
Minerva attack on OpenSSL built without enable-ec_nistp_64_gcc_128 #24274

Open
GeorgePantelakis opened this issue Apr 26, 2024 · 2 comments
Labels
branch: master Merge to master branch branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 triaged: bug The issue/pr is/fixes a bug

Comments

@GeorgePantelakis

@tomato42 and I have tested OpenSSL built without the enable-ec_nistp_64_gcc_128 option on Configure and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels but we did not perform the Minerva attack against the implementation.

In the test scenario, we measure the time of signing of random messages using the EVP_DigestSign API (Init, Update, and Final) and then use the private key to extract the K value (nonce) from the signatures. Then based on the bit size of the extracted nonce we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.

We have verified that for P-256, this path uses the nistz256 implementation and calls the ecp_nistz256_points_mul() function. The test used OpenSSL from HEAD on 2024-04-12.

We found a side-channel in P-256 on non-deterministic OpenSSL. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10] The results for P-256 non-deterministic path. Skilling-Mack test p-value: 0. The sample tested has 507,469,447 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10] The results for P-384 non-deterministic path. Skilling-Mack test p-value: 2.528827e-54. The sample tested has 518,259,886 observations.

[Figure: conf_interval_plot_all_k_sizes_trim_mean_45_0-10] The results for P-521 non-deterministic path. Skilling-Mack test p-value: 1.318966e-256. The sample tested has 518,253,832 observations.
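The analysis step the report describes (sign random messages, recover the nonce K from each signature with the known private key, then group signing times by the bit length of K) can be illustrated on a small scale. The block below is an added example, not the reporters' test harness and not OpenSSL code: it uses a textbook pure-Python P-256 implementation (affine double-and-add, deliberately not constant-time, so the bit length of K is visible in the work done), signs with EVP_DigestSign-equivalent inputs (SHA-256 of the message), recovers K as s^-1 (e + r d) mod n, and buckets timings by bit length. Function names (`sign`, `recover_nonce`, `timed_signatures`, `bucket_by_bit_length`) and the sample key are assumptions of the example; the statistical test (Skilling-Mack in the report) would run over the returned buckets.

```python
# Added example (not from the issue or OpenSSL): ECDSA nonce recovery with a
# known private key and bucketing of signing times by nonce bit length.
import hashlib
import secrets
import time

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Textbook right-to-left double-and-add. The loop runs once per bit of
    k, so a shorter k does less work: the kind of leak the report measures."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def hash_int(msg):
    """e = SHA-256(msg) interpreted as an integer mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signature (r, s) of msg under private key d with nonce k."""
    x, _ = ec_mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (hash_int(msg) + r * d) % N
    return r, s


def verify(q, msg, sig):
    """Standard ECDSA verification against public key q = d*G."""
    r, s = sig
    w = pow(s, -1, N)
    e = hash_int(msg)
    x = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


def recover_nonce(d, msg, sig):
    """With the private key known, k = s^-1 (e + r d) mod n. This is what
    the test harness does to learn the nonce size of each signature."""
    r, s = sig
    return pow(s, -1, N) * (hash_int(msg) + r * d) % N


def timed_signatures(d, count):
    """Sign `count` random messages with random nonces; return
    (bit_length_of_k, elapsed_ns) per signature, k recovered from the sig."""
    samples = []
    for _ in range(count):
        msg = secrets.token_bytes(32)
        k = secrets.randbelow(N - 1) + 1
        t0 = time.perf_counter_ns()
        sig = sign(d, msg, k)
        elapsed = time.perf_counter_ns() - t0
        samples.append((recover_nonce(d, msg, sig).bit_length(), elapsed))
    return samples


def bucket_by_bit_length(samples):
    """Group timings by nonce bit length; a statistical test then compares
    the full-size bucket (256 bits) against the shorter ones."""
    buckets = {}
    for bits, elapsed in samples:
        buckets.setdefault(bits, []).append(elapsed)
    return buckets


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1          # constructed throwaway key
    for bits, times in sorted(bucket_by_bit_length(timed_signatures(d, 20)).items()):
        print(f"k bits={bits:3d}  n={len(times):2d}  mean_ns={sum(times)//len(times)}")
```

In a real run the timing source is the signing call of the implementation under test, not this Python code, and the sample size is in the hundreds of millions as the figures above show; the recovery and bucketing logic is unchanged.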

@GeorgePantelakis GeorgePantelakis added the issue: bug report The issue was opened to report a bug label Apr 26, 2024
@GeorgePantelakis GeorgePantelakis changed the title Minerva attack on building OpenSSL without enable-ec_nistp_64_gcc_128 Minerva attack on OpenSSL built without enable-ec_nistp_64_gcc_128 Apr 26, 2024
@t8m t8m added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 and removed issue: bug report The issue was opened to report a bug labels Apr 26, 2024
@t8m
Member

t8m commented Apr 26, 2024

@GeorgePantelakis I assume all these results were obtained with the nonce fixes from #24265.

If you build with enable-ec_nistp_64_gcc_128 you should see the same leak on P-256 as it will also use the nistz256 implementation.

@GeorgePantelakis
Author

@t8m No because when we ran this we didn't even have the patch for deterministic, we only had the non-deterministic fixes. In general, it used the HEAD git checkout of 2024-04-12. The non-deterministic path, which was tested, was fixed then so it shouldn't show a signal, but it does. Anyway, we are currently running the test again with the changes from #24265. If there is a signal in the new results I will close it as fixed with the fixed results.
