Skip to main content

May the fourth be with you: A microarchitectural side channel attack on a real-world applications of curve25519


Daniel Genkin, Luke Valenta and Yuval Yarom


University of Pennsylvania

University of Pennsylvania & University of Maryland

The University of Adelaide


In recent years, applications increasingly adopt security primitives designed with better countermeasures against side channel attacks. A concrete example is Libgcrypt’s implementation of ECDH encryption with Curve25519. The implementation employs the Montgomery ladder scalar-by-point multiplication, uses the unified, branchless Montgomery double-and-add formula and implements a constant-time argument swap within the ladder. Based on the secure design of Curve25519, users of the curve are advised that there is no need to perform validation of input points. In this work we demonstrate that when this recommendation is followed, the mathematical structure of Curve25519 facilitates the exploitation of side-channel weaknesses. We demonstrate the effect of this vulnerability on three software applications—encrypted git, email and messaging—that use Libgcrypt. In each case, we show how to craft malicious OpenPGP files that use the Curve25519 point of order 4 as a chosen ciphertext to the ECDH encryption scheme. We find that the resulting interactions of the point at infinity, the order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine creates a side channel leakage that allows us to recover the private key in as few as 11 attampts to access such malicious files.

BibTeX Entry

    year             = {2017},
    month            = oct,
    pages            = {845-858},
    publisher        = {ACM},
    paperurl         = {},
    booktitle        = {ACM Conference on Computer and Communications Security},
    author           = {Genkin, Daniel and Valenta, Luke and Yarom, Yuval},
    address          = {Dallas},
    title            = {May the Fourth Be With You: {A} Microarchitectural Side Channel Attack on a Real-World Applications
                        of Curve25519},
    date             = {2017-10-31}