien Miller djm at
Tue May 24 07:36:35 EST 2011

On Mon, 23 May 2011, Dan Kaminsky wrote:

> > Unless a similar timing oracle is found for GF(p) fields then no
> > OpenSSH-side workaround is required.
> >
> >
> OpenSSL has had timing attacks against most of their production ciphers
> (RSA, AES, etc).  Has the author of the paper weighed in on whether he
> thinks his attack will affect GF(p)?

The Brumley and Tuveri attack is against a scalar multiplication
algorithm that is specific to GF(2^m) fields (see section 3.2 of the
paper). An attack on prime fields would be a new one altogether.


More information about the openssh-unix-dev mailing list