Minerva attack on OpenSSL built without enable-ec_nistp_64_gcc_128 #24274
Labels: branch: master (Merge to master branch); branch: 3.0 (Merge to openssl-3.0 branch); branch: 3.1 (Merge to openssl-3.1); branch: 3.2 (Merge to openssl-3.2); branch: 3.3 (Merge to openssl-3.3); triaged: bug (The issue/pr is/fixes a bug)
@tomato42 and I have tested OpenSSL built without the enable-ec_nistp_64_gcc_128 option on Configure and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels but we did not perform the Minerva attack against the implementation.
In the test scenario, we measure the time of signing of random messages using the `EVP_DigestSign` API (`Init`, `Update`, and `Final`) and then use the private key to extract the K value (nonce) from the signatures. Then, based on the bit size of the extracted nonce, we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.

We have verified that for P-256, this path uses the nistz256 implementation and calls the `ecp_nistz256_points_mul()` function. The test used OpenSSL from HEAD on 2024-04-12.
We found a side-channel in P-256 on non-deterministic OpenSSL. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.

The results for P-256 non-deterministic path. Skillings-Mack test p-value: 0. The sample tested has 507,469,447 observations.

The results for P-384 non-deterministic path. Skillings-Mack test p-value: 2.528827e-54. The sample tested has 518,259,886 observations.

The results for P-521 non-deterministic path. Skillings-Mack test p-value: 1.318966e-256. The sample tested has 518,253,832 observations.
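The nonce-recovery step the report relies on, as an added example that is not code from the issue or from OpenSSL: the holder of the private key d turns every ECDSA signature (r, s) over a message hash z back into its nonce with k = s⁻¹(z + r·d) mod n, and the signatures are then grouped by the bit length of k. Because k is uniform in [1, n-1] and n for P-256 is just under 2²⁵⁶, about half the nonces have 256 bits, a quarter 255, and so on, which is what gives the test its groups. The P-256 arithmetic below is a plain textbook double-and-add written only to keep the example self-contained (it is not OpenSSL's nistz256 code, which is the implementation the issue is about); the keys, nonces and messages in the demo are constructed at random.

```python
# Added example, not code from the OpenSSL issue or from OpenSSL itself.
# Shows the reporters' nonce-recovery step: given the private key d and an
# ECDSA signature (r, s) over a message hash z, k = s^-1 * (z + r*d) mod n.
# Signatures are then grouped by the bit length of the recovered k, which is
# the grouping whose per-group signing times the Minerva-style test compares.
import hashlib
import secrets

# NIST P-256 domain parameters (public, standard values).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(p1, p2):
    """Affine point addition on P-256. None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Textbook double-and-add, deliberately unprotected: the loop runs exactly
    k.bit_length() times, so its duration depends on the nonce size. That is the
    kind of dependency the reporters measured (OpenSSL's nistz256 code differs)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    # For P-256 the full SHA-256 digest is z; all further arithmetic is mod n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d: int, msg: bytes, k: int):
    """ECDSA with a caller-supplied nonce so the example can check recovery."""
    z = hash_to_int(msg)
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce; pick another k")
    return (r, s)


def verify(Q, msg: bytes, sig) -> bool:
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(hash_to_int(msg) * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_nonce(d: int, msg: bytes, sig) -> int:
    """Private-key holder recovers the nonce: k = s^-1 (z + r d) mod n."""
    r, s = sig
    return pow(s, -1, N) * (hash_to_int(msg) + r * d) % N


def bin_by_nonce_bitlen(d: int, signed):
    """Map nonce bit length -> list of (msg, sig). The timing test compares the
    signing times of the full-size bin against those of the smaller bins."""
    bins = {}
    for msg, sig in signed:
        bins.setdefault(recover_nonce(d, msg, sig).bit_length(), []).append((msg, sig))
    return bins


if __name__ == "__main__":
    # Constructed demo data: a fresh random key and 200 random messages/nonces.
    d = secrets.randbelow(N - 1) + 1
    Q = ec_mul(d, G)
    signed = []
    for _ in range(200):
        msg = secrets.token_bytes(32)
        k = secrets.randbelow(N - 1) + 1
        sig = sign(d, msg, k)
        assert verify(Q, msg, sig) and recover_nonce(d, msg, sig) == k
        signed.append((msg, sig))
    for bitlen, group in sorted(bin_by_nonce_bitlen(d, signed).items(), reverse=True):
        print(f"nonce bit length {bitlen}: {len(group)} signatures")
```

In the real test the timestamps collected around `EVP_DigestSign` are attached to each signature before `recover_nonce` is applied, and the per-bin timing samples (not the counts printed here) are what the statistical test is run on.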