When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015
The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks. This paper shows that a timing attack is still achievable against a particular X25519 implementation that follows the RFC 7748 requirements. The attack allows the retrieval of the complete private key used in the ECDH protocol. It is possible because of timing leakage during the Montgomery ladder execution, and it relies on a conditional branch in the Windows runtime library that ships with MSVC 2015. The attack can be applied remotely.
Keywords: Side-channel, Timing attack, ECC, RFC 7748, X25519