nettle: Side-channel silence

6.7.3.1 Side-channel silence
............................

Nettle’s implementation of the elliptic curve operations is intended to
be side-channel silent. The side-channel attacks considered are:

• Timing attacks. If the timing of operations depends on secret
  values, an attacker interacting with your system can measure the
  response time, and infer information about your secrets, e.g., a
  private signature key.

• Attacks using memory caches. Assume you have some secret data on a
  multi-user system, and that this data is properly protected so that
  other users get no direct access to it. If you have a process
  operating on the secret data, and this process does memory accesses
  depending on the data, e.g., an internal lookup table in some
  cryptographic algorithm, an attacker running a separate process on
  the same system may use the behavior of internal CPU caches to get
  information about your secrets. This type of attack can even cross
  virtual machine boundaries.

Nettle’s ECC implementation is designed to be “side-channel silent”,
and not leak any information to these attacks. Timing and memory
accesses depend only on the size of the input data and its location in
memory, not on the actual data bits. This implies a performance penalty
in several of the building blocks.
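
The lookup-table case above, as an added illustration that is not
Nettle's own code: a table read indexed by a secret, next to a variant
whose memory accesses depend only on the table size. All names
(leaky_select, eq_mask, silent_select, select_mismatches), ENTRY_WORDS
and the table contents are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENTRY_WORDS 4  /* words per table entry (constructed size) */

/* Leaky: the address (and cache line) read depends on the secret index. */
void leaky_select(uint32_t *out, const uint32_t *table, size_t secret)
{
  memcpy(out, table + secret * ENTRY_WORDS, ENTRY_WORDS * sizeof(*out));
}

/* All-ones if a == b, zero otherwise, with no data-dependent branch. */
static uint32_t eq_mask(uint32_t a, uint32_t b)
{
  uint32_t x = a ^ b;
  return (uint32_t) (((x | (0u - x)) >> 31) - 1u);
}

/* Silent: reads every entry in the same order whatever the index is,
   and keeps the wanted entry by masking. Cost is n reads, not one. */
void silent_select(uint32_t *out, const uint32_t *table, size_t n, size_t secret)
{
  size_t i, j;
  memset(out, 0, ENTRY_WORDS * sizeof(*out));
  for (i = 0; i < n; i++) {
    uint32_t mask = eq_mask((uint32_t) i, (uint32_t) secret);
    for (j = 0; j < ENTRY_WORDS; j++)
      out[j] |= table[i * ENTRY_WORDS + j] & mask;
  }
}

/* Counts indices where the two variants disagree (constructed table). */
int select_mismatches(void)
{
  uint32_t table[16 * ENTRY_WORDS], a[ENTRY_WORDS], b[ENTRY_WORDS];
  size_t i;
  int bad = 0;
  for (i = 0; i < 16 * ENTRY_WORDS; i++)
    table[i] = (uint32_t) (0x9e3779b9u * (i + 1));
  for (i = 0; i < 16; i++) {
    leaky_select(a, table, i);
    silent_select(b, table, 16, i);
    bad += memcmp(a, b, sizeof(a)) != 0;
  }
  return bad;
}

int main(void) { return select_mismatches() != 0; }
```

The silent variant does 16 entry reads where the leaky one does a single
read, which is the kind of performance penalty the text refers to. Whether
the compiled code keeps this access pattern depends on the compiler, so it
is worth checking the generated assembly.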