We apply the FLUSH+RELOAD side-channel attack based on cache hits/misses to extract a small amount of data from OpenSSL ECDSA signature requests. We then apply a "standard" lattice technique to extract the private key, but unlike previous attacks we are able to make use of the side-channel information from almost all of the observed executions. This means we obtain private key recovery by observing a relatively small number of executions, and by expending a relatively small amount of post-processing via lattice reduction. We demonstrate our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol. In particular we show that with as little as 200 signatures we are able to achieve a reasonable level of success in recovering the secret key for a 256-bit curve. This is significantly better than prior methods of applying lattice reduction techniques to similar side channel information.
Abstract. A cryptographic pairing evaluates as an element of a finite extension field, and the evaluation itself involves a considerable amount of extension field arithmetic. It is recognised that organising the extension field as a "tower" of subfield extensions has many advantages. Here we consider criteria that apply when choosing the best towering construction, and the associated choice of irreducible polynomials for the implementation of pairing-based cryptosystems. We introduce a method for automatically constructing efficient towers for more classes of finite fields than previous methods, some of which allow faster arithmetic. We also show that for some families of pairing-friendly elliptic curves defined over Fp there are a large number of instances for which an efficient tower extension F p k is given immediately if the parameter defining the prime characteristic of the field satisfies a few easily checked equivalences.
Abstract. When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order r involved in the pairing. Of these G1 is a group of points on the base field E(F p ) and G 2 is instantiated as a group of points with coordinates on some extension field, over a twisted curve E (F p d ), where d divides the embedding degree k. While hashing to G 1 is relatively easy, hashing to G 2 has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on G2 which exploits an efficiently computable homomorphism.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.