论文信息 - When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.

[1] Daniel J. Bernstein,et al. Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[2] P. L. Montgomery. Speeding the Pollard and elliptic curve methods of factorization , 1987 .

[3] Adam Langley,et al. Elliptic Curves for Security , 2016, RFC.

[4] Billy Bob Brumley,et al. Remote Timing Attacks Are Still Practical , 2011, ESORICS.

[5] Pankaj Rohatgi,et al. Template Attacks , 2002, CHES.

[6] Yuval Yarom,et al. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels , 2016, IACR Cryptol. ePrint Arch..

[7] Mehdi Tibouchi,et al. Side-Channel Analysis of Weierstrass and Koblitz Curve ECDSA on Android Smartphones , 2016, CT-RSA.

[8] Nigel P. Smart,et al. Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[9] Naomi Benger,et al. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack , 2014, IACR Cryptol. ePrint Arch..

[10] David Brumley,et al. Remote timing attacks are practical , 2003, Comput. Networks.

[11] Paul C. Kocher,et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.