
https://eprint.iacr.org/2014/140.pdf
Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache
Side-channel Attack
ECDSA - Elliptic Curve Digital Signature Algorithm
* signing takes less than one second on a typical desktop.
* the expensive step is scalar multiplication of a curve point by a random
nonce. The confidentiality of this nonce is paramount: a leaked nonce
gives the private key from a single signature.
* OpenSSL's scalar multiplication (Montgomery ladder) is regular: every
iteration performs one double and one add regardless of the nonce bit, so
the sequence of group operations alone does not leak the bits (intended
to resist side-channel attacks).
* but the branch taken in each iteration does depend on the current nonce
bit (which register is doubled and where the results are stored);
tracing the branches reveals the bits.
* Flush+Reload attack
* cache side channel on x86 machines: one process can monitor another
process's accesses to memory lines the two share (shared libraries,
deduplicated pages).
* the attacker needs code running on the same physical machine that shares
memory with the victim (co-hosted VMs, infected machines).
* (Montgomery ladder) instead of counting additions and doublings, the
attack identifies which branch of the if statement is taken in each
iteration.
* Flush+Reload procedure:
- uses the clflush instruction to evict a monitored memory line from the
cache
- time is divided into slots
- at the beginning of each slot, flush the monitored memory line from the
cache
- at the end of the slot, load the line and time the load
- a load from cache is faster than a load from memory, so the load time
tells whether the victim touched the line during the slot
- slot length is a trade-off: a longer slot reduces measurement overhead,
but raises the probability of missing a victim access (e.g. one that
overlaps the probe itself) and cannot distinguish multiple accesses
within the same slot
https://eprint.iacr.org/2016/230.pdf
ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side
Channels
electromagnetic and power side-channel attacks on OpenSSL and CoreBitcoin
(full key extraction on iOS, partial on Android)
challenges:
- ECDSA is faster than RSA, so each signature leaks less physical
information; the sampling rate must be increased, which is costly and
limited by the frequency of the physical effects
- ECDSA signatures are randomized (fresh nonce per signature), so there is
no deterministic operation to average over as in RSA
* first side-channel attack on ECDSA on mobile devices

* (figure 1)
* recorded 5000 OpenSSL ECDSA signatures on an iPhone 3GS
* measured the electromagnetic emanations of the iPhone
* stored the recorded traces together with the signed messages
* applied a Finite Impulse Response (FIR) filter to suppress noise (result
in figure 5)
* to locate the signing operations, a distinctive pattern was found that
recurs very similarly after each signing operation
* Singular Spectrum Analysis (SSA) was applied as a preprocessing filter to
remove further noise
* the end time of the signing was detected in 1278 of the 5000 traces
* of these 1278, 114 were identified as having their double-and-add (DA)
sequence terminate with at least three elliptic-curve double operations
(which leaks the nonce's low-order bits); 3 of these were false positives
* the lattice attack was run 30 times, each time on a random selection of
85 of the 114 traces (a lattice attack fails if the set contains a wrong
trace, so random subsets dilute the effect of the 3 false positives)
* across the 30 attacks, the key was successfully recovered in 2
* the process took about 2 hours on a desktop PC
* countermeasure
- constant-time implementations with constant memory access patterns (no
branch and no memory address that depends on nonce bits)
* most of the affected software has since been fixed; current versions are
no longer vulnerable to these attacks
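Worked example, added here and not code from either paper or from OpenSSL/CoreBitcoin: a toy Montgomery ladder with the nonce-bit-dependent branch the notes describe, a simulated probe standing in for the Flush+Reload trace, private-key recovery once the nonce is known, and a branchless ladder of the kind the countermeasure bullet asks for. It uses the real secp256k1 parameters but constructed key, hash and nonce values (D, H, K), and it recovers the whole nonce from the trace; the papers go from partial nonce bits to the key with a lattice step, which is omitted here. Python gives no timing guarantees, so the branchless variant shows the structure of the fix, not a constant-time guarantee.

```python
# Added example (not from the papers): leaky vs. branchless Montgomery ladder,
# simulated branch probe, and ECDSA key recovery from a leaked nonce.
# Curve: secp256k1 (real parameters). D, H, K are constructed test values.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

# Constructed (hypothetical) private key, message hash and nonce, all < N.
D = 0x7A3D0C1A5E2B9F40B3C6D8E1A2F4C6B8D0E2F4A6C8B0D2E4F6A8C0B2D4E6F801
H = 0x4A5E1E4BAAB89F3A32518A88C31BC87F618F76673E2CC77AB2127B7AFDEDA33B
K = 0x9D3B1F4E7A2C5D8E0F1A2B3C4D5E6F708192A3B4C5D6E7F80123456789ABCDEF


def inv(x, m):
    return pow(x, -1, m)


def ec_add(a, b):
    """Affine add/double on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF
    if a == b:
        lam = 3 * a[0] * a[0] * inv(2 * a[1], P) % P
    else:
        lam = (b[1] - a[1]) * inv(b[0] - a[0], P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ladder_leaky(k, pt, probe):
    """Regular ladder (one add + one double per bit), but an if/else on the
    bit selects the registers. `probe` stands in for Flush+Reload seeing
    which code path ran in each time slot."""
    r0, r1 = INF, pt
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            probe.append(1)
            r0 = ec_add(r0, r1)
            r1 = ec_add(r1, r1)
        else:
            probe.append(0)
            r1 = ec_add(r0, r1)
            r0 = ec_add(r0, r0)
    return r0


def cswap(swap, a, b):
    """Swap two affine points using arithmetic masks only, no branch on swap."""
    mask = -swap  # 0 -> 0, 1 -> all ones (Python ints are unbounded)
    tx = (a[0] ^ b[0]) & mask
    ty = (a[1] ^ b[1]) & mask
    return (a[0] ^ tx, a[1] ^ ty), (b[0] ^ tx, b[1] ^ ty)


def ladder_branchless(k, pt, probe):
    """Same ladder, but the bit only feeds cswap: identical code path and
    access pattern for 0 and 1, so the probe records nothing. Every iteration
    is an add of two distinct points followed by a doubling, so ec_add's own
    case analysis does not depend on the bit either."""
    r0, r1 = pt, ec_add(pt, pt)  # start below the top set bit: no INF needed
    for i in range(k.bit_length() - 2, -1, -1):
        bit = (k >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = ec_add(r0, r1)
        r0 = ec_add(r0, r0)
        r0, r1 = cswap(bit, r0, r1)
    return r0


def ecdsa_sign(d, h, k, ladder):
    probe = []
    r = ladder(k, G, probe)[0] % N
    s = inv(k, N) * (h + r * d) % N
    return (r, s), probe


def ecdsa_verify(pub, h, sig):
    r, s = sig
    w = inv(s, N)
    pt = ec_add(ladder_branchless(h * w % N, G, []),
                ladder_branchless(r * w % N, pub, []))
    return pt is not INF and pt[0] % N == r


def nonce_from_probe(probe):
    """The trace starts at the top set bit, so the bits read off directly."""
    return int("".join(map(str, probe)), 2)


def recover_private_key(h, sig, k):
    """s = k^-1 (h + r d)  =>  d = (s k - h) r^-1  (mod N)."""
    r, s = sig
    return (s * k - h) * inv(r, N) % N


def demo():
    sig, probe = ecdsa_sign(D, H, K, ladder_leaky)
    k_rec = nonce_from_probe(probe)
    sig2, probe2 = ecdsa_sign(D, H, K, ladder_branchless)
    return (k_rec == K,                              # nonce read off the trace
            recover_private_key(H, sig, k_rec) == D, # key follows from one signature
            sig2 == sig,                             # fix computes the same signature
            probe2 == [])                            # with no branch for the probe to see


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns four `True` values: the 256 recorded branches are the nonce bits, one signature plus that nonce yields D, and the branchless ladder produces the identical signature while leaving the probe empty. In a real attack the probe is a timing measurement per slot and is noisy, which is exactly why the papers combine partially recovered bits from many signatures with a lattice attack rather than reading one nonce off one trace as done here.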
