When Constant-time Source Yields Variable-time Binary: Exploiting Curve25519-donna Built with MSVC 2015

The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [11]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.


Published in:
Cryptology And Network Security, Cans 2016, 10052, 573-582
Presented at:
15th International Conference on Cryptology and Network Security, Milan, Italy, November 14-16, 2016
Year:
2016
Publisher:
Cham, Springer Int Publishing Ag
ISSN:
0302-9743
ISBN:
978-3-319-48965-0
978-3-319-48964-3

Record created 2016-12-21, last modified 2018-09-13
