

Flush+Reload side-channel attacks on secp256k1 used in Bitcoin protocol [pdf] - mukyu
http://eprint.iacr.org/2014/161.pdf

======
epaga
Here's a great ELI5 summary by reddit user "underachiever" on the reddit
discussion page linked to by p4bl0. Can't vouch for its accuracy, but it at
least makes a bit of sense to me:

Basically you run a co-process that invalidates cache lines by evicting them
out of the cache. While each process has its own virtual memory, they all
share physical memory, and physical memory is mapped to the cache in a lossy
fashion (because there is less cache than physical memory). So if you guess
that a particular temp variable is on cache line X you can evict it. Now if
the algorithm chooses to use that variable based on a bit of the key then you
can measure it (the overall operation). So now you know that a particular
bit (or bits) of the key is probably that value. The trick is to refine the attack
so your evictions are meaningful (e.g. you evict the right data and at the
right time).

Where this attack fails practicality:

* It requires the victim to be signing a lot and on demand. That is, the attacker basically forces you to sign things

* The attacker needs to run an unprivileged task on your machine

Where it gets weird ...

* The attack can be placed in a completely different VM so long as it runs on the same host processor

* The attack is unprivileged

* The only way to prevent the attack is to lock down all other cores and processes while this operation is happening

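The "chooses to use that variable based on a bit of the key" point, as an added example that is not from the thread, the paper or any Bitcoin/OpenSSL code: a scalar multiplication whose executed code path spells out the key, next to a Montgomery ladder that performs the same addition and doubling for every bit (the usual fix). It uses the real secp256k1 parameters in plain affine arithmetic; Python big-integer operations are not constant-time, so only the control-flow structure is demonstrated.

```python
# Added example, not from the thread or the paper: a key-dependent branch a
# cache probe can observe, next to a Montgomery ladder whose sequence of
# operations is the same for every key. secp256k1 parameters, affine coords.
P = 2**256 - 2**32 - 977                      # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TRACE = []   # which code path ran: 'D' for a doubling, 'A' for an addition

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    TRACE.append('D' if p1 == p2 else 'A')    # stands in for the probed code address
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:       # Q + (-Q) = infinity
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_double_and_add(k, pt):
    """Leaky: add(acc, pt) runs only for 1 bits, so the sequence of code
    executed (and of cache lines touched) spells out the scalar."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc

def mul_ladder(k, pt):
    """Montgomery ladder: one addition and one doubling per bit whatever the
    bit is; a real implementation replaces the swap by a masked cswap."""
    r0, r1 = None, pt                         # invariant: r1 == r0 + pt
    for bit in bin(k)[2:]:
        b = int(bit)
        r0, r1 = ((r0, r1), (r1, r0))[b]
        r1 = add(r0, r1)
        r0 = add(r0, r0)
        r0, r1 = ((r0, r1), (r1, r0))[b]
    return r0

def trace_of(mul, k, pt=G):
    TRACE.clear()                             # record the code path taken for k
    mul(k, pt)
    return ''.join(TRACE)
```

Comparing `trace_of(mul_double_and_add, k)` with `trace_of(mul_ladder, k)` for a few scalars shows the first trace changing with every bit of k and the second staying `ADAD...` regardless of k.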
~~~
p4bl0
Yes, that's pretty much it. A very similar technique was already used 2 years
ago by Zhang et al. in their paper _Cross-VM Side Channels and Their Use to
Extract Private Keys_ [1] at CCS.

[1]
[https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf](https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf)

------
p4bl0
I posted that earlier but it did not get any traction. I guess I should have
added "Bitcoin" in the link title…

Anyway, there are some reactions on the crypto subreddit
([https://pay.reddit.com/r/crypto/comments/1zmzto/sidechannel_...](https://pay.reddit.com/r/crypto/comments/1zmzto/sidechannel_attack_against_openssls_ecdsa/))
and Twitter
([https://twitter.com/matthew_d_green/status/44123758372587520...](https://twitter.com/matthew_d_green/status/441237583725875200)).

