Paper 2014/434

Just a Little Bit More

Joop van de Pol, Nigel P. Smart, and Yuval Yarom

Abstract

We extend the FLUSH+RELOAD side-channel attack of Benger et al. to extract a significantly larger number of bits of information per observed signature when using OpenSSL. This means that by observing only 25 signatures, we can recover secret keys of the secp256k1 curve, used in the Bitcoin protocol, with a probability greater than 50 percent. This is an order of magnitude improvement over the previously best known result. The new method of attack exploits two points: Unlike previous partial disclosure attacks we utilize all information obtained and not just that in the least significant or most significant bits, this is enabled by a property of the “standard” curves choice of group order which enables extra bits of information to be extracted. Furthermore, whereas previous works require direct information on ephemeral key bits, our attack utilizes the indirect information from the wNAF double and add chain.

Note: CT-RSA 2015

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision.Topics in Cryptology – CT-RSA 2015
DOI
10.1007/978-3-319-16715-2_1
Keywords
side-channelshidden number problem
Contact author(s)
nigel @ cs bris ac uk
yval @ cs adelaide edu au
joop vandepol @ bristol ac uk
History
2015-03-25: revised
2014-06-12: received
See all versions
Short URL
https://ia.cr/2014/434
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/434,
      author = {Joop van de Pol and Nigel P.  Smart and Yuval Yarom},
      title = {Just a Little Bit More},
      howpublished = {Cryptology ePrint Archive, Paper 2014/434},
      year = {2014},
      doi = {10.1007/978-3-319-16715-2_1},
      note = {\url{https://eprint.iacr.org/2014/434}},
      url = {https://eprint.iacr.org/2014/434}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.