Use of elliptic curves in cryptography
Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Lattice Attacks on Digital Signature Schemes
Designs, Codes and Cryptography
CM-Curves with Good Cryptographic Properties
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Fast Multiplication on Elliptic Curves over GF(2m) without Precomputation
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Guide to Elliptic Curve Cryptography
Guide to Elliptic Curve Cryptography
Remote timing attacks are practical
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Remote timing attacks are practical
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds
Proceedings of the 16th ACM conference on Computer and communications security
Are AES x86 cache timing attacks still feasible?
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
The security impact of a new cryptographic library
LATINCRYPT'12 Proceedings of the 2nd international conference on Cryptology and Information Security in Latin America
| Hi-index | 0.00 |
For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem with a goal to provide side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.