
Cross-VM RSA Key Recovery in a Public Cloud - p4bl0
http://eprint.iacr.org/2015/898
======
feld
and for history, the 2009 version of this paper

[http://pages.cs.wisc.edu/~rist/papers/cloudsec.html](http://pages.cs.wisc.edu/~rist/papers/cloudsec.html)

------
zmanian
Basically, is RSA so vulnerable to side channels that we can only use it safely
inside HSMs?

I bet this would be much harder to do for ECC.

~~~
ctz
RSA and ECC have similarly-shaped common implementation strategies; just the
underlying field arithmetic is different. You have a secret input (an exponent
in RSA, or scalar in ECC) and work through it bit by bit, doing different
operations if a bit is set vs not set (RSA: square and perhaps multiply, ECC:
double and perhaps add). If the sequence of operations is visible to an attacker
(via power, time, cache, branch predictor, etc.) then your secret key is,
too.

So, ECC implementations are not generally in a better state than RSA.

This is why curve25519 and its ilk are so much better; they can be efficiently
implemented using the Montgomery ladder which is really very easy _and cheap_
to make free of side-channels.
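
The square-and-multiply vs. Montgomery ladder contrast described above, as an added example that is not part of the thread: both routines are instrumented to record their operation sequence (a stand-in for whatever channel is observed), using a small constructed modulus rather than real RSA parameters.

```python
# Added example (not from the thread): toy modular exponentiation instrumented
# to record the sequence of operations, illustrating why a branch on each secret
# bit leaks the exponent and why the Montgomery ladder does not. Modulus and
# exponents are small constructed values for illustration only.

def square_and_multiply(base, exp, mod, nbits):
    """Left-to-right binary exponentiation. Returns (result, op_trace).
    'M' is only appended when the bit is 1, so the trace encodes exp."""
    acc, trace = 1, []
    for i in range(nbits - 1, -1, -1):
        acc = (acc * acc) % mod
        trace.append("S")
        if (exp >> i) & 1:  # secret-dependent branch: observable via time/cache/BTB
            acc = (acc * base) % mod
            trace.append("M")
    return acc, "".join(trace)

def cswap(bit, a, b):
    """Swap (a, b) iff bit == 1 using arithmetic, not a branch."""
    d = (a - b) * bit
    return a - d, b + d

def montgomery_ladder(base, exp, mod, nbits):
    """Montgomery ladder: one multiply and one square per bit, always in the
    same order; the bit only selects which register receives each result,
    so the trace is the same for every exponent of the given length.
    (Python ints are not constant-time; the point is the fixed op sequence.)"""
    r0, r1, trace = 1, base % mod, []  # invariant: r1 == r0 * base
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = (r0 * r1) % mod
        trace.append("M")
        r0 = (r0 * r0) % mod
        trace.append("S")
        r0, r1 = cswap(bit, r0, r1)
    return r0, "".join(trace)

def trace_depends_on_exponent(impl, mod, nbits):
    """True if any two exponents of nbits bits produce different op traces."""
    traces = {impl(2, e, mod, nbits)[1] for e in range(1 << nbits)}
    return len(traces) > 1

if __name__ == "__main__":
    MOD = 1000000007  # constructed prime, not an RSA modulus
    for impl in (square_and_multiply, montgomery_ladder):
        assert impl(3, 0b1011, MOD, 4)[0] == pow(3, 0b1011, MOD)
        print(impl.__name__, "trace depends on exponent:",
              trace_depends_on_exponent(impl, MOD, 4))
```

Running it prints True for square_and_multiply and False for montgomery_ladder, which is the property ctz refers to; a production ladder must additionally avoid secret-dependent memory addressing, which this toy does not model.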

~~~
mardurhack
No, some implementations of the Montgomery ladder are not invulnerable to
side-channel attacks[1].

Unfortunately these attacks all focus on implementation issues rather than the
underlying algorithms (hence the name).

[1] [https://eprint.iacr.org/2014/140.pdf](https://eprint.iacr.org/2014/140.pdf)

------
geggam
So... what does this mean for PCI/DSS in the cloud ?

~~~
wmf
Intel will bribe PCI to make Cache Allocation Technology yet another checkbox?

