International Conference on Cryptology and Network Security

CANS 2016: Cryptology and Network Security pp 573-582

When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

  • Thierry Kaufmann
  • Hervé Pelletier
  • Serge Vaudenay
  • Karine Villegas
Conference paper

DOI: 10.1007/978-3-319-48965-0_36

Volume 10052 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Kaufmann T., Pelletier H., Vaudenay S., Villegas K. (2016) When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham

Abstract

The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack recovers the complete private key used in the ECDH protocol. It exploits timing leakage during the Montgomery ladder execution; the leakage does not come from the constant-time source code itself but from a conditional branch in the Microsoft Visual C++ 2015 (MSVC 2015) runtime library that the compiled binary calls. The attack can be applied remotely.
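As an added illustration (this is not code from the paper, from curve25519-donna, or from the MSVC runtime), the C model below shows the mechanism the abstract describes: a source-level multiplication with no branch in it can still be compiled into a call to a runtime helper that takes a data-dependent fast path. The helper `mul64_branchy`, its fast-path condition (both operands fit in 32 bits), and the `mul32_count` cost counter are constructed here as assumptions so the data dependence is observable deterministically; they stand in for a cycle counter, not for the real library's code.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed cost model: number of 32x32->64 hardware multiplies issued.
 * It stands in for a cycle counter so the data dependence is deterministic. */
static unsigned long mul32_count = 0;

static uint64_t mul32(uint32_t a, uint32_t b) {
    mul32_count++;
    return (uint64_t)a * b;
}

/* Model of a variable-time 64-bit multiply helper (assumption, not the MSVC
 * runtime's code): when both operands fit in 32 bits, take a one-multiply
 * fast path; otherwise compute the low 64 bits of the full product. */
uint64_t mul64_branchy(uint64_t a, uint64_t b) {
    uint32_t a_lo = (uint32_t)a, a_hi = (uint32_t)(a >> 32);
    uint32_t b_lo = (uint32_t)b, b_hi = (uint32_t)(b >> 32);
    if ((a_hi | b_hi) == 0) {
        return mul32(a_lo, b_lo);                 /* fast path: 1 multiply */
    }
    uint64_t lo = mul32(a_lo, b_lo);
    uint64_t cross = mul32(a_lo, b_hi) + mul32(a_hi, b_lo);
    return lo + (cross << 32);                    /* slow path: 3 multiplies */
}

/* Constant-time counterpart: the same arithmetic, but every path issues all
 * three multiplies, so the cost does not depend on operand values. */
uint64_t mul64_ct(uint64_t a, uint64_t b) {
    uint32_t a_lo = (uint32_t)a, a_hi = (uint32_t)(a >> 32);
    uint32_t b_lo = (uint32_t)b, b_hi = (uint32_t)(b >> 32);
    uint64_t lo = mul32(a_lo, b_lo);
    uint64_t cross = mul32(a_lo, b_hi) + mul32(a_hi, b_lo);
    return lo + (cross << 32);
}

/* A source-level, branch-free product of two signed limbs, written the way a
 * donna-style field multiplication writes it. With a helper like
 * mul64_branchy underneath, its cost depends on the operands: a negative limb
 * is sign-extended, so its high word is non-zero and it misses the fast path. */
uint64_t limb_product(int64_t x, int64_t y) {
    return mul64_branchy((uint64_t)x, (uint64_t)y);
}

/* Cost (in modelled multiplies) of one call with the given operands. */
unsigned long cost_of(uint64_t (*mul)(uint64_t, uint64_t), uint64_t a, uint64_t b) {
    mul32_count = 0;
    (void)mul(a, b);
    return mul32_count;
}

int main(void) {
    /* Constructed sample limbs: same magnitude, one of them negative. */
    int64_t small = 5, neg = -5, other = 7;
    printf("branchy  5 *  7: %lu multiplies\n", cost_of(mul64_branchy, (uint64_t)small, (uint64_t)other));
    printf("branchy -5 *  7: %lu multiplies\n", cost_of(mul64_branchy, (uint64_t)neg, (uint64_t)other));
    printf("ct       5 *  7: %lu multiplies\n", cost_of(mul64_ct, (uint64_t)small, (uint64_t)other));
    printf("ct      -5 *  7: %lu multiplies\n", cost_of(mul64_ct, (uint64_t)neg, (uint64_t)other));
    printf("limb_product(-5, 7) = %lld\n", (long long)(int64_t)limb_product(neg, other));
    return 0;
}
```

The point to take from the model is that auditing the C source for branches is not sufficient: the binary has to be checked (by inspecting the emitted calls and the callee, or by measuring timing on the actual build) because the compiler and its runtime can reintroduce operand-dependent control flow that the source never contained.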

Keywords

Side-channel · Timing attack · ECC · RFC 7748 · X25519

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Thierry Kaufmann (1)
  • Hervé Pelletier (1)
  • Serge Vaudenay (2)
  • Karine Villegas (3)
  1. Kudelski Security, Cheseaux, Switzerland
  2. EPFL, Lausanne, Switzerland
  3. Nagravision, Cheseaux, Switzerland