When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

  • Thierry Kaufmann
  • Hervé Pelletier
  • Serge Vaudenay
  • Karine Villegas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10052)


The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.
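The abstract's point is that the leak is introduced below the source level: the C code takes no secret-dependent branch, but a helper the compiled binary calls does. The defender's check for this class of problem is a fixed-versus-random timing test run against the built artifact rather than the source. The following is an added, self-contained example (not code from the paper, from curve25519-donna, or from the MSVC runtime): `mul_shortcut` is a hypothetical cost model of a multiply helper that takes a cheaper path when both operands fit in 32 bits, `mul_constant` is its constant-cost counterpart, and `timing_t_statistic` applies a dudect-style Welch t-test to the recorded costs. The operand shapes, the cost numbers and the 4.5 threshold are constructed for the illustration; a real test would measure cycle counters on the actual binary.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cost model of a runtime multiply helper with an operand-dependent
 * branch. This illustrates the class of branch the abstract describes; it is not
 * the MSVC 2015 runtime's code. g_cost counts the "cycles" the last call spent. */
static unsigned long g_cost;

uint64_t mul_shortcut(uint64_t a, uint64_t b) {
    if ((a >> 32) == 0 && (b >> 32) == 0)
        g_cost += 1;                  /* fast path: one 32x32 product */
    else
        g_cost += 4;                  /* slow path: four partial products */
    return a * b;
}

/* Constant-cost counterpart: always pays for the full schoolbook multiply. */
uint64_t mul_constant(uint64_t a, uint64_t b) {
    g_cost += 4;
    return a * b;
}

typedef uint64_t (*mul_fn)(uint64_t, uint64_t);

/* xorshift64 with a fixed seed: constructed, reproducible inputs for the test. */
static uint64_t rng = 0x9E3779B97F4A7C15ULL;
static uint64_t next_rand(void) {
    rng ^= rng << 13; rng ^= rng >> 7; rng ^= rng << 17;
    return rng;
}

/* Newton iteration so the example needs no libm. */
static double sqrt_newton(double x) {
    double r = x > 1.0 ? x : 1.0;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + x / r);
    return r;
}

/* Fixed-vs-random leakage test: class 0 always multiplies the same small
 * operands, class 1 multiplies operands of random bit length. Returns Welch's
 * t statistic between the two cost samples; |t| above about 4.5 is the usual
 * "this leaks" verdict. */
double timing_t_statistic(mul_fn f, int n) {
    double sum[2] = {0.0, 0.0}, sumsq[2] = {0.0, 0.0};
    int cnt[2] = {0, 0};
    rng = 0x9E3779B97F4A7C15ULL;      /* reset so every run sees the same inputs */
    for (int i = 0; i < n; i++) {
        int cls = (int)(next_rand() & 1);
        uint64_t a = 5, b = 7;        /* class 0: fixed operands */
        if (cls) {                    /* class 1: random-length operands */
            a = next_rand() >> (next_rand() & 63);
            b = next_rand() >> (next_rand() & 63);
        }
        g_cost = 0;
        (void)f(a, b);
        double c = (double)g_cost;
        sum[cls] += c; sumsq[cls] += c * c; cnt[cls]++;
    }
    double m0 = sum[0] / cnt[0], m1 = sum[1] / cnt[1];
    double v0 = (sumsq[0] - sum[0] * m0) / (cnt[0] - 1);   /* sample variances */
    double v1 = (sumsq[1] - sum[1] * m1) / (cnt[1] - 1);
    double denom = v0 / cnt[0] + v1 / cnt[1];
    if (denom == 0.0)                 /* both samples constant: no spread to test */
        return m0 == m1 ? 0.0 : 1.0e9;
    return (m0 - m1) / sqrt_newton(denom);
}

/* Verdict helper using the conventional threshold. */
int leaks_timing(mul_fn f, int n) {
    double t = timing_t_statistic(f, n);
    return t > 4.5 || t < -4.5;
}

int main(void) {
    printf("shortcut multiply: t = %.1f -> %s\n", timing_t_statistic(mul_shortcut, 4000),
           leaks_timing(mul_shortcut, 4000) ? "LEAKS" : "ok");
    printf("constant multiply: t = %.1f -> %s\n", timing_t_statistic(mul_constant, 4000),
           leaks_timing(mul_constant, 4000) ? "LEAKS" : "ok");
    return 0;
}
```

The design point is that the test never looks at the source: it only needs a callable and a cost measurement, which is why it catches a branch that a compiler or runtime library inserted after the code was reviewed for constant-time behaviour.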


Keywords: Side-channel, Timing attack, ECC, RFC 7748, X25519


References

  1. Belgarric, P., Fouque, P.-A., Macario-Rat, G., Tibouchi, M.: Side-Channel Analysis of Weierstrass and Koblitz Curve ECDSA on Android Smartphones. Cryptology ePrint Archive, Report 2016/231 (2016)
  2. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). doi:10.1007/11745853_14
  3. Brumley, D., Boneh, D.: Remote timing attacks are practical. Computer Networks, pp. 701–716 (2005)
  4. Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 355–371. Springer, Heidelberg (2011)
  5. Chari, S., Rao, J.R., Rohatgi, P.: Template Attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). doi:10.1007/3-540-36400-5_3
  6. Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., Yarom, Y.: ECDSA key extraction from mobile devices via nonintrusive physical side channels. Cryptology ePrint Archive, Report 2016/230 (2016)
  7. Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001)
  8. Kocher, P.C.: Timing Attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_9
  9. Langley, A.: Implementation of curve25519-donna. Accessed 16 Sep 2015
  10. Turner, S., Langley, A., Hamburg, M.: Elliptic Curves for Security. IETF RFC 7748, January 2016

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Thierry Kaufmann (1)
  • Hervé Pelletier (1)
  • Serge Vaudenay (2)
  • Karine Villegas (3)

  1. Kudelski Security, Cheseaux, Switzerland
  2. EPFL, Lausanne, Switzerland
  3. Nagravision, Cheseaux, Switzerland
