Topic: Side channel attack on Curve25519 implementation

Hello,

I have read this paper https://eprint.iacr.org/2017/806.pdf on a side channel attack on Libgcrypt’s implementation of curve25519.

There are some countermeasures (I list them below) suggested to make ECC library resistant to this type of attack, and I would like to ask whether these countermeasure have been implemented in WolfSSL Crypto.

Countermeasures:
1) Constant Time Arithmetic
2) Rejecting Known Bad Points
3) Point Blinding
4) Scalar Randomization

About countermeasure 1), in the manual I read "wolfSSL provides the function “ConstantCompare” which guarantees constant time when doing comparison operations that could potentially leak timing information". Is "constant time" achieved also for the field arithmetic operations used for ECC?

About countermeasure 3), I know there is an build option, --enable-harden, that provides point blinding. Could you confirm that this applies to ECC points?

To sum up, my question is: is WolfSSL implementation of curve25519 vulnerable to the attack described in the paper?

Best regards,
Michela

Share

Re: Side channel attack on Curve25519 implementation

Hi michymd,

Could you tell us a little about what it is you are working on and what led to this investigation?

wolfSSL provides the setting ECC_TIMING_RESISTANT and it is enabled by default in MOST cases. When it is not on by default we actually force a warning.

Looking forward to hearing more about what is motivating the interest here!

Warm Regards,

Kaleb

Re: Side channel attack on Curve25519 implementation

michymd,

We got a chance to read through parts of the research you sent and from what we can tell this research applied to the underling math library (libgcrypt). wolfSSL does not use this math library, our math was based off ref10 which has built-in timing resistance for curve25519.

Looking forward to details of your research and interest!

Warm Regards,

Kaleb