Hello,

I have read this paper https://eprint.iacr.org/2017/806.pdf on a side channel attack on Libgcrypt’s implementation of curve25519.

There are some countermeasures (I list them below) suggested to make ECC library resistant to this type of attack, and I would like to ask whether these countermeasure have been implemented in WolfSSL Crypto.

Countermeasures:
1) Constant Time Arithmetic
2) Rejecting Known Bad Points
3) Point Blinding
4) Scalar Randomization

About countermeasure 1), in the manual I read "wolfSSL provides the function “ConstantCompare” which guarantees constant time when doing comparison operations that could potentially leak timing information". Is "constant time" achieved also for the field arithmetic operations used for ECC?

About countermeasure 3), I know there is an build option, --enable-harden, that provides point blinding. Could you confirm that this applies to ECC points?

To sum up, my question is: is WolfSSL implementation of curve25519 vulnerable to the attack described in the paper?

Best regards,
Michela