Type: Conference paper
Title: May the fourth be with you: a microarchitectural side channel attack on several real-world applications of Curve25519
Author: Genkin, D.
Valenta, L.
Yarom, Y.
Citation: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017, pp. 845-858
Publisher: Association for Computing Machinery
Issue Date: 2017
ISBN: 9781450349468
ISSN: 1543-7221
Conference Name: ACM SIGSAC Conference on Computer and Communications Security (CCS) (30 Oct 2017 - 03 Nov 2017 : Dallas, TX, US)
Statement of Responsibility: Daniel Genkin, Luke Valenta, Yuval Yarom
Abstract: In recent years, applications increasingly adopt security primitives designed with better countermeasures against side channel attacks. A concrete example is Libgcrypt’s implementation of ECDH encryption with Curve25519. The implementation employs the Montgomery ladder scalar-by-point multiplication, uses the unified, branchless Montgomery double-and-add formula and implements a constant-time argument swap within the ladder. However, Libgcrypt’s field arithmetic operations are not implemented in a constant-time side-channel-resistant fashion. Based on the secure design of Curve25519, users of the curve are advised that there is no need to perform validation of input points. In this work we demonstrate that when this recommendation is followed, the mathematical structure of Curve25519 facilitates the exploitation of side-channel weaknesses. We demonstrate the effect of this vulnerability on three software applications—encrypted git, email and messaging—that use Libgcrypt. In each case, we show how to craft malicious OpenPGP files that use the Curve25519 point of order 4 as a chosen ciphertext to the ECDH encryption scheme. We find that the resulting interactions of the point at infinity, order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine create side channel leakage that allows us to recover the private key in as few as 11 attempts to access such malicious files.
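The following is an added illustration of the mechanism the abstract describes; it is not code from the paper and not Libgcrypt's implementation. It runs a pure-Python x-only Montgomery ladder for Curve25519 (RFC 7748 formulas, branch-free swap) on the order-4 point x = 1, where the only multiples that ever appear are the point at infinity (Z = 0), the order-2 point (X = 0) and the input point itself. The leak model is an assumption made here for illustration: the attacker learns, for each ladder step, which field multiplications had a zero operand, as a stand-in for non-constant-time multiprecision arithmetic. The paper's real channel is Flush+Reload against Libgcrypt and is not reproduced; the model is noiseless, so one trace suffices, whereas the paper reports as few as 11 accesses. The recovery routine, the function names and the sample scalar are likewise assumptions of this example. The last function is the input-point check that the "no validation needed" advice omits: multiply by the cofactor 8 and reject a zero result.

```python
"""Curve25519 ladder on the order-4 point, plus a toy zero-operand leak model.
Added example, not the paper's or Libgcrypt's code; the leak model and all
names are assumptions made here."""

P = 2**255 - 19
A24 = 121666          # (486662 + 2) / 4, the Montgomery-ladder constant
ORDER4_X = 1          # x-coordinate of Curve25519's points of order 4
BITS = 255            # X25519 scalars are used modulo 2^255 (bits 254..0)


def mul(a, b, log):
    """Field multiply that records whether an operand was zero (assumed leak:
    the attacker learns this flag for every multiplication in a step)."""
    log.append(a % P == 0 or b % P == 0)
    return a * b % P


def cswap(swap, a, b):
    """Branch-free conditional swap, as a constant-time ladder would use."""
    d = (a ^ b) & -swap
    return a ^ d, b ^ d


def swap_pair(swap, r0, r1):
    x0, x1 = cswap(swap, r0[0], r1[0])
    z0, z1 = cswap(swap, r0[1], r1[1])
    return (x0, z0), (x1, z1)


def ladder_step(x1, r0, r1, log):
    """One RFC 7748 step: returns (2*r0, r0 + r1) with x1 = x(r1 - r0)."""
    x2, z2 = r0
    x3, z3 = r1
    a, b = (x2 + z2) % P, (x2 - z2) % P
    aa, bb = mul(a, a, log), mul(b, b, log)
    e = (aa - bb) % P
    c, d = (x3 + z3) % P, (x3 - z3) % P
    da, cb = mul(d, a, log), mul(c, b, log)
    s, t = (da + cb) % P, (da - cb) % P
    x3 = mul(s, s, log)
    z3 = mul(x1, mul(t, t, log), log)
    x2 = mul(aa, bb, log)
    z2 = mul(e, (aa + A24 * e) % P, log)
    return (x2, z2), (x3, z3)


def ladder(k, u, trace=None):
    """x(k*u) as an integer (0 for the point at infinity).  If trace is a
    list, one zero-operand signature per processed bit is appended to it."""
    r0, r1 = (1, 0), (u % P, 1)            # (X:Z) of infinity and of the input
    for t in range(BITS - 1, -1, -1):
        bit = (k >> t) & 1
        r0, r1 = swap_pair(bit, r0, r1)
        log = []
        r0, r1 = ladder_step(u % P, r0, r1, log)
        r0, r1 = swap_pair(bit, r0, r1)
        if trace is not None:
            trace.append(tuple(log))
    x, z = r0
    return x * pow(z, P - 2, P) % P        # Z == 0 (infinity) gives 0


def clamp(k):
    """X25519 scalar clamping: clear bits 0-2 and bit 255, set bit 254."""
    return (k & ((1 << 255) - 8)) | (1 << 254)


def recover_scalar(trace, u):
    """Attacker side: replay the ladder on the public point u and, at each
    step, keep the key bit whose signature matches the observed one.  With
    the order-4 point the doubled register alternates between {O, 2P} and
    {P, 3P} depending on the bit, so exactly one candidate ever matches."""
    k = 0
    r0, r1 = (1, 0), (u % P, 1)
    for i, observed in enumerate(trace):
        t = BITS - 1 - i
        matches = []
        for bit in (0, 1):
            log = []
            s0, s1 = swap_pair(bit, r0, r1)
            s0, s1 = ladder_step(u % P, s0, s1, log)
            if tuple(log) == observed:
                matches.append((bit, swap_pair(bit, s0, s1)))
        if len(matches) != 1:
            raise ValueError(f"bit {t}: signature does not depend on the key")
        bit, (r0, r1) = matches[0]
        k |= bit << t
    return k


def attack(k, u):
    """Victim computes k*u under the leak model; attacker recovers k from the
    trace alone.  Returns the scalar, or None when the trace is ambiguous
    (as it is for a point of large order, where no zero operand occurs)."""
    trace = []
    ladder(k, u, trace)
    try:
        return recover_scalar(trace, u)
    except ValueError:
        return None


def is_low_order(u):
    """Input check (RFC 7748 style): a point whose order divides 8 maps to
    the identity under the cofactor, so the x-only result is 0."""
    return ladder(8, u) == 0
```

Running `attack(clamp(k), ORDER4_X)` returns the full clamped scalar from a single trace, while `attack(clamp(k), 9)` returns None because every multiplication on the base point has non-zero operands. `is_low_order` rejects x = 1, and also x = p - 1 (order 4 on the twist, which the x-only ladder handles identically), while accepting the base point.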
Keywords: Side Channel Attacks; Curve25519; Cache-Attacks; Flush+Reload; Order-4 Elements
Description: Session D3: Logical Side Channels
Rights: © 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.
RMID: 0030080051
DOI: 10.1145/3133956.3134029
Appears in Collections: Computer Science publications

Files in This Item:
hdl_123397.pdf (Accepted version, 874.68 kB, Adobe PDF)
