When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015
- Cite this paper as:
- Kaufmann T., Pelletier H., Vaudenay S., Villegas K. (2016) When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham
The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks . This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements . The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.