Proceedings of the 34th Annual Computer Security Applications Conference 2018
DOI: 10.1145/3274694.3274725
Side-Channel Analysis of SM2

Abstract: SM2 is a public key cryptography suite originating from Chinese standards, including digital signatures and public key encryption. Ahead of schedule, code for this functionality was recently mainlined in OpenSSL, marked for the upcoming 1.1.1 release. We perform a security review of this implementation, uncovering various deficiencies ranging from traditional software quality issues to side-channel risks. To assess the latter, we carry out a side-channel security evaluation and discover that the implementation…

Cited by 14 publications (4 citation statements); references 61 publications.

Citation statements:
“…Prime curves. In curves defined over F_p for large prime p, OpenSSL 1.0.2u employs the Montgomery ladder when precomputation is turned off, a scenario prevalent in practice since precomputation must be manually turned on for a certain point (typically a fixed generator) [67]. Parameters affected are NIST curves P-192, P-224, P-384 and P-521; and SECG curves secp192k1 and secp256k1 (i.e.…”
Section: Cache-timing Vulnerabilities in OpenSSL's Implementation
confidence: 99%
“…This feature could be interpreted as this model requires knowing one algorithm input to recover some bits of the other, especially because until now, it was only used under this scenario. For instance, in [ACSS17] and [Tuv+18] it was used to cryptanalyze modular inversion operations on secret data in DSA-like signature algorithms, where the modulus (one input) is known to the attacker. Also, in [Ald+19a] it was used to recover RSA private keys during generation: d = e^{-1} mod (p − 1)(q − 1), where the RSA public exponent, e, is also known to the attacker.…”
Section: Binary GCD Algorithm and Side-channel Analysis
confidence: 99%
“…In theory the lattice-based cryptanalysis described below can work even with a 2-bit leak [NS03], however, exploiting this small (fewer than three bits) leak for 256-bit elliptic curves has not been demonstrated in practice [TTA18]. On the other hand, exploiting a leak of at least three bits is a common practice [Ben+14, PGB17, Tuv+18, Ald+19b].…”
Section: Private Key Recovery Using Lattices
confidence: 99%