When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

  • Thierry Kaufmann
  • Hervé Pelletier
  • Serge Vaudenay
  • Karine Villegas
Conference paper

DOI: 10.1007/978-3-319-48965-0_36

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)
Cite this paper as:
Kaufmann T., Pelletier H., Vaudenay S., Villegas K. (2016) When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham

Abstract

The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.

Keywords

Side-channel Timing attack ECC RFC 7748 X25519 

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Thierry Kaufmann
    • 1
  • Hervé Pelletier
    • 1
  • Serge Vaudenay
    • 2
  • Karine Villegas
    • 3
  1. 1.Kudelski SecurityCheseauxSwitzerland
  2. 2.EPFLLausanneSwitzerland
  3. 3.NagravisionCheseauxSwitzerland

Personalised recommendations