Differences
Revisions compared: public:papers:minerva_tches20 [2020-09-07 13:32] – [Edit - Panel] xjancar (previous) and public:papers:minerva_tches20 [2020-09-07 13:33] (current) – [Edit - Panel] xjancar.
<panel type="
We present our discovery of a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (**libgcrypt**, **wolfSSL**, **MatrixSSL**, **SunEC/
Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using the leaked bit-length, we mount a lattice attack on a 256-bit curve after observing enough signing operations. We propose two new methods to recover the full private key, requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data.
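The two mechanisms the abstract names, a scalar multiplication whose running time grows with the bit-length of the nonce, and the rewriting of each leaky signature into a hidden-number-problem (HNP) sample that a lattice attack consumes, are illustrated below. This is an added example written for this page, not the Minerva authors' code or any of the affected libraries' code: the curve arithmetic is replaced by a constructed group of prime order N (the order of P-256 is used only as a realistic 256-bit modulus), r is a random stand-in for x(kG), the signing oracle and seed are constructed, and the lattice reduction step itself is not included. It also shows the standard fixed-length-scalar countermeasure (adding N once or twice to the nonce) and checks that it removes the length dependence.

```python
import random

# Order of the P-256 group; any 256-bit prime order would serve the same purpose.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
BITS = N.bit_length()  # 256


def ladder_ops(k: int) -> int:
    """Group operations done by a Montgomery-ladder style scalar multiplication.

    Every iteration does one doubling and one addition (no data-dependent branch),
    but the loop starts at the most significant set bit of k, so the total count,
    i.e. the running time, is 2 * k.bit_length(): the bit-length leaks.
    """
    ops = 0
    for _ in range(k.bit_length()):
        ops += 2
    return ops


def leaked_bit_length(ops: int) -> int:
    """What a timing-side attacker learns from one measurement of ladder_ops."""
    return ops // 2


def fixed_length_scalar(k: int) -> int:
    """Countermeasure: use k + N (or k + 2N) as the scalar.

    The result is congruent to k mod N, so kG is unchanged, but the scalar now
    always has BITS + 1 bits and the ladder runs a fixed number of iterations.
    """
    kk = k + N
    if kk.bit_length() == BITS:
        kk += N
    return kk


def ecdsa_s(d: int, h: int, k: int, r: int) -> int:
    """ECDSA second signature component: s = k^-1 (h + r d) mod N."""
    return pow(k, -1, N) * (h + r * d) % N


def simulate_signing(d: int, count: int, rng: random.Random):
    """Constructed signing oracle: returns [(h, r, s, ops)] for random hashes and nonces.

    r stands in for x(kG); its value is irrelevant to both the leak and the reduction.
    """
    out = []
    for _ in range(count):
        h = rng.randrange(1, N)
        k = rng.randrange(1, N)
        r = rng.randrange(1, N)
        out.append((h, r, ecdsa_s(d, h, k, r), ladder_ops(k)))
    return out


def hnp_samples(sigs, min_leading_zeros: int):
    """Keep signatures whose nonce is known (from timing) to have at least
    min_leading_zeros leading zero bits and rewrite each as an HNP sample:
    k = u + t*d (mod N) with 0 < k < 2**L, where t = r/s and u = h/s mod N.
    These (t, u, bound) triples are the input of the lattice attack."""
    samples = []
    for h, r, s, ops in sigs:
        L = leaked_bit_length(ops)
        if BITS - L < min_leading_zeros:
            continue
        s_inv = pow(s, -1, N)
        samples.append((r * s_inv % N, h * s_inv % N, 1 << L))
    return samples


def hnp_sample_holds(t: int, u: int, bound: int, d: int) -> bool:
    """Sanity check available only to the simulator (it knows d)."""
    return 0 < (u + t * d) % N < bound


def run_demo(seed: int = 2020, count: int = 500, min_zeros: int = 4):
    """Sign `count` messages with a random key, filter the short-nonce signatures
    and return (number of HNP samples, whether every sample satisfies its bound)."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    samples = hnp_samples(simulate_signing(d, count, rng), min_zeros)
    return len(samples), all(hnp_sample_holds(t, u, b, d) for t, u, b in samples)


if __name__ == "__main__":
    print(run_demo())
```

Roughly one nonce in 2^z has z leading zero bits, so 500 signatures yield about 30 samples with at least 4 known-zero top bits; the paper's methods are about choosing and weighting such samples so that the lattice step succeeds with as few signatures as the abstract quotes. Note that the ladder does constant work per bit and still leaks: only a fixed-length scalar (or a fixed iteration count) removes the dependency that `ladder_ops` exposes.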