Minerva attack on s390x architecture #24252
Labels: branch: master, branch: 3.0, branch: 3.1, branch: 3.2, branch: 3.3, help wanted, resolved: not a bug, triaged: bug
@tomato42 and I have tested OpenSSL on the s390x architecture with the z15 microarchitecture, and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels, but we did not perform the Minerva attack against the implementation.
In the test scenario, we measure the time of signing of random messages using the EVP_DigestSign API (Init, Update, and Final) and then use the private key to extract the K value (nonce) from the signatures. Then based on the bit size of the extracted nonce we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.

In our initial test, we found side-channels in curves P-256, P-364, and P-521. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel.
For the non-deterministic path of the code:
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,963,933 observations.
Results for P-384. Skilling-Mack test p-value: 0. The sample tested has 143,966,184 observations.
Results for P-521. Skilling-Mack test p-value: 0. The sample tested has 143,961,342 observations.
For the deterministic path of the code:
Results for P-256. Skilling-Mack test p-value: 0. The sample tested has 143,961,755 observations.
Results for P-384. Skilling-Mack test p-value: 1.180236e-133. The sample tested has 143,952,618 observations.
Results for P-521. Skilling-Mack test p-value: 8.712206e-06. The sample tested has 143,961,258 observations.