Minerva attack in OpenSSL #23860
@tomato42 and I have tested OpenSSL and we found that it may be vulnerable to a variant of the Minerva attack. We used statistical analysis to confirm the presence of side channels but we did not perform the Minerva attack against the implementation.
In the test scenario, we measure the time of signing of random messages using the EVP_DigestSign API (Init, Update, and Final) and then use the private key to extract the K value (nonce) from the signatures. Then, based on the bit size of the extracted nonce, we compare the signing time of full-sized nonces to signatures that used smaller nonces using statistical tests.
In our initial test, we found side-channels in curves P-256, P-364, and P-521. In these results we can see a clear leak: there is a dependency between the bit size of K and the size of the side channel. For initial testing, we used the master checkout from 2023-09-11.
The sample tested has 107,970,608 observations.
The sample tested has 43,179,504 observations.
The sample tested has 97,170,890 observations. The results for P-521 are notable due to the big "step" present between results for 512-bit and 513-bit nonces, which is over 250ns.
After long cooperation with the OpenSSL team, we have arrived at a patch that significantly reduces leakage for P-256 and P-384 signing operations.
For P-521, with the patch applied, the "step" of 25ns is still present between the 512-bit and 513-bit nonce, but there is no side channel in larger nonce sizes.
The sample tested has 58,312,456 observations.
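The measurement described in the report above, sketched as an added example (not the reporters' test harness and not OpenSSL code): with the private key d known, the nonce follows from k = s^-1 (h + r*d) mod n, and signing times are then grouped by the nonce's bit length and compared against the full-size group. The function names are hypothetical, the signatures and the 20 ns-per-bit timing model are constructed, and the median difference stands in for the statistical tests, which the report does not name.

```python
import hashlib
import random
import statistics
from collections import defaultdict

# Order n of the NIST P-256 group (public curve parameter).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def recover_nonce(r, s, digest, d, n=N):
    """k = s^-1 * (h + r*d) mod n; only possible when the private key d is known."""
    h = int.from_bytes(digest, "big")  # 256-bit digest, no truncation needed for P-256
    return pow(s, -1, n) * (h + r * d) % n

def bucket_by_bitlen(samples, d, n=N):
    """samples: (digest, r, s, seconds) tuples -> {nonce bit length: [signing times]}."""
    buckets = defaultdict(list)
    for digest, r, s, seconds in samples:
        buckets[recover_nonce(r, s, digest, d, n).bit_length()].append(seconds)
    return buckets

def median_deltas(buckets, full_bits=N.bit_length()):
    """Median time of each shorter-nonce bucket minus the full-size bucket's median."""
    ref = statistics.median(buckets[full_bits])
    return {bits: statistics.median(times) - ref
            for bits, times in sorted(buckets.items()) if bits != full_bits}

def constructed_samples(d, count=4000, seed=1):
    """Constructed input: r is a random scalar, not a real curve x-coordinate (the
    recovery algebra does not depend on it), and the timing model is invented."""
    rng = random.Random(seed)
    samples = []
    for i in range(count):
        k = rng.randrange(1 << 16, N) >> rng.choice([0, 0, 0, 1, 2, 3])  # mix in short nonces
        digest = hashlib.sha256(b"message %d" % i).digest()
        r = rng.randrange(1, N)
        s = pow(k, -1, N) * (int.from_bytes(digest, "big") + r * d) % N
        seconds = 1e-5 + 2e-8 * k.bit_length() + rng.gauss(0, 5e-9)  # 20 ns per bit
        samples.append((digest, r, s, seconds))
    return samples

if __name__ == "__main__":
    d = 0x1F2E3D4C5B6A79880123456789ABCDEF  # constructed private key
    for bits, delta in median_deltas(bucket_by_bitlen(constructed_samples(d), d)).items():
        print(f"{bits}-bit nonces: {delta * 1e9:+.1f} ns vs full-size")
```

A constant-time signer would show deltas indistinguishable from zero in every bucket; the constructed model shows a negative delta that grows as the nonce gets shorter.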