Here's a recently-published paper that describes a flush & reload attack on OpenSSL's ECDSA implementation:

http://eprint.iacr.org/2014/140.pdf

According to the authors, snooping a single signing round is sufficient to recover the secret key.

--mancha

On Sat, 1 Mar 2014, mancha wrote:

> Here's a recently-published paper that describes a flush & reload
> attack on OpenSSL's ECDSA implementation:
>
> http://eprint.iacr.org/2014/140.pdf
>
> According to the authors, snooping a single signing round is
> sufficient to recover the secret key.

It sounds like an interesting technique, though I note that they attacked signing using one of the GF(2^m) curves rather than the GP(p) curves that almost everything uses. Why?

-d