Affected Users:
Users of wolfSSL builds that use the C implementation of Curve25519 for private key operations. This does not affect builds using assembly-optimized implementations (ARM or Intel), the small footprint Curve25519 build, or hardware offload implementations.
Summary:
A potential side-channel vulnerability was identified in the C implementation of Curve25519 private key operations in wolfSSL. Side-channel attacks are sophisticated techniques where an attacker analyzes physical characteristics of a cryptographic device during operation, such as power consumption or electromagnetic emissions, to extract sensitive information like private keys. While these attacks require physical proximity to the target device and specialized equipment, they represent a real threat for devices deployed in environments where an attacker may have physical access.
To address this vulnerability, wolfSSL version 5.8.0 introduced optional blinding support for Curve25519 operations as documented in our previous blog post. Blinding is a cryptographic countermeasure that randomizes intermediate values during computation, making it significantly more difficult for attackers to correlate observed side-channel information with secret key material.
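To make the blinding idea concrete, here is an added example that is not wolfSSL's code: a minimal X25519 Montgomery ladder (RFC 7748) in Python whose projective point representation is scaled by a fresh random factor on every call. The output is unchanged (checked against the RFC 7748 test vectors) while the intermediate values an attacker would observe in a power or EM trace differ from run to run. wolfSSL's own countermeasure is not described on this page and may differ in detail, and Python big-integer arithmetic is not constant time, so this illustrates the effect of blinding rather than serving as a production implementation.

```python
# Added illustration (not wolfSSL code) of projective-coordinate blinding in an
# X25519 Montgomery ladder, following RFC 7748. Python big-int arithmetic is
# not constant time; this shows the countermeasure's effect, not a production
# implementation. wolfSSL's own blinding may differ in detail.
import secrets

P = 2**255 - 19            # field prime
A24 = 121665               # (A - 2) / 4 for Curve25519, A = 486662
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _clamp(k_bytes):
    """Decode and clamp a 32-byte X25519 scalar (RFC 7748 decodeScalar25519)."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u_bytes):
    """Decode a 32-byte u-coordinate, ignoring the top bit as RFC 7748 requires."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def _cswap(swap, a, b):
    """Branch-free conditional swap; swap is 0 or 1."""
    mask = -swap                      # 0 or all ones
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def x25519(k_bytes, u_bytes, blind=False, trace=None):
    """X25519(k, u). With blind=True the projective representation of the
    working points is multiplied by a fresh random factor lam, so every
    intermediate x2, z2, x3, z3 changes from call to call while k*u does not.
    If trace is a list, one intermediate value per ladder step is appended."""
    k = _clamp(k_bytes)
    u = _decode_u(u_bytes)
    lam = secrets.randbelow(P - 1) + 1 if blind else 1   # nonzero field element
    x1 = u                              # affine u of the difference point, unchanged
    x2, z2 = lam, 0                     # (lam : 0) is still the point at infinity
    x3, z3 = (u * lam) % P, lam         # (lam*u : lam) is still the input point
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
        if trace is not None:
            trace.append(z2)            # the kind of value a power/EM trace leaks
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv, blind=True):
    return x25519(priv, BASEPOINT, blind)


def shared_secret(priv, peer_pub, blind=True):
    return x25519(priv, peer_pub, blind)


def intermediates_differ(priv, peer_pub):
    """Two blinded runs: identical output, different intermediate values."""
    t1, t2 = [], []
    r1 = x25519(priv, peer_pub, True, t1)
    r2 = x25519(priv, peer_pub, True, t2)
    return r1 == r2 and t1 != t2


if __name__ == "__main__":
    assert public_key(ALICE_PRIV, blind=False) == ALICE_PUB
    assert public_key(ALICE_PRIV) == ALICE_PUB
    assert shared_secret(ALICE_PRIV, BOB_PUB) == SHARED
    assert shared_secret(BOB_PRIV, ALICE_PUB) == SHARED
    print("RFC 7748 vectors pass with and without blinding;",
          "intermediates differ:", intermediates_differ(ALICE_PRIV, BOB_PUB))
```

The random factor has to come from a cryptographic RNG on every private-key operation, which is why a blinded implementation needs an RNG available wherever the private scalar is used, including when deriving a public key from an imported private key.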
In wolfSSL version 5.8.2, Curve25519 blinding protection has been enabled by default for applicable builds, providing automatic protection without requiring explicit configuration. This change ensures that users benefit from enhanced side-channel resistance without needing to manually enable the feature.
We would like to thank Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris for discovering and responsibly reporting this vulnerability to our team.
When Blinding Is Applicable:
Blinding is only relevant for builds that use the C implementation of Curve25519. It is not available or necessary in the following cases:
- Assembly-optimized implementations using --enable-armasm or --enable-intelasm
- The small footprint Curve25519 build using --enable-curve25519=small
These implementations are not affected by this C-implementation vulnerability, and blinding is not available for them.
Affected Operations:
Blinding hardens Curve25519 operations where the private key is used with scalar multiplication:
- wc_curve25519_export_public_ex – when deriving the public key from a private key
- wc_curve25519_make_key – during key pair generation
- wc_curve25519_generic – scalar multiplication with a caller-supplied base point
- wc_curve25519_shared_secret_ex – when computing a shared secret from a private key and a peer's public key
Important Note for Imported Keys:
When blinding is enabled, the functions wc_curve25519_export_public_ex and wc_curve25519_shared_secret_ex require an RNG to be set on the key structure. If you are importing private keys rather than generating them with wc_curve25519_make_key, you must call wc_curve25519_set_rng() to associate an RNG with the key before using these operations. Failure to do so will result in an error return value.
Disabling Blinding:
Users who need to explicitly disable blinding can define NO_CURVE25519_BLINDING during compilation. However, this removes side-channel protections and should only be used if you have a specific technical requirement and understand the security implications.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.