OpenSSL PowerPC Architecture Minerva Attack Vulnerability

Vulnerability

A vulnerability in OpenSSL versions 3.0.0 to 3.3.2 on the PowerPC architecture allows a Minerva attack, which exploits timing variations in ECDSA signing. By measuring how long it takes to sign messages with the EVP_DigestSign API, an attacker can infer information about the nonce (K value) used in each signature, and through it the private key. Comparing the signing times of full-sized nonces with those of smaller nonces provides a statistical basis for extracting the private key. The vulnerability arises from a side-channel leak in the P-364 elliptic curve implementation, where the signing time correlates with the bit size of the nonce, allowing private key recovery after analyzing a few hundred to a few thousand signatures.

Impact

Successful exploitation allows for the extraction of private keys from ECDSA signatures, compromising the security of cryptographic operations that rely on these keys.

Reproduction

The vulnerability can be reproduced by collecting timing data from ECDSA signature operations on an affected PowerPC system running OpenSSL 3.0.0 to 3.3.2. This can be done using a Python script that measures the duration of signing operations while the 'pyscard' library is used to communicate with a smart card that performs the signing. The collected timing data can then be analyzed to extract the nonce bit-length, which is crucial for the attack. After gathering enough signatures, the private key can be recovered using lattice reduction techniques, leveraging the information about the nonces obtained from the timing measurements.

Remediation

Users can update to OpenSSL versions 3.3.3 or later, where this vulnerability has been addressed.
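To confirm that a given build no longer shows the correlation between signing time and nonce bit size described above, a tester who owns the signing key (and so knows each nonce's bit length) can compare timings for full-size and shorter nonces with a rank test. The following is an added example, not code from OpenSSL or from the original page; the function names, the 4-bit gap, the z threshold of 4.0, the 20-sample minimum and the sample data are all assumptions made for illustration.

```python
import math

ORDER_BITS = 384  # constructed demo value: bit length of the curve's group order

def mann_whitney_z(a, b):
    """z-score of Mann-Whitney U for a vs b (average ranks for ties, no tie correction)."""
    pooled = sorted([(v, 0) for v in a] + [(v, 1) for v in b])
    rank_sum_a, i = 0.0, 0
    while i < len(pooled):
        j = i
        while j < len(pooled) and pooled[j][0] == pooled[i][0]:
            j += 1
        avg_rank = (i + 1 + j) / 2  # mean of the 1-based ranks i+1 .. j
        rank_sum_a += avg_rank * sum(1 for k in range(i, j) if pooled[k][1] == 0)
        i = j
    n1, n2 = len(a), len(b)
    u = rank_sum_a - n1 * (n1 + 1) / 2
    return (u - n1 * n2 / 2) / math.sqrt(n1 * n2 * (n1 + n2 + 1) / 12)

def nonce_timing_leak(samples, order_bits, min_gap=4, z_threshold=4.0):
    """samples: (nonce_bit_length, signing_time_ns) pairs from a key the tester owns.
    Returns (leak_detected, z); z > 0 means full-size nonces sign slower."""
    full = [t for bits, t in samples if bits == order_bits]
    short = [t for bits, t in samples if bits <= order_bits - min_gap]
    if len(full) < 20 or len(short) < 20:
        raise ValueError("need at least 20 samples in each group")
    z = mann_whitney_z(full, short)
    return abs(z) > z_threshold, z

def constructed_samples(ns_per_bit, count=410):
    """Constructed data, not measurements: time = base + ns_per_bit * bits + noise."""
    out = []
    for i in range(count):
        bits = ORDER_BITS if i % 2 == 0 else ORDER_BITS - 4 - (i % 3)
        noise = (6 * i) % 41 - 20  # deterministic stand-in for jitter
        out.append((bits, 5000 + ns_per_bit * bits + noise))
    return out

if __name__ == "__main__":
    for label, slope in (("leaky", 20), ("constant-time", 0)):
        leak, z = nonce_timing_leak(constructed_samples(slope), ORDER_BITS)
        print(f"{label}: leak={leak} z={z:.1f}")
```

On real measurements, set `order_bits` to the bit length of the group order of the curve under test and collect enough signatures that the short-nonce group is well populated.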

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.