forked from openssl/openssl
Commit
Implement blinding for EC scalar multiplication
This commit implements coordinate blinding for the generic implementations of both binary and prime elliptic curves in 1.0.2, to avoid leaking bits of the scalar and, potentially, bug attacks. While blinding is implemented in the 1.1.1 and master branches, it was deliberately decided to avoid backporting those changes as they were originally written for the newer branches, as the solution adopted there required major restructuring of code and structures that was deemed not suitable for 1.0.2.

A group of security researchers and cryptographers from academia and industry, listed below, reported a successful cache timing attack in OpenSSL 1.0.2u against specific prime and binary curves whose order or field length is close to a word boundary. In this commit, as a possible fix, the authors propose implementing coordinate randomization to balance the two possibilities for the key bit in the first loop iteration of the Montgomery ladder. This way, the Z coordinates of both accumulator points will be non-trivial and the multiplication latency will be similar, with a tiny performance penalty.

The original GitHub Pull Request openssl#11361 includes more details about the reported attack, literature references and discussions on how the originally proposed fix was incrementally edited to reflect the relevant details of the 1.1.1 and master branches regarding coordinate blinding.

The authors of the original report and fix are Diego F. Aranha and Akira Takahashi (both from Aarhus University), Mehdi Tibouchi (NTT Corporation) and Yuval Yarom (University of Adelaide).

Co-authored-by: Akira Takahashi <takahashi@cs.au.dk>
Co-authored-by: Mehdi Tibouchi <tibouchi.mehdi@lab.ntt.co.jp>
Co-authored-by: Yuval Yarom <yval@cs.adelaide.edu.au>
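The coordinate randomization the commit message describes, as an added Python example that is not OpenSSL's code: a Montgomery ladder in Jacobian coordinates over a constructed toy curve (p = 97, y^2 = x^3 + 2x + 3, base point (3, 6), all chosen for illustration), run once on the raw input point and once on a copy whose coordinates were multiplied by (l^2, l^3, l) for a random l. Without blinding, the first accumulator enters the ladder loop with Z = 1, so the first iteration's add and double multiply by a trivial Z; with blinding, both accumulators carry random non-trivial Z and the result is unchanged. An affine double-and-add is included as an independent reference to check the ladder's output.

```python
"""Montgomery ladder with and without coordinate blinding (added example,
not OpenSSL code). The curve, base point and scalars are constructed."""
import random

# Constructed toy curve y^2 = x^3 + A*x + B over F_P; P_BASE lies on it.
P = 97
A = 2
B = 3
P_BASE = (3, 6)

INF = (1, 1, 0)  # point at infinity in Jacobian coordinates (Z == 0)


def inv(x):
    return pow(x, P - 2, P)


def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi * zi % P, Y * zi * zi * zi % P)


def jac_double(pt):
    # Jacobian doubling: x = X/Z^2, y = Y/Z^3.
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    S = 4 * X1 * Y1 * Y1 % P
    M = (3 * X1 * X1 + A * pow(Z1, 4, P)) % P
    X3 = (M * M - 2 * S) % P
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P)) % P
    Z3 = 2 * Y1 * Z1 % P
    return (X3, Y3, Z3)


def jac_add(p, q):
    X1, Y1, Z1 = p
    X2, Y2, Z2 = q
    if Z1 == 0:
        return q
    if Z2 == 0:
        return p
    U1 = X1 * Z2 * Z2 % P
    U2 = X2 * Z1 * Z1 % P
    S1 = Y1 * pow(Z2, 3, P) % P
    S2 = Y2 * pow(Z1, 3, P) % P
    if U1 == U2:
        return INF if S1 != S2 else jac_double(p)
    H = (U2 - U1) % P
    R = (S2 - S1) % P
    H2 = H * H % P
    H3 = H2 * H % P
    X3 = (R * R - H3 - 2 * U1 * H2) % P
    Y3 = (R * (U1 * H2 - X3) - S1 * H3) % P
    Z3 = H * Z1 * Z2 % P
    return (X3, Y3, Z3)


def blind(pt, rng):
    # (X:Y:Z) -> (l^2 X : l^3 Y : l Z) is the same point with a random Z != 1.
    X, Y, Z = pt
    lam = rng.randrange(2, P)
    return (X * lam * lam % P, Y * pow(lam, 3, P) % P, Z * lam % P)


def ladder_mul(k, pt, blind_coords, seed=None):
    """Return (k*pt as affine, (Z of r0, Z of r1) when the ladder loop starts).

    r0 starts as pt, r1 as 2*pt; the invariant r1 == r0 + pt holds throughout.
    """
    assert k >= 1
    r0 = (pt[0], pt[1], 1)
    if blind_coords:
        r0 = blind(r0, random.Random(seed))
    r1 = jac_double(r0)
    z_at_start = (r0[2], r1[2])  # Z == 1 here is the "trivial" case
    for bit in bin(k)[3:]:  # every bit below the most significant one
        if bit == "0":
            r1 = jac_add(r0, r1)
            r0 = jac_double(r0)
        else:
            r0 = jac_add(r0, r1)
            r1 = jac_double(r1)
    return to_affine(r0), z_at_start


def affine_add(p, q):
    # Independent reference arithmetic; None is the point at infinity.
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def affine_mul(k, pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc


def check_against_reference(max_k, seed):
    """True if blinded and unblinded ladders agree with double-and-add for 1..max_k."""
    for k in range(1, max_k + 1):
        ref = affine_mul(k, P_BASE)
        if ladder_mul(k, P_BASE, False)[0] != ref:
            return False
        if ladder_mul(k, P_BASE, True, seed=seed + k)[0] != ref:
            return False
    return True


if __name__ == "__main__":
    _, z_plain = ladder_mul(37, P_BASE, False)
    _, z_blind = ladder_mul(37, P_BASE, True, seed=7)
    print("unblinded accumulator Z at loop start:", z_plain)
    print("blinded accumulator Z at loop start:  ", z_blind)
    print("ladders agree with reference:", check_against_reference(60, 7))
```

The blinding factor is drawn from [2, p-1] so the starting accumulator's Z is never 1; what the randomization does not change is the group element, which is why both ladders must agree with the affine reference for every scalar.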
Showing 4 changed files with 107 additions and 8 deletions.