Daniel Genkin and Yuval Yarom (University of Pennsylvania and University of Maryland; University of Adelaide)
Wednesday, 3 January 2018, 11:30
In recent years, applications have increasingly adopted security primitives designed from the start with built-in side-channel protection. A concrete example is Curve25519, which has recently been standardized in RFC 7748. Doing away with obvious leakage sources such as key-dependent branches and memory accesses, RFC 7748 dictates that implementations use a highly regular Montgomery ladder for scalar-by-point multiplication, a unified, branchless double-and-add formula, and a constant-time argument swap within the ladder. Moreover, because Curve25519 provides innate protection from small-subgroup attacks (the clamped scalar is a multiple of the cofactor 8, so a low-order input point always yields the same all-zero output), it is recommended that implementations do not validate their inputs and complete the Diffie-Hellman computation irrespective of the input's mathematical properties.
In this talk we demonstrate that the failure to perform input validation, combined with the unique mathematical structure of Curve25519, can be used to amplify side-channel leakage from several RFC 7748-compliant implementations. As case studies, we investigate two such implementations: libgcrypt and the reference implementation provided as part of the NaCl library. We show effective attacks on both, recovering secret key material from just a single leakage trace.
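As an added worked example (not code from the talk, nor from libgcrypt or NaCl), the following pure-Python X25519 ladder follows RFC 7748 step by step, clamping the scalar and using a mask-based conditional swap, and records after every ladder step which coordinate of the doubled projective point is exactly zero when the peer's u-coordinate is the order-4 point u = 1 (the same algebra holds for u = p - 1, the other order-4 u-coordinate). With such an input every intermediate point is one of only four multiples of the input, so the zero pattern alone encodes whether consecutive key bits are equal, and `recover_scalar` turns the pattern back into the clamped scalar. Whether a particular implementation actually exposes that zero pattern through a microarchitectural or physical channel is the subject of the talk and is not claimed by this code; the function names `ladder`, `recover_scalar` and `demo` and the constant `ORDER4_U` are the example's own.

```python
# Added example (not code from the talk, libgcrypt or NaCl): the RFC 7748
# X25519 Montgomery ladder in pure Python, instrumented to record which
# projective coordinate of the "doubled" slot is exactly zero after each step.
# Python big-int arithmetic is not constant-time; the point here is the algebra.
import os

P = 2**255 - 19
A24 = 121665            # (A - 2) / 4 with A = 486662
BITS = 255
ORDER4_U = 1            # u-coordinate of a point of order 4 (name is ours)


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 prescribes: clear the low three
    bits (so k is a multiple of the cofactor 8), clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap (swap is 0 or 1), mirroring the RFC's
    mask-and-xor idiom; Python ints are not constant-time, though."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def ladder(k: int, u: int, trace=None) -> int:
    """X25519 scalar-by-point multiplication on u-coordinates (RFC 7748).
    If trace is a list, (x2 == 0, z2 == 0) is appended after every step."""
    x1 = u % P
    x2, z2 = 1, 0                 # projective point at infinity
    x3, z3 = x1, 1                # the input point
    swap = 0
    for t in range(BITS - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P                  # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                         # doubling
        z2 = e * ((aa + A24 * e) % P) % P
        if trace is not None:
            trace.append((x2 == 0, z2 == 0))
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def recover_scalar(trace) -> int:
    """Reconstruct the clamped scalar from the zero pattern recorded with an
    order-4 input. After step t the doubled slot holds x(2mP) with
    m = (k >> (t + 1)) + k_t. For an order-4 P, 2mP is the point at infinity
    (z2 == 0) iff m is even, i.e. iff k_t == k_{t+1}; otherwise 2mP is the
    order-2 point u = 0 (x2 == 0). Bit 255 is known to be 0 from clamping."""
    k = 0
    prev = 0
    for i, (x2_zero, z2_zero) in enumerate(trace):
        if x2_zero == z2_zero:
            raise ValueError("trace does not come from an order-4 input")
        bit = prev ^ (0 if z2_zero else 1)
        k |= bit << (BITS - 1 - i)
        prev = bit
    return k


def demo(seed: bytes = None):
    """Run the ladder on the order-4 point and rebuild k from the zero pattern.
    Returns (shared_secret, recovered_scalar, clamped_scalar)."""
    k = decode_scalar(seed if seed is not None else os.urandom(32))
    trace = []
    secret = ladder(k, ORDER4_U, trace)
    return secret, recover_scalar(trace), k


if __name__ == "__main__":
    s, rec, k = demo()
    print("output u =", s, "(always 0 for a low-order input)")
    print("scalar recovered from the zero pattern:", rec == k)
```

The output for u = 1 is always 0 because the clamped scalar is a multiple of 8, so kP is the point at infinity; this is the "innate protection" the abstract refers to. Note that the optional all-zero check RFC 7748 permits runs only after the ladder has finished, so it does nothing about the key-dependent intermediate values that an unvalidated low-order input creates during the computation; rejecting low-order u-coordinates before the ladder starts does.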
Joint work with Daniel Genkin, Niels Samwel, Luke Valenta, and Yuval Yarom.