Paper 2014/140

Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack

Yuval Yarom and Naomi Benger

Abstract

We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G \in E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires computation of less than one second on a quad core desktop when the scalar k (and secret key) is around 571 bits.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Side Channel AttackCacheECDSA
Contact author(s)
yval @ cs adelaide edu au
History
2014-02-27: received
Short URL
https://ia.cr/2014/140
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/140,
      author = {Yuval Yarom and Naomi Benger},
      title = {Recovering {OpenSSL} {ECDSA} Nonces Using the {FLUSH}+{RELOAD} Cache Side-channel Attack},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/140},
      year = {2014},
      url = {https://eprint.iacr.org/2014/140}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.