As of wolfSSL version 5.8.0, support for Curve25519 blinding has been introduced. Although originally listed as a feature addition in the changelog, it is more accurately characterized as a mitigation for a potential side-channel vulnerability affecting specific builds. This feature offers optional hardening against power or electromagnetic (EM) analysis during Curve25519 private key operations. While such attacks are generally difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.
When Blinding Is Applicable
Blinding is only relevant for builds that use the C implementation of Curve25519 in wolfSSL. It is not available or necessary in the following cases:
- Assembly-optimized implementations (--enable-armasm / WOLFSSL_ARMASM, --enable-intelasm / USE_INTEL_SPEEDUP)
- The small footprint Curve25519 build (--enable-curve25519=small / CURVE25519_SMALL)
To enable blinding in the C implementation, define the macro WOLFSSL_CURVE25519_BLINDING. For example:
```bash
./configure --enable-curve25519 CPPFLAGS=-DWOLFSSL_CURVE25519_BLINDING
```
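The applicability rules above can be turned into a quick audit of a deployed build. The script below is an added example, not wolfSSL's own tooling: it reads the macros recorded in a generated wolfssl/options.h (assumed to contain the usual "#define MACRO" lines that ./configure writes) and reports whether Curve25519 blinding is inapplicable, already enabled, or still missing for the C implementation. The sample options.h files are constructed inline so the script runs offline.

```bash
#!/bin/sh
# Added audit helper (not part of wolfSSL): classify a wolfSSL build from the
# macros in its generated wolfssl/options.h, following the rules above:
#   - no HAVE_CURVE25519                     -> Curve25519 not built at all
#   - WOLFSSL_ARMASM or USE_INTEL_SPEEDUP    -> assembly build, blinding N/A
#   - CURVE25519_SMALL                       -> small build, blinding N/A
#   - WOLFSSL_CURVE25519_BLINDING            -> C implementation, blinded
#   - otherwise                              -> C implementation, unblinded
# Assumption: options.h defines macros as "#define MACRO" or "#define MACRO 1".

# has_define FILE MACRO -> exit 0 if MACRO is defined in FILE (exact name only,
# so WOLFSSL_ARMASM does not match WOLFSSL_ARMASM_INLINE)
has_define() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# classify_build FILE -> prints one of:
#   no-curve25519 | asm-build | small-build | blinded | unblinded
classify_build() {
    f="$1"
    if ! has_define "$f" HAVE_CURVE25519; then
        echo no-curve25519
    elif has_define "$f" WOLFSSL_ARMASM || has_define "$f" USE_INTEL_SPEEDUP; then
        echo asm-build
    elif has_define "$f" CURVE25519_SMALL; then
        echo small-build
    elif has_define "$f" WOLFSSL_CURVE25519_BLINDING; then
        echo blinded
    else
        echo unblinded
    fi
}

# make_sample PATH MACRO... -> write a constructed options.h with those macros
make_sample() {
    path="$1"; shift
    : > "$path"
    for m in "$@"; do
        printf '#define %s\n' "$m" >> "$path"
    done
}

# demo -> classify four constructed builds and print the verdict for each
demo() {
    d=$(mktemp -d)
    make_sample "$d/plain.h"  HAVE_CURVE25519 WOLFSSL_TLS13
    make_sample "$d/blind.h"  HAVE_CURVE25519 WOLFSSL_CURVE25519_BLINDING
    make_sample "$d/armasm.h" HAVE_CURVE25519 WOLFSSL_ARMASM
    make_sample "$d/small.h"  HAVE_CURVE25519 CURVE25519_SMALL
    for name in plain blind armasm small; do
        printf '%s: %s\n' "$name" "$(classify_build "$d/$name.h")"
    done
    rm -rf "$d"
}

demo
```

Only the "unblinded" verdict calls for action: rebuild with WOLFSSL_CURVE25519_BLINDING and regenerate the private keys that were used on that build. To audit a real installation, point classify_build at the installed wolfssl/options.h instead of the constructed samples.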
Affected APIs
Blinding hardens operations where the private key is used with scalar multiplication, such as:
- wc_curve25519_export_public_ex – when deriving the public key from a private key
- wc_curve25519_make_key – during key pair generation
- wc_curve25519_generic
- wc_curve25519_shared_secret_ex
If you are using the C implementation on hardware where physical side-channel exposure is a concern, it’s recommended to enable blinding and regenerate private keys used in these operations. Curve25519 blinding will be enabled by default for the C implementation in future wolfSSL releases.
Acknowledgments
Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris for reporting this.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.