“Ooh Aah... Just a Little Bit”: A Small Amount of Side Channel Can Go a Long Way

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


We apply the Flush+Reload side-channel attack based on cache hits/misses to extract a small amount of data from OpenSSL ECDSA signature requests. We then apply a “standard” lattice technique to extract the private key, but unlike previous attacks we are able to make use of the side-channel information from almost all of the observed executions. This means we obtain private key recovery by observing a relatively small number of executions, and by expending a relatively small amount of post-processing via lattice reduction. We demonstrate our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol. In particular we show that with as few as 200 signatures we are able to achieve a reasonable level of success in recovering the secret key for a 256-bit curve. This is significantly better than prior methods of applying lattice reduction techniques to similar side channel information.
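The lattice step the abstract refers to, worked through here as an added derivation that is not part of the paper's text: it assumes the side channel yields the ℓ least significant bits of each ECDSA nonce, which is the standard reduction of partially known nonces to the hidden number problem (HNP) of Howgrave-Graham and Smart and of Nguyen and Shparlinski.

Let the base point have prime order $n$, let $d$ be the private key, and let $(r_i, s_i)$ be the signature on hash $h_i$ produced with nonce $k_i$:
$$s_i = k_i^{-1}(h_i + r_i d) \bmod n, \qquad\text{so}\qquad k_i \equiv s_i^{-1} h_i + s_i^{-1} r_i\, d \pmod n .$$
Suppose the side channel reveals the $\ell$ low bits $a_i$ of $k_i$, i.e. $k_i = a_i + 2^{\ell} b_i$ with $0 \le b_i < n/2^{\ell}$. Substituting and dividing by $2^{\ell}$ modulo $n$ gives
$$b_i \equiv t_i\, d - u_i \pmod n, \qquad t_i = 2^{-\ell} s_i^{-1} r_i \bmod n, \qquad u_i = 2^{-\ell}\bigl(a_i - s_i^{-1} h_i\bigr) \bmod n .$$
Centering the unknown $b_i$ with $w_i = u_i + n/2^{\ell+1}$ yields an HNP instance, where $|x|_n$ denotes the distance from $x$ to the nearest multiple of $n$:
$$\bigl|\, t_i\, d - w_i \,\bigr|_n \;\le\; \frac{n}{2^{\ell+1}}, \qquad i = 1,\dots,m .$$
The $m$ pairs $(t_i, w_i)$ are public, and $d$ is the hidden number. Consider the lattice $L$ spanned by the rows of
$$B = \begin{pmatrix} n & 0 & \cdots & 0 & 0 \\ 0 & n & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & n & 0 \\ t_1 & t_2 & \cdots & t_m & 2^{-(\ell+1)} \end{pmatrix}.$$
The lattice vector $v = (t_1 d \bmod n,\ \dots,\ t_m d \bmod n,\ d/2^{\ell+1}) \in L$ lies within Euclidean distance $\sqrt{m+1}\, n/2^{\ell+1}$ of the target $w = (w_1, \dots, w_m, 0)$, so solving the closest-vector problem (in practice LLL or BKZ on the embedded lattice) returns $v$, and its last coordinate reveals $d$. Since $\det L = n^{m}/2^{\ell+1}$, the Gaussian heuristic places the shortest nonzero vector of $L$ near $\sqrt{m+1}\,(\det L)^{1/(m+1)}$ up to a constant, and $v$ is the unique close vector only when $n/2^{\ell+1}$ is below that scale, which requires roughly
$$m\,\ell \;\gtrsim\; \log_2 n \quad\Longrightarrow\quad m \;\gtrsim\; 256/\ell \ \text{ signatures for secp256k1.}$$
Each observed signature thus contributes about $\ell$ bits toward $d$, and any execution whose leaked bits cannot be fed into the lattice is simply wasted; the abstract's point is that the lattice is built from almost every observed execution, which is what keeps the signature count near this bound. From the implementer's side, the derivation shows that the only robust defence is to leak no nonce bits at all: a constant-time scalar multiplication removes the $a_i$, and with them the entire instance.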





Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. School of Computer Science, The University of Adelaide, Australia
  2. Dept. Computer Science, University of Bristol, United Kingdom
