On 3/5/2014 7:49 AM, Mike Hearn wrote:
> A new practical technique has been published that can recover
> secp256k1 private keys after observing OpenSSL calculate as little as
> 200 signatures:
>
> http://eprint.iacr.org/2014/161.pdf
>
> This attack is based on the FLUSH+RELOAD technique published last
> year. It works by observing L3 CPU cache timings and forcing cache
> line flushes using the clflush opcode. As a result, it is applicable
> to any x86 environment where an attacker may be able to run on the
> same hardware i.e. virtualised hosting environments where keys are
> being reused.
>
> I am not currently aware of any efforts to make OpenSSL's secp256k1
> implementation completely side channel free in all aspects. Also,
> unfortunately many people have reimplemented ECDSA themselves and even
> if OpenSSL gets fixed, the custom implementations probably won't.
>
> So, IMHO this is a sign for hot wallet users to start walking (but not
> running) towards the exits of these shared cloud services: it doesn't
> feel safe to sign transactions on these platforms, so hot wallets
> should be managed by dedicated hardware. Of course other parts of the
> service, like the website, are less sensitive and can still run in the
> cloud. I doubt the researchers will release their code to do the side
> channel attack and it's rather complex to reimplement, so this gives
> some time for mitigation. Unfortunately the huge sums being held in
> some "bitbank" style hot wallets mean that attackers are well
> motivated to pull off even quite complex attacks.
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development

How can we patch this issue?

-- 
Kevin
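The thread above describes the attack only at the level of "cache timing on the scalar multiplication leaks the nonce, and the nonce gives up the key". The example below is added here to make that chain concrete; it is not code from the mailing list, from the paper, or from OpenSSL. It uses a minimal, deliberately non-constant-time secp256k1 implementation in which a plain right-to-left double-and-add branches on every nonce bit, records that branch pattern as a stand-in for what a FLUSH+RELOAD probe on the point-addition code would observe, reconstructs the full nonce k from it, and then recovers the private key with d = (s*k - z) / r mod n. The cited paper targets OpenSSL's wNAF scalar multiplication, extracts only part of each nonce, and combines roughly 200 signatures with a lattice step; that lattice step is not reproduced here, and the simplified single-signature, full-nonce case is shown instead to make the key-recovery arithmetic visible. The private key, nonce and message hash are constructed test values.

```python
"""Why a nonce side channel in ECDSA leaks the signing key (secp256k1).

Added example, not code from the thread, the paper or OpenSSL. The curve
arithmetic is intentionally NOT constant time: it models the leak, it is
not a recommendation for how to implement scalar multiplication.
"""

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mul_traced(k, point):
    """Right-to-left double-and-add that branches on each bit of k.

    Returns (k*point, trace). The trace records, per bit (LSB first),
    whether the conditional point_add ran. A FLUSH+RELOAD probe on the
    cache lines of the add routine would observe exactly this pattern;
    here it is simply recorded so the leak can be replayed.
    """
    result, trace = None, []
    while k:
        if k & 1:
            result = point_add(result, point)
            trace.append("add")
        else:
            trace.append("skip")
        point = point_add(point, point)
        k >>= 1
    return result, trace


def ecdsa_sign(d, z, k):
    """Textbook ECDSA: returns (r, s) plus the trace left by k*G."""
    R, trace = scalar_mul_traced(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    assert r != 0 and s != 0
    return (r, s), trace


def ecdsa_verify(Q, z, sig):
    """Standard verification: r == x(u1*G + u2*Q) mod n."""
    r, s = sig
    w = pow(s, -1, N)
    X = point_add(scalar_mul_traced(z * w % N, G)[0],
                  scalar_mul_traced(r * w % N, Q)[0])
    return X is not None and X[0] % N == r


def nonce_from_trace(trace):
    """Rebuild k from the observed branch pattern: bit i is set iff step i added."""
    k = 0
    for i, step in enumerate(trace):
        if step == "add":
            k |= 1 << i
    return k


def private_key_from_nonce(z, r, s, k):
    """From s = k^-1 (z + r d): d = (s k - z) r^-1 mod n."""
    return (s * k - z) * pow(r, -1, N) % N


def demo():
    """Sign once with the leaky multiply, recover k from the leak, recover d.

    Key, nonce and hash are constructed values, not taken from any real wallet.
    Returns (d, recovered_d, nonce_recovered, signature_valid).
    """
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    Q = scalar_mul_traced(d, G)[0]
    z = int.from_bytes(b"\x11" * 32, "big")            # stands in for a tx hash
    k = 0x7E1B9D0A4C55F1A2B3C4D5E6F70819253C4B5A69788796A5B4C3D2E1F0A1B2C3
    (r, s), trace = ecdsa_sign(d, z, k)
    k_rec = nonce_from_trace(trace)
    d_rec = private_key_from_nonce(z, r, s, k_rec)
    return d, d_rec, k_rec == k, ecdsa_verify(Q, z, (r, s))


if __name__ == "__main__":
    d, d_rec, nonce_ok, sig_ok = demo()
    print("signature verifies:", sig_ok)
    print("nonce recovered from branch trace:", nonce_ok)
    print("private key recovered:", d == d_rec)
```

The mitigation side of Kevin's question follows directly from the model: the trace is only informative because the add routine runs or does not run depending on a nonce bit, so the fix is a scalar multiplication whose sequence of memory accesses and instructions is independent of k (for example a ladder or a fixed-window method with a constant access pattern), together with not sharing hardware with untrusted tenants while signing, which is the operational step Mike suggests in the quoted message.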