FYI: Flush+Reload attack on OpenSSL's ECDSA
mancha
mancha1 at hush.com
Tue Mar 4 06:51:09 EST 2014
mancha <mancha1 <at> hush.com> writes:
>
> Damien Miller <djm <at> mindrot.org> writes:
> >
[SNIP QUOTED]
> > It sounds like an interesting technique, though I note that they
> > attacked signing using one of the GF(2^m) curves rather than the
> > GF(p) curves that almost everything uses. Why?
> >
> > -d
> >
>
> The OpenSSL branching conditions targeted by this particular
> flush+reload attack are part of an optimized algorithm, thanks
> to Lopez/Dahab 1999, for computing elliptic scalar multiplication
> on curves defined over binary fields GF(2^m).
>
> Brumley/Hakala 2009, on the other hand, outline a cache-timing
> attack on OpenSSL's algorithm for computing elliptic scalar
> multiplication on curves defined over prime fields GF(p).
>
> --mancha
>
Brumley, Hakala, "Cache-Timing Template Attacks" (2009)
http://www.iacr.org/archive/asiacrypt2009/59120664/59120664.pdf
Lopez, Dahab, "Fast Multiplication on Elliptic Curves over GF(2^m) without Precomputation" (1999)
http://link.springer.com/content/pdf/10.1007/3-540-48059-5_27.pdf
--mancha
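Illustration of the ladder structure discussed above, added here as an example and not code from the thread or from OpenSSL: an x-only Montgomery ladder in Lopez-Dahab projective coordinates where each key bit is selected with a branch-free swap rather than a key-bit-dependent branch. It assumes the sect163k1 reduction polynomial and base-point x-coordinate as I recall them from SEC 2 (any nonzero x gives a valid consistency check, since the x-only formulas also hold on the twist), and its field arithmetic is a plain toy that is not itself constant-time.

```python
# Added example (not from the thread or OpenSSL): x-only Montgomery ladder over
# GF(2^m) in Lopez-Dahab projective coordinates. Each key bit costs one add plus
# one double, selected by a masked swap instead of a branch a cache probe can see.
M, POLY, B = 163, (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1, 1  # sect163k1 field, b = 1
GX = 0x02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8  # sect163k1 base-point x (as recalled from SEC 2)

def gf_mul(a, b):
    """Carry-less schoolbook multiply in GF(2^M), reduced modulo POLY (toy, not constant-time)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= POLY if a >> M else 0
    return r

def gf_inv(a):
    """a^(2^M - 2) by square-and-multiply; returns 0 for a == 0."""
    r, e = 1, (1 << M) - 2
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r
def mdouble(R):
    """Lopez-Dahab doubling: (X^4 + b*Z^4, X^2*Z^2)."""
    X2, Z2 = gf_mul(R[0], R[0]), gf_mul(R[1], R[1])
    return (gf_mul(X2, X2) ^ gf_mul(B, gf_mul(Z2, Z2)), gf_mul(X2, Z2))
def madd(R0, R1, x):
    """Lopez-Dahab differential addition; x = x(R1 - R0) = x(P) for the whole ladder."""
    t0, t1 = gf_mul(R0[0], R1[1]), gf_mul(R1[0], R0[1])
    Z3 = gf_mul(t0 ^ t1, t0 ^ t1)
    return (gf_mul(x, Z3) ^ gf_mul(t0, t1), Z3)
def cswap(R0, R1, bit):
    """Swap the two ladder points iff bit == 1, via an all-ones mask instead of a branch."""
    mask = -bit & ((1 << M) - 1)
    dx, dz = (R0[0] ^ R1[0]) & mask, (R0[1] ^ R1[1]) & mask
    return (R0[0] ^ dx, R0[1] ^ dz), (R1[0] ^ dx, R1[1] ^ dz)

def ladder_x(k, x=GX):
    """x-coordinate of k*P (k >= 1) given only x = x(P); identical op sequence for every k."""
    R0, R1 = (x, 1), mdouble((x, 1))          # R0 = P, R1 = 2P; invariant R1 - R0 = P
    for i in range(k.bit_length() - 2, -1, -1):
        bit = (k >> i) & 1
        R0, R1 = cswap(R0, R1, bit)           # a leaky ladder would do `if bit:` here
        R1, R0 = madd(R0, R1, x), mdouble(R0)
        R0, R1 = cswap(R0, R1, bit)
    return gf_mul(R0[0], gf_inv(R0[1]))       # back to affine x = X/Z
def affine_double_x(x):
    """Independent check: on y^2 + xy = x^3 + ax^2 + b, x(2Q) = x^2 + b/x^2."""
    x2 = gf_mul(x, x)
    return x2 ^ gf_mul(B, gf_inv(x2))
```

The check `ladder_x(2*k) == affine_double_x(ladder_x(k))` exercises the full add/double/swap sequence against a formula the ladder does not use.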